
Overview

    Package auth provides client role authentication for accessing keys in etcd.


    Constants

    This section is empty.

    Variables

    // Sentinel errors for the auth package. Compare them with errors.Is rather
    // than by message text. Note that ErrAuthFailed does not say whether the
    // user or the password was wrong; keep it that way so a failed login does
    // not reveal which user names exist.
    var (
    	ErrRootUserNotExist     = errors.New("auth: root user does not exist")
    	ErrRootRoleNotExist     = errors.New("auth: root user does not have root role")
    	ErrUserAlreadyExist     = errors.New("auth: user already exists")
    	ErrUserEmpty            = errors.New("auth: user name is empty")
    	ErrUserNotFound         = errors.New("auth: user not found")
    	ErrRoleAlreadyExist     = errors.New("auth: role already exists")
    	ErrRoleNotFound         = errors.New("auth: role not found")
    	ErrAuthFailed           = errors.New("auth: authentication failed, invalid user ID or password")
    	ErrPermissionDenied     = errors.New("auth: permission denied")
    	ErrRoleNotGranted       = errors.New("auth: role is not granted to the user")
    	ErrPermissionNotGranted = errors.New("auth: permission is not granted to the role")
    	ErrAuthNotEnabled       = errors.New("auth: authentication is not enabled")
    	ErrAuthOldRevision      = errors.New("auth: revision in header is old")
    	ErrInvalidAuthToken     = errors.New("auth: invalid auth token")
    	ErrInvalidAuthOpts      = errors.New("auth: invalid auth options")
    	ErrInvalidAuthMgmt      = errors.New("auth: invalid auth management")
    
    	// BcryptCost is the algorithm cost / strength for hashing auth passwords.
    	// It is a package-level var (not a const), so it can be tuned at startup;
    	// a higher cost makes every password hash/check proportionally slower.
    	BcryptCost = bcrypt.DefaultCost
    )

    Functions

    func NewAuthStore

    // NewAuthStore builds the package's auth store on top of the given backend;
    // tp is the TokenProvider it will use (see NewTokenProvider).
    //
    // NOTE(review): the return type *authStore is unexported, so code outside
    // this package can only hold the result through the AuthStore interface
    // (presumably *authStore implements it — confirm). Exporting the constructor
    // but not the type also keeps the concrete type's methods out of godoc.
    func NewAuthStore(be backend.Backend, tp TokenProvider) *authStore

    Types

    type AuthInfo

    // AuthInfo identifies the authenticated caller of a request. It is obtained
    // from a request context via AuthStore.AuthInfoFromCtx or AuthInfoFromTLS
    // and passed to the Is*Permitted checks.
    type AuthInfo struct {
    	// Username is the name of the authenticated user.
    	Username string
    	// Revision is the auth-store revision the caller's credentials were
    	// issued against — presumably compared with AuthStore.Revision() and
    	// rejected with ErrAuthOldRevision when stale; confirm in the implementation.
    	Revision uint64
    }

    type AuthStore

    // AuthStore defines the auth storage interface: user and role management,
    // per-request permission checks, and token handling.
    //
    // NOTE(review): the Is*Permitted methods and CheckPassword/Authenticate are
    // the authorization and authentication choke points; new request paths
    // should go through them rather than inspecting AuthInfo fields directly.
    type AuthStore interface {
    	// AuthEnable turns on the authentication feature
    	AuthEnable() error
    
    	// AuthDisable turns off the authentication feature
    	AuthDisable()
    
    	// Authenticate does authentication based on given user name and password.
    	// Presumably fails with ErrAuthFailed, whose message does not distinguish
    	// an unknown user from a wrong password — keep it that way.
    	Authenticate(ctx context.Context, username, password string) (*pb.AuthenticateResponse, error)
    
    	// Recover recovers the state of auth store from the given backend
    	Recover(b backend.Backend)
    
    	// UserAdd adds a new user
    	UserAdd(r *pb.AuthUserAddRequest) (*pb.AuthUserAddResponse, error)
    
    	// UserDelete deletes a user
    	UserDelete(r *pb.AuthUserDeleteRequest) (*pb.AuthUserDeleteResponse, error)
    
    	// UserChangePassword changes the password of a user
    	UserChangePassword(r *pb.AuthUserChangePasswordRequest) (*pb.AuthUserChangePasswordResponse, error)
    
    	// UserGrantRole grants a role to the user
    	UserGrantRole(r *pb.AuthUserGrantRoleRequest) (*pb.AuthUserGrantRoleResponse, error)
    
    	// UserGet gets the detailed information of a user
    	UserGet(r *pb.AuthUserGetRequest) (*pb.AuthUserGetResponse, error)
    
    	// UserRevokeRole revokes a role of a user
    	UserRevokeRole(r *pb.AuthUserRevokeRoleRequest) (*pb.AuthUserRevokeRoleResponse, error)
    
    	// RoleAdd adds a new role
    	RoleAdd(r *pb.AuthRoleAddRequest) (*pb.AuthRoleAddResponse, error)
    
    	// RoleGrantPermission grants a permission to a role
    	RoleGrantPermission(r *pb.AuthRoleGrantPermissionRequest) (*pb.AuthRoleGrantPermissionResponse, error)
    
    	// RoleGet gets the detailed information of a role
    	RoleGet(r *pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse, error)
    
    	// RoleRevokePermission revokes a permission from a role
    	RoleRevokePermission(r *pb.AuthRoleRevokePermissionRequest) (*pb.AuthRoleRevokePermissionResponse, error)
    
    	// RoleDelete deletes a role
    	RoleDelete(r *pb.AuthRoleDeleteRequest) (*pb.AuthRoleDeleteResponse, error)
    
    	// UserList gets a list of all users
    	UserList(r *pb.AuthUserListRequest) (*pb.AuthUserListResponse, error)
    
    	// RoleList gets a list of all roles
    	RoleList(r *pb.AuthRoleListRequest) (*pb.AuthRoleListResponse, error)
    
    	// IsPutPermitted checks put permission of the user on key.
    	// A nil error means permitted; a non-nil error (presumably
    	// ErrPermissionDenied) means the request must be rejected.
    	IsPutPermitted(authInfo *AuthInfo, key []byte) error
    
    	// IsRangePermitted checks range permission of the user over [key, rangeEnd)
    	IsRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error
    
    	// IsDeleteRangePermitted checks delete-range permission of the user over [key, rangeEnd)
    	IsDeleteRangePermitted(authInfo *AuthInfo, key, rangeEnd []byte) error
    
    	// IsAdminPermitted checks admin permission of the user
    	IsAdminPermitted(authInfo *AuthInfo) error
    
    	// GenTokenPrefix produces a random string in the simple-token case;
    	// in the JWT case it produces an empty string
    	GenTokenPrefix() (string, error)
    
    	// Revision gets current revision of authStore
    	Revision() uint64
    
    	// CheckPassword checks that a given pair of username and password is correct.
    	// The returned uint64 is presumably the auth revision (see Revision) — confirm.
    	CheckPassword(username, password string) (uint64, error)
    
    	// Close does cleanup of AuthStore
    	Close() error
    
    	// AuthInfoFromCtx gets AuthInfo from gRPC's context.
    	// Presumably the source of ErrInvalidAuthToken / ErrAuthOldRevision — confirm.
    	AuthInfoFromCtx(ctx context.Context) (*AuthInfo, error)
    
    	// AuthInfoFromTLS gets AuthInfo from TLS info of gRPC's context.
    	// There is no error return, so callers must nil-check the result
    	// (presumably nil when the peer presented no usable client certificate).
    	AuthInfoFromTLS(ctx context.Context) *AuthInfo
    
    	// WithRoot generates and installs a token that can be used as a root credential.
    	// NOTE(review): the returned context carries root authority; keep it
    	// internal and never hand it to a path that acts on caller-supplied input.
    	WithRoot(ctx context.Context) context.Context
    
    	// HasRole checks that user has role
    	HasRole(user, role string) bool
    
    	// SetConsistentIndexSyncer sets consistentIndex syncer.
    	// saveConsistentIndexFunc is unexported, so only code in this package
    	// can supply a value here.
    	SetConsistentIndexSyncer(syncer saveConsistentIndexFunc)
    }

      AuthStore defines the auth storage interface.

      type AuthenticateParamIndex

        // AuthenticateParamIndex is a zero-size type used as a context key for
        // a parameter of Authenticate(). Using a distinct struct type (rather than
        // a string) keeps the key from colliding with keys set by other packages.
        type AuthenticateParamIndex struct{}

        AuthenticateParamIndex is used as a context key in the parameters of Authenticate()

        type AuthenticateParamSimpleTokenPrefix

          // AuthenticateParamSimpleTokenPrefix is a zero-size type used as a context
          // key for a parameter of Authenticate() — presumably the prefix produced by
          // AuthStore.GenTokenPrefix in the simple-token case; confirm against callers.
          type AuthenticateParamSimpleTokenPrefix struct{}

          AuthenticateParamSimpleTokenPrefix is used as a context key in the parameters of Authenticate()

          type TokenProvider

          // TokenProvider is the token back end used by the auth store. All of its
          // methods are unexported, so it cannot be implemented outside this
          // package; obtain one with NewTokenProvider.
          type TokenProvider interface {
          	// contains filtered or unexported methods
          }

          func NewTokenProvider

          // NewTokenProvider creates a new token provider.
          //
          // tokenOpts selects and configures the token implementation; the accepted
          // format is not shown on this page (the package distinguishes a simple-token
          // mode from a JWT mode, see AuthStore.GenTokenPrefix). indexWaiter takes an
          // index and returns a channel — presumably one that becomes ready once that
          // index has been applied; confirm against the implementation. TokenTTL is
          // the token lifetime.
          //
          // NOTE(review): a capitalized parameter name is unidiomatic Go; tokenTTL
          // would match the other parameters.
          func NewTokenProvider(
          	tokenOpts string,
          	indexWaiter func(uint64) <-chan struct{},
          	TokenTTL time.Duration) (TokenProvider, error)

            NewTokenProvider creates a new token provider.
