


Package auth provides mechanisms for enforcing authorization to Project resources in OpenShift.







func NewUserProjectWatcher added in v1.3.0

func NewUserProjectWatcher(user user.Info, visibleNamespaces sets.String, projectCache *projectcache.ProjectCache, authCache WatchableCache, includeAllExistingProjects bool, predicate kstorage.SelectionPredicate) *userProjectWatcher


type AuthorizationCache

type AuthorizationCache struct {
	// contains filtered or unexported fields

AuthorizationCache maintains a cache on the set of namespaces a user or group can access.

func NewAuthorizationCache

func NewAuthorizationCache(
	namespaceLister corev1listers.NamespaceLister,
	namespaceLastSyncResourceVersioner LastSyncResourceVersioner,
	reviewer Reviewer,
	informers rbacv1informers.Interface,
) *AuthorizationCache

NewAuthorizationCache creates a new AuthorizationCache.

func (*AuthorizationCache) AddWatcher added in v1.3.0

func (ac *AuthorizationCache) AddWatcher(watcher CacheWatcher)

func (*AuthorizationCache) GetClusterRoleLister

func (ac *AuthorizationCache) GetClusterRoleLister() SyncedClusterRoleLister

func (*AuthorizationCache) List

func (ac *AuthorizationCache) List(userInfo user.Info, selector labels.Selector) (*corev1.NamespaceList, error)

List returns the set of namespace names the user has access to view.

func (*AuthorizationCache) ReadyForAccess

func (ac *AuthorizationCache) ReadyForAccess() bool

func (*AuthorizationCache) RemoveWatcher added in v1.3.0

func (ac *AuthorizationCache) RemoveWatcher(watcher CacheWatcher)

func (*AuthorizationCache) Run

func (ac *AuthorizationCache) Run(period time.Duration)

Run begins watching and synchronizing the cache.

type CacheWatcher added in v1.3.0

type CacheWatcher interface {
	// GroupMembershipChanged is called serially for all changes for all watchers.  This method MUST NOT BLOCK.
	// The serial nature makes reasoning about the code easy, but if you block in this method you will doom all watchers.
	GroupMembershipChanged(namespaceName string, users, groups sets.String)

type LastSyncResourceVersioner

type LastSyncResourceVersioner interface {
	LastSyncResourceVersion() string

LastSyncResourceVersioner is any object that can report a LastSyncResourceVersion.

type Lister

type Lister interface {
	// List returns the list of Namespace items that the user can access
	List(user user.Info, selector labels.Selector) (*corev1.NamespaceList, error)

Lister enforces the ability to enumerate a resource based on role.

type Review

type Review interface {
	Users() []string
	Groups() []string
	EvaluationError() string

Review is the list of users and groups that can access a resource.

type Reviewer

type Reviewer interface {
	Review(name string) (Review, error)

Reviewer performs access reviews for a project, identified by name.

func NewAuthorizerReviewer added in v1.0.8

func NewAuthorizerReviewer(policyChecker rbac.SubjectLocator) Reviewer

type SyncedClusterRoleLister

type SyncedClusterRoleLister interface {

type SyncedRoleBindingLister

type SyncedRoleBindingLister interface {

type SyncedRoleLister

type SyncedRoleLister interface {

type WatchableCache added in v1.3.0

type WatchableCache interface {
	// RemoveWatcher removes a watcher
	// List returns the set of namespace names the user has access to view
	List(userInfo user.Info, selector labels.Selector) (*corev1.NamespaceList, error)
