/staging/src/k8s.io/api/authorization/v1beta1/types.go
Go | 268 lines | 83 code | 33 blank | 152 comment | 0 complexity | 783cd2157166f876b3b580f5db0f7aa8 MD5 | raw file
- /*
- Copyright 2015 The Kubernetes Authors.
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- */
- package v1beta1
- import (
- "fmt"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- )
- // +genclient
- // +genclient:nonNamespaced
- // +genclient:noVerbs
- // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
- // SubjectAccessReview checks whether or not a user or group can perform an action.
- type SubjectAccessReview struct {
- metav1.TypeMeta `json:",inline"`
- // +optional
- metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
- // Spec holds information about the request being evaluated
- Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
- // Status is filled in by the server and indicates whether the request is allowed or not
- // +optional
- Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
- }
- // +genclient
- // +genclient:nonNamespaced
- // +genclient:noVerbs
- // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
- // SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a
- // spec.namespace means "in all namespaces". Self is a special case, because users should always be able
- // to check whether they can perform an action
- type SelfSubjectAccessReview struct {
- metav1.TypeMeta `json:",inline"`
- // +optional
- metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
- // Spec holds information about the request being evaluated. user and groups must be empty
- Spec SelfSubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
- // Status is filled in by the server and indicates whether the request is allowed or not
- // +optional
- Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
- }
- // +genclient
- // +genclient:noVerbs
- // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
- // LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
- // Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
- // checking.
- type LocalSubjectAccessReview struct {
- metav1.TypeMeta `json:",inline"`
- // +optional
- metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
- // Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace
- // you made the request against. If empty, it is defaulted.
- Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
- // Status is filled in by the server and indicates whether the request is allowed or not
- // +optional
- Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
- }
- // ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
- type ResourceAttributes struct {
- // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces
- // "" (empty) is defaulted for LocalSubjectAccessReviews
- // "" (empty) is empty for cluster-scoped resources
- // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
- // +optional
- Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
- // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.
- // +optional
- Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
- // Group is the API Group of the Resource. "*" means all.
- // +optional
- Group string `json:"group,omitempty" protobuf:"bytes,3,opt,name=group"`
- // Version is the API Version of the Resource. "*" means all.
- // +optional
- Version string `json:"version,omitempty" protobuf:"bytes,4,opt,name=version"`
- // Resource is one of the existing resource types. "*" means all.
- // +optional
- Resource string `json:"resource,omitempty" protobuf:"bytes,5,opt,name=resource"`
- // Subresource is one of the existing resource types. "" means none.
- // +optional
- Subresource string `json:"subresource,omitempty" protobuf:"bytes,6,opt,name=subresource"`
- // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
- // +optional
- Name string `json:"name,omitempty" protobuf:"bytes,7,opt,name=name"`
- }
- // NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
- type NonResourceAttributes struct {
- // Path is the URL path of the request
- // +optional
- Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`
- // Verb is the standard HTTP verb
- // +optional
- Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
- }
- // SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes
- // and NonResourceAuthorizationAttributes must be set
- type SubjectAccessReviewSpec struct {
- // ResourceAuthorizationAttributes describes information for a resource access request
- // +optional
- ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
- // NonResourceAttributes describes information for a non-resource access request
- // +optional
- NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
- // User is the user you're testing for.
- // If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups
- // +optional
- User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"`
- // Groups is the groups you're testing for.
- // +optional
- Groups []string `json:"group,omitempty" protobuf:"bytes,4,rep,name=group"`
- // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
- // it needs a reflection here.
- // +optional
- Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,5,rep,name=extra"`
- // UID information about the requesting user.
- // +optional
- UID string `json:"uid,omitempty" protobuf:"bytes,6,opt,name=uid"`
- }
- // ExtraValue masks the value so protobuf can generate
- // +protobuf.nullable=true
- // +protobuf.options.(gogoproto.goproto_stringer)=false
- type ExtraValue []string
- func (t ExtraValue) String() string {
- return fmt.Sprintf("%v", []string(t))
- }
- // SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes
- // and NonResourceAuthorizationAttributes must be set
- type SelfSubjectAccessReviewSpec struct {
- // ResourceAuthorizationAttributes describes information for a resource access request
- // +optional
- ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
- // NonResourceAttributes describes information for a non-resource access request
- // +optional
- NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
- }
- // SubjectAccessReviewStatus
- type SubjectAccessReviewStatus struct {
- // Allowed is required. True if the action would be allowed, false otherwise.
- Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"`
- // Denied is optional. True if the action would be denied, otherwise
- // false. If both allowed is false and denied is false, then the
- // authorizer has no opinion on whether to authorize the action. Denied
- // may not be true if Allowed is true.
- // +optional
- Denied bool `json:"denied,omitempty" protobuf:"varint,4,opt,name=denied"`
- // Reason is optional. It indicates why a request was allowed or denied.
- // +optional
- Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
- // EvaluationError is an indication that some error occurred during the authorization check.
- // It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
- // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
- // +optional
- EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,3,opt,name=evaluationError"`
- }
- // +genclient
- // +genclient:nonNamespaced
- // +genclient:noVerbs
- // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
- // SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace.
- // The returned list of actions may be incomplete depending on the server's authorization mode,
- // and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
- // or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
- // drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
- // SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
- type SelfSubjectRulesReview struct {
- metav1.TypeMeta `json:",inline"`
- // +optional
- metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
- // Spec holds information about the request being evaluated.
- Spec SelfSubjectRulesReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
- // Status is filled in by the server and indicates the set of actions a user can perform.
- // +optional
- Status SubjectRulesReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
- }
- type SelfSubjectRulesReviewSpec struct {
- // Namespace to evaluate rules for. Required.
- Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
- }
- // SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
- // the set of authorizers the server is configured with and any errors experienced during evaluation.
- // Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
- // even if that list is incomplete.
- type SubjectRulesReviewStatus struct {
- // ResourceRules is the list of actions the subject is allowed to perform on resources.
- // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
- ResourceRules []ResourceRule `json:"resourceRules" protobuf:"bytes,1,rep,name=resourceRules"`
- // NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
- // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
- NonResourceRules []NonResourceRule `json:"nonResourceRules" protobuf:"bytes,2,rep,name=nonResourceRules"`
- // Incomplete is true when the rules returned by this call are incomplete. This is most commonly
- // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
- Incomplete bool `json:"incomplete" protobuf:"bytes,3,rep,name=incomplete"`
- // EvaluationError can appear in combination with Rules. It indicates an error occurred during
- // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
- // ResourceRules and/or NonResourceRules may be incomplete.
- // +optional
- EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,4,opt,name=evaluationError"`
- }
- // ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
- // may contain duplicates, and possibly be incomplete.
- type ResourceRule struct {
- // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.
- Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
- // APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
- // the enumerated resources in any API group will be allowed. "*" means all.
- // +optional
- APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
- // Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups.
- // "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
- // +optional
- Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
- // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.
- // +optional
- ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`
- }
- // NonResourceRule holds information that describes a rule for the non-resource
- type NonResourceRule struct {
- // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.
- Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
- // NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full,
- // final step in the path. "*" means all.
- // +optional
- NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,2,rep,name=nonResourceURLs"`
- }