Documentation
Index
- Constants
- func AddAuthorization(tenantName string, role types.RoleType, principalName string, isLocal bool) (types.Authorization, error)
- func AddDefaultUsers() error
- func Authenticate(username, password string) (string, error)
- func DeleteAuthorization(authUUID string) error
- func FilterAppProfiles(t *Token, body []byte) []byte
- func FilterEndpointGroups(t *Token, body []byte) []byte
- func FilterExtContractsGroups(t *Token, body []byte) []byte
- func FilterNetProfiles(t *Token, body []byte) []byte
- func FilterNetworks(t *Token, body []byte) []byte
- func FilterPolicies(t *Token, body []byte) []byte
- func FilterRules(t *Token, body []byte) []byte
- func FilterServiceLBs(t *Token, body []byte) []byte
- func FilterTenants(t *Token, body []byte) []byte
- func GenerateClaimKey(object interface{}) (string, error)
- func GetAuthorization(authzUUID string) (types.Authorization, error)
- func ListAuthorizations() ([]types.Authorization, error)
- func NullFilter(t *Token, body []byte) []byte
- type Token
- func (authZ *Token) AddClaim(key string, value interface{})
- func (authZ *Token) AddPrincipalsClaim(principals []string) error
- func (authZ *Token) AddRoleClaim(principal string) error
- func (authZ *Token) CheckClaims(objects ...interface{}) error
- func (authZ *Token) GetClaim(claimKey string) string
- func (authZ *Token) IsSuperuser() bool
- func (authZ *Token) Stringify() (string, error)
Constants
const (
	// TokenValidityInHours represents the token validity; used to set token expiry
	TokenValidityInHours = 10
	// UsernameClaimKey is only added to the token, and is not part of authorization db
	UsernameClaimKey = "username"
)
Variables
This section is empty.
Functions
func AddAuthorization
func AddAuthorization(tenantName string, role types.RoleType, principalName string, isLocal bool) (types.Authorization, error)
AddAuthorization stores authorization claim(s) for a specific named principal in the KV store. Success of various tenant-related operations will depend on the named principal's capabilities, determined by the role that is associated with the claim. TODO: principal and tenant should exist
Parameters:
- tenantName: tenant name, if specified
- role: type of role that specifies the permissions associated with the tenant, or global permissions
- principalName: name of the user for whom the authorization is to be added; can be either a local user or an LDAP group
- isLocal: true if the named principal is a local user, false if it is an LDAP group
Return values:
- types.Authorization: the new authorization that was added
- error: nil if successful, else auth_errors.ErrIllegalOperation if trying to add an authorization to the built-in local admin user
func AddDefaultUsers
func AddDefaultUsers() error
AddDefaultUsers adds the pre-defined users (admin, ops) to the system. The names of these users are the same as their role types (admin or ops). It also adds the admin role authorization for the admin user.
func Authenticate
func Authenticate(username, password string) (string, error)
Authenticate authenticates the user against the local DB or AD using the given credentials. It returns a token which carries the role, capabilities, etc.
params:
- username: local or AD username of the user
- password: password of the user
return values:
- `Token` string on successful authentication, otherwise ErrADConfigNotFound or any relevant error
func DeleteAuthorization
func DeleteAuthorization(authUUID string) error
DeleteAuthorization deletes an authorization for a tenant. TODO: Also update role claim for principal if needed
Parameters:
- authUUID: UUID of the tenant authorization object
Return values:
- error: nil if successful, else
  - types.UnauthorizedError: if the caller isn't authorized to make this API call
  - auth_errors.ErrIllegalOperation: if attempting to delete the authorization for the built-in admin user
  - the error from db.DeleteAuthorization if deleting an authorization fails
func FilterAppProfiles
func FilterAppProfiles(t *Token, body []byte) []byte
FilterAppProfiles filters the response from GET /api/v1/appProfiles/
func FilterEndpointGroups
func FilterEndpointGroups(t *Token, body []byte) []byte
FilterEndpointGroups filters the response from GET /api/v1/endpointGroups/
func FilterExtContractsGroups
func FilterExtContractsGroups(t *Token, body []byte) []byte
FilterExtContractsGroups filters the response from GET /api/v1/extContractsGroups/
func FilterNetProfiles
func FilterNetProfiles(t *Token, body []byte) []byte
FilterNetProfiles filters the response from GET /api/v1/netprofiles/
func FilterNetworks
func FilterNetworks(t *Token, body []byte) []byte
FilterNetworks filters the response from GET /api/v1/networks/
func FilterPolicies
func FilterPolicies(t *Token, body []byte) []byte
FilterPolicies filters the response from GET /api/v1/policys/ (sic)
func FilterRules
func FilterRules(t *Token, body []byte) []byte
FilterRules filters the response from GET /api/v1/rules/
func FilterServiceLBs
func FilterServiceLBs(t *Token, body []byte) []byte
FilterServiceLBs filters the response from GET /api/v1/serviceLBs/
func FilterTenants
func FilterTenants(t *Token, body []byte) []byte
FilterTenants filters the response from GET /api/v1/tenants/
func GenerateClaimKey
func GenerateClaimKey(object interface{}) (string, error)
GenerateClaimKey is a helper method that creates a string encoding of a claim for an object that our policies care about, e.g. a role or a tenant. This key is usually generated when an authorization is added for an object. The value to store with this key is based on the object type itself, and is provided to the AddClaim method.
params:
- object: a generic object for which a key needs to be encoded
return values:
- string: encoding of the claim for the object
- error: nil if successful, errors.ErrUnsupportedType if claims for the given object type are not supported
func GetAuthorization
func GetAuthorization(authzUUID string) (types.Authorization, error)
GetAuthorization returns a specific authorization identified by authzUUID.
Parameters:
- authzUUID: UUID of the authorization that needs to be returned
Return values:
- error: nil if successful, else the error from db.GetAuthorization if the auth lookup fails
func ListAuthorizations
func ListAuthorizations() ([]types.Authorization, error)
ListAuthorizations returns all authorizations.
Return values:
- error: nil if successful, else
  - errors.ErrUnauthorized: if the caller isn't authorized to make this API call
  - the error from db.ListAuthorizations if the auth lookup fails
func NullFilter
func NullFilter(t *Token, body []byte) []byte
NullFilter is a filter which just returns what is passed in. It's used by RBAC endpoints which do not require response filtering.
Types
type Token
type Token struct {
// contains filtered or unexported fields
}
Token represents the JSON Web Token which carries the authorization details
func NewToken
func NewToken() *Token
NewToken creates a new authorization token, sets its expiry and returns a pointer to it.
return values:
- *Token: reference to the authorization token object
func NewTokenWithClaims
NewTokenWithClaims is a utility method that creates a new token with the list of principals.
params:
- principals: a list of security principals for a user. In the case of a local user, this list should contain only a single principal. For LDAP users, this list potentially contains multiple principals, each belonging to an LDAP group.
return values:
- *Token: a token object encapsulating authorization claims
- error: nil if successful, else as returned by sub-routines
func ParseToken
ParseToken parses a string representation of a token into a Token object.
params:
- tokenStr: string encoding of a JWT object
return values:
- Token: an authorization token object
- error: nil if successful, else the relevant error if the token is expired, couldn't be validated, or any other error that happened during token parsing
func (*Token) AddClaim
func (authZ *Token) AddClaim(key string, value interface{})
AddClaim adds a claim to an existing authorization token object. A claim is a key/value pair, where the key is a string which encodes the object, such as a role, tenant, etc. Since the claim is added to a map, AddClaim also serves to update an existing claim. The value is generic and may mean different things for different objects.
params:
- (Receiver): authorization token object to which more claims need to be added
- key: claim key string which corresponds to a claim for a specific object or a predicate
- value: generic value associated with the claim's key
func (*Token) AddPrincipalsClaim
func (authZ *Token) AddPrincipalsClaim(principals []string) error
AddPrincipalsClaim adds a claim of type key="principals" to the token.
The value of this claim is used to find the authorization claims of the associated principals at runtime. If this list changes (e.g., if the user's LDAP group membership changes), the user needs to re-authenticate to get updated access.
params:
- principals: security principals associated with a user
return values:
- error: nil if successful, else the relevant error if the claim is malformed
func (*Token) AddRoleClaim
func (authZ *Token) AddRoleClaim(principal string) error
AddRoleClaim adds/updates a role claim of type key="role" value=<RoleType> (e.g. value="admin", value="ops") to the token. This claim represents the highest capability role available to the user, hence an update is only performed if the principal's role is higher than the current value of the role claim.
This claim is currently only useful for the UI to differentiate look and feel based on the type of operations a user can perform. The RBAC implementation at the API level doesn't look at the role claim in the Token; rather, it pulls the current state from the state store based on the principals. This makes authorization changes almost instantaneous, at the increased cost of a round trip to the state store.
params:
- principal: a security principal associated with a user
return values:
- error: nil if successful, else the relevant error if the claim is malformed
func (*Token) CheckClaims
func (authZ *Token) CheckClaims(objects ...interface{}) error
CheckClaims checks for specific claims in an authorization token object. These claims are evaluated based on the object type, such as a tenant or a role, and an associated policy.
Parameters:
- (Receiver): authorization token object that should be carrying the appropriate claims
- objects: claim targets. These can be specific objects, such as tenants or networks, or specific types, such as a role.
Return values:
- error: nil if successful, else errors.ErrUnauthorized if the authorization claim for a particular object is not present, or if claims for a particular object type are not supported
func (*Token) GetClaim
func (authZ *Token) GetClaim(claimKey string) string
GetClaim returns the value of the given claim key.
params:
- claimKey: string representing the claim key
return values:
- string: claim value string obtained from the token
func (*Token) IsSuperuser
func (authZ *Token) IsSuperuser() bool
IsSuperuser checks if the token belongs to a superuser (i.e. `admin` in our system). It queries the authorization database to obtain this information.
params:
- (Receiver): authorization token object which carries all principals associated with the user
return values:
- true if the token belongs to a superuser, else false
func (*Token) Stringify
func (authZ *Token) Stringify() (string, error)
Stringify returns an encoded string representation of the authorization token.
params:
- (Receiver): authorization token object that should be carrying the appropriate claims
return values:
- string: string representation of the token if successful, "" otherwise
- error: nil on success, otherwise as returned by SignedString if the underlying JWT object cannot be encoded and signed appropriately