README
¶
A go implementation of OpenStack's oslo.policy
This repository provides a reimplementation of the original oslo.policy library written in python. It is meant to provide the same RBAC semantics for OpenStack enabled applications written in go.
You can view the API docs here: https://pkg.go.dev/github.com/databus23/goslo.policy
Usage
package main
import (
"log"
policy "github.com/databus23/goslo.policy"
)
func main() {
rules := map[string]string{
"admin_required": "role:admin",
"cloud_admin": "rule:admin_required and domain_id:default",
"owner": "user_id:%(user_id)s",
}
//Load and parse policy
enforcer, err := policy.NewEnforcer(rules)
if err != nil {
log.Fatal("Failed to parse policy ", err)
}
//Context provides the current token & request information needed for enforcement
ctx := policy.Context{
Auth: map[string]string{
"user_id": "u-1",
"domain_id": "default",
},
Roles: []string{"admin"},
Request: map[string]string{
"user_id": "u-1",
},
}
if enforcer.Enforce("cloud_admin", ctx) {
log.Println("user is a cloud admin")
}
if enforcer.Enforce("owner", ctx) {
log.Println("user is owner")
}
}
The package includes optional debug logging that can be enabled per context:
if os.Getenv("DEBUG") == "1" {
ctx.Logger = log.Printf //or any other function with the same signature
}
Documentation
¶
Overview ¶
Package policy provides RBAC policy enforcement similar to the OpenStack oslo.policy library.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DefaultCheck ¶
DefaultCheck is used whenever there is no specific check registered for the left hand side. It simply tries to match the right side if the check to the authentication credential given by the left side. E.g. user_id:%(target.user_id)
Types ¶
type Context ¶
type Context struct {
//Authentication context information from the keystone token, e.g. user_id, user_domain_id...
Auth map[string]string
//Roles assigned to the user for the current scope
Roles []string
//Request variables that are referenced in policy rules
Request map[string]string
//Logger can be used to enable debug logging for this context.
Logger func(msg string, args ...interface{})
// contains filtered or unexported fields
}
Context encapsulates the external data required for enforcing a rules. Populating a Context object is left to the application using the policy engine.
type Enforcer ¶
type Enforcer struct {
// contains filtered or unexported fields
}
Enforcer is responsible for loading and enforcing rules.
func NewEnforcer ¶
NewEnforcer parses the provided rule set and returns a policy enforcer By default the Enforcer registers the following checks "rule": RuleCheck "role": RoleCheck "http": HttpCheck "default": DefaultCheck
Source Files