Documentation

Overview

Package authorization is a generated protocol buffer package.

The `authorization` template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer adapters to make decisions about who is allowed to do what.

Example config:

```yaml
apiVersion: "config.istio.io/v1alpha2"
kind: authorization
metadata:
  name: authinfo
  namespace: istio-system
spec:
  subject:
    user: source.principal | request.auth.principal | ""
    groups: request.auth.claims["groups"] | ""
    properties:
      iss: request.auth.claims["iss"]
  action:
    namespace: destination.namespace | "default"
    service: destination.service.host | ""
    path: request.path | "/"
    method: request.method | "post"
    properties:
      version: destination.labels[version] | ""
```

The `authorization` template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer adapters to make decisions about who is allowed to do what. In this template, the "who" is defined in a Subject message. The "what" is defined in an Action message. During a Mixer Check call, these values will be populated based on configuration from request attributes and passed to individual authorization adapters to adjudicate.

It is generated from these files:

mixer/template/authorization/template_handler_service.proto

It has these top-level messages:

HandleAuthorizationRequest
InstanceMsg
SubjectMsg
ActionMsg
Type
SubjectType
ActionType
InstanceParam
SubjectInstanceParam
ActionInstanceParam


Constants

// TemplateName is the fully qualified name of the 'authorization' template.
const TemplateName = "authorization"

Fully qualified name of the template.


Variables

var (
	// ErrInvalidLengthTemplateHandlerService is the sentinel error for a
	// negative length read while unmarshaling (presumably surfaced by the
	// generated Unmarshal methods of this package). Compare with errors.Is.
	ErrInvalidLengthTemplateHandlerService = fmt.Errorf("proto: negative length found during unmarshaling")
	// ErrIntOverflowTemplateHandlerService is the sentinel error for an
	// integer (varint) overflow encountered while unmarshaling.
	ErrIntOverflowTemplateHandlerService   = fmt.Errorf("proto: integer overflow")
)

Functions

func RegisterHandleAuthorizationServiceServer

func RegisterHandleAuthorizationServiceServer(s *grpc.Server, srv HandleAuthorizationServiceServer)

Types

type Action

// Action defines "how a resource is accessed". It is the adapter-facing
// (non-proto) form of the action half of an 'authorization' Instance.
type Action struct {

	// Namespace the target action is taking place in.
	Namespace string

	// The Service the action is being taken on.
	Service string

	// What action is being taken.
	Method string

	// HTTP REST path within the service
	Path string

	// Additional data about the action for use in policy.
	// Values are untyped (interface{}); an adapter must type-assert them
	// before comparing against policy rather than assuming a string.
	Properties map[string]interface{}
}

An action defines "how a resource is accessed".

type ActionInstanceParam

// ActionInstanceParam is the instance-configuration schema for an Action.
// Each string field presumably holds the attribute expression written in
// config (e.g. `destination.namespace | "default"` in the example above),
// not a resolved value; resolved values arrive in ActionMsg / Action.
type ActionInstanceParam struct {
	Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"`

	Service string `protobuf:"bytes,2,opt,name=service,proto3" json:"service,omitempty"`

	Method string `protobuf:"bytes,3,opt,name=method,proto3" json:"method,omitempty"`

	Path string `protobuf:"bytes,4,opt,name=path,proto3" json:"path,omitempty"`

	Properties map[string]string "" /* 154 byte string literal not displayed */
}

An action defines "how a resource is accessed".

func (*ActionInstanceParam) Descriptor

func (*ActionInstanceParam) Descriptor() ([]byte, []int)

func (*ActionInstanceParam) Marshal

func (m *ActionInstanceParam) Marshal() (dAtA []byte, err error)

func (*ActionInstanceParam) MarshalTo

func (m *ActionInstanceParam) MarshalTo(dAtA []byte) (int, error)

func (*ActionInstanceParam) ProtoMessage

func (*ActionInstanceParam) ProtoMessage()

func (*ActionInstanceParam) Reset

func (m *ActionInstanceParam) Reset()

func (*ActionInstanceParam) Size

func (m *ActionInstanceParam) Size() (n int)

func (*ActionInstanceParam) String

func (this *ActionInstanceParam) String() string

func (*ActionInstanceParam) Unmarshal

func (m *ActionInstanceParam) Unmarshal(dAtA []byte) error

type ActionMsg

// ActionMsg is the wire (proto) form of an Action, carried inside InstanceMsg
// when an instance is delivered to an infrastructure backend.
// An action defines "how a resource is accessed".
type ActionMsg struct {
	Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"`

	Service string `protobuf:"bytes,2,opt,name=service,proto3" json:"service,omitempty"`

	Method string `protobuf:"bytes,3,opt,name=method,proto3" json:"method,omitempty"`

	Path string `protobuf:"bytes,4,opt,name=path,proto3" json:"path,omitempty"`

	Properties map[string]*istio_policy_v1beta11.Value "" /* 147 byte string literal not displayed */
}

An action defines "how a resource is accessed".

func (*ActionMsg) Descriptor

func (*ActionMsg) Descriptor() ([]byte, []int)

func (*ActionMsg) Marshal

func (m *ActionMsg) Marshal() (dAtA []byte, err error)

func (*ActionMsg) MarshalTo

func (m *ActionMsg) MarshalTo(dAtA []byte) (int, error)

func (*ActionMsg) ProtoMessage

func (*ActionMsg) ProtoMessage()

func (*ActionMsg) Reset

func (m *ActionMsg) Reset()

func (*ActionMsg) Size

func (m *ActionMsg) Size() (n int)

func (*ActionMsg) String

func (this *ActionMsg) String() string

func (*ActionMsg) Unmarshal

func (m *ActionMsg) Unmarshal(dAtA []byte) error

type ActionType

// ActionType is the action half of Type: it carries the inferred ValueType
// of each entry in the action's Properties map, keyed by property name.
type ActionType struct {
	Properties map[string]istio_policy_v1beta1.ValueType "" /* 191 byte string literal not displayed */
}

An action defines "how a resource is accessed".

func (*ActionType) Descriptor

func (*ActionType) Descriptor() ([]byte, []int)

func (*ActionType) Marshal

func (m *ActionType) Marshal() (dAtA []byte, err error)

func (*ActionType) MarshalTo

func (m *ActionType) MarshalTo(dAtA []byte) (int, error)

func (*ActionType) ProtoMessage

func (*ActionType) ProtoMessage()

func (*ActionType) Reset

func (m *ActionType) Reset()

func (*ActionType) Size

func (m *ActionType) Size() (n int)

func (*ActionType) String

func (this *ActionType) String() string

func (*ActionType) Unmarshal

func (m *ActionType) Unmarshal(dAtA []byte) error

type HandleAuthorizationRequest

// HandleAuthorizationRequest is the request message for the HandleAuthorization
// method of HandleAuthorizationService.
type HandleAuthorizationRequest struct {
	// 'authorization' instance.
	Instance *InstanceMsg `protobuf:"bytes,1,opt,name=instance" json:"instance,omitempty"`
	// Adapter specific handler configuration.
	//
	// Note: Backends can also implement [InfrastructureBackend][https://istio.io/docs/reference/config/mixer/istio.mixer.adapter.model.v1beta1.html#InfrastructureBackend]
	// service and therefore opt to receive handler configuration during session creation through [InfrastructureBackend.CreateSession][TODO: Link to this fragment]
	// call. In that case, adapter_config will have type_url as 'google.protobuf.Any.type_url' and would contain string
	// value of session_id (returned from InfrastructureBackend.CreateSession).
	AdapterConfig *google_protobuf1.Any `protobuf:"bytes,2,opt,name=adapter_config,json=adapterConfig" json:"adapter_config,omitempty"`
	// Id to dedupe identical requests from Mixer.
	DedupId string `protobuf:"bytes,3,opt,name=dedup_id,json=dedupId,proto3" json:"dedup_id,omitempty"`
}

Request message for HandleAuthorization method.

func (*HandleAuthorizationRequest) Descriptor

func (*HandleAuthorizationRequest) Descriptor() ([]byte, []int)

func (*HandleAuthorizationRequest) Marshal

func (m *HandleAuthorizationRequest) Marshal() (dAtA []byte, err error)

func (*HandleAuthorizationRequest) MarshalTo

func (m *HandleAuthorizationRequest) MarshalTo(dAtA []byte) (int, error)

func (*HandleAuthorizationRequest) ProtoMessage

func (*HandleAuthorizationRequest) ProtoMessage()

func (*HandleAuthorizationRequest) Reset

func (m *HandleAuthorizationRequest) Reset()

func (*HandleAuthorizationRequest) Size

func (m *HandleAuthorizationRequest) Size() (n int)

func (*HandleAuthorizationRequest) String

func (this *HandleAuthorizationRequest) String() string

func (*HandleAuthorizationRequest) Unmarshal

func (m *HandleAuthorizationRequest) Unmarshal(dAtA []byte) error

type HandleAuthorizationServiceClient

// HandleAuthorizationServiceClient is the gRPC client side of
// HandleAuthorizationService, obtained via NewHandleAuthorizationServiceClient.
type HandleAuthorizationServiceClient interface {
	// HandleAuthorization is called by Mixer at request-time to deliver 'authorization' instances to the backend.
	HandleAuthorization(ctx context.Context, in *HandleAuthorizationRequest, opts ...grpc.CallOption) (*istio_mixer_adapter_model_v1beta11.CheckResult, error)
}

func NewHandleAuthorizationServiceClient

func NewHandleAuthorizationServiceClient(cc *grpc.ClientConn) HandleAuthorizationServiceClient

type HandleAuthorizationServiceServer

// HandleAuthorizationServiceServer is the gRPC server side of
// HandleAuthorizationService; implementations are registered with
// RegisterHandleAuthorizationServiceServer.
type HandleAuthorizationServiceServer interface {
	// HandleAuthorization is called by Mixer at request-time to deliver 'authorization' instances to the backend.
	HandleAuthorization(context.Context, *HandleAuthorizationRequest) (*istio_mixer_adapter_model_v1beta11.CheckResult, error)
}

type Handler

// Handler must be implemented by adapter code that wants to process data
// associated with the 'authorization' template. Mixer calls it at request
// time to dispatch created instances to the adapter.
type Handler interface {
	adapter.Handler

	// HandleAuthorization is called by Mixer at request time to deliver instances
	// to an adapter.
	HandleAuthorization(context.Context, *Instance) (adapter.CheckResult, error)
}

Handler must be implemented by adapter code if it wants to process data associated with the 'authorization' template.

Mixer uses this interface to call into the adapter at request time in order to dispatch created instances to the adapter. Adapters take the incoming instances and do what they need to achieve their primary function.

The name of each instance can be used as a key into the Type map supplied to the adapter at configuration time via the method 'SetAuthorizationTypes'. The Type associated with an instance describes the shape of that instance.

type HandlerBuilder

// HandlerBuilder must be implemented by adapters that want to process data
// associated with the 'authorization' template. Mixer calls it at
// configuration time with adapter-specific configuration and the
// template-specific type information.
type HandlerBuilder interface {
	adapter.HandlerBuilder

	// SetAuthorizationTypes is invoked by Mixer to pass the template-specific Type information for instances that an adapter
	// may receive at runtime. The type information describes the shape of the instance.
	SetAuthorizationTypes(map[string]*Type)
}

HandlerBuilder must be implemented by adapters if they want to process data associated with the 'authorization' template.

Mixer uses this interface to call into the adapter at configuration time to configure it with adapter-specific configuration as well as all template-specific type information.

type Instance

// Instance is constructed by Mixer for the 'authorization' template and
// handed to Handler.HandleAuthorization. Its Name keys the Type map given to
// HandlerBuilder.SetAuthorizationTypes.
type Instance struct {
	// Name of the instance as specified in configuration.
	Name string

	// A subject contains a list of attributes that identify
	// the caller identity.
	Subject *Subject

	// An action defines "how a resource is accessed".
	Action *Action
}

Instance is constructed by Mixer for the 'authorization' template.

The `authorization` template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer adapters to make decisions about who is allowed to do what. In this template, the "who" is defined in a Subject message. The "what" is defined in an Action message. During a Mixer Check call, these values will be populated based on configuration from request attributes and passed to individual authorization adapters to adjudicate.

type InstanceMsg

// InstanceMsg contains the instance payload for the 'authorization' template.
// It is passed to infrastructure backends at request time through
// HandleAuthorizationService.HandleAuthorization.
type InstanceMsg struct {
	// Name of the instance as specified in configuration.
	Name string `protobuf:"bytes,72295727,opt,name=name,proto3" json:"name,omitempty"`
	// A subject contains a list of attributes that identify
	// the caller identity.
	Subject *SubjectMsg `protobuf:"bytes,1,opt,name=subject" json:"subject,omitempty"`
	// An action defines "how a resource is accessed".
	Action *ActionMsg `protobuf:"bytes,2,opt,name=action" json:"action,omitempty"`
}

Contains instance payload for 'authorization' template. This is passed to infrastructure backends during request-time through HandleAuthorizationService.HandleAuthorization.

func (*InstanceMsg) Descriptor

func (*InstanceMsg) Descriptor() ([]byte, []int)

func (*InstanceMsg) Marshal

func (m *InstanceMsg) Marshal() (dAtA []byte, err error)

func (*InstanceMsg) MarshalTo

func (m *InstanceMsg) MarshalTo(dAtA []byte) (int, error)

func (*InstanceMsg) ProtoMessage

func (*InstanceMsg) ProtoMessage()

func (*InstanceMsg) Reset

func (m *InstanceMsg) Reset()

func (*InstanceMsg) Size

func (m *InstanceMsg) Size() (n int)

func (*InstanceMsg) String

func (this *InstanceMsg) String() string

func (*InstanceMsg) Unmarshal

func (m *InstanceMsg) Unmarshal(dAtA []byte) error

type InstanceParam

// InstanceParam represents the instance configuration schema for the
// 'authorization' template (the `spec` of the example config above).
type InstanceParam struct {
	// A subject contains a list of attributes that identify
	// the caller identity.
	Subject *SubjectInstanceParam `protobuf:"bytes,1,opt,name=subject" json:"subject,omitempty"`
	// An action defines "how a resource is accessed".
	Action *ActionInstanceParam `protobuf:"bytes,2,opt,name=action" json:"action,omitempty"`
}

Represents instance configuration schema for 'authorization' template.

func (*InstanceParam) Descriptor

func (*InstanceParam) Descriptor() ([]byte, []int)

func (*InstanceParam) Marshal

func (m *InstanceParam) Marshal() (dAtA []byte, err error)

func (*InstanceParam) MarshalTo

func (m *InstanceParam) MarshalTo(dAtA []byte) (int, error)

func (*InstanceParam) ProtoMessage

func (*InstanceParam) ProtoMessage()

func (*InstanceParam) Reset

func (m *InstanceParam) Reset()

func (*InstanceParam) Size

func (m *InstanceParam) Size() (n int)

func (*InstanceParam) String

func (this *InstanceParam) String() string

func (*InstanceParam) Unmarshal

func (m *InstanceParam) Unmarshal(dAtA []byte) error

type Subject

// Subject contains a list of attributes that identify the caller identity.
// It is the adapter-facing (non-proto) form of the subject half of an
// 'authorization' Instance.
type Subject struct {

	// The user name/ID that the subject represents.
	// The example config on this page falls back to "" when neither
	// source.principal nor request.auth.principal is available, so an empty
	// User means no authenticated principal was established for the request.
	User string

	// Groups the subject belongs to depending on the authentication mechanism,
	// "groups" are normally populated from JWT claim or client certificate.
	// The operator can define how it is populated when creating an instance of
	// the template.
	Groups string

	// Additional attributes about the subject.
	// Values are untyped (interface{}); an adapter must type-assert them
	// before comparing against policy rather than assuming a string.
	Properties map[string]interface{}
}

A subject contains a list of attributes that identify the caller identity.

type SubjectInstanceParam

// SubjectInstanceParam is the instance-configuration schema for a Subject.
// Each string field presumably holds the attribute expression written in
// config (e.g. `source.principal | request.auth.principal | ""` in the
// example above), not a resolved value.
type SubjectInstanceParam struct {
	User string `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`

	Groups string `protobuf:"bytes,2,opt,name=groups,proto3" json:"groups,omitempty"`

	Properties map[string]string "" /* 154 byte string literal not displayed */
}

A subject contains a list of attributes that identify the caller identity.

func (*SubjectInstanceParam) Descriptor

func (*SubjectInstanceParam) Descriptor() ([]byte, []int)

func (*SubjectInstanceParam) Marshal

func (m *SubjectInstanceParam) Marshal() (dAtA []byte, err error)

func (*SubjectInstanceParam) MarshalTo

func (m *SubjectInstanceParam) MarshalTo(dAtA []byte) (int, error)

func (*SubjectInstanceParam) ProtoMessage

func (*SubjectInstanceParam) ProtoMessage()

func (*SubjectInstanceParam) Reset

func (m *SubjectInstanceParam) Reset()

func (*SubjectInstanceParam) Size

func (m *SubjectInstanceParam) Size() (n int)

func (*SubjectInstanceParam) String

func (this *SubjectInstanceParam) String() string

func (*SubjectInstanceParam) Unmarshal

func (m *SubjectInstanceParam) Unmarshal(dAtA []byte) error

type SubjectMsg

// SubjectMsg is the wire (proto) form of a Subject, carried inside InstanceMsg
// when an instance is delivered to an infrastructure backend.
// A subject contains a list of attributes that identify the caller identity.
type SubjectMsg struct {
	User string `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`

	Groups string `protobuf:"bytes,2,opt,name=groups,proto3" json:"groups,omitempty"`

	Properties map[string]*istio_policy_v1beta11.Value "" /* 147 byte string literal not displayed */
}

A subject contains a list of attributes that identify the caller identity.

func (*SubjectMsg) Descriptor

func (*SubjectMsg) Descriptor() ([]byte, []int)

func (*SubjectMsg) Marshal

func (m *SubjectMsg) Marshal() (dAtA []byte, err error)

func (*SubjectMsg) MarshalTo

func (m *SubjectMsg) MarshalTo(dAtA []byte) (int, error)

func (*SubjectMsg) ProtoMessage

func (*SubjectMsg) ProtoMessage()

func (*SubjectMsg) Reset

func (m *SubjectMsg) Reset()

func (*SubjectMsg) Size

func (m *SubjectMsg) Size() (n int)

func (*SubjectMsg) String

func (this *SubjectMsg) String() string

func (*SubjectMsg) Unmarshal

func (m *SubjectMsg) Unmarshal(dAtA []byte) error

type SubjectType

// SubjectType is the subject half of Type: it carries the inferred ValueType
// of each entry in the subject's Properties map, keyed by property name.
type SubjectType struct {
	Properties map[string]istio_policy_v1beta1.ValueType "" /* 191 byte string literal not displayed */
}

A subject contains a list of attributes that identify the caller identity.

func (*SubjectType) Descriptor

func (*SubjectType) Descriptor() ([]byte, []int)

func (*SubjectType) Marshal

func (m *SubjectType) Marshal() (dAtA []byte, err error)

func (*SubjectType) MarshalTo

func (m *SubjectType) MarshalTo(dAtA []byte) (int, error)

func (*SubjectType) ProtoMessage

func (*SubjectType) ProtoMessage()

func (*SubjectType) Reset

func (m *SubjectType) Reset()

func (*SubjectType) Size

func (m *SubjectType) Size() (n int)

func (*SubjectType) String

func (this *SubjectType) String() string

func (*SubjectType) Unmarshal

func (m *SubjectType) Unmarshal(dAtA []byte) error

type Type

// Type contains inferred type information about a specific instance of the
// 'authorization' template. It is passed to infrastructure backends at
// configuration time (via InfrastructureBackend.CreateSession) and to adapters
// via HandlerBuilder.SetAuthorizationTypes.
type Type struct {
	// A subject contains a list of attributes that identify
	// the caller identity.
	Subject *SubjectType `protobuf:"bytes,1,opt,name=subject" json:"subject,omitempty"`
	// An action defines "how a resource is accessed".
	Action *ActionType `protobuf:"bytes,2,opt,name=action" json:"action,omitempty"`
}

Contains inferred type information about a specific instance of the 'authorization' template. This is passed to infrastructure backends during configuration-time through [InfrastructureBackend.CreateSession][TODO: Link to this fragment].

func (*Type) Descriptor

func (*Type) Descriptor() ([]byte, []int)

func (*Type) Marshal

func (m *Type) Marshal() (dAtA []byte, err error)

func (*Type) MarshalTo

func (m *Type) MarshalTo(dAtA []byte) (int, error)

func (*Type) ProtoMessage

func (*Type) ProtoMessage()

func (*Type) Reset

func (m *Type) Reset()

func (*Type) Size

func (m *Type) Size() (n int)

func (*Type) String

func (this *Type) String() string

func (*Type) Unmarshal

func (m *Type) Unmarshal(dAtA []byte) error