auth

package
v0.0.0-...-04e0483
Published: Apr 25, 2024 License: AGPL-3.0 Imports: 20 Imported by: 0

Documentation

Constants

const (
	// DriverEmbeddedOpenFGA is the default authorization driver. It currently falls back to DriverTLS for all TLS
	// clients. It cannot be initialised until after the cluster database is operational.
	DriverEmbeddedOpenFGA string = "embedded-openfga"
)
const (
	// DriverTLS is used at start up to allow communication between cluster members and initialise the cluster database.
	DriverTLS string = "tls"
)

Variables

var ErrUnknownDriver = fmt.Errorf("Unknown driver")

ErrUnknownDriver is the "Unknown driver" error.

Functions

func IsDeniedError

func IsDeniedError(err error) bool

IsDeniedError returns true if the error is not found or forbidden. This is because the CheckPermission method on Authorizer will return a not found error if the requestor does not have access to view the resource. If a requestor has view access but not edit access, a forbidden error is returned.

func ValidateAuthenticationMethod

func ValidateAuthenticationMethod(authenticationMethod string) error

ValidateAuthenticationMethod returns an api.StatusError with http.StatusBadRequest if the given authentication method is not recognised.

func ValidateEntitlement

func ValidateEntitlement(entityType entity.Type, entitlement Entitlement) error

ValidateEntitlement returns an error if the given Entitlement does not apply to the entity.Type.

func WithConfig

func WithConfig(c map[string]any) func(*Opts)

WithConfig can be passed into LoadAuthorizer to pass in driver specific configuration.

func WithOpenFGADatastore

func WithOpenFGADatastore(store storage.OpenFGADatastore) func(*Opts)

WithOpenFGADatastore should be passed into LoadAuthorizer when using the embedded openfga driver.

Types

type Authorizer

type Authorizer interface {
	Driver() string

	CheckPermission(ctx context.Context, r *http.Request, entityURL *api.URL, entitlement Entitlement) error
	GetPermissionChecker(ctx context.Context, r *http.Request, entitlement Entitlement, entityType entity.Type) (PermissionChecker, error)
}

Authorizer is the primary external API for this package.

func LoadAuthorizer

func LoadAuthorizer(ctx context.Context, driver string, logger logger.Logger, certificateCache *identity.Cache, options ...func(opts *Opts)) (Authorizer, error)

LoadAuthorizer instantiates, configures, and initialises an Authorizer.

type Entitlement

type Entitlement string

Entitlement is a representation of the relations that group members can have with entity types.

const (
	// EntitlementCanView is the "can_view" entitlement. It applies to the following entities: entity.TypeCertificate, entity.TypeAuthGroup, entity.TypeIdentity, entity.TypeIdentityProviderGroup, entity.TypeImage, entity.TypeImageAlias, entity.TypeInstance, entity.TypeNetwork, entity.TypeNetworkACL, entity.TypeNetworkZone, entity.TypeProfile, entity.TypeProject, entity.TypeStorageBucket, entity.TypeStorageVolume.
	EntitlementCanView Entitlement = "can_view"

	// EntitlementCanEdit is the "can_edit" entitlement. It applies to the following entities: entity.TypeCertificate, entity.TypeAuthGroup, entity.TypeIdentity, entity.TypeIdentityProviderGroup, entity.TypeImage, entity.TypeImageAlias, entity.TypeInstance, entity.TypeNetwork, entity.TypeNetworkACL, entity.TypeNetworkZone, entity.TypeProfile, entity.TypeProject, entity.TypeServer, entity.TypeStorageBucket, entity.TypeStoragePool, entity.TypeStorageVolume.
	EntitlementCanEdit Entitlement = "can_edit"

	// EntitlementCanDelete is the "can_delete" entitlement. It applies to the following entities: entity.TypeCertificate, entity.TypeAuthGroup, entity.TypeIdentity, entity.TypeIdentityProviderGroup, entity.TypeImage, entity.TypeImageAlias, entity.TypeInstance, entity.TypeNetwork, entity.TypeNetworkACL, entity.TypeNetworkZone, entity.TypeProfile, entity.TypeProject, entity.TypeStorageBucket, entity.TypeStoragePool, entity.TypeStorageVolume.
	EntitlementCanDelete Entitlement = "can_delete"

	// EntitlementAdmin is the "admin" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementAdmin Entitlement = "admin"

	// EntitlementViewer is the "viewer" entitlement. It applies to the following entities: entity.TypeProject, entity.TypeServer.
	EntitlementViewer Entitlement = "viewer"

	// EntitlementPermissionManager is the "permission_manager" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementPermissionManager Entitlement = "permission_manager"

	// EntitlementCanViewPermissions is the "can_view_permissions" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewPermissions Entitlement = "can_view_permissions"

	// EntitlementCanCreateIdentities is the "can_create_identities" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateIdentities Entitlement = "can_create_identities"

	// EntitlementCanViewIdentities is the "can_view_identities" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewIdentities Entitlement = "can_view_identities"

	// EntitlementCanEditIdentities is the "can_edit_identities" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditIdentities Entitlement = "can_edit_identities"

	// EntitlementCanDeleteIdentities is the "can_delete_identities" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteIdentities Entitlement = "can_delete_identities"

	// EntitlementCanCreateGroups is the "can_create_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateGroups Entitlement = "can_create_groups"

	// EntitlementCanViewGroups is the "can_view_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewGroups Entitlement = "can_view_groups"

	// EntitlementCanEditGroups is the "can_edit_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditGroups Entitlement = "can_edit_groups"

	// EntitlementCanDeleteGroups is the "can_delete_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteGroups Entitlement = "can_delete_groups"

	// EntitlementCanCreateIdentityProviderGroups is the "can_create_identity_provider_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateIdentityProviderGroups Entitlement = "can_create_identity_provider_groups"

	// EntitlementCanViewIdentityProviderGroups is the "can_view_identity_provider_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewIdentityProviderGroups Entitlement = "can_view_identity_provider_groups"

	// EntitlementCanEditIdentityProviderGroups is the "can_edit_identity_provider_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditIdentityProviderGroups Entitlement = "can_edit_identity_provider_groups"

	// EntitlementCanDeleteIdentityProviderGroups is the "can_delete_identity_provider_groups" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteIdentityProviderGroups Entitlement = "can_delete_identity_provider_groups"

	// EntitlementStoragePoolManager is the "storage_pool_manager" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementStoragePoolManager Entitlement = "storage_pool_manager"

	// EntitlementCanCreateStoragePools is the "can_create_storage_pools" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateStoragePools Entitlement = "can_create_storage_pools"

	// EntitlementCanEditStoragePools is the "can_edit_storage_pools" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditStoragePools Entitlement = "can_edit_storage_pools"

	// EntitlementCanDeleteStoragePools is the "can_delete_storage_pools" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteStoragePools Entitlement = "can_delete_storage_pools"

	// EntitlementProjectManager is the "project_manager" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementProjectManager Entitlement = "project_manager"

	// EntitlementCanCreateProjects is the "can_create_projects" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanCreateProjects Entitlement = "can_create_projects"

	// EntitlementCanViewProjects is the "can_view_projects" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewProjects Entitlement = "can_view_projects"

	// EntitlementCanEditProjects is the "can_edit_projects" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanEditProjects Entitlement = "can_edit_projects"

	// EntitlementCanDeleteProjects is the "can_delete_projects" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanDeleteProjects Entitlement = "can_delete_projects"

	// EntitlementCanOverrideClusterTargetRestriction is the "can_override_cluster_target_restriction" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanOverrideClusterTargetRestriction Entitlement = "can_override_cluster_target_restriction"

	// EntitlementCanViewPrivilegedEvents is the "can_view_privileged_events" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewPrivilegedEvents Entitlement = "can_view_privileged_events"

	// EntitlementCanViewResources is the "can_view_resources" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewResources Entitlement = "can_view_resources"

	// EntitlementCanViewMetrics is the "can_view_metrics" entitlement. It applies to the following entities: entity.TypeProject, entity.TypeServer.
	EntitlementCanViewMetrics Entitlement = "can_view_metrics"

	// EntitlementCanViewWarnings is the "can_view_warnings" entitlement. It applies to the following entities: entity.TypeServer.
	EntitlementCanViewWarnings Entitlement = "can_view_warnings"

	// EntitlementOperator is the "operator" entitlement. It applies to the following entities: entity.TypeInstance, entity.TypeProject.
	EntitlementOperator Entitlement = "operator"

	// EntitlementImageManager is the "image_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementImageManager Entitlement = "image_manager"

	// EntitlementCanCreateImages is the "can_create_images" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateImages Entitlement = "can_create_images"

	// EntitlementCanViewImages is the "can_view_images" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewImages Entitlement = "can_view_images"

	// EntitlementCanEditImages is the "can_edit_images" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditImages Entitlement = "can_edit_images"

	// EntitlementCanDeleteImages is the "can_delete_images" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteImages Entitlement = "can_delete_images"

	// EntitlementImageAliasManager is the "image_alias_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementImageAliasManager Entitlement = "image_alias_manager"

	// EntitlementCanCreateImageAliases is the "can_create_image_aliases" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateImageAliases Entitlement = "can_create_image_aliases"

	// EntitlementCanViewImageAliases is the "can_view_image_aliases" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewImageAliases Entitlement = "can_view_image_aliases"

	// EntitlementCanEditImageAliases is the "can_edit_image_aliases" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditImageAliases Entitlement = "can_edit_image_aliases"

	// EntitlementCanDeleteImageAliases is the "can_delete_image_aliases" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteImageAliases Entitlement = "can_delete_image_aliases"

	// EntitlementInstanceManager is the "instance_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementInstanceManager Entitlement = "instance_manager"

	// EntitlementCanCreateInstances is the "can_create_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateInstances Entitlement = "can_create_instances"

	// EntitlementCanViewInstances is the "can_view_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewInstances Entitlement = "can_view_instances"

	// EntitlementCanEditInstances is the "can_edit_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditInstances Entitlement = "can_edit_instances"

	// EntitlementCanDeleteInstances is the "can_delete_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteInstances Entitlement = "can_delete_instances"

	// EntitlementCanOperateInstances is the "can_operate_instances" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanOperateInstances Entitlement = "can_operate_instances"

	// EntitlementNetworkManager is the "network_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementNetworkManager Entitlement = "network_manager"

	// EntitlementCanCreateNetworks is the "can_create_networks" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateNetworks Entitlement = "can_create_networks"

	// EntitlementCanViewNetworks is the "can_view_networks" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewNetworks Entitlement = "can_view_networks"

	// EntitlementCanEditNetworks is the "can_edit_networks" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditNetworks Entitlement = "can_edit_networks"

	// EntitlementCanDeleteNetworks is the "can_delete_networks" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteNetworks Entitlement = "can_delete_networks"

	// EntitlementNetworkACLManager is the "network_acl_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementNetworkACLManager Entitlement = "network_acl_manager"

	// EntitlementCanCreateNetworkACLs is the "can_create_network_acls" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateNetworkACLs Entitlement = "can_create_network_acls"

	// EntitlementCanViewNetworkACLs is the "can_view_network_acls" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewNetworkACLs Entitlement = "can_view_network_acls"

	// EntitlementCanEditNetworkACLs is the "can_edit_network_acls" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditNetworkACLs Entitlement = "can_edit_network_acls"

	// EntitlementCanDeleteNetworkACLs is the "can_delete_network_acls" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteNetworkACLs Entitlement = "can_delete_network_acls"

	// EntitlementNetworkZoneManager is the "network_zone_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementNetworkZoneManager Entitlement = "network_zone_manager"

	// EntitlementCanCreateNetworkZones is the "can_create_network_zones" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateNetworkZones Entitlement = "can_create_network_zones"

	// EntitlementCanViewNetworkZones is the "can_view_network_zones" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewNetworkZones Entitlement = "can_view_network_zones"

	// EntitlementCanEditNetworkZones is the "can_edit_network_zones" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditNetworkZones Entitlement = "can_edit_network_zones"

	// EntitlementCanDeleteNetworkZones is the "can_delete_network_zones" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteNetworkZones Entitlement = "can_delete_network_zones"

	// EntitlementProfileManager is the "profile_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementProfileManager Entitlement = "profile_manager"

	// EntitlementCanCreateProfiles is the "can_create_profiles" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateProfiles Entitlement = "can_create_profiles"

	// EntitlementCanViewProfiles is the "can_view_profiles" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewProfiles Entitlement = "can_view_profiles"

	// EntitlementCanEditProfiles is the "can_edit_profiles" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditProfiles Entitlement = "can_edit_profiles"

	// EntitlementCanDeleteProfiles is the "can_delete_profiles" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteProfiles Entitlement = "can_delete_profiles"

	// EntitlementStorageVolumeManager is the "storage_volume_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementStorageVolumeManager Entitlement = "storage_volume_manager"

	// EntitlementCanCreateStorageVolumes is the "can_create_storage_volumes" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateStorageVolumes Entitlement = "can_create_storage_volumes"

	// EntitlementCanViewStorageVolumes is the "can_view_storage_volumes" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewStorageVolumes Entitlement = "can_view_storage_volumes"

	// EntitlementCanEditStorageVolumes is the "can_edit_storage_volumes" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditStorageVolumes Entitlement = "can_edit_storage_volumes"

	// EntitlementCanDeleteStorageVolumes is the "can_delete_storage_volumes" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteStorageVolumes Entitlement = "can_delete_storage_volumes"

	// EntitlementStorageBucketManager is the "storage_bucket_manager" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementStorageBucketManager Entitlement = "storage_bucket_manager"

	// EntitlementCanCreateStorageBuckets is the "can_create_storage_buckets" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanCreateStorageBuckets Entitlement = "can_create_storage_buckets"

	// EntitlementCanViewStorageBuckets is the "can_view_storage_buckets" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewStorageBuckets Entitlement = "can_view_storage_buckets"

	// EntitlementCanEditStorageBuckets is the "can_edit_storage_buckets" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanEditStorageBuckets Entitlement = "can_edit_storage_buckets"

	// EntitlementCanDeleteStorageBuckets is the "can_delete_storage_buckets" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanDeleteStorageBuckets Entitlement = "can_delete_storage_buckets"

	// EntitlementCanViewOperations is the "can_view_operations" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewOperations Entitlement = "can_view_operations"

	// EntitlementCanViewEvents is the "can_view_events" entitlement. It applies to the following entities: entity.TypeProject.
	EntitlementCanViewEvents Entitlement = "can_view_events"

	// EntitlementUser is the "user" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementUser Entitlement = "user"

	// EntitlementCanUpdateState is the "can_update_state" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanUpdateState Entitlement = "can_update_state"

	// EntitlementCanManageSnapshots is the "can_manage_snapshots" entitlement. It applies to the following entities: entity.TypeInstance, entity.TypeStorageVolume.
	EntitlementCanManageSnapshots Entitlement = "can_manage_snapshots"

	// EntitlementCanManageBackups is the "can_manage_backups" entitlement. It applies to the following entities: entity.TypeInstance, entity.TypeStorageVolume.
	EntitlementCanManageBackups Entitlement = "can_manage_backups"

	// EntitlementCanConnectSFTP is the "can_connect_sftp" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanConnectSFTP Entitlement = "can_connect_sftp"

	// EntitlementCanAccessFiles is the "can_access_files" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanAccessFiles Entitlement = "can_access_files"

	// EntitlementCanAccessConsole is the "can_access_console" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanAccessConsole Entitlement = "can_access_console"

	// EntitlementCanExec is the "can_exec" entitlement. It applies to the following entities: entity.TypeInstance.
	EntitlementCanExec Entitlement = "can_exec"
)

func EntitlementsByEntityType

func EntitlementsByEntityType(entityType entity.Type) []Entitlement

EntitlementsByEntityType returns a list of available Entitlement for the entity.Type.

type Opts

type Opts struct {
	// contains filtered or unexported fields
}

Opts is used as part of the LoadAuthorizer function so that only the relevant configuration fields are passed into a particular driver.

type PermissionChecker

type PermissionChecker func(entityURL *api.URL) bool

PermissionChecker is a type alias for a function that returns whether a user has required permissions on an object. It is returned by Authorizer.GetPermissionChecker.
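The CheckPermission contract that IsDeniedError relies on (not found without view access, forbidden with view but not the requested entitlement) and the PermissionChecker closure form from GetPermissionChecker, shown together as an added example with an in-memory stand-in authorizer; this is not the auth package's own code. Only Entitlement and its two constants mirror names on the page; statusError, memAuthorizer, filterVisible, sampleGrants and the subject names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Stand-in types for this example, not the auth package's own code; only Entitlement
// and its two constants mirror names on the page.
type Entitlement string

const EntitlementCanView, EntitlementCanEdit Entitlement = "can_view", "can_edit"

// statusError stands in for api.StatusError: an error carrying an HTTP status.
type statusError struct{ status int }

func (e statusError) Error() string { return http.StatusText(e.status) }

// isDeniedError follows the documented IsDeniedError: not found (no view access) and
// forbidden (view but not the requested entitlement) are both denials, not just 403.
func isDeniedError(err error) bool {
	var se statusError
	return errors.As(err, &se) && (se.status == http.StatusNotFound || se.status == http.StatusForbidden)
}

// memAuthorizer is an in-memory stand-in: subject -> entity URL -> entitlements held.
type memAuthorizer struct{ grants map[string]map[string]map[Entitlement]bool }

// CheckPermission applies the documented contract: no view access yields not found,
// view without the requested entitlement yields forbidden, a full match yields nil.
// Lookups through missing map keys are safely false in Go, so no nil checks are needed.
func (a memAuthorizer) CheckPermission(subject, url string, e Entitlement) error {
	if !a.grants[subject][url][EntitlementCanView] {
		return statusError{http.StatusNotFound}
	}
	if !a.grants[subject][url][e] {
		return statusError{http.StatusForbidden}
	}
	return nil
}

// GetPermissionChecker returns the PermissionChecker closure form for filtering a listing.
func (a memAuthorizer) GetPermissionChecker(subject string, e Entitlement) func(string) bool {
	return func(url string) bool { return a.grants[subject][url][e] }
}

// filterVisible keeps only the URLs the checker permits (the list-endpoint pattern).
func filterVisible(check func(string) bool, urls []string) (out []string) {
	for _, u := range urls {
		if check(u) {
			out = append(out, u)
		}
	}
	return out
}

// sampleGrants is a constructed grant table: alice can only view c1, bob can edit c1 and view c2.
func sampleGrants() memAuthorizer {
	return memAuthorizer{grants: map[string]map[string]map[Entitlement]bool{
		"alice": {"/1.0/instances/c1": {EntitlementCanView: true}},
		"bob":   {"/1.0/instances/c1": {EntitlementCanView: true, EntitlementCanEdit: true}, "/1.0/instances/c2": {EntitlementCanView: true}},
	}}
}

func main() {
	a := sampleGrants()
	fmt.Println(isDeniedError(a.CheckPermission("alice", "/1.0/instances/c1", EntitlementCanEdit))) // true
	fmt.Println(filterVisible(a.GetPermissionChecker("bob", EntitlementCanEdit), []string{"/1.0/instances/c1", "/1.0/instances/c2"})) // [/1.0/instances/c1]
}
```

A subject with no grants at all (carol in the sample) gets not found rather than forbidden, which is exactly the case a caller testing only for 403 would miss.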

Directories

Synopsis: This program reads an OpenFGA model in DSL format and generates a Go file containing a type definition for `Entitlement`, an Entitlement for each relation in the model that has `group#member` as a directly related user type, and a map of entity type to list of entitlements that can be granted for that entity type.
