authz

package
v0.0.0-...-2fa4df2
Published: Jun 11, 2020 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package authz consists of specific authorization and auditing implementations. Supported mechanisms:

- basic authorization: basic policy evaluation based on JSON policy files
- basic auditing: basic auditing to a log file (JSON format); only the incoming request is audited

Index

Constants

const (
	// AuditHookSyslog indicates logs are streamed to local syslog
	AuditHookSyslog = "syslog"

	// AuditHookFile indicates logs are written to a local file (see BasicAuditorSettings.LogPath)
	AuditHookFile = "file"

	// AuditHookStdout indicates logs are streamed to stdout (the empty string, i.e. the default hook)
	AuditHookStdout = ""
)

Variables

This section is empty.

Functions

func NewBasicAuditor

func NewBasicAuditor(settings *BasicAuditorSettings) core.Auditor

NewBasicAuditor returns a new authz auditor that uses the specified logging hook (e.g., syslog, file or stdout).

func NewBasicAuthZAuthorizer

func NewBasicAuthZAuthorizer(settings *BasicAuthorizerSettings) core.Authorizer

NewBasicAuthZAuthorizer creates a new basic authorizer that evaluates requests against the policy file given in settings.

Types

type BasicAuditorSettings

type BasicAuditorSettings struct {
	LogHook string // LogHook is the log hook used to audit authorization data
	LogPath string // LogPath is the path to audit log file (if file hook is specified)
}

BasicAuditorSettings are the settings used by the basic auditor.

type BasicAuthorizerSettings

type BasicAuthorizerSettings struct {
	PolicyPath string // PolicyPath is the path to the policy settings
}

BasicAuthorizerSettings provides settings for the basic authorizer flow.

type BasicPolicy

type BasicPolicy struct {
	// Actions are the docker actions (mapped to authz terminology) that are allowed according to this policy.
	// Actions are specified as regular expressions
	Actions  []string `json:"actions"`
	Users    []string `json:"users"`    // Users are the users to which this policy applies
	Name     string   `json:"name"`     // Name is the policy name
	Readonly bool     `json:"readonly"` // Readonly indicates this policy only allows GET commands
}

BasicPolicy represents a single policy object that is evaluated in the authorization flow. Each policy object consists of multiple users and docker actions, and each user is expected to belong to a single policy.

The policies are evaluated according to the following flow:

For each policy object, check
   whether the user belongs to the policy
      if so: allow when the requested action is in the policy, otherwise deny
If no appropriate policy is found, return deny

Remark: In the basic flow, each user must have a unique policy. If a user appears in more than one policy, the results may be inconsistent.
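The evaluation flow above, as an added Go example that is not the package's own code: it loads a constructed JSON policy file into the BasicPolicy struct and evaluates a (user, action, HTTP method) request with first-match semantics, so a user listed in two policies is decided by the first one. Assumed, because the page does not specify them: the policy file is a JSON array, action patterns are matched as fully anchored regular expressions, and Readonly denies any request whose method is not GET.

```go
package main

import (
	"encoding/json"
	"regexp"
)

// BasicPolicy mirrors the page's struct, with the same JSON tags.
type BasicPolicy struct {
	Actions  []string `json:"actions"`
	Users    []string `json:"users"`
	Name     string   `json:"name"`
	Readonly bool     `json:"readonly"`
}

// LoadPolicies parses a policy file, assumed here to be a JSON array of policies.
func LoadPolicies(data []byte) (ps []BasicPolicy, err error) {
	err = json.Unmarshal(data, &ps)
	return ps, err
}

// Evaluate follows the documented flow: the first policy listing the user decides, and a
// user with no policy is denied. Assumed: action patterns are fully anchored regexps,
// and Readonly denies any request whose HTTP method is not GET.
func Evaluate(ps []BasicPolicy, user, action, method string) (allowed bool, policy string) {
	for _, p := range ps {
		for _, u := range p.Users {
			if u != user {
				continue
			}
			// This policy decides for the user; no later policy is consulted.
			if p.Readonly && method != "GET" {
				return false, p.Name
			}
			for _, pat := range p.Actions {
				if ok, err := regexp.MatchString("^(?:"+pat+")$", action); err == nil && ok {
					return true, p.Name
				}
			}
			return false, p.Name // user matched, action not in the allow list
		}
	}
	return false, "" // no policy names this user: default deny
}

// SamplePolicyJSON is a constructed policy file, for demonstration only.
const SamplePolicyJSON = `[{"name":"admins","users":["alice"],"actions":[".*"]},
 {"name":"viewers","users":["bob"],"actions":["container_(list|inspect)"],"readonly":true}]`
```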
