authz

package v0.0.8

Warning: This package is not in the latest version of its module.
Published: Jun 5, 2023 License: MIT Imports: 13 Imported by: 0

README

authz

Authz is an authorization plugin that maps mongo commands to a Global/DB/Collection/Field CRUD operation and enforces policies using authzlib.

Notes:

  • An un-projected read on a collection (a find with no projection) touches every field, so it requires collection-level permissions, or permission on the * field within that collection.

Authorized Commands:

Command          CRUD                Level
aggregate        Read                DB/Collection
collstats        Read                Collection
count            Read                Collection
create           Create              DB
createIndexes    Create              DB
currentOp        Read                Global
delete           Delete              Collection
deleteIndexes    Delete              Collection
distinct         Read                Field
dropDatabase     Delete              Global
drop             Delete              DB
dropIndexes      Delete              Collection
endSessions      Delete              Global
explain          Read                Collection
findAndModify    Read/Create/Update  Collection/Field
find             Read                Field
getMore          Read                (same as the initial query)
hostInfo         Read                Global
insert           Create              Collection
killAllSessions  Delete              Global
killCursors      Delete              Global
killop           Delete              Global
listCollections  Read                DB
listDatabases    Read                Global
listIndexes      Read                Collection
serverStatus     Read                Global
shardCollection  Update              Global
update           Create/Update       Collection/Field

OPEN_COMMAND (commands passed through without an authorization check):

  • connectionStatus
  • saslStart
  • getnonce
  • logout
  • ping
  • isMaster
  • ismaster
  • buildInfo
  • buildinfo

The OPEN_COMMAND variable in the package source (see Variables below) also lists dbStats and dbstats.

TODO:

  • mapReduce (block)
  • validate (block)

Documentation

Constants

const Name = "authz"
const UNAUTHENTICATED_ROLE = "UNAUTHENTICATED"

Variables

var (
	OPEN_COMMAND = map[string]struct{}{
		"isMaster":         {},
		"ismaster":         {},
		"buildInfo":        {},
		"buildinfo":        {},
		"connectionStatus": {},
		"saslStart":        {},
		"getnonce":         {},
		"logout":           {},
		"ping":             {},
		"dbStats":          {},
		"dbstats":          {},
	}
)

Functions

This section is empty.

Types

type AuthzPlugin

type AuthzPlugin struct {
	// contains filtered or unexported fields
}

This is a plugin that handles sending the request to the actual downstream mongo.

func (*AuthzPlugin) Configure

func (p *AuthzPlugin) Configure(d bson.D) error

Configure configures this plugin with the given configuration object. Returns an error if the configuration is invalid for the plugin.

func (*AuthzPlugin) LoadConfig

func (p *AuthzPlugin) LoadConfig() (err error)

func (*AuthzPlugin) Name

func (p *AuthzPlugin) Name() string

func (*AuthzPlugin) Process

func (p *AuthzPlugin) Process(ctx context.Context, r *plugins.Request, next plugins.PipelineFunc) (bson.D, error)

Process is the function executed when a message is called in the pipeline.

type AuthzPluginConfig

type AuthzPluginConfig struct {
	// Paths is the path on disk to load authz policies/roles/config from
	Paths              []string `bson:"paths"`
	LogUnauthenticated bool     `bson:"logUnauthenticated"` // Log all unauthenticated requests

	// DenyByDefault controls whether the default policy is to deny (true) or not (false)
	DenyByDefault           bool            `bson:"denyByDefault"`
	DenyByDefaultNamespaces map[string]bool `bson:"denyByDefaultNamespaces"`
}
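The README's command table, the OPEN_COMMAND set and the DenyByDefault setting together describe one decision procedure: map the command to a (CRUD, level) requirement, expand the request into the namespaces that need a grant at that level (an un-projected find needs a collection-level grant or the "*" field), let open commands through without a check, and fall back to the default when no rule matches. The Go program below is an added illustration of that procedure, not the authz package's own code and not authzlib's policy format (which this page does not show). The Grant, Request and Authorize names, the prefix-match grant model, the constructed grants, and the subset of the table it embeds are assumptions made for the example.

```go
package main

import "fmt"

type CRUD string // operation class a command maps to (README "CRUD" column)
const Create, Read, Update, Delete CRUD = "Create", "Read", "Update", "Delete"

type Level int // scope a grant must exist at (README "Level" column)
const Global, DB, Collection, Field Level = 0, 1, 2, 3 // coarser covers finer

// commandTable is a constructed subset of the README table, limited to rows
// with a single unambiguous (CRUD, Level) pair.
var commandTable = map[string]struct{ Op CRUD; Level Level }{
	"find": {Read, Field}, "count": {Read, Collection}, "listCollections": {Read, DB},
	"listDatabases": {Read, Global}, "insert": {Create, Collection},
	"delete": {Delete, Collection}, "drop": {Delete, DB}, "dropDatabase": {Delete, Global},
}

// openCommands mirrors the package's OPEN_COMMAND set: no policy check at all.
var openCommands = map[string]struct{}{
	"isMaster": {}, "ismaster": {}, "buildInfo": {}, "buildinfo": {}, "ping": {},
	"connectionStatus": {}, "saslStart": {}, "getnonce": {}, "logout": {},
	"dbStats": {}, "dbstats": {},
}

// Grant is a hypothetical allow rule (assumed for this example): Op on a
// namespace Path of 0 (global), 1 (db), 2 (db.collection) or 3
// (db.collection.field) components, where "*" matches any single component.
type Grant struct {
	Op   CRUD
	Path []string
}

// Request is what the check needs; empty Fields means an un-projected read.
type Request struct {
	Command, DB, Collection string
	Fields                  []string
}

// covers: the grant path must be a component-wise prefix of the target, so a
// coarser grant (db.collection) covers finer targets (db.collection.field).
func (g Grant) covers(op CRUD, target []string) bool {
	if g.Op != op || len(g.Path) > len(target) {
		return false
	}
	for i, p := range g.Path {
		if p != "*" && p != target[i] {
			return false
		}
	}
	return true
}

// targets lists the namespace paths a request must be granted on, cut down
// to the level the command is mapped to.
func targets(r Request, lvl Level) [][]string {
	if lvl < Field {
		return [][]string{[]string{r.DB, r.Collection}[:int(lvl)]}
	}
	fields := r.Fields
	if len(fields) == 0 { // un-projected read: every field, i.e. the "*" field
		fields = []string{"*"}
	}
	var out [][]string
	for _, f := range fields {
		out = append(out, []string{r.DB, r.Collection, f})
	}
	return out
}

// Authorize decides r against the allow rules; denyByDefault is the outcome
// when no rule matches, as the AuthzPluginConfig.DenyByDefault comment says.
func Authorize(r Request, grants []Grant, denyByDefault bool) (bool, string) {
	if _, open := openCommands[r.Command]; open {
		return true, "open command"
	}
	req, mapped := commandTable[r.Command]
	if !mapped {
		return false, "unmapped command " + r.Command
	}
	for _, t := range targets(r, req.Level) {
		covered := false
		for _, g := range grants {
			covered = covered || g.covers(req.Op, t)
		}
		if !covered && denyByDefault {
			return false, fmt.Sprintf("no %s grant for %v", req.Op, t)
		}
	}
	return true, "granted (or default allow)"
}

func main() {
	// Constructed grants: all fields of shop.orders, only "name" in shop.customers.
	grants := []Grant{{Read, []string{"shop", "orders", "*"}}, {Read, []string{"shop", "customers", "name"}}}
	for _, coll := range []string{"orders", "customers"} {
		ok, why := Authorize(Request{Command: "find", DB: "shop", Collection: coll}, grants, true)
		fmt.Println(coll, ok, why)
	}
}
```

Running it shows the README note in action: the un-projected find on shop.orders is allowed by the "*" field grant, while the same find on shop.customers is denied because only a single field is granted there, even though a find projecting just "name" would pass. Flipping denyByDefault to false turns every unmatched request into an allow, which is why the field defaults matter as much as the policies themselves.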
