package engine

v0.0.0-...-f2d6421
Published: May 4, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package engine provides a CEL-based authorization engine for gRPC.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthorizationArgs

type AuthorizationArgs struct {
	// contains filtered or unexported fields
}

AuthorizationArgs is the input of the CEL-based authorization engine.

type AuthorizationDecision

type AuthorizationDecision struct {
	// contains filtered or unexported fields
}

AuthorizationDecision is the output of CEL-based authorization engines. If decision is allow or deny, policyNames will either contain the names of all the policies matched in the engine that permitted the action, or be empty as the decision was made after all conditions evaluated to false. If decision is unknown, policyNames will contain the list of policies that evaluated to unknown.

type AuthorizationEngine

type AuthorizationEngine struct {
	// contains filtered or unexported fields
}

AuthorizationEngine is the struct for the CEL-based authorization engine.

func NewAuthorizationEngine

func NewAuthorizationEngine(allow, deny *pb.RBAC) (*AuthorizationEngine, error)

NewAuthorizationEngine builds a CEL evaluation engine from at most one allow and one deny Envoy RBAC.

func (*AuthorizationEngine) Evaluate

func (authorizationEngine *AuthorizationEngine) Evaluate(args *AuthorizationArgs) (AuthorizationDecision, error)

Evaluate is the core function that evaluates whether an RPC is authorized.

ALLOW policy. If one of the RBAC conditions evaluates to true, the CEL-based authorization engine returns allow. If all of the RBAC conditions evaluate to false, it returns deny. Otherwise, when some conditions are false and the rest are unknown, it returns undecided.

DENY policy. If one of the RBAC conditions evaluates to true, the CEL-based authorization engine returns deny. If all of the RBAC conditions evaluate to false, it returns allow. Otherwise, when some conditions are false and the rest are unknown, it returns undecided.

DENY policy + ALLOW policy. Evaluation proceeds in the following order: if one of the expressions in the DENY policy is true, the authorization engine returns deny. If one of the expressions in the DENY policy is unknown, it returns undecided. Only once all the expressions in the DENY policy are false does it return the evaluation of the ALLOW policy.
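The three-valued combination rules above are easy to get wrong when the ALLOW and DENY policies are mixed, so here is a stand-alone illustration of them. This is an added example written for this page, not the engine's own code: `Decision` and its constants mirror the names documented on this page, while `CondResult`, `Policy`, `evaluatePolicy` and `Evaluate` are hypothetical stand-ins that take each condition's outcome as already computed (the real engine evaluates CEL expressions over the RPC's `AuthorizationArgs`). The behaviour when neither policy is given is not defined on this page and is treated as unknown here by assumption.

```go
package main

import (
	"fmt"
	"sort"
)

// Decision mirrors the three outcomes the engine documents.
type Decision int32

const (
	DecisionAllow Decision = iota
	DecisionDeny
	DecisionUnknown
)

func (d Decision) String() string {
	switch d {
	case DecisionAllow:
		return "allow"
	case DecisionDeny:
		return "deny"
	default:
		return "unknown"
	}
}

// CondResult is the outcome of one RBAC condition. A CEL expression over
// partial request data may be neither true nor false, hence CondUnknown.
type CondResult int

const (
	CondFalse CondResult = iota
	CondTrue
	CondUnknown
)

// Policy is a hypothetical stand-in for an Envoy RBAC: condition name to the
// pre-computed result of that condition for one request.
type Policy struct {
	Conds map[string]CondResult
}

// evaluatePolicy applies the single-policy rule: any true condition yields
// onMatch (allow for an ALLOW policy, deny for a DENY policy), all-false
// yields the opposite, and false-plus-unknown yields unknown. The returned
// names are the matched conditions, or for unknown the unknown conditions.
func evaluatePolicy(p Policy, onMatch Decision) (Decision, []string) {
	var matched, unknown []string
	for name, r := range p.Conds {
		switch r {
		case CondTrue:
			matched = append(matched, name)
		case CondUnknown:
			unknown = append(unknown, name)
		}
	}
	if len(matched) > 0 {
		sort.Strings(matched) // map order is random; sort for stable output
		return onMatch, matched
	}
	if len(unknown) > 0 {
		sort.Strings(unknown)
		return DecisionUnknown, unknown
	}
	if onMatch == DecisionDeny {
		return DecisionAllow, nil
	}
	return DecisionDeny, nil
}

// Evaluate combines an optional DENY and an optional ALLOW policy in the
// documented order: DENY first, and only when every DENY condition is false
// does the ALLOW policy decide.
func Evaluate(allow, deny *Policy) (Decision, []string) {
	if deny != nil {
		d, names := evaluatePolicy(*deny, DecisionDeny)
		// A true or unknown DENY condition short-circuits; with no ALLOW
		// policy, an all-false DENY policy is itself the final allow.
		if d != DecisionAllow || allow == nil {
			return d, names
		}
	}
	if allow != nil {
		return evaluatePolicy(*allow, DecisionAllow)
	}
	// Assumption: no policy at all gives no information to decide on.
	return DecisionUnknown, nil
}

func main() {
	// Constructed sample: an ALLOW policy with one matching condition and a
	// DENY policy whose "geo" condition could not be evaluated.
	allow := &Policy{Conds: map[string]CondResult{"admin": CondTrue, "reader": CondFalse}}
	deny := &Policy{Conds: map[string]CondResult{"blocked": CondFalse, "geo": CondUnknown}}
	d, names := Evaluate(allow, deny)
	fmt.Println(d, names) // the unknown DENY condition wins: unknown [geo]
}
```

The point worth noticing is the asymmetry: an unknown condition in the DENY policy blocks a would-be allow, whereas an unknown condition in the ALLOW policy only matters once nothing in it matched. A caller that maps `DecisionUnknown` to "allow" for convenience silently removes that safety margin.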

type Decision

type Decision int32

Decision represents different authorization decisions a CEL-based authorization engine can return.

const (
	// DecisionAllow indicates allowing the RPC to go through.
	DecisionAllow Decision = iota
	// DecisionDeny indicates denying the RPC from going through.
	DecisionDeny
	// DecisionUnknown indicates that there is insufficient information to
	// determine whether or not an RPC call is authorized.
	DecisionUnknown
)

func (Decision) String

func (d Decision) String() string

String returns the string representation of a Decision object.
