groupauth

package

v0.2.2-beta Latest Latest Go to latest Published: Apr 8, 2026 License: Apache-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/krkn-chaos/krkn-operator

Links

Open Source Insights

Documentation ¶

Overview ¶

Package groupauth provides group-based authorization and permission management for cluster access control. It supports label-based group membership and permission aggregation across multiple user groups.

Index ¶

Constants
func AggregateClusterPermissions(userGroups []krknv1alpha1.KrknUserGroup) map[string][]Action
func CanPerformAction(userGroups []krknv1alpha1.KrknUserGroup, clusterAPIURL string, action Action) bool
func CountGroupMembers(ctx context.Context, k8sClient client.Client, groupName, namespace string) (int, error)
func ExtractGroupNamesFromLabels(labels map[string]string) []string
func FilterClustersByPermission(ctx context.Context, k8sClient client.Client, userID string, namespace string, ...) (map[string][]krknv1alpha1.ClusterTarget, error)
func GetUserGroups(ctx context.Context, k8sClient client.Client, userID, namespace string) ([]krknv1alpha1.KrknUserGroup, error)
func GroupLabelKey(groupName string) string
func HasClusterPermission(ctx context.Context, k8sClient client.Client, userID string, namespace string, ...) (bool, error)
func IsValidAction(action string) bool
func SanitizeGroupName(groupName string) string
func ValidateScenarioRunAccess(ctx context.Context, k8sClient client.Client, userID string, namespace string, ...) error
type Action

Constants ¶

View Source

const GroupLabelPrefix = "group.krkn.krkn-chaos.dev/"

GroupLabelPrefix is the label prefix for group membership on KrknUser CRs Format: group.krkn.krkn-chaos.dev/<group-name>=true

Variables ¶

This section is empty.

Functions ¶

func AggregateClusterPermissions ¶

func AggregateClusterPermissions(userGroups []krknv1alpha1.KrknUserGroup) map[string][]Action

AggregateClusterPermissions aggregates permissions from all user groups. Permissions are combined using union logic - if any group grants an action, it's allowed.

Parameters:

userGroups: List of groups the user belongs to

Returns a map of clusterAPIURL -> list of allowed actions.

func CanPerformAction ¶

func CanPerformAction(userGroups []krknv1alpha1.KrknUserGroup, clusterAPIURL string, action Action) bool

CanPerformAction checks if the user can perform the given action on the cluster.

Parameters:

userGroups: List of groups the user belongs to
clusterAPIURL: The cluster API URL to check
action: The action to validate (view, run, cancel)

Returns true if the user has permission, false otherwise.

func CountGroupMembers ¶

func CountGroupMembers(ctx context.Context, k8sClient client.Client, groupName, namespace string) (int, error)

CountGroupMembers counts the number of KrknUsers that belong to a group. Used for populating group metadata/stats.

Parameters:

ctx: Context for the request
k8sClient: Kubernetes client
groupName: Name of the group
namespace: Namespace where users are located

Returns the count of members, or an error.

func ExtractGroupNamesFromLabels ¶

func ExtractGroupNamesFromLabels(labels map[string]string) []string

ExtractGroupNamesFromLabels extracts group names from KrknUser labels Returns a list of group names the user belongs to

func FilterClustersByPermission ¶

func FilterClustersByPermission(
	ctx context.Context,
	k8sClient client.Client,
	userID string,
	namespace string,
	targetData map[string][]krknv1alpha1.ClusterTarget,
	requiredAction Action,
) (map[string][]krknv1alpha1.ClusterTarget, error)

FilterClustersByPermission filters clusters based on user permissions. Only returns clusters the user has the specified action permission for.

Parameters:

ctx: Context for the request
k8sClient: Kubernetes client
userID: Email address of the user
namespace: Namespace where CRs are located
targetData: Map of provider -> cluster targets from KrknTargetRequest
requiredAction: The action required (typically ActionView for GET /clusters)

Returns filtered targetData containing only permitted clusters.

func GetUserGroups ¶

func GetUserGroups(ctx context.Context, k8sClient client.Client, userID, namespace string) ([]krknv1alpha1.KrknUserGroup, error)

GetUserGroups fetches all KrknUserGroup CRs that the user belongs to. Membership is determined by labels on the KrknUser CR.

Parameters:

ctx: Context for the request
k8sClient: Kubernetes client for API calls
userID: Email address of the user
namespace: Namespace where CRs are located

Returns the list of groups the user belongs to, or an error.

func GroupLabelKey ¶

func GroupLabelKey(groupName string) string

GroupLabelKey returns the label key for a group name Example: "dev-team" -> "group.krkn.krkn-chaos.dev/dev-team"

func HasClusterPermission ¶

func HasClusterPermission(
	ctx context.Context,
	k8sClient client.Client,
	userID string,
	namespace string,
	clusterAPIURL string,
	action Action,
) (bool, error)

HasClusterPermission checks if a user has a specific permission on a cluster. This is a convenience wrapper that combines GetUserGroups and CanPerformAction.

Parameters:

ctx: Context for the request
k8sClient: Kubernetes client
userID: Email address of the user
namespace: Namespace where user and group CRs are located
clusterAPIURL: The cluster API URL to check permission for
action: The action to check (e.g., ActionView, ActionRun, ActionCancel)

Returns true if the user has the permission, false otherwise.

func IsValidAction ¶

func IsValidAction(action string) bool

IsValidAction checks if the given action is valid

func SanitizeGroupName ¶

func SanitizeGroupName(groupName string) string

SanitizeGroupName sanitizes a group name to be valid as a Kubernetes label name - Replaces invalid characters with hyphens - Converts to lowercase - Ensures it starts/ends with alphanumeric Note: Does NOT truncate. Caller must validate length (63 char limit for K8s labels).

func ValidateScenarioRunAccess ¶

func ValidateScenarioRunAccess(
	ctx context.Context,
	k8sClient client.Client,
	userID string,
	namespace string,
	targetClusters map[string][]string,
	targetRequest *krknv1alpha1.KrknTargetRequest,
) error

ValidateScenarioRunAccess validates that a user has permission to run scenarios on all specified target clusters.

This function: 1. Fetches the user's groups 2. Aggregates permissions from all groups 3. Validates the user has 'run' permission on each target cluster

Parameters:

ctx: Context for the request
k8sClient: Kubernetes client for API calls
userID: Email address of the user
namespace: Namespace where CRs are located
targetClusters: Map of provider -> cluster names to validate
targetRequest: The KrknTargetRequest containing cluster API URLs

Returns nil if validation passes, or an error describing the permission violation.

Types ¶

type Action ¶

type Action string

Action represents a permission action that can be performed on a cluster

const (
	// ActionView allows viewing cluster details and scenario runs
	ActionView Action = "view"

	// ActionRun allows launching chaos scenarios on the cluster
	ActionRun Action = "run"

	// ActionCancel allows canceling running chaos scenarios
	ActionCancel Action = "cancel"
)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL