rbac

package
Published: Jul 31, 2023 License: Apache-2.0 Imports: 28 Imported by: 0

Documentation

Index

Constants

// Verdict strings and limits used when an Azure RBAC CheckAccess result is
// turned into a Kubernetes SubjectAccessReviewStatus.
//
// NOTE(review): the two NonAADUser* literals are elided by the renderer of
// this page ("not displayed"); their real contents are only in the source.
const (
	// ActionBatchCount bounds how many actions go into one CheckAccess call
	// (presumably; the batching code itself is not on this page).
	ActionBatchCount            = 200
	// AccessAllowedVerdict is the reason reported when Azure RBAC allows the request.
	AccessAllowedVerdict        = "Access allowed by Azure RBAC"
	// AccessAllowedVerboseVerdict is the allow reason with three %s verbs:
	// role assignment, role, user (in that order). Because this text is
	// surfaced to the SubjectAccessReview caller, it reveals which
	// assignment granted access; treat enabling it as a disclosure decision.
	AccessAllowedVerboseVerdict = "Access allowed by Azure RBAC Role Assignment %s of Role %s to user %s"
	// Allowed is the decision string the package treats as an allow
	// (presumably compared against AuthorizationDecision.Decision — confirm).
	Allowed                     = "allowed"
	// AccessNotAllowedVerdict is the reason reported on an explicit deny.
	AccessNotAllowedVerdict     = "User does not have access to the resource in Azure. Update role assignment to allow access."
	// NamespaceResourceFormat is the ARM resource-path suffix under which
	// namespace-scoped checks are addressed (usage not shown here).
	NamespaceResourceFormat     = "/providers/Microsoft.KubernetesConfiguration/namespaces"

	// NoOpinionVerdict is the reason given when this authorizer returns no
	// opinion, leaving the decision to the next authorizer in the chain.
	NoOpinionVerdict            = "Azure does not have opinion for this user."
	// NonAADUserNoOpVerdict / NonAADUserNotAllowedVerdict are the two
	// outcomes for subjects that are not AAD identities, presumably selected
	// by ShouldSkipAuthzCheckForNonAADUsers. NOTE(review): the "no-op" path
	// means non-AAD subjects fall through to other authorizers; make sure
	// that is a deliberate configuration, not the default.
	NonAADUserNoOpVerdict       = "" /* 145-byte string literal not displayed */
	NonAADUserNotAllowedVerdict = "" /* 207-byte string literal not displayed */
	// PodsResource is the Kubernetes resource name that appears to get
	// special handling (the code using it is not on this page).
	PodsResource                = "pods"
)

Variables

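// CheckAccessErrorFormat is the message returned to the caller when the
// CheckAccess call itself fails; the single %s is filled with the underlying
// error text. It is a package-level var rather than a const, so it is
// mutable process-wide state that another package could overwrite at runtime.
//
// NOTE(review): the interpolated error originates from the authorization
// backend; if it is echoed to an unprivileged SubjectAccessReview caller it
// may expose endpoint or tenant details — confirm what callers do with it.
// The spelling of "occurred" was corrected here; anything that matched the
// old misspelt text must be updated with it.
var (
	CheckAccessErrorFormat = "Error occurred during authorization check. Please retry again. Error: %s"
)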

Functions

func ConvertCheckAccessResponse

func ConvertCheckAccessResponse(body []byte) (*authzv1.SubjectAccessReviewStatus, error)

Types

type AccessDecision

// AccessDecision is the minimal shape of one CheckAccess result: only the
// "accessDecision" field is decoded. AuthorizationDecision carries the same
// field plus the full per-action record.
type AccessDecision struct {
	Decision string `json:"accessDecision"`
}

type AccessInfo

// AccessInfo holds the state needed to check a user's access against Azure
// RBAC. Its fields are unexported; construct it with New.
type AccessInfo struct {
	// contains filtered or unexported fields
}

AccessInfo allows you to check a user's access against Azure RBAC (Microsoft RBAC); construct one with New.

func New

func New(opts authzOpts.Options, authopts auth.Options, authzInfo *AuthzInfo) (*AccessInfo, error)

func (*AccessInfo) AllowNonResPathDiscoveryAccess

func (a *AccessInfo) AllowNonResPathDiscoveryAccess(request *authzv1.SubjectAccessReviewSpec) bool

func (*AccessInfo) CheckAccess

func (*AccessInfo) GetResultFromCache

func (a *AccessInfo) GetResultFromCache(request *authzv1.SubjectAccessReviewSpec, store authz.Store) (bool, bool)

func (*AccessInfo) IsTokenExpired

func (a *AccessInfo) IsTokenExpired() bool

func (*AccessInfo) RefreshToken

func (a *AccessInfo) RefreshToken(ctx context.Context) error

func (*AccessInfo) SetResultInCache

func (a *AccessInfo) SetResultInCache(request *authzv1.SubjectAccessReviewSpec, result bool, store authz.Store) error

func (*AccessInfo) ShouldSkipAuthzCheckForNonAADUsers

func (a *AccessInfo) ShouldSkipAuthzCheckForNonAADUsers() bool

func (*AccessInfo) SkipAuthzCheck

func (a *AccessInfo) SkipAuthzCheck(request *authzv1.SubjectAccessReviewSpec) bool

type AuthorizationDecision

// AuthorizationDecision is one per-action entry of an Azure RBAC CheckAccess
// response.
type AuthorizationDecision struct {
	// Decision is the verdict for ActionId. The exact vocabulary is not
	// shown on this page; the Allowed constant ("allowed") is presumably
	// the value treated as permitted — confirm in the caller.
	Decision            string              `json:"accessDecision"`
	// ActionId is the RBAC action that was evaluated; IsDataAction marks
	// it as a data-plane action rather than a control-plane one.
	ActionId            string              `json:"actionId"`
	IsDataAction        bool                `json:"isDataAction"`
	// AzureRoleAssignment / AzureDenyAssignment carry the assignment the
	// decision was based on. NOTE: `omitempty` has no effect on struct-valued
	// fields in encoding/json, so both are always emitted when encoding.
	AzureRoleAssignment AzureRoleAssignment `json:"roleAssignment,omitempty"`
	AzureDenyAssignment AzureDenyAssignment `json:"denyAssignment,omitempty"`
	// TimeToLiveInMs is how long the service says this decision may be
	// cached. A long TTL on an allow delays revocation taking effect;
	// whether SetResultInCache honours this value is not visible here.
	TimeToLiveInMs      int                 `json:"timeToLiveInMs"`
}

type AuthzInfo

// AuthzInfo carries the Azure endpoints the authorizer talks to: presumably
// the AAD endpoint for token acquisition and the ARM endpoint hosting
// CheckAccess. These decide where bearer tokens are sent, so they are trusted
// configuration and must never be derived from request data.
// (The casing "EndPoint" vs "Endpoint" is inconsistent but is part of the
// exported interface.)
type AuthzInfo struct {
	AADEndpoint string
	ARMEndPoint string
}

type AzureDenyAssignment

// AzureDenyAssignment is a deny assignment as returned by CheckAccess: the
// generic DenyAssignment plus Azure-specific metadata.
type AzureDenyAssignment struct {
	MetaData          map[string]interface{} `json:"metadata"`
	// IsSystemProtected is decoded as a string, unlike IsBuiltIn below.
	// NOTE(review): if the service emits a JSON boolean here, json.Unmarshal
	// fails for the whole response — confirm against the API schema.
	IsSystemProtected string                 `json:"isSystemProtected"`
	IsBuiltIn         bool                   `json:"isBuiltIn"`
	// DenyAssignment's fields (Id, Scope, Principals, ...) are promoted.
	DenyAssignment
}

type AzureRoleAssignment

// AzureRoleAssignment is the role assignment behind an allow decision:
// RoleAssignment plus the managed identity the assignment was delegated to,
// if any (empty otherwise).
type AzureRoleAssignment struct {
	DelegatedManagedIdentityResourceId string `json:"delegatedManagedIdentityResourceId"`
	RoleAssignment
}

type CheckAccessRequest

// CheckAccessRequest is the body sent to the Azure RBAC CheckAccess API: who
// is asking (Subject), which actions, and on which resource. The JSON keys
// are capitalised, unlike the camelCase keys of the response types;
// encoding/json emits them exactly as tagged.
type CheckAccessRequest struct {
	Subject  SubjectInfo                          `json:"Subject"`
	Actions  []azureutils.AuthorizationActionInfo `json:"Actions"`
	Resource azureutils.AuthorizationEntity       `json:"Resource"`
}

type DenyAssignment

// DenyAssignment mirrors an Azure deny assignment as carried in a CheckAccess
// response. Its presence is presumably why a subject holding an apparently
// sufficient role can still be refused.
type DenyAssignment struct {
	Id          string `json:"id"`
	Name        string `json:"name"`
	Description string `json:"description"`
	// Permission's Actions/NoActions/... fields are promoted here. Its
	// Condition/ConditionVersion are shadowed by the same-named fields
	// below, both for Go field access and for JSON (encoding/json picks the
	// shallower field when tags collide).
	Permission
	Scope                   string `json:"scope"`
	DoNotApplyToChildScopes bool   `json:"doNotApplyToChildScopes"`
	// Principals and ExcludePrincipals carry no json tag, so encoding/json
	// uses the Go field names: emits "Principals"/"ExcludePrincipals" and
	// matches incoming keys case-insensitively.
	Principals              []Principal
	ExcludePrincipals       []Principal
	Condition               string `json:"condition"`
	ConditionVersion        string `json:"conditionVersion"`
}

type Permission

// Permission is the action-level content of a role or deny assignment.
type Permission struct {
	// Actions/NoActions are control-plane actions, DataActions/NoDataActions
	// data-plane ones. NOTE(review): Azure's role-definition schema spells
	// the exclusion lists notActions/notDataActions; the tags below are
	// "noactions"/"nodataactions". Case-insensitive matching does not bridge
	// the missing "t", so if the service uses the Azure spelling these two
	// fields stay nil — confirm against the CheckAccess response schema.
	Actions          []string `json:"actions,omitempty"`
	NoActions        []string `json:"noactions,omitempty"`
	DataActions      []string `json:"dataactions,omitempty"`
	NoDataActions    []string `json:"nodataactions,omitempty"`
	// Condition / ConditionVersion presumably hold an ABAC condition
	// expression and its schema version; they are not evaluated on this page.
	Condition        string   `json:"condition"`
	ConditionVersion string   `json:"conditionVersion"`
}

type Principal

// Principal identifies a security principal in a deny assignment's
// Principals/ExcludePrincipals lists by object id and principal type.
type Principal struct {
	Id   string `json:"id"`
	Type string `json:"type"`
}

type RoleAssignment

// RoleAssignment describes the Azure role assignment that granted access:
// which role definition, to which principal, at which scope, under which
// (optional) condition. Id and RoleDefinitionId are presumably what get
// interpolated into AccessAllowedVerboseVerdict.
type RoleAssignment struct {
	Id               string `json:"id"`
	RoleDefinitionId string `json:"roleDefinitionId"`
	PrincipalId      string `json:"principalId"`
	PrincipalType    string `json:"principalType"`
	Scope            string `json:"scope"`
	Condition        string `json:"condition"`
	ConditionVersion string `json:"conditionVersion"`
	CanDelegate      bool   `json:"canDelegate"`
}

type SubjectInfo

// SubjectInfo is the "Subject" member of a CheckAccessRequest; it wraps the
// caller's identity attributes.
type SubjectInfo struct {
	Attributes SubjectInfoAttributes `json:"Attributes"`
}

type SubjectInfoAttributes

// SubjectInfoAttributes identifies the caller to CheckAccess: the AAD object
// id and, optionally, the group object ids the caller belongs to.
// NOTE(review): these are what Azure evaluates, so they must be populated
// only from an authenticated AAD identity (presumably the SubjectAccessReview
// user/groups as established by the authenticator), never from
// caller-supplied, unverified claims.
type SubjectInfoAttributes struct {
	ObjectId string   `json:"ObjectId"`
	Groups   []string `json:"Groups,omitempty"`
}
