Documentation ¶
Index ¶
- Constants
- Variables
- func IsDeniedError(err error) bool
- func ValidateAuthenticationMethod(authenticationMethod string) error
- func ValidateEntitlement(entityType entity.Type, entitlement Entitlement) error
- func WithConfig(c map[string]any) func(*Opts)
- func WithOpenFGADatastore(store storage.OpenFGADatastore) func(*Opts)
- type Authorizer
- type Entitlement
- type Opts
- type PermissionChecker
Constants ¶
const (
	// DriverEmbeddedOpenFGA is the default authorization driver. It currently falls back to DriverTLS for all TLS
	// clients. It cannot be initialised until after the cluster database is operational.
	DriverEmbeddedOpenFGA string = "embedded-openfga"
)

const (
	// DriverTLS is used at start up to allow communication between cluster members and initialise the cluster database.
	DriverTLS string = "tls"
)
Variables ¶
var ErrUnknownDriver = fmt.Errorf("Unknown driver")
ErrUnknownDriver is the "Unknown driver" error.
Functions ¶
func IsDeniedError ¶
func IsDeniedError(err error) bool
IsDeniedError returns true if the error is a not found or a forbidden error. This is because the CheckPermission method on Authorizer returns a not found error if the requestor does not have access to view the resource. If a requestor has view access, but not edit access, a forbidden error is returned.
func ValidateAuthenticationMethod ¶
func ValidateAuthenticationMethod(authenticationMethod string) error
ValidateAuthenticationMethod returns an api.StatusError with http.StatusBadRequest if the given authentication method is not recognised.
func ValidateEntitlement ¶
func ValidateEntitlement(entityType entity.Type, entitlement Entitlement) error
ValidateEntitlement returns an error if the given Entitlement does not apply to the entity.Type.
func WithConfig ¶
func WithConfig(c map[string]any) func(*Opts)
WithConfig can be passed into LoadAuthorizer to pass in driver-specific configuration.
func WithOpenFGADatastore ¶
func WithOpenFGADatastore(store storage.OpenFGADatastore) func(*Opts)
WithOpenFGADatastore should be passed into LoadAuthorizer when using the embedded OpenFGA driver (DriverEmbeddedOpenFGA).
Types ¶
type Authorizer ¶
type Authorizer interface {
	Driver() string
	CheckPermission(ctx context.Context, r *http.Request, entityURL *api.URL, entitlement Entitlement) error
	GetPermissionChecker(ctx context.Context, r *http.Request, entitlement Entitlement, entityType entity.Type) (PermissionChecker, error)
}
Authorizer is the primary external API for this package.
type Entitlement ¶
type Entitlement string
Entitlement is a representation of the relations that group members can have with entity types.
const (
	// EntitlementCanView is the "can_view" entitlement. It applies to the following entities: entity.TypeCertificate, entity.TypeAuthGroup, entity.TypeIdentity, entity.TypeIdentityProviderGroup, entity.TypeImage, entity.TypeImageAlias, entity.TypeInstance, entity.TypeNetwork, entity.TypeNetworkACL, entity.TypeNetworkZone, entity.TypeProfile, entity.TypeProject, entity.TypeStorageBucket, entity.TypeStorageVolume.
	EntitlementCanView Entitlement = "can_view"

	// EntitlementCanEdit is the "can_edit" entitlement. It applies to the following entities: entity.TypeCertificate, entity.TypeAuthGroup, entity.TypeIdentity, entity.TypeIdentityProviderGroup, entity.TypeImage, entity.TypeImageAlias, entity.TypeInstance, entity.TypeNetwork, entity.TypeNetworkACL, entity.TypeNetworkZone, entity.TypeProfile, entity.TypeProject, entity.TypeServer, entity.TypeStorageBucket, entity.TypeStoragePool, entity.TypeStorageVolume.
	EntitlementCanEdit Entitlement = "can_edit"

	// EntitlementCanDelete is the "can_delete" entitlement. It applies to the following entities: entity.TypeCertificate, entity.TypeAuthGroup, entity.TypeIdentity, entity.TypeIdentityProviderGroup, entity.TypeImage, entity.TypeImageAlias, entity.TypeInstance, entity.TypeNetwork, entity.TypeNetworkACL, entity.TypeNetworkZone, entity.TypeProfile, entity.TypeProject, entity.TypeStorageBucket, entity.TypeStoragePool, entity.TypeStorageVolume.
	EntitlementCanDelete Entitlement = "can_delete"

	// EntitlementAdmin is the "admin" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementAdmin Entitlement = "admin"

	// EntitlementViewer is the "viewer" entitlement. It applies to the following entities: entity.TypeProject, entity.TypeServer.
	EntitlementViewer Entitlement = "viewer"

	// EntitlementPermissionManager is the "permission_manager" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementPermissionManager Entitlement = "permission_manager"

	// EntitlementCanViewPermissions is the "can_view_permissions" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewPermissions Entitlement = "can_view_permissions"

	// EntitlementCanCreateIdentities is the "can_create_identities" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateIdentities Entitlement = "can_create_identities"

	// EntitlementCanViewIdentities is the "can_view_identities" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewIdentities Entitlement = "can_view_identities"

	// EntitlementCanEditIdentities is the "can_edit_identities" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditIdentities Entitlement = "can_edit_identities"

	// EntitlementCanDeleteIdentities is the "can_delete_identities" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteIdentities Entitlement = "can_delete_identities"

	// EntitlementCanCreateGroups is the "can_create_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateGroups Entitlement = "can_create_groups"

	// EntitlementCanViewGroups is the "can_view_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewGroups Entitlement = "can_view_groups"

	// EntitlementCanEditGroups is the "can_edit_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditGroups Entitlement = "can_edit_groups"

	// EntitlementCanDeleteGroups is the "can_delete_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteGroups Entitlement = "can_delete_groups"

	// EntitlementCanCreateIdentityProviderGroups is the "can_create_identity_provider_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateIdentityProviderGroups Entitlement = "can_create_identity_provider_groups"

	// EntitlementCanViewIdentityProviderGroups is the "can_view_identity_provider_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewIdentityProviderGroups Entitlement = "can_view_identity_provider_groups"

	// EntitlementCanEditIdentityProviderGroups is the "can_edit_identity_provider_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditIdentityProviderGroups Entitlement = "can_edit_identity_provider_groups"

	// EntitlementCanDeleteIdentityProviderGroups is the "can_delete_identity_provider_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteIdentityProviderGroups Entitlement = "can_delete_identity_provider_groups"

	// EntitlementStoragePoolManager is the "storage_pool_manager" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementStoragePoolManager Entitlement = "storage_pool_manager"

	// EntitlementCanCreateStoragePools is the "can_create_storage_pools" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateStoragePools Entitlement = "can_create_storage_pools"

	// EntitlementCanEditStoragePools is the "can_edit_storage_pools" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditStoragePools Entitlement = "can_edit_storage_pools"

	// EntitlementCanDeleteStoragePools is the "can_delete_storage_pools" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteStoragePools Entitlement = "can_delete_storage_pools"

	// EntitlementProjectManager is the "project_manager" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementProjectManager Entitlement = "project_manager"

	// EntitlementCanCreateProjects is the "can_create_projects" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateProjects Entitlement = "can_create_projects"

	// EntitlementCanViewProjects is the "can_view_projects" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewProjects Entitlement = "can_view_projects"

	// EntitlementCanEditProjects is the "can_edit_projects" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditProjects Entitlement = "can_edit_projects"

	// EntitlementCanDeleteProjects is the "can_delete_projects" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteProjects Entitlement = "can_delete_projects"

	// EntitlementCanOverrideClusterTargetRestriction is the "can_override_cluster_target_restriction" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanOverrideClusterTargetRestriction Entitlement = "can_override_cluster_target_restriction"

	// EntitlementCanViewPrivilegedEvents is the "can_view_privileged_events" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewPrivilegedEvents Entitlement = "can_view_privileged_events"

	// EntitlementCanViewResources is the "can_view_resources" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewResources Entitlement = "can_view_resources"

	// EntitlementCanViewMetrics is the "can_view_metrics" entitlement. It applies to the following entities: entity.TypeProject, entity.TypeServer.
	EntitlementCanViewMetrics Entitlement = "can_view_metrics"

	// EntitlementCanViewWarnings is the "can_view_warnings" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewWarnings Entitlement = "can_view_warnings"

	// EntitlementOperator is the "operator" entitlement. It applies to the following entities: entity.TypeInstance, entity.TypeProject.
	EntitlementOperator Entitlement = "operator"

	// EntitlementImageManager is the "image_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementImageManager Entitlement = "image_manager"

	// EntitlementCanCreateImages is the "can_create_images" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateImages Entitlement = "can_create_images"

	// EntitlementCanViewImages is the "can_view_images" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewImages Entitlement = "can_view_images"

	// EntitlementCanEditImages is the "can_edit_images" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditImages Entitlement = "can_edit_images"

	// EntitlementCanDeleteImages is the "can_delete_images" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteImages Entitlement = "can_delete_images"

	// EntitlementImageAliasManager is the "image_alias_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementImageAliasManager Entitlement = "image_alias_manager"

	// EntitlementCanCreateImageAliases is the "can_create_image_aliases" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateImageAliases Entitlement = "can_create_image_aliases"

	// EntitlementCanViewImageAliases is the "can_view_image_aliases" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewImageAliases Entitlement = "can_view_image_aliases"

	// EntitlementCanEditImageAliases is the "can_edit_image_aliases" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditImageAliases Entitlement = "can_edit_image_aliases"

	// EntitlementCanDeleteImageAliases is the "can_delete_image_aliases" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteImageAliases Entitlement = "can_delete_image_aliases"

	// EntitlementInstanceManager is the "instance_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementInstanceManager Entitlement = "instance_manager"

	// EntitlementCanCreateInstances is the "can_create_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateInstances Entitlement = "can_create_instances"

	// EntitlementCanViewInstances is the "can_view_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewInstances Entitlement = "can_view_instances"

	// EntitlementCanEditInstances is the "can_edit_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditInstances Entitlement = "can_edit_instances"

	// EntitlementCanDeleteInstances is the "can_delete_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteInstances Entitlement = "can_delete_instances"

	// EntitlementCanOperateInstances is the "can_operate_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanOperateInstances Entitlement = "can_operate_instances"

	// EntitlementNetworkManager is the "network_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementNetworkManager Entitlement = "network_manager"

	// EntitlementCanCreateNetworks is the "can_create_networks" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateNetworks Entitlement = "can_create_networks"

	// EntitlementCanViewNetworks is the "can_view_networks" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewNetworks Entitlement = "can_view_networks"

	// EntitlementCanEditNetworks is the "can_edit_networks" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditNetworks Entitlement = "can_edit_networks"

	// EntitlementCanDeleteNetworks is the "can_delete_networks" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteNetworks Entitlement = "can_delete_networks"

	// EntitlementNetworkACLManager is the "network_acl_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementNetworkACLManager Entitlement = "network_acl_manager"

	// EntitlementCanCreateNetworkACLs is the "can_create_network_acls" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateNetworkACLs Entitlement = "can_create_network_acls"

	// EntitlementCanViewNetworkACLs is the "can_view_network_acls" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewNetworkACLs Entitlement = "can_view_network_acls"

	// EntitlementCanEditNetworkACLs is the "can_edit_network_acls" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditNetworkACLs Entitlement = "can_edit_network_acls"

	// EntitlementCanDeleteNetworkACLs is the "can_delete_network_acls" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteNetworkACLs Entitlement = "can_delete_network_acls"

	// EntitlementNetworkZoneManager is the "network_zone_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementNetworkZoneManager Entitlement = "network_zone_manager"

	// EntitlementCanCreateNetworkZones is the "can_create_network_zones" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateNetworkZones Entitlement = "can_create_network_zones"

	// EntitlementCanViewNetworkZones is the "can_view_network_zones" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewNetworkZones Entitlement = "can_view_network_zones"

	// EntitlementCanEditNetworkZones is the "can_edit_network_zones" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditNetworkZones Entitlement = "can_edit_network_zones"

	// EntitlementCanDeleteNetworkZones is the "can_delete_network_zones" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteNetworkZones Entitlement = "can_delete_network_zones"

	// EntitlementProfileManager is the "profile_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementProfileManager Entitlement = "profile_manager"

	// EntitlementCanCreateProfiles is the "can_create_profiles" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateProfiles Entitlement = "can_create_profiles"

	// EntitlementCanViewProfiles is the "can_view_profiles" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewProfiles Entitlement = "can_view_profiles"

	// EntitlementCanEditProfiles is the "can_edit_profiles" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditProfiles Entitlement = "can_edit_profiles"

	// EntitlementCanDeleteProfiles is the "can_delete_profiles" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteProfiles Entitlement = "can_delete_profiles"

	// EntitlementStorageVolumeManager is the "storage_volume_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementStorageVolumeManager Entitlement = "storage_volume_manager"

	// EntitlementCanCreateStorageVolumes is the "can_create_storage_volumes" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateStorageVolumes Entitlement = "can_create_storage_volumes"

	// EntitlementCanViewStorageVolumes is the "can_view_storage_volumes" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewStorageVolumes Entitlement = "can_view_storage_volumes"

	// EntitlementCanEditStorageVolumes is the "can_edit_storage_volumes" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditStorageVolumes Entitlement = "can_edit_storage_volumes"

	// EntitlementCanDeleteStorageVolumes is the "can_delete_storage_volumes" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteStorageVolumes Entitlement = "can_delete_storage_volumes"

	// EntitlementStorageBucketManager is the "storage_bucket_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementStorageBucketManager Entitlement = "storage_bucket_manager"

	// EntitlementCanCreateStorageBuckets is the "can_create_storage_buckets" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateStorageBuckets Entitlement = "can_create_storage_buckets"

	// EntitlementCanViewStorageBuckets is the "can_view_storage_buckets" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewStorageBuckets Entitlement = "can_view_storage_buckets"

	// EntitlementCanEditStorageBuckets is the "can_edit_storage_buckets" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditStorageBuckets Entitlement = "can_edit_storage_buckets"

	// EntitlementCanDeleteStorageBuckets is the "can_delete_storage_buckets" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteStorageBuckets Entitlement = "can_delete_storage_buckets"

	// EntitlementCanViewOperations is the "can_view_operations" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewOperations Entitlement = "can_view_operations"

	// EntitlementCanViewEvents is the "can_view_events" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewEvents Entitlement = "can_view_events"

	// EntitlementUser is the "user" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementUser Entitlement = "user"

	// EntitlementCanUpdateState is the "can_update_state" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanUpdateState Entitlement = "can_update_state"

	// EntitlementCanManageSnapshots is the "can_manage_snapshots" entitlement. It applies to the following entities: entity.TypeInstance, entity.TypeStorageVolume.
	EntitlementCanManageSnapshots Entitlement = "can_manage_snapshots"

	// EntitlementCanManageBackups is the "can_manage_backups" entitlement. It applies to the following entities: entity.TypeInstance, entity.TypeStorageVolume.
	EntitlementCanManageBackups Entitlement = "can_manage_backups"

	// EntitlementCanConnectSFTP is the "can_connect_sftp" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanConnectSFTP Entitlement = "can_connect_sftp"

	// EntitlementCanAccessFiles is the "can_access_files" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanAccessFiles Entitlement = "can_access_files"

	// EntitlementCanAccessConsole is the "can_access_console" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanAccessConsole Entitlement = "can_access_console"

	// EntitlementCanExec is the "can_exec" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanExec Entitlement = "can_exec"
)
func EntitlementsByEntityType ¶
func EntitlementsByEntityType(entityType entity.Type) []Entitlement
EntitlementsByEntityType returns the list of Entitlement values that can be granted on the given entity.Type.
type Opts ¶
type Opts struct {
// contains filtered or unexported fields
}
Opts is used as part of the LoadAuthorizer function so that only the relevant configuration fields are passed into a particular driver.
type PermissionChecker ¶
PermissionChecker is a type alias for a function that returns whether a user has the required permission on an object. It is returned by Authorizer.GetPermissionChecker, so that the entitlement is resolved once and the returned function can be applied to each object in a list.
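The following is an added example, not code from the LXD auth package, showing how the pieces documented above fit together: an Authorizer whose CheckPermission answers "not found" when the caller cannot even view the entity and "forbidden" only when the caller can view it but lacks the requested entitlement (the behaviour IsDeniedError relies on), a ValidateEntitlement backed by an entity-type-to-entitlements map like the one EntitlementsByEntityType exposes, and a PermissionChecker closure used to filter a list. The LXD-specific types are replaced by local stand-ins (StatusError for api.StatusError, EntityType for entity.Type, *url.URL for *api.URL), the in-memory driver, the WithIdentity context helper and the grants for "alice" are all constructed for this example, and the entitlement subset is deliberately small.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Entitlement mirrors the package's `type Entitlement string`.
type Entitlement string

// EntityType is a local stand-in for entity.Type (assumption for this example).
type EntityType string

const (
	EntityTypeInstance EntityType = "instance"
	EntityTypeProject  EntityType = "project"

	EntitlementCanView Entitlement = "can_view"
	EntitlementCanEdit Entitlement = "can_edit"
	EntitlementCanExec Entitlement = "can_exec"
)

// entitlementsByEntityType is a constructed subset of the EntitlementsByEntityType
// mapping: can_exec applies to instances, not to projects.
var entitlementsByEntityType = map[EntityType][]Entitlement{
	EntityTypeInstance: {EntitlementCanView, EntitlementCanEdit, EntitlementCanExec},
	EntityTypeProject:  {EntitlementCanView, EntitlementCanEdit},
}

// StatusError is a local stand-in for api.StatusError: an error carrying an HTTP status.
type StatusError struct {
	Status int
	Msg    string
}

func (e StatusError) Error() string { return fmt.Sprintf("%d: %s", e.Status, e.Msg) }

// ValidateEntitlement rejects entitlements that do not apply to the entity type,
// so a check copy-pasted against the wrong type fails loudly instead of silently denying.
func ValidateEntitlement(entityType EntityType, entitlement Entitlement) error {
	for _, allowed := range entitlementsByEntityType[entityType] {
		if allowed == entitlement {
			return nil
		}
	}
	return fmt.Errorf("entitlement %q does not apply to entity type %q", entitlement, entityType)
}

// IsDeniedError follows the documented contract: not found and forbidden both mean "denied".
func IsDeniedError(err error) bool {
	var se StatusError
	return errors.As(err, &se) && (se.Status == http.StatusNotFound || se.Status == http.StatusForbidden)
}

// PermissionChecker reports whether the caller holds the entitlement on one entity URL.
type PermissionChecker func(entityURL *url.URL) bool

// Authorizer is the documented interface with the LXD types swapped for the local stand-ins.
type Authorizer interface {
	Driver() string
	CheckPermission(ctx context.Context, r *http.Request, entityURL *url.URL, entitlement Entitlement) error
	GetPermissionChecker(ctx context.Context, r *http.Request, entitlement Entitlement, entityType EntityType) (PermissionChecker, error)
}

type identityKey struct{}

// WithIdentity attaches the caller's name to ctx (constructed helper; LXD resolves the caller itself).
func WithIdentity(ctx context.Context, name string) context.Context {
	return context.WithValue(ctx, identityKey{}, name)
}

// memAuthorizer is a constructed driver: identity -> entity URL path -> granted entitlements.
type memAuthorizer struct {
	grants map[string]map[string]map[Entitlement]bool
}

func (a *memAuthorizer) Driver() string { return "memory" }

func (a *memAuthorizer) has(ctx context.Context, path string, e Entitlement) bool {
	id, _ := ctx.Value(identityKey{}).(string)
	return a.grants[id][path][e] // indexing missing map levels yields false
}

// CheckPermission hides entities the caller cannot view (404) and reports 403 only when
// the caller can view the entity but lacks the requested entitlement.
func (a *memAuthorizer) CheckPermission(ctx context.Context, _ *http.Request, entityURL *url.URL, e Entitlement) error {
	if !a.has(ctx, entityURL.Path, EntitlementCanView) {
		return StatusError{Status: http.StatusNotFound, Msg: "not found"}
	}
	if !a.has(ctx, entityURL.Path, e) {
		return StatusError{Status: http.StatusForbidden, Msg: "forbidden"}
	}
	return nil
}

// GetPermissionChecker validates the entitlement against the entity type once and returns
// a closure that a list handler can apply to every candidate entity.
func (a *memAuthorizer) GetPermissionChecker(ctx context.Context, _ *http.Request, e Entitlement, t EntityType) (PermissionChecker, error) {
	if err := ValidateEntitlement(t, e); err != nil {
		return nil, err
	}
	return func(entityURL *url.URL) bool { return a.has(ctx, entityURL.Path, e) }, nil
}

// newExampleAuthorizer grants alice can_view (and nothing else) on instance c1; constructed data.
func newExampleAuthorizer() Authorizer {
	return &memAuthorizer{grants: map[string]map[string]map[Entitlement]bool{
		"alice": {"/1.0/instances/c1": {EntitlementCanView: true}},
	}}
}

func main() {
	a := newExampleAuthorizer()
	ctx := WithIdentity(context.Background(), "alice")
	for _, p := range []string{"/1.0/instances/c1", "/1.0/instances/c2"} {
		for _, e := range []Entitlement{EntitlementCanView, EntitlementCanEdit} {
			err := a.CheckPermission(ctx, nil, &url.URL{Path: p}, e)
			fmt.Printf("%s %s: err=%v denied=%t\n", p, e, err, IsDeniedError(err))
		}
	}
}
```

Callers should treat both outcomes of IsDeniedError the same way when mapping them to a response: a caller without view access must see the same "not found" whether or not the entity exists, otherwise the status code itself leaks which instance names are in use.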
Source Files ¶
Directories ¶
Path | Synopsis
---|---
 | This program reads an OpenFGA model in DSL format and generates a Go file containing a type definition for `Entitlement`, an Entitlement for each relation in the model that has a `group#member` as a directly related user type, and a map of entity type to list of entitlements that can be granted for that entity type.