authorization

package
v2.0.0+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 13, 2017 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

+groupName=authorization.k8s.io

Index

Constants

View Source
const GroupName = "authorization.k8s.io"

GroupName is the group name use in this package

Variables

View Source
var (
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	AddToScheme   = SchemeBuilder.AddToScheme
)
View Source
var SchemeGroupVersion = unversioned.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}

SchemeGroupVersion is group version used to register these objects

Functions

func DeepCopy_authorization_LocalSubjectAccessReview

func DeepCopy_authorization_LocalSubjectAccessReview(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_authorization_NonResourceAttributes

func DeepCopy_authorization_NonResourceAttributes(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_authorization_ResourceAttributes

func DeepCopy_authorization_ResourceAttributes(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_authorization_SelfSubjectAccessReview

func DeepCopy_authorization_SelfSubjectAccessReview(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_authorization_SelfSubjectAccessReviewSpec

func DeepCopy_authorization_SelfSubjectAccessReviewSpec(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_authorization_SubjectAccessReview

func DeepCopy_authorization_SubjectAccessReview(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_authorization_SubjectAccessReviewSpec

func DeepCopy_authorization_SubjectAccessReviewSpec(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_authorization_SubjectAccessReviewStatus

func DeepCopy_authorization_SubjectAccessReviewStatus(in interface{}, out interface{}, c *conversion.Cloner) error

func Kind

func Kind(kind string) unversioned.GroupKind

Kind takes an unqualified kind and returns a Group qualified GroupKind

func RegisterDeepCopies

func RegisterDeepCopies(scheme *runtime.Scheme) error

RegisterDeepCopies adds deep-copy functions to the given scheme. Public to allow building arbitrary schemes.

func Resource

func Resource(resource string) unversioned.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types

type ExtraValue

type ExtraValue []string

ExtraValue masks the value so protobuf can generate +protobuf.nullable=true

func (*ExtraValue) CodecDecodeSelf

func (x *ExtraValue) CodecDecodeSelf(d *codec1978.Decoder)

func (ExtraValue) CodecEncodeSelf

func (x ExtraValue) CodecEncodeSelf(e *codec1978.Encoder)

type LocalSubjectAccessReview

type LocalSubjectAccessReview struct {
	unversioned.TypeMeta
	api.ObjectMeta

	// Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace
	// you made the request against.  If empty, it is defaulted.
	Spec SubjectAccessReviewSpec

	// Status is filled in by the server and indicates whether the request is allowed or not
	Status SubjectAccessReviewStatus
}

LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.

func (*LocalSubjectAccessReview) CodecDecodeSelf

func (x *LocalSubjectAccessReview) CodecDecodeSelf(d *codec1978.Decoder)

func (*LocalSubjectAccessReview) CodecEncodeSelf

func (x *LocalSubjectAccessReview) CodecEncodeSelf(e *codec1978.Encoder)

type NonResourceAttributes

type NonResourceAttributes struct {
	// Path is the URL path of the request
	Path string
	// Verb is the standard HTTP verb
	Verb string
}

NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface

func (*NonResourceAttributes) CodecDecodeSelf

func (x *NonResourceAttributes) CodecDecodeSelf(d *codec1978.Decoder)

func (*NonResourceAttributes) CodecEncodeSelf

func (x *NonResourceAttributes) CodecEncodeSelf(e *codec1978.Encoder)

type ResourceAttributes

type ResourceAttributes struct {
	// Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces
	// "" (empty) is defaulted for LocalSubjectAccessReviews
	// "" (empty) is empty for cluster-scoped resources
	// "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
	Namespace string
	// Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.
	Verb string
	// Group is the API Group of the Resource.  "*" means all.
	Group string
	// Version is the API Version of the Resource.  "*" means all.
	Version string
	// Resource is one of the existing resource types.  "*" means all.
	Resource string
	// Subresource is one of the existing resource types.  "" means none.
	Subresource string
	// Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
	Name string
}

ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface

func (*ResourceAttributes) CodecDecodeSelf

func (x *ResourceAttributes) CodecDecodeSelf(d *codec1978.Decoder)

func (*ResourceAttributes) CodecEncodeSelf

func (x *ResourceAttributes) CodecEncodeSelf(e *codec1978.Encoder)

type SelfSubjectAccessReview

type SelfSubjectAccessReview struct {
	unversioned.TypeMeta
	api.ObjectMeta

	// Spec holds information about the request being evaluated.
	Spec SelfSubjectAccessReviewSpec

	// Status is filled in by the server and indicates whether the request is allowed or not
	Status SubjectAccessReviewStatus
}

SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a spec.namespace means "in all namespaces". Self is a special case, because users should always be able to check whether they can perform an action

func (*SelfSubjectAccessReview) CodecDecodeSelf

func (x *SelfSubjectAccessReview) CodecDecodeSelf(d *codec1978.Decoder)

func (*SelfSubjectAccessReview) CodecEncodeSelf

func (x *SelfSubjectAccessReview) CodecEncodeSelf(e *codec1978.Encoder)

type SelfSubjectAccessReviewSpec

type SelfSubjectAccessReviewSpec struct {
	// ResourceAttributes describes information for a resource access request
	ResourceAttributes *ResourceAttributes
	// NonResourceAttributes describes information for a non-resource access request
	NonResourceAttributes *NonResourceAttributes
}

SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAttributes and NonResourceAttributes must be set

func (*SelfSubjectAccessReviewSpec) CodecDecodeSelf

func (x *SelfSubjectAccessReviewSpec) CodecDecodeSelf(d *codec1978.Decoder)

func (*SelfSubjectAccessReviewSpec) CodecEncodeSelf

func (x *SelfSubjectAccessReviewSpec) CodecEncodeSelf(e *codec1978.Encoder)

type SubjectAccessReview

type SubjectAccessReview struct {
	unversioned.TypeMeta
	api.ObjectMeta

	// Spec holds information about the request being evaluated
	Spec SubjectAccessReviewSpec

	// Status is filled in by the server and indicates whether the request is allowed or not
	Status SubjectAccessReviewStatus
}

SubjectAccessReview checks whether or not a user or group can perform an action. Not filling in a spec.namespace means "in all namespaces".

func (*SubjectAccessReview) CodecDecodeSelf

func (x *SubjectAccessReview) CodecDecodeSelf(d *codec1978.Decoder)

func (*SubjectAccessReview) CodecEncodeSelf

func (x *SubjectAccessReview) CodecEncodeSelf(e *codec1978.Encoder)

type SubjectAccessReviewSpec

type SubjectAccessReviewSpec struct {
	// ResourceAttributes describes information for a resource access request
	ResourceAttributes *ResourceAttributes
	// NonResourceAttributes describes information for a non-resource access request
	NonResourceAttributes *NonResourceAttributes

	// User is the user you're testing for.
	// If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups
	User string
	// Groups is the groups you're testing for.
	Groups []string
	// Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer
	// it needs a reflection here.
	Extra map[string]ExtraValue
}

SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAttributes and NonResourceAttributes must be set

func (*SubjectAccessReviewSpec) CodecDecodeSelf

func (x *SubjectAccessReviewSpec) CodecDecodeSelf(d *codec1978.Decoder)

func (*SubjectAccessReviewSpec) CodecEncodeSelf

func (x *SubjectAccessReviewSpec) CodecEncodeSelf(e *codec1978.Encoder)

type SubjectAccessReviewStatus

type SubjectAccessReviewStatus struct {
	// Allowed is required.  True if the action would be allowed, false otherwise.
	Allowed bool
	// Reason is optional.  It indicates why a request was allowed or denied.
	Reason string
	// EvaluationError is an indication that some error occurred during the authorization check.
	// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
	// For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
	EvaluationError string
}

SubjectAccessReviewStatus

func (*SubjectAccessReviewStatus) CodecDecodeSelf

func (x *SubjectAccessReviewStatus) CodecDecodeSelf(d *codec1978.Decoder)

func (*SubjectAccessReviewStatus) CodecEncodeSelf

func (x *SubjectAccessReviewStatus) CodecEncodeSelf(e *codec1978.Encoder)

Directories

Path Synopsis
Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
+groupName=authorization.k8s.io Package v1beta1 is a generated protocol buffer package.
+groupName=authorization.k8s.io Package v1beta1 is a generated protocol buffer package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL