Constants ¶
// Role names that a client may ask authd to put into its Vault token.
//
// The comment on each role describes the Vault paths that role is expected
// to grant and which scope claims (tenant, project) it needs. Enforcement
// lives in the authd / Vault policies, not in this package: declaring a
// name here grants nothing by itself, and a role that is not listed in
// authd's allowedRoles cannot be obtained at all.
//
// Roles are grouped by scope: tenant-scoped first, then project-scoped.
const (
	// TenantsListRole is tenant scoped; the tenant claim is optional.
	// It grants only the default paths — listing tenants and reading
	// token_owner — and is the stub role to use when nothing more
	// specific is required.
	TenantsListRole = "tenants.list.auth"

	// TenantReadAuthRole is tenant scoped and requires a tenant claim.
	// It grants:
	//   READ at auth/flant/tenant/<tenant_uuid>
	//   LIST at auth/flant/tenant/<tenant_uuid>/project
	//   READ at auth/flant/tenant/<tenant_uuid>/project/+
	TenantReadAuthRole = "tenant.read.auth"

	// ServersQueryRole is project scoped; both tenant and project claims
	// are optional, and the claims present decide which path is readable:
	//   auth/flant/query_server
	//   auth/flant/tenant/<tenant_uuid>/query_server
	//   auth/flant/tenant/<tenant_uuid>/project/<project_uuid>/query_server
	ServersQueryRole = "servers.query"

	// SSHOpenRole is project scoped and requires both tenant and project
	// claims. It grants UPDATE at ssh/sign/signer, with allowed_parameters
	// calculated for the request — i.e. it is the role that lets a client
	// obtain signed SSH certificates.
	SSHOpenRole = "ssh.open"

	// ServersRegisterRole is project scoped and requires both tenant and
	// project claims. It grants:
	//   PUT at flant/tenant/<tenant_uuid>/project/<project_uuid>/register_server
	//   PUT at flant/tenant/<tenant_uuid>/project/<project_uuid>/server/+/connection_info
	ServersRegisterRole = "servers.register"
)
Each of these roles must be listed in the allowedRoles section of the authd configuration; a role that is absent there cannot be obtained by the client, regardless of how it is requested.
Types ¶
type VaultClient ¶
// VaultClient wraps the Vault requests this package needs.
//
// An implementation is expected to know which role each request requires
// (see the role constants in this package) and, when it was built by
// DefaultVaultClient, to escalate to that role before making the call.
// Clients built from an explicit role list (ConfiguredVaultClient,
// VaultClientAuthorizedWithSAPass) presumably operate within the roles
// they were given — confirm against the implementation.
//
// Several methods hand back credential material (a signed SSH certificate,
// a multipass JWT). Callers should treat those values as secrets: do not
// log them and do not keep them longer than needed.
//
// Note the mixed identifier types in the signatures: some lookups take a
// plain string where others take iam.TenantUUID / iam.ProjectUUID, and the
// two project lookups return different project types (iam.Project vs
// auth.Project). These are part of the interface and are preserved as-is.
type VaultClient interface {
	// Caller identity.

	// GetUser returns the user record associated with the authorized
	// token (presumably the token owner — verify against the caller).
	GetUser() (*auth.User, error)

	// Tenant and project lookups.

	GetTenants() ([]iam.Tenant, error)
	GetTenantByUUID(tenantUUID string) (*iam.Tenant, error)
	GetTenantByIdentifier(tenantIdentifier string) (*iam.Tenant, error)
	GetProjects(tenantUUID iam.TenantUUID) ([]auth.Project, error)
	GetProjectByUUID(tenantUUID string, projectUUID string) (*iam.Project, error)
	GetProjectByIdentifier(tenantUUID iam.TenantUUID, projectIdentifier string) (*auth.Project, error)

	// Server queries. serverIdentifiers and labelSelector narrow the result
	// set; an empty slice / empty selector presumably means "no filter" —
	// confirm with the implementation. The "Safe" variants return the
	// reduced auth_ext.SafeServer view rather than the full ext.Server.
	// These presumably map onto the query_server paths of ServersQueryRole.

	GetServersByTenantAndProject(tenantUUID iam.TenantUUID, projectUUID iam.ProjectUUID, serverIdentifiers []string, labelSelector string) ([]ext.Server, error)
	GetSafeServersByTenant(tenantUUID iam.TenantUUID, serverIdentifiers []string, labelSelector string) ([]auth_ext.SafeServer, error)
	GetSafeServers(serverIdentifiers []string, labelSelector string) ([]auth_ext.SafeServer, error)

	// SSH access.

	// SignPublicSSHCertificate asks Vault to sign an SSH certificate for
	// the given servers within a tenant/project scope. The returned bytes
	// are credential material (presumably the signed certificate) — handle
	// as a secret. This is the path that SSHOpenRole covers.
	SignPublicSSHCertificate(tenantUUID iam.TenantUUID, projectUUID iam.ProjectUUID, serverUUIDs []ext.ServerUUID, vaultReq VaultSSHSignRequest) ([]byte, error)

	// Server registration (the paths covered by ServersRegisterRole).

	// RegisterServer registers a server and returns its new UUID together
	// with a multipass JWT. The JWT is a bearer credential for the server
	// and must not be logged or persisted in plaintext.
	RegisterServer(server ext.Server) (ext.ServerUUID, iam.MultipassJWT, error)

	// UpdateServerConnectionInfo replaces the connection info of an
	// already-registered server and returns the updated server record.
	UpdateServerConnectionInfo(tenantUUID iam.TenantUUID, projectUUID iam.ProjectUUID, serverUUID ext.ServerUUID, connInfo ext.ConnectionInfo) (*ext.Server, error)
}
VaultClient wraps requests to Vault. It knows which role each request needs and, when it was created by DefaultVaultClient, can escalate to that role itself; clients created with ConfiguredVaultClient or VaultClientAuthorizedWithSAPass receive an explicit role list instead.
func ConfiguredVaultClient ¶
func ConfiguredVaultClient(authorizedClient *vault_api.Client, roles []authdapi.RoleWithClaim) VaultClient
func DefaultVaultClient ¶
func DefaultVaultClient() (VaultClient, error)
func VaultClientAuthorizedWithSAPass ¶
func VaultClientAuthorizedWithSAPass(vaultURL string, password iam.ServiceAccountPassword, roles []authdapi.RoleWithClaim) (VaultClient, error)
type VaultSSHSignRequest ¶