Documentation
Overview
Package rbac provides Role Based Access Control (RBAC) for services in an Istio mesh. Setting up the RBAC handler is trivial. The runtime input to the RBAC handler should be an instance of the "authorization" template.
The RBAC policies are specified in ServiceRole and ServiceRoleBinding CRD objects. You can define a ServiceRole that contains a set of permissions for service/method level access. You can then assign a ServiceRole to a set of subjects using a ServiceRoleBinding specification. A ServiceRole and the corresponding ServiceRoleBindings should be in the same namespace. Please see "istio.io/istio/mixer/testdata/config/rbac.yaml" for an example of the RBAC handler, plus ServiceRole and ServiceRoleBinding specifications.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type ActionArgs
type ActionArgs struct {
    Namespace  string
    Service    string
    Method     string
    Path       string
    Properties []string
}
ActionArgs contains information about the detail of a request.
type ConfigStore
type ConfigStore struct {
    // All the Roles organized per namespace.
    Roles RolesMapByNamespace
}
ConfigStore contains all ServiceRole and ServiceRoleBinding information. ConfigStore implements the authorizer interface.
func (*ConfigStore) Check
func (rs *ConfigStore) Check(subject SubjectArgs, action ActionArgs) (bool, error)
Check performs the permission check for the given subject on the given action.
func (*ConfigStore) CheckPermission
func (rs *ConfigStore) CheckPermission(inst *authorization.Instance, logger adapter.Logger) (bool, error)
CheckPermission checks the permission for a given request. This is the main API called by the RBAC adapter at runtime to authorize requests.
type RoleInfo
type RoleInfo struct {
    // ServiceRole proto definition
    Info *rbacproto.ServiceRole
    // A set of ServiceRoleBindings that refer to this role.
    Bindings map[string]*rbacproto.ServiceRoleBinding
}
RoleInfo contains information about a ServiceRole and associated ServiceRoleBindings.
type RolesMapByNamespace
type RolesMapByNamespace map[string]RolesByName
RolesMapByNamespace maps a namespace to the set of Roles in that namespace.
func (*RolesMapByNamespace) AddServiceRole
func (rs *RolesMapByNamespace) AddServiceRole(name, namespace string, proto *rbacproto.ServiceRole) error
AddServiceRole adds a new ServiceRole to RolesMapByNamespace with the specified name and namespace. It returns nil if the role was added successfully, otherwise it returns an error.
func (*RolesMapByNamespace) AddServiceRoleBinding
func (rs *RolesMapByNamespace) AddServiceRoleBinding(name, namespace string, proto *rbacproto.ServiceRoleBinding) error
AddServiceRoleBinding adds a new ServiceRoleBinding to RolesMapByNamespace with the specified name and namespace. It returns nil if the binding was added successfully, otherwise it returns an error.
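The role/binding model from the overview, the same-namespace rule (a ServiceRoleBinding only resolves a ServiceRole in its own namespace) and the deny-by-default Check, as an added, self-contained Go example that is not the adapter's own code. The type names mirror this page, but their fields, the rule-matching semantics (exact match, "*", a trailing-"*" prefix glob, and an empty pattern list meaning unconstrained) and the sample policy (role products-viewer, user alice, the products service) are assumptions constructed for the example; the rbacproto types are replaced by plain structs so it builds without Istio.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for the adapter's types; the field names are assumptions of this example.
type SubjectArgs struct{ User string }
type ActionArgs struct{ Namespace, Service, Method, Path string }
type AccessRule struct{ Services, Methods, Paths []string }
type ServiceRole struct{ Rules []AccessRule }
type ServiceRoleBinding struct {
	Subjects map[string]bool // set of user names granted the role
	RoleRef  string          // name of a ServiceRole in the binding's own namespace
}
type RoleInfo struct {
	Info     *ServiceRole
	Bindings map[string]*ServiceRoleBinding
}
type RolesByName map[string]*RoleInfo
type RolesMapByNamespace map[string]RolesByName
type ConfigStore struct{ Roles RolesMapByNamespace }

// AddServiceRole refuses to silently overwrite an existing role of the same name.
func (rs RolesMapByNamespace) AddServiceRole(name, namespace string, proto *ServiceRole) error {
	if rs[namespace] == nil {
		rs[namespace] = RolesByName{}
	}
	if _, exists := rs[namespace][name]; exists {
		return fmt.Errorf("role %s/%s already defined", namespace, name)
	}
	rs[namespace][name] = &RoleInfo{Info: proto, Bindings: map[string]*ServiceRoleBinding{}}
	return nil
}

// AddServiceRoleBinding accepts a binding only if its roleRef resolves in the same namespace.
func (rs RolesMapByNamespace) AddServiceRoleBinding(name, namespace string, proto *ServiceRoleBinding) error {
	role, ok := rs[namespace][proto.RoleRef]
	if !ok {
		return fmt.Errorf("binding %s/%s: no ServiceRole %q in namespace %s", namespace, name, proto.RoleRef, namespace)
	}
	role.Bindings[name] = proto
	return nil
}

// matchAny: "*" matches everything, "prefix*" is a glob, anything else must match exactly;
// an empty pattern list is treated as unconstrained (an assumption of this example).
func matchAny(patterns []string, value string) bool {
	if len(patterns) == 0 {
		return true
	}
	for _, p := range patterns {
		if p == "*" || p == value || (strings.HasSuffix(p, "*") && strings.HasPrefix(value, strings.TrimSuffix(p, "*"))) {
			return true
		}
	}
	return false
}

// Check is deny-by-default: allow only when a role in the action's namespace has a rule
// covering the action and one of that role's bindings names the subject.
func (cs *ConfigStore) Check(subject SubjectArgs, action ActionArgs) (bool, error) {
	for _, role := range cs.Roles[action.Namespace] {
		for _, r := range role.Info.Rules {
			if !(matchAny(r.Services, action.Service) && matchAny(r.Methods, action.Method) && matchAny(r.Paths, action.Path)) {
				continue
			}
			for _, b := range role.Bindings {
				if b.Subjects[subject.User] {
					return true, nil
				}
			}
		}
	}
	return false, nil
}

// ExampleStore loads a constructed policy: "products-viewer" in namespace "default"
// permits GET /products* on the products service, and alice is bound to it.
func ExampleStore() (*ConfigStore, error) {
	cs := &ConfigStore{Roles: RolesMapByNamespace{}}
	role := &ServiceRole{Rules: []AccessRule{{Services: []string{"products.default.svc.cluster.local"}, Methods: []string{"GET"}, Paths: []string{"/products*"}}}}
	if err := cs.Roles.AddServiceRole("products-viewer", "default", role); err != nil {
		return nil, err
	}
	err := cs.Roles.AddServiceRoleBinding("bind-products-viewer", "default", &ServiceRoleBinding{Subjects: map[string]bool{"alice": true}, RoleRef: "products-viewer"})
	return cs, err
}

func main() {
	cs, err := ExampleStore()
	if err != nil {
		panic(err)
	}
	get := ActionArgs{Namespace: "default", Service: "products.default.svc.cluster.local", Method: "GET", Path: "/products/42"}
	fmt.Println(cs.Check(SubjectArgs{User: "alice"}, get)) // true <nil>
	fmt.Println(cs.Check(SubjectArgs{User: "bob"}, get))   // false <nil>
}
```

Two properties are worth noticing when reading the decisions: a subject with no binding, a method or path outside the role's rules, and a namespace with no roles at all each produce a deny without any special casing, and a binding that names a role from another namespace is rejected at load time rather than silently granting nothing (or, worse, something) at request time.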
type SubjectArgs
SubjectArgs contains information about the subject of a request.