Documentation
Overview ¶
Package auth provides mechanisms for enforcing authorization to Project resources in OpenShift.
Index ¶
- func NewUserProjectWatcher(user user.Info, visibleNamespaces sets.String, ...) *userProjectWatcher
- type AuthorizationCache
- func (ac *AuthorizationCache) AddWatcher(watcher CacheWatcher)
- func (ac *AuthorizationCache) GetClusterPolicyLister() SyncedClusterPolicyLister
- func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, error)
- func (ac *AuthorizationCache) ReadyForAccess() bool
- func (ac *AuthorizationCache) RemoveWatcher(watcher CacheWatcher)
- func (ac *AuthorizationCache) Run(period time.Duration)
- type CacheWatcher
- type LastSyncResourceVersioner
- type Lister
- type Review
- type Reviewer
- type SyncedClusterPolicyBindingLister
- type SyncedClusterPolicyLister
- type SyncedPolicyBindingLister
- type SyncedPolicyLister
- type WatchableCache
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewUserProjectWatcher ¶ added in v1.3.0
func NewUserProjectWatcher(user user.Info, visibleNamespaces sets.String, projectCache *projectcache.ProjectCache, authCache WatchableCache, includeAllExistingProjects bool) *userProjectWatcher
Types ¶
type AuthorizationCache ¶
type AuthorizationCache struct {
// contains filtered or unexported fields
}
AuthorizationCache maintains a cache of the set of namespaces a user or group can access. Because answers come from a cache, they may lag behind recent policy changes.
func NewAuthorizationCache ¶
func NewAuthorizationCache(namespaces cache.SharedIndexInformer, reviewer Reviewer,
clusterPolicyLister SyncedClusterPolicyLister, clusterPolicyBindingLister SyncedClusterPolicyBindingLister,
policyNamespacer SyncedPolicyLister, policyBindingNamespacer SyncedPolicyBindingLister,
) *AuthorizationCache
NewAuthorizationCache creates a new AuthorizationCache
func (*AuthorizationCache) AddWatcher ¶ added in v1.3.0
func (ac *AuthorizationCache) AddWatcher(watcher CacheWatcher)
func (*AuthorizationCache) GetClusterPolicyLister ¶ added in v1.3.0
func (ac *AuthorizationCache) GetClusterPolicyLister() SyncedClusterPolicyLister
func (*AuthorizationCache) List ¶
func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, error)
List returns the set of namespace names the user has access to view
func (*AuthorizationCache) ReadyForAccess ¶ added in v0.6.1
func (ac *AuthorizationCache) ReadyForAccess() bool
func (*AuthorizationCache) RemoveWatcher ¶ added in v1.3.0
func (ac *AuthorizationCache) RemoveWatcher(watcher CacheWatcher)
type CacheWatcher ¶ added in v1.3.0
// CacheWatcher is notified through GroupMembershipChanged; the method comment states the delivery contract.
type CacheWatcher interface {
// GroupMembershipChanged is called serially for all changes for all watchers. This method MUST NOT BLOCK.
// The serial nature makes reasoning about the code easy, but if you block in this method you will doom all watchers.
// Because delivery is serial, one stalled watcher delays change notifications for every other watcher,
// so implementations should hand the event off and return promptly.
// NOTE(review): presumably users and groups are the subjects with access to namespaceName after the
// change — confirm against the caller.
GroupMembershipChanged(namespaceName string, users, groups sets.String)
}
type LastSyncResourceVersioner ¶ added in v0.6.1
type LastSyncResourceVersioner interface {
// LastSyncResourceVersion returns a resource version as a string.
// NOTE(review): presumably the version observed at the most recent sync of the underlying store —
// confirm against implementations.
LastSyncResourceVersion() string
}
LastSyncResourceVersioner is any object that can divulge a LastSyncResourceVersion
type Lister ¶
type Lister interface {
// List returns the list of Namespace items that the user can access
// NOTE(review): on a non-nil error callers should fail closed and not fall back to an
// unfiltered namespace list.
List(user user.Info) (*kapi.NamespaceList, error)
}
Lister enforces the ability to enumerate a resource based on policy.
type Review ¶
type Review interface {
// Users returns the user names covered by this review.
Users() []string
// Groups returns the group names covered by this review.
Groups() []string
// EvaluationError returns an error description as a string.
// NOTE(review): presumably empty when evaluation succeeded; a non-empty value may mean Users and
// Groups are incomplete, so callers should check it before trusting the lists — confirm against
// implementations.
EvaluationError() string
}
Review is a list of users and groups that can access a resource
type Reviewer ¶
type Reviewer interface {
// Review performs an access review for the project identified by name and returns the
// resulting Review, or an error.
Review(name string) (Review, error)
}
Reviewer performs access reviews for a project by name
func NewAuthorizerReviewer ¶ added in v1.0.8
func NewAuthorizerReviewer(policyChecker authorizer.SubjectLocator) Reviewer
func NewReviewer ¶
func NewReviewer(resourceAccessReviewsNamespacer client.LocalResourceAccessReviewsNamespacer) Reviewer
NewReviewer returns a Reviewer that knows how to make access control reviews for a resource by name.
type SyncedClusterPolicyBindingLister ¶
// SyncedClusterPolicyBindingLister is a ClusterPolicyBindingLister that also reports its
// LastSyncResourceVersion.
type SyncedClusterPolicyBindingLister interface {
authorizationlister.ClusterPolicyBindingLister
LastSyncResourceVersioner
}
type SyncedClusterPolicyLister ¶
// SyncedClusterPolicyLister is a ClusterPolicyLister that also reports its
// LastSyncResourceVersion.
type SyncedClusterPolicyLister interface {
authorizationlister.ClusterPolicyLister
LastSyncResourceVersioner
}
type SyncedPolicyBindingLister ¶
// SyncedPolicyBindingLister is a PolicyBindingLister that also reports its
// LastSyncResourceVersion.
type SyncedPolicyBindingLister interface {
authorizationlister.PolicyBindingLister
LastSyncResourceVersioner
}
type SyncedPolicyLister ¶
// SyncedPolicyLister is a PolicyLister that also reports its LastSyncResourceVersion.
type SyncedPolicyLister interface {
authorizationlister.PolicyLister
LastSyncResourceVersioner
}
type WatchableCache ¶ added in v1.3.0
// WatchableCache combines listing the namespaces a user can view with removal of a CacheWatcher.
type WatchableCache interface {
// RemoveWatcher removes a watcher
RemoveWatcher(CacheWatcher)
// List returns the set of namespace names the user has access to view
// NOTE(review): on a non-nil error callers should fail closed and not fall back to an
// unfiltered namespace list.
List(userInfo user.Info) (*kapi.NamespaceList, error)
}