Constants

// Scope bit flags recorded in RESTRolePermitOptionInternal.SupportScope:
// they say on which kind of domain a permission may be granted to a role.
const (
	CONST_PERM_SUPPORT_GLOBAL = 0x1 // grantable on the global domain
	CONST_PERM_SUPPORT_DOMAIN = 0x2 // grantable on individual domains
	// Both scopes at once; written as the OR of the two flags so the value
	// stays correct if either flag is ever renumbered.
	CONST_PERM_SUPPORT_BOTH = CONST_PERM_SUPPORT_GLOBAL | CONST_PERM_SUPPORT_DOMAIN
)
// Role-set selectors. These are presumably the values accepted by the `usage`
// argument of GetValidRoles / IsValidRole — confirm against those callers.
const (
	CONST_VISIBLE_USER_ROLE   = iota // roles that can be associated with global domain
	CONST_VISIBLE_DOMAIN_ROLE        // domain roles & mappable group domain roles are the same set
	CONST_MAPPABLE_SERVER_DEFAULT_ROLE
)
// API categories. Each node of the URI tree carries one of these as its
// apiCategoryID (see dumpApiUriParts); the category presumably selects which
// permission family a caller must hold for that API — verify in
// CompileUriPermitsMapping.
//
// Values are positional (iota). Append new categories at the end rather than
// inserting in the middle if these numbers are ever persisted or compared
// across builds.
const (
	CONST_API_UNKNOWN = iota
	CONST_API_UNSUPPORTED
	CONST_API_SKIP
	CONST_API_NO_AUTH // presumably APIs served without authentication — confirm before relying on it
	CONST_API_DEBUG   // i.e. for admin only
	CONST_API_RT_SCAN
	CONST_API_REG_SCAN
	CONST_API_CICD_SCAN
	CONST_API_CLOUD
	CONST_API_INFRA
	CONST_API_NV_RESOURCE
	CONST_API_WORKLOAD
	CONST_API_GROUP
	CONST_API_RT_POLICIES
	CONST_API_ADM_CONTROL
	CONST_API_COMPLIANCE
	CONST_API_AUDIT_EVENTS
	CONST_API_SECURITY_EVENTS
	CONST_API_EVENTS
	CONST_API_AUTHENTICATION
	CONST_API_AUTHORIZATION
	CONST_API_SYSTEM_CONFIG
	CONST_API_IBMSA
	CONST_API_FED
	CONST_API_PWD_PROFILE   // i.e. for password profile
	CONST_API_VULNERABILITY // i.e. for vulnerability profile
)

These constants are the values of the unexported apiCategoryID type stored on each UriApiNode.

// AccessDomainGlobal is the domain name that denotes the global scope. The
// empty string is presumably the key under which a user's global role is kept
// in a DomainRole map — confirm against NewAccessControl's callers.
const AccessDomainGlobal = ""

Variables

// PermissionOptions is the catalogue of permissions that a role can be built
// from. Each entry's ID is the permission identifier exposed to API clients.
// If an entry has no ComplexPermits, its Value is the effective internal
// permission the controller checks; otherwise the ComplexPermits entries are
// the effective internal permissions. SupportScope says whether the
// permission can be granted on the global domain, on individual domains, or
// both; ReadSupported / WriteSupported say which access kinds it offers.
//
// Review notes on the table (behaviour unchanged, just flagged):
//   - PERM_CICD_SCAN is write-only and PERM_AUDIT_EVENTS, PERMS_SECURITY_EVENTS
//     and PERM_EVENTS are read-only.
//   - PERM_CLOUD supports neither read nor write, so it presumably cannot be
//     selected for a custom role at all — confirm that is intentional.
//   - PERMS_COMPLIANCE is global-only while two of its sub-permits are scoped
//     BOTH; confirm a domain-scoped grant is really not meant to be possible.
var PermissionOptions = []*api.RESTRolePermitOptionInternal{
	{
		ID: share.PERM_SYSTEM_CONFIG_ID, Value: share.PERM_SYSTEM_CONFIG,
		SupportScope: CONST_PERM_SUPPORT_GLOBAL, ReadSupported: true, WriteSupported: true,
	},
	{
		ID: share.PERM_IBMSA_ID, Value: share.PERM_IBMSA,
		SupportScope: CONST_PERM_SUPPORT_GLOBAL, ReadSupported: true, WriteSupported: true,
	},
	{
		ID: share.PERM_FED_ID, Value: share.PERM_FED,
		SupportScope: CONST_PERM_SUPPORT_GLOBAL, ReadSupported: true, WriteSupported: true,
	},
	{
		ID: share.PERM_NV_RESOURCE_ID, Value: share.PERM_NV_RESOURCE,
		SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true, WriteSupported: true,
	},
	{
		// Composite permission: the three sub-permits below are what the
		// controller actually enforces.
		ID: share.PERMS_RUNTIME_SCAN_ID, Value: share.PERMS_RUNTIME_SCAN,
		SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true, WriteSupported: true,
		ComplexPermits: []*api.RESTRolePermitOptionInternal{
			{
				ID: share.PERM_RUNTIME_SCAN_BASIC_ID, Value: share.PERM_RUNTIME_SCAN_BASIC,
				SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true, WriteSupported: true,
			},
			{
				ID: share.PERM_WORKLOAD_BASIC_ID, Value: share.PERM_WORKLOAD_BASIC,
				SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true, WriteSupported: true,
			},
			{
				ID: share.PERM_INFRA_BASIC_ID, Value: share.PERM_INFRA_BASIC,
				SupportScope: CONST_PERM_SUPPORT_GLOBAL, ReadSupported: true, WriteSupported: true,
			},
		},
	},
	{
		ID: share.PERM_REG_SCAN_ID, Value: share.PERM_REG_SCAN,
		SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true, WriteSupported: true,
	},
	{
		// Write-only: there is no read form of the CI/CD scan permission.
		ID: share.PERM_CICD_SCAN_ID, Value: share.PERM_CICD_SCAN,
		SupportScope: CONST_PERM_SUPPORT_GLOBAL, WriteSupported: true,
	},
	{
		// Neither ReadSupported nor WriteSupported is set here.
		ID: share.PERM_CLOUD_ID, Value: share.PERM_CLOUD,
		SupportScope: CONST_PERM_SUPPORT_GLOBAL,
	},
	{
		ID: share.PERMS_RUNTIME_POLICIES_ID, Value: share.PERMS_RUNTIME_POLICIES,
		SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true, WriteSupported: true,
		ComplexPermits: []*api.RESTRolePermitOptionInternal{
			{
				ID: share.PERM_GROUP_BASIC_ID, Value: share.PERM_GROUP_BASIC,
				SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true, WriteSupported: true,
			},
			{
				ID: share.PERM_NETWORK_POLICY_BASIC_ID, Value: share.PERM_NETWORK_POLICY_BASIC,
				SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true, WriteSupported: true,
			},
			{
				ID: share.PERM_SYSTEM_POLICY_BASIC_ID, Value: share.PERM_SYSTEM_POLICY_BASIC,
				SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true, WriteSupported: true,
			},
			{
				ID: share.PERM_WORKLOAD_BASIC_ID, Value: share.PERM_WORKLOAD_BASIC,
				SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true, WriteSupported: true,
			},
		},
	},
	{
		ID: share.PERM_ADM_CONTROL_ID, Value: share.PERM_ADM_CONTROL,
		SupportScope: CONST_PERM_SUPPORT_GLOBAL, ReadSupported: true, WriteSupported: true,
	},
	{
		// Global-only at the top level even though two sub-permits are BOTH.
		ID: share.PERMS_COMPLIANCE_ID, Value: share.PERMS_COMPLIANCE,
		SupportScope: CONST_PERM_SUPPORT_GLOBAL, ReadSupported: true, WriteSupported: true,
		ComplexPermits: []*api.RESTRolePermitOptionInternal{
			{
				ID: share.PERM_COMPLIANCE_BASIC_ID, Value: share.PERM_COMPLIANCE_BASIC,
				SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true, WriteSupported: true,
			},
			{
				ID: share.PERM_WORKLOAD_BASIC_ID, Value: share.PERM_WORKLOAD_BASIC,
				SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true, WriteSupported: true,
			},
			{
				ID: share.PERM_INFRA_BASIC_ID, Value: share.PERM_INFRA_BASIC,
				SupportScope: CONST_PERM_SUPPORT_GLOBAL, ReadSupported: true, WriteSupported: true,
			},
		},
	},
	{
		// Read-only.
		ID: share.PERM_AUDIT_EVENTS_ID, Value: share.PERM_AUDIT_EVENTS,
		SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true,
	},
	{
		// Read-only composite.
		ID: share.PERMS_SECURITY_EVENTS_ID, Value: share.PERMS_SECURITY_EVENTS,
		SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true,
		ComplexPermits: []*api.RESTRolePermitOptionInternal{
			{
				ID: share.PERM_SECURITY_EVENTS_BASIC_ID, Value: share.PERM_SECURITY_EVENTS_BASIC,
				SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true,
			},
			{
				ID: share.PERM_WORKLOAD_BASIC_ID, Value: share.PERM_WORKLOAD_BASIC,
				SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true,
			},
		},
	},
	{
		// Read-only.
		ID: share.PERM_EVENTS_ID, Value: share.PERM_EVENTS,
		SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true,
	},
	{
		ID: share.PERM_AUTHENTICATION_ID, Value: share.PERM_AUTHENTICATION,
		SupportScope: CONST_PERM_SUPPORT_GLOBAL, ReadSupported: true, WriteSupported: true,
	},
	{
		ID: share.PERM_AUTHORIZATION_ID, Value: share.PERM_AUTHORIZATION,
		SupportScope: CONST_PERM_SUPPORT_BOTH, ReadSupported: true, WriteSupported: true,
	},
	{
		ID: share.PERM_VULNERABILITY_ID, Value: share.PERM_VULNERABILITY,
		SupportScope: CONST_PERM_SUPPORT_GLOBAL, ReadSupported: true, WriteSupported: true,
	},
}

Each entry's ID is the permission identifier visible to API clients. Regarding the entry's value: (1) if len(value.ComplexPermits) == 0, value itself is the effective internal permission used by the controller; (2) if len(value.ComplexPermits) > 0, the entries of value.ComplexPermits are the effective internal permissions used by the controller.

Functions

func AddRole

func AddRole(name string, role *share.CLUSUserRoleInternal)

func CompileUriPermitsMapping

func CompileUriPermitsMapping()

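// dumpApiUriParts prints, for debugging, every node of the URI tree rooted at
// nodes together with its apiCategoryID, one line per node. parentURI is the
// path accumulated so far (e.g. "/v1/log" while visiting the "event" part of
// GET "/v1/log/event"); verb is echoed on every line for the same tree.
// Children are printed before their parent because the recursion runs before
// the Printf, and sibling order is unspecified since nodes is a map.
// Nil entries are skipped. The function has no return value — the old comment
// claiming "return true means caller is leaf node" was stale.
func dumpApiUriParts(verb, parentURI string, nodes map[string]*UriApiNode) {
	// Ranging over an empty or nil map is a no-op, so no explicit guard is needed.
	for part, node := range nodes {
		if node == nil {
			continue
		}
		nodeURI := fmt.Sprintf("%s/%s", parentURI, part)
		dumpApiUriParts(verb, nodeURI, node.childNodes)
		fmt.Printf("[dump] --------------> verb=%s, nodeURI=%s, apiID=%d\n", verb, nodeURI, node.apiCategoryID)
	}
}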

func DeleteRole

func DeleteRole(name string)

func GetDomainPermissions

func GetDomainPermissions(globalRole string, roleDomains map[string][]string) ([]*api.RESTRolePermission, map[string][]*api.RESTRolePermission, error)

func GetReservedRoleNames

func GetReservedRoleNames() utils.Set

func GetRoleDetails

func GetRoleDetails(name string) *api.RESTUserRole

func GetRoleList

func GetRoleList() []*api.RESTUserRole

func GetValidRoles

func GetValidRoles(usage int) []string

func IsValidRole

func IsValidRole(role string, usage int) bool

func UpdateUserRoleForFedRoleChange

func UpdateUserRoleForFedRoleChange(fedRole string)

Types

type AccessControl

type AccessControl struct {
	// contains filtered or unexported fields
}

func NewAccessControl

func NewAccessControl(r *http.Request, op AccessOP, roles DomainRole) *AccessControl

func NewAdminAccessControl

func NewAdminAccessControl() *AccessControl

func NewFedAdminAccessControl

func NewFedAdminAccessControl() *AccessControl

Be careful when using this function: it returns an access control object carrying federation-administrator rights, the most powerful level in this package. Only create it for trusted, controller-internal operations — never in a path whose inputs come from an unauthenticated or partially authorized request.

func NewReaderAccessControl

func NewReaderAccessControl() *AccessControl

func (*AccessControl) Authorize

Authorize returns true if the caller has the required rights on at least one of the domains the object is a member of (contrast AuthorizeOwn, which requires rights on all of them).

func (*AccessControl) AuthorizeOwn

func (acc *AccessControl) AuthorizeOwn(obj share.AccessObject, f share.GetAccessObjectFunc) bool

AuthorizeOwn returns true only if the caller has the required rights on every domain the object is a member of.

func (*AccessControl) BoostPermissions

func (acc *AccessControl) BoostPermissions(toBoost uint64) *AccessControl

Permission checks are now performed at the API level, so an API rarely needs to boost the caller's permissions. Use this sparingly: the returned object carries more rights than the caller was actually granted.

func (*AccessControl) CanWriteCluster

func (acc *AccessControl) CanWriteCluster() bool

Returns true if the write permissions of the user's global role include PERMS_CLUSTER_WRITE.

func (*AccessControl) GetAdminDomains

func (acc *AccessControl) GetAdminDomains(writePermitsRequired uint64) []string

Returns all domains over which this access control object holds the required write permissions.

func (*AccessControl) HasGlobalPermissions

func (acc *AccessControl) HasGlobalPermissions(readPermitsRequired, writePermsRequired uint64) bool

Returns true only when the access control object was created for a user whose global role has the specified read and write permissions.

func (*AccessControl) HasRequiredPermissions

func (acc *AccessControl) HasRequiredPermissions() bool

Returns true when the access control object was created for a user whose role on at least one domain, or globally, has the required read/write permissions (presumably those derived from the request passed to NewAccessControl — confirm against its implementation).

func (*AccessControl) IsFedAdmin

func (acc *AccessControl) IsFedAdmin() bool

Returns true only when the access control object was created for a user whose global role has the same read and write permissions as the fedAdmin role.

func (*AccessControl) IsFedReader

func (acc *AccessControl) IsFedReader() bool

Returns true only when the access control object was created for a user whose global role has the same read permissions as the fedReader role.

func (*AccessControl) NewWithOp

func (acc *AccessControl) NewWithOp(op AccessOP) *AccessControl

Returns a new access control object identical to the receiver except that it uses the given op.

type AccessOP

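// AccessOP names the kind of access an AccessControl is checking: read or write.
type AccessOP string

// Both constants are given the explicit AccessOP type. Inside a const block
// only an entry that repeats the previous expression implicitly inherits its
// type; the original `AccessOPWrite = "write"` therefore declared an untyped
// string constant, not an AccessOP, so `op := AccessOPWrite` produced a plain
// string and the two constants were inconsistent with each other.
const (
	AccessOPRead  AccessOP = "read"
	AccessOPWrite AccessOP = "write"
)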

type DomainRole

// DomainRole maps a domain name to the role the user holds on that domain.
// NOTE(review): the global role is presumably stored under the
// AccessDomainGlobal ("") key — confirm against NewAccessControl's callers.
type DomainRole map[string]string // domain -> role

type UriApiNode

type UriApiNode struct {
	// contains filtered or unexported fields
}
