changes to support namespaces

This commit is contained in:
niravparikh05
2022-05-23 12:42:51 +05:30
parent 2bca7b4624
commit 8ab85e57c9
28 changed files with 275 additions and 1407 deletions


@@ -1,139 +0,0 @@
{
"swagger": "2.0",
"info": {
"title": "proto/rpc/authz/authz.proto",
"version": "version not set"
},
"tags": [
{
"name": "Authz"
}
],
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"paths": {},
"definitions": {
"protobufAny": {
"type": "object",
"properties": {
"@type": {
"type": "string"
}
},
"additionalProperties": {}
},
"rpcStatus": {
"type": "object",
"properties": {
"code": {
"type": "integer",
"format": "int32"
},
"message": {
"type": "string"
},
"details": {
"type": "array",
"items": {
"$ref": "#/definitions/protobufAny"
}
}
}
},
"v1BoolReply": {
"type": "object",
"properties": {
"res": {
"type": "boolean"
}
}
},
"v1Policies": {
"type": "object",
"properties": {
"policies": {
"type": "array",
"items": {
"$ref": "#/definitions/v1Policy"
}
}
}
},
"v1Policy": {
"type": "object",
"properties": {
"sub": {
"type": "string",
"title": "Who needs the access"
},
"ns": {
"type": "string",
"title": "Namespace scope, * for all ns"
},
"proj": {
"type": "string",
"title": "Project scope, * for all projects"
},
"org": {
"type": "string",
"title": "Org scope"
},
"obj": {
"type": "string",
"title": "Resource for which the access is needed"
}
}
},
"v1RolePermissionMapping": {
"type": "object",
"properties": {
"role": {
"type": "string"
},
"permission": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"v1RolePermissionMappingList": {
"type": "object",
"properties": {
"rolePermissionMappingList": {
"type": "array",
"items": {
"$ref": "#/definitions/v1RolePermissionMapping"
}
}
}
},
"v1UserGroup": {
"type": "object",
"properties": {
"user": {
"type": "string"
},
"grp": {
"type": "string"
}
}
},
"v1UserGroups": {
"type": "object",
"properties": {
"userGroups": {
"type": "array",
"items": {
"$ref": "#/definitions/v1UserGroup"
}
}
}
}
}
}


@@ -874,7 +874,6 @@
},
"namespace": {
"type": "string",
"format": "int64",
"description": "Namespace",
"title": "Namespace"
},


@@ -984,7 +984,6 @@
},
"namespace": {
"type": "string",
"format": "int64",
"description": "Namespace",
"title": "Namespace"
},


@@ -1353,7 +1353,6 @@
},
"namespace": {
"type": "string",
"format": "int64",
"description": "Namespace",
"title": "Namespace"
},
@@ -1384,7 +1383,6 @@
},
"namespace": {
"type": "string",
"format": "int64",
"description": "Namespace",
"title": "Namespace"
},


@@ -1,93 +0,0 @@
package dao
import (
"context"
"time"
"github.com/RafayLabs/rcloud-base/internal/dao"
"github.com/RafayLabs/rcloud-base/internal/models"
commonv3 "github.com/RafayLabs/rcloud-base/proto/types/commonpb/v3"
infrav3 "github.com/RafayLabs/rcloud-base/proto/types/infrapb/v3"
"github.com/RafayLabs/rcloud-base/proto/types/scheduler"
"github.com/google/uuid"
"github.com/uptrace/bun"
)
func GetNamespace(ctx context.Context, db bun.IDB, clusterID uuid.UUID, name string) (models.ClusterNamespace, error) {
var cn models.ClusterNamespace
err := db.NewSelect().Model(&cn).
Where("cluster_id = ?", clusterID).
Where("name = ?", name).
Scan(ctx)
if err != nil {
return cn, err
}
return cn, nil
}
func GetNamespaces(ctx context.Context, db bun.IDB, clusterID uuid.UUID) ([]models.ClusterNamespace, error) {
var cns []models.ClusterNamespace
_, err := dao.GetX(ctx, db, "cluster_id", clusterID, &cns)
return cns, err
}
func GetNamespacesForConditions(ctx context.Context, db bun.IDB, clusterID uuid.UUID, conditions []scheduler.ClusterNamespaceCondition) ([]models.ClusterNamespace, int, error) {
var cns []models.ClusterNamespace
q := db.NewSelect().Model(&cns).Where("cluster_id = ?", clusterID)
for _, condition := range conditions {
q.WhereGroup("", func(sq *bun.SelectQuery) *bun.SelectQuery {
sq = sq.Where(conditionStatusQ, int(condition.Type), map[string]string{
"status": condition.Status.String(),
})
since := time.Now().Add(-time.Minute)
if !condition.LastUpdated.IsValid() {
since = condition.LastUpdated.AsTime().Add(-time.Minute)
}
sq = sq.Where(conditionLastUpdatedQ, int(condition.Type), since)
return sq
})
}
count, err := q.ScanAndCount(ctx)
return cns, count, err
}
func UpdateNamespaceStatus(ctx context.Context, db bun.IDB, updated *models.ClusterNamespace) error {
_, err := db.NewUpdate().Model(updated).
Set("conditions = ?", updated.Conditions).
Set("status = ?", updated.Status).
Where("cluster_id = ?", updated.ClusterId).
Where("name = ?", updated.Name).
Exec(ctx, updated)
return err
}
func GetNamespaceHashes(ctx context.Context, db bun.IDB, clusterID uuid.UUID) ([]infrav3.NameHash, error) {
var nameHashes []infrav3.NameHash
err := db.NewSelect().
Model((*models.ClusterNamespace)(nil)).
Column("name", "hash").
//TODO: to be changed to ClusterTaskDeleted later once task is supported
ColumnExpr(deletingExpr, 3, map[string]string{"status": commonv3.RafayConditionStatus_NotSet.String()}).
Where("cluster_id = ?", clusterID).
Scan(ctx, &nameHashes)
if err != nil {
return nil, err
}
return nameHashes, nil
}


@@ -252,141 +252,6 @@ subjects:
name: default
namespace: rafay-system
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: namespaces.cluster.rafay.dev
spec:
conversion:
strategy: None
group: cluster.rafay.dev
names:
kind: Namespace
listKind: NamespaceList
plural: namespaces
shortNames:
- rns
singular: namespace
scope: Namespaced
versions:
- name: v2
served: true
storage: true
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: tasklets.cluster.rafay.dev
spec:
conversion:
strategy: None
group: cluster.rafay.dev
names:
kind: Tasklet
listKind: TaskletList
plural: tasklets
shortNames:
- rtl
singular: tasklet
scope: Namespaced
versions:
- name: v2
served: true
storage: true
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: tasks.cluster.rafay.dev
spec:
conversion:
strategy: None
group: cluster.rafay.dev
names:
kind: Task
listKind: TaskList
plural: tasks
shortNames:
- rt
singular: task
scope: Namespaced
versions:
- name: v2
served: true
storage: true
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: v1
kind: ConfigMap
metadata:


@@ -0,0 +1,68 @@
package dao
import (
"context"
"database/sql"
"github.com/RafayLabs/rcloud-base/internal/models"
"github.com/google/uuid"
"github.com/uptrace/bun"
)
func GetProjectNamespaces(ctx context.Context, db bun.IDB, projectID uuid.UUID) ([]string, error) {
var cns []string
var panr []models.ProjectAccountNamespaceRole
err := db.NewSelect().Model(&panr).Where("project_id = ?", projectID).Where("trash = ?", false).Scan(ctx)
if err != sql.ErrNoRows {
return nil, err
}
for _, nr := range panr {
cns = append(cns, nr.NamespaceId)
}
var pgnr []models.ProjectGroupNamespaceRole
err = db.NewSelect().Model(&pgnr).Where("project_id = ?", projectID).Where("trash = ?", false).Scan(ctx)
if err != sql.ErrNoRows {
return nil, err
}
for _, nr := range pgnr {
cns = append(cns, nr.NamespaceId)
}
return cns, err
}
func GetAccountProjectNamespaces(ctx context.Context, db bun.IDB, projectID uuid.UUID, accountID uuid.UUID) ([]string, error) {
var cns []string
var panr []models.ProjectAccountNamespaceRole
err := db.NewSelect().Model(&panr).Where("project_id = ?", projectID).Where("account_id = ?", accountID).Scan(ctx)
if err != nil {
return nil, err
}
for _, nr := range panr {
cns = append(cns, nr.NamespaceId)
}
return cns, err
}
func GetGroupProjectNamespaces(ctx context.Context, db bun.IDB, projectID uuid.UUID, accountID uuid.UUID) ([]string, error) {
var cns []string
var pgnr []models.ProjectGroupNamespaceRole
err := db.NewSelect().Model(&pgnr).Where("project_id = ?", projectID).
Join(`JOIN authsrv_groupaccount ON projectgroupnamespacerole.group_id=authsrv_groupaccount.group_id`).
Where("authsrv_groupaccount.account_id = ?", accountID).
Where("projectgroupnamespacerole.trash = ?", false).
Where("authsrv_groupaccount.trash = ?", false).Scan(ctx)
if err != nil {
return nil, err
}
for _, nr := range pgnr {
cns = append(cns, nr.NamespaceId)
}
return cns, err
}
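Review bot: GetAccountProjectNamespaces (the query at L447) omits the `trash = false` filter that both GetProjectNamespaces and GetGroupProjectNamespaces apply, so a soft-deleted account→namespace role row is still returned and, through GetAuthorization, keeps granting that namespace to the account; add `.Where("trash = ?", false)` after the `account_id` clause. In GetProjectNamespaces the two checks `if err != sql.ErrNoRows { return nil, err }` are inverted: a successful scan (err == nil) returns `nil, nil`, so the function never yields namespaces on the happy path, while the trailing `return cns, err` can hand back `sql.ErrNoRows` together with results — use `if err != nil && err != sql.ErrNoRows { return nil, err }` and finish with `return cns, nil`. None of the three queries consult the `active` column that the ProjectAccountNamespaceRole/ProjectGroupNamespaceRole models carry; whether inactive assignments should be excluded here is not visible from this file and is worth confirming before this feeds authorization.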


@@ -21,6 +21,6 @@ type ProjectAccountNamespaceRole struct {
RoleId uuid.UUID `bun:"role_id,type:uuid"`
AccountId uuid.UUID `bun:"account_id,type:uuid"`
ProjectId uuid.UUID `bun:"project_id,type:uuid"`
NamespaceId int64 `bun:"namespace_id,type:uuid"`
NamespaceId string `bun:"namespace_id"`
Active bool `bun:"active,notnull"`
}


@@ -21,6 +21,6 @@ type ProjectGroupNamespaceRole struct {
RoleId uuid.UUID `bun:"role_id,type:uuid"`
GroupId uuid.UUID `bun:"group_id,type:uuid"`
ProjectId uuid.UUID `bun:"project_id,type:uuid"`
NamespaceId int64 `bun:"namespace_id,type:uuid"`
NamespaceId string `bun:"namespace_id"`
Active bool `bun:"active,notnull"`
}


@@ -141,6 +141,7 @@ var (
gps service.GroupPermissionService
krs service.KubeconfigRevocationService
kss service.KubeconfigSettingService
ns service.NamespaceService
kcs service.KubectlClusterSettingsService
as service.AuthzService
cs service.ClusterService
@@ -345,6 +346,7 @@ func setup() {
bs = service.NewBootstrapService(db)
krs = service.NewKubeconfigRevocationService(db)
kss = service.NewKubeconfigSettingService(db)
ns = service.NewNamespaceService(db)
kcs = service.NewkubectlClusterSettingsService(db)
aps = service.NewAccountPermissionService(db)
gps = service.NewGroupPermissionService(db)
@@ -504,7 +506,7 @@ func runRelayPeerRPC(wg *sync.WaitGroup, ctx context.Context) {
if err != nil {
_log.Fatalw("unable to get create relay peer service")
}
clusterAuthzServer := server.NewClusterAuthzServer(bs, aps, gps, krs, kcs, kss)
clusterAuthzServer := server.NewClusterAuthzServer(bs, aps, gps, krs, kcs, kss, ns)
auditInfoServer := server.NewAuditInfoServer(bs, aps)
s, err := grpc.NewSecureServerWithPEM(cert, key, ca)
@@ -551,7 +553,7 @@ func runRPC(wg *sync.WaitGroup, ctx context.Context) {
bootstrapServer := server.NewBootstrapServer(bs, kekFunc, cs)
kubeConfigServer := server.NewKubeConfigServer(bs, aps, gps, kss, krs, kekFunc, ks, os, ps)
auditInfoServer := server.NewAuditInfoServer(bs, aps)
clusterAuthzServer := server.NewClusterAuthzServer(bs, aps, gps, krs, kcs, kss)
clusterAuthzServer := server.NewClusterAuthzServer(bs, aps, gps, krs, kcs, kss, ns)
kubectlClusterSettingsServer := server.NewKubectlClusterSettingsServer(bs, kcs)
crpc := server.NewClusterServer(cs, downloadData)
mserver := server.NewLocationServer(ms)


@@ -5,7 +5,7 @@ CREATE TABLE IF NOT EXISTS authsrv_projectaccountnamespacerole (
created_at timestamp with time zone NOT NULL,
modified_at timestamp with time zone NOT NULL,
trash boolean NOT NULL,
namespace_id integer NOT NULL,
namespace_id character varying(64) NOT NULL,
active boolean NOT NULL,
account_id uuid NOT NULL,
organization_id uuid,
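Review bot: Changing `namespace_id integer NOT NULL` to `character varying(64) NOT NULL` inside a `CREATE TABLE IF NOT EXISTS` statement only affects fresh databases; a deployment whose `authsrv_projectaccountnamespacerole` (and, in the sibling file, `authsrv_projectgroupnamespacerole`) table already exists keeps the integer column, and the new Go model that writes namespace names as strings will then fail at insert time. If these files are the bootstrap schema rather than versioned migrations (not visible here), the type change needs an accompanying `ALTER TABLE authsrv_projectaccountnamespacerole ALTER COLUMN namespace_id TYPE character varying(64) USING namespace_id::text;` step. A one-line comment above the column, `-- namespace_id holds the Kubernetes namespace name (DNS label, max 63 chars), not a numeric id`, would also explain the 64-character bound to the next reader.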


@@ -5,7 +5,7 @@ CREATE TABLE IF NOT EXISTS authsrv_projectgroupnamespacerole (
created_at timestamp with time zone NOT NULL,
modified_at timestamp with time zone NOT NULL,
trash boolean NOT NULL,
namespace_id integer NOT NULL,
namespace_id character varying(64) NOT NULL,
active boolean NOT NULL,
group_id uuid NOT NULL,
organization_id uuid,


@@ -2,10 +2,7 @@ package reconcile
import (
"context"
"fmt"
clstrutil "github.com/RafayLabs/rcloud-base/internal/cluster"
"github.com/RafayLabs/rcloud-base/internal/cluster/constants"
"github.com/RafayLabs/rcloud-base/pkg/log"
"github.com/RafayLabs/rcloud-base/pkg/service"
infrav3 "github.com/RafayLabs/rcloud-base/proto/types/infrapb/v3"
@@ -44,22 +41,8 @@ func NewClusterConditionReconciler(cs service.ClusterService) ClusterConditionRe
func (r *clusterConditionReconciler) Reconcile(ctx context.Context, cluster *infrav3.Cluster) error {
_log.Debugw("reconciling cluster conditions", "cluster", cluster.Metadata)
namespaceConditions, err := r.getNamespaceConditions(ctx, cluster)
if err != nil {
_log.Infow("unable to get namespace condition of cluster", "error", err, "cluster", cluster.Metadata)
return err
}
/*TODO
auxillaryConditions, err := r.getAuxillaryCondition(ctx, cluster)
if err != nil {
_log.Infow("unable to get auxillary condition of cluster", "error", err, "cluster", cluster.Metadata)
return err
}*/
var conditions []*infrav3.ClusterCondition
conditions = append(conditions, namespaceConditions...)
clusterStatus := &infrav3.Cluster{
Metadata: cluster.Metadata,
Spec: &infrav3.ClusterSpec{
@@ -72,7 +55,7 @@ func (r *clusterConditionReconciler) Reconcile(ctx context.Context, cluster *inf
}
if shouldUpdateClusterStatus(clusterStatus, cluster) {
err = r.cs.UpdateClusterConditionStatus(ctx, cluster)
err := r.cs.UpdateClusterConditionStatus(ctx, cluster)
if err != nil {
_log.Infow("unable to update cluster status", "error", err)
return err
@@ -121,44 +104,3 @@ func shouldUpdateClusterStatus(current, modified *infrav3.Cluster) bool {
return false
}
func (r *clusterConditionReconciler) getNamespaceConditions(ctx context.Context, cluster *infrav3.Cluster) ([]*infrav3.ClusterCondition, error) {
var conditions []*infrav3.ClusterCondition
cnl, err := r.cs.GetNamespaces(ctx, cluster.Metadata.Id)
if err != nil {
_log.Infow("unable to get namespaces ", "error", err, "cluster", cluster.Metadata)
return nil, err
}
ready := true
failed := false
failedReason := ""
for _, namespace := range cnl.Items {
if clstrutil.IsNamespaceConvergeFailed(namespace) {
failed = true
failedReason = fmt.Sprintf("Namespace: %s, failed reason %s", namespace.Metadata.Name, clstrutil.NamespaceConvergeFailedReason(namespace))
} else if clstrutil.IsNamespaceReadyFailed(namespace) {
failed = true
failedReason = fmt.Sprintf("Namespace: %s, failed reason %s", namespace.Metadata.Name, clstrutil.NamespaceReadyFailedReason(namespace))
}
if !clstrutil.IsNamespaceReady(namespace) {
ready = false
}
}
if len(cnl.Items) > 0 {
if failed {
conditions = append(conditions, clstrutil.NewClusterNamespaceSync(constants.Failed, failedReason))
_log.Infow("cluster namespace sync failed", "cluster", cluster.Metadata)
} else if ready {
conditions = append(conditions, clstrutil.NewClusterNamespaceSync(constants.Success, "all namespaces synced"))
}
}
return conditions, nil
}


@@ -17,6 +17,7 @@ import (
commonv3 "github.com/RafayLabs/rcloud-base/proto/types/commonpb/v3"
"github.com/RafayLabs/rcloud-base/proto/types/controller"
"github.com/RafayLabs/rcloud-base/proto/types/sentry"
"github.com/google/uuid"
corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
)
@@ -66,53 +67,26 @@ func getAuthzLabels(userName string) map[string]string {
}
}
/*TODO: pending along with namespaces
func getAccountProjectNamespace(ctx context.Context, projectID, accountID, orgID int64, apn service.AccountProjectNamespaceService) ([]string, error) {
var ns []string
func getAccountProjectNamespace(ctx context.Context, projectID, accountID string, pns service.NamespaceService) ([]string, error) {
apns, err := apn.GetAccountProjectNamesapce(ctx, orgID, accountID, projectID)
apns, err := pns.GetAccountProjectNamespaces(ctx, uuid.MustParse(projectID), uuid.MustParse(accountID))
if err != nil {
return nil, err
}
for _, apn := range apns {
ns = append(ns, apn.NamespaceName)
}
return ns, nil
return apns, nil
}
func getSSOAccountProjectNamespace(ctx context.Context, projectID, accountID, orgID int64, apn service.AccountProjectNamespaceService) ([]string, error) {
var ns []string
func getGroupAccountProjectNamespace(ctx context.Context, projectID, accountID string, apn service.NamespaceService) ([]string, error) {
apns, err := apn.GetSSOAccountProjectNamesapce(ctx, orgID, accountID, projectID)
apns, err := apn.GetGroupProjectNamespaces(ctx, uuid.MustParse(projectID), uuid.MustParse(accountID))
if err != nil {
return nil, err
}
for _, apn := range apns {
ns = append(ns, apn.NamespaceName)
}
return ns, nil
return apns, nil
}
func getGroupAccountProjectNamespace(ctx context.Context, projectID, accountID, orgID int64, apn service.AccountProjectNamespaceService) ([]string, error) {
var ns []string
apns, err := apn.GetGroupProjectNamesapce(ctx, orgID, accountID, projectID)
if err != nil {
return nil, err
}
for _, apn := range apns {
ns = append(ns, apn.NamespaceName)
}
return ns, nil
}
*/
func getProjectPermissions(ctx context.Context, projects []string, accountID, orgID, partnerID string, aps service.AccountPermissionService) (map[string][]string, string, error) {
projects = append(projects, "")
accountPermissions, err := aps.GetAccountPermissionsByProjectIDPermissions(ctx, accountID, orgID, partnerID, projects, permissions)
@@ -333,7 +307,7 @@ func getProjectsFromLabels(labels map[string]string) ([]string, error) {
// ENV_READ
// - NO Access to cluster scoped resources
// - Read Access to namespace scoped resources (only within the environment)
func GetAuthorization(ctx context.Context, req *sentryrpc.GetUserAuthorizationRequest, bs service.BootstrapService, aps service.AccountPermissionService, gps service.GroupPermissionService, krs service.KubeconfigRevocationService, kcs service.KubectlClusterSettingsService, kss service.KubeconfigSettingService) (resp *sentryrpc.GetUserAuthorizationResponse, err error) {
func GetAuthorization(ctx context.Context, req *sentryrpc.GetUserAuthorizationRequest, bs service.BootstrapService, aps service.AccountPermissionService, gps service.GroupPermissionService, krs service.KubeconfigRevocationService, kcs service.KubectlClusterSettingsService, kss service.KubeconfigSettingService, ns service.NamespaceService) (resp *sentryrpc.GetUserAuthorizationResponse, err error) {
var userName string
var groups []string
var rolePrevilage int
@@ -429,10 +403,13 @@ func GetAuthorization(ctx context.Context, req *sentryrpc.GetUserAuthorizationRe
}
}
_log.Infow("before !cnAttr.IsSSO")
// is user active
if !cnAttr.IsSSO {
active, err := aps.IsAccountActive(ctx, accountID, orgID)
_log.Infow("accountID ", accountID, "orgID ", orgID, "active ", active)
if err != nil {
_log.Infow("failed ", err.Error())
return nil, err
}
if !active {
@@ -440,6 +417,7 @@ func GetAuthorization(ctx context.Context, req *sentryrpc.GetUserAuthorizationRe
}
}
_log.Infow("before get revocation timestamp")
// get revocation timestamp
kr, err := krs.Get(ctx, orgID, accountID, cnAttr.IsSSO)
if err != nil && err != constants.ErrNotFound {
@@ -475,6 +453,7 @@ func GetAuthorization(ctx context.Context, req *sentryrpc.GetUserAuthorizationRe
return nil, err
}
_log.Infow("before get project permissions")
// get permissions in the cluster's projects
var projectPermissions map[string][]string
if !cnAttr.IsSSO {
@@ -502,31 +481,20 @@ func GetAuthorization(ctx context.Context, req *sentryrpc.GetUserAuthorizationRe
crbExclusionMap := make(map[string]bool)
rbExclusionMap := make(map[string]*roleBindExclusionList)
projectNamespaces := make([]string, 0)
/*TODO: pending with namespaces
// Get all namespaces
projectNamespaces, err := func() ([]string, error) {
var nsl []string
configClient, err := cPool.NewClient(ctx)
if err != nil {
err = errors.Wrap(err, "unable to get config client")
return nil, err
}
defer configClient.Close()
nsl := make([]string, 0)
for _, project := range projects {
namespaces, err := configClient.GetNamespaces(ctx, &configrpc.GetAllNamespacesRequest{
QueryOptions: commonv3.QueryOptions{
Project: project,
Organization: orgID,
Partner: partnerID,
},
})
_log.Infow("before get project namespaces ", project)
namespaces, err := ns.GetProjectNamespaces(ctx, uuid.MustParse(project))
if err != nil {
_log.Infow("error ", err.Error())
}
if err == nil {
_log.Debugw("Get namespaces ", "orgID", orgID, "partnerID", partnerID, "project", project, "namespaces", namespaces.Items, "itemslen", len(namespaces.Items))
for _, namespace := range namespaces.Items {
nsl = append(nsl, namespace.Name)
}
_log.Infow("Get namespaces ", "project", project, "namespaces", namespaces, "itemslen", len(namespaces))
nsl = append(nsl, namespaces...)
}
}
return nsl, nil
@@ -537,8 +505,7 @@ func GetAuthorization(ctx context.Context, req *sentryrpc.GetUserAuthorizationRe
return nil, err
}
_log.Debugw("projectNamespaces", "names", projectNamespaces)
*/
_log.Infow("projectNamespaces", "names", projectNamespaces)
for _, pm := range sentry.GetKubeConfigClusterPermissions() {
cr, err := getClusterRole(pm)
@@ -564,23 +531,17 @@ func GetAuthorization(ctx context.Context, req *sentryrpc.GetUserAuthorizationRe
var namespaces []string
_log.Infow("authorization", "project", project, "user", sa.Name, "permissions", permissions)
groups = append(groups, permissions...)
/* TODO: pending with namespaces
// need to get the namesapces assigned to this user.
if !cnAttr.IsSSO {
ns1, _ := getAccountProjectNamespace(ctx, project, accountID, orgID, apn)
ns2, _ := getGroupAccountProjectNamespace(ctx, project, accountID, orgID, apn)
if len(ns1) > 0 {
namespaces = append(namespaces, ns1...)
}
if len(ns2) > 0 {
namespaces = append(namespaces, ns2...)
}
_log.Infow("namespaces", "project", project, "accountID", accountID, "orgID", orgID, "namespaces", namespaces)
} else {
namespaces, _ = getSSOAccountProjectNamespace(ctx, project, accountID, orgID, apn)
_log.Infow("namespacesSSO", "project", project, "accountID", accountID, "orgID", orgID, "namespaces", namespaces)
ns1, _ := getAccountProjectNamespace(ctx, project, accountID, ns)
ns2, _ := getGroupAccountProjectNamespace(ctx, project, accountID, ns)
if len(ns1) > 0 {
namespaces = append(namespaces, ns1...)
}
*/
if len(ns2) > 0 {
namespaces = append(namespaces, ns2...)
}
_log.Infow("namespaces", "project", project, "accountID", accountID, "namespaces", namespaces)
// org scope
if project == "" {
for _, permission := range permissions {
@@ -732,13 +693,7 @@ func GetAuthorization(ctx context.Context, req *sentryrpc.GetUserAuthorizationRe
resp.EnforceOrgAdminOnlySecretAccess = enforceOrgAdminOnlySecretAccess
resp.IsOrgAdmin = isOrgAdmin
//to be removed along with events
_log.Infow("username", userName)
/*TODO: pending with events
// system audit log event to notify success authz
clusterName := labels["rafay.dev/clusterName"]
kubectlAuthzEvent("user.login.success", req.ClusterID, clusterName, cnAttr.OrganizationID, cnAttr.PartnerID, userName, cnAttr.AccountID, groups)
*/
return resp, nil
}
@@ -814,13 +769,6 @@ func verifyClusterKubectlSettings(ctx context.Context, bs service.BootstrapServi
return err
}
/*
if cnAttr.RelayNetwork {
_log.Debugw("skip verify cluster kubectl settings for relaynetwork sessions")
return nil // allow
}
*/
kc, err := kcs.Get(ctx, orgID, clusterID)
if err == constants.ErrNotFound {
// no settings found, hence there is no restriction.
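Review bot: The new per-project calls `getAccountProjectNamespace(ctx, project, accountID, ns)` and `getGroupAccountProjectNamespace(...)` run `uuid.MustParse(projectID)` on every iteration, yet the same loop visibly handles `project == ""` (org scope) immediately after them, so that iteration panics inside the authorization RPC on `MustParse("")` — and any malformed project label or account id reaches the same panic instead of an error. Both helpers should use `uuid.Parse` and return the error, and the caller should skip the namespace lookup for the empty (org-scope) project rather than discarding errors with `ns1, _ :=`. The same `uuid.MustParse(project)` appears in the `ns.GetProjectNamespaces` closure; whether that `projects` slice can contain the empty string is not visible here. Separately, the added `_log.Infow("accountID ", accountID, "orgID ", orgID, "active ", active)`, `_log.Infow("username", userName)` and the other "before …" lines log per-request identity data at Info level with space-padded keys and look like leftover debugging; they belong at Debug or should be removed. GetAuthorization begins and ends outside these hunks.
```go
func getAccountProjectNamespace(ctx context.Context, projectID, accountID string, pns service.NamespaceService) ([]string, error) {
	pid, err := uuid.Parse(projectID)
	if err != nil {
		return nil, err
	}
	aid, err := uuid.Parse(accountID)
	if err != nil {
		return nil, err
	}
	return pns.GetAccountProjectNamespaces(ctx, pid, aid)
}
// … same Parse-and-return shape for getGroupAccountProjectNamespace …
// … unchanged: GetAuthorization up to the per-project permissions loop …
		if project != "" { // org scope has no namespaces to look up
			ns1, err := getAccountProjectNamespace(ctx, project, accountID, ns)
			if err != nil {
				_log.Infow("unable to get account namespaces", "project", project, "error", err)
			}
			ns2, err := getGroupAccountProjectNamespace(ctx, project, accountID, ns)
			if err != nil {
				_log.Infow("unable to get group namespaces", "project", project, "error", err)
			}
			namespaces = append(namespaces, ns1...)
			namespaces = append(namespaces, ns2...)
		}
```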


@@ -25,7 +25,6 @@ import (
sentryutil "github.com/RafayLabs/rcloud-base/pkg/sentry/util"
commonv3 "github.com/RafayLabs/rcloud-base/proto/types/commonpb/v3"
infrav3 "github.com/RafayLabs/rcloud-base/proto/types/infrapb/v3"
"github.com/RafayLabs/rcloud-base/proto/types/scheduler"
"github.com/RafayLabs/rcloud-base/proto/types/sentry"
"github.com/google/uuid"
"github.com/pkg/errors"
@@ -74,16 +73,6 @@ type ClusterService interface {
GetRelaysConfigForCluster(ctx context.Context, cluster *infrav3.Cluster) ([]common.Relay, error)
// Update projects for bootstrap agents for cluster
UpdateProjectsForBootstrapAgentForCluster(ctx context.Context, cluster *infrav3.Cluster) error
// Get Namespaces for cluster and conditions
GetNamespacesForConditions(ctx context.Context, conditions []scheduler.ClusterNamespaceCondition, clusterID string) (*scheduler.ClusterNamespaceList, error)
// Get Namespaces for given cluster
GetNamespaces(ctx context.Context, clusterID string) (*scheduler.ClusterNamespaceList, error)
// Get Namespace
GetNamespace(ctx context.Context, namespace string, clusterID string) (*scheduler.ClusterNamespace, error)
// Update Namespace Status
UpdateNamespaceStatus(ctx context.Context, current *scheduler.ClusterNamespace) error
// Get Namespace hashes
GetNamespaceHashes(ctx context.Context, clusterID string) ([]infrav3.NameHash, error)
//Add event handlers
AddEventHandler(evh event.Handler)
}


@@ -98,6 +98,7 @@ func (s *groupService) createGroupRoleRelations(ctx context.Context, db bun.IDB,
projectNamespaceRoles := group.GetSpec().GetProjectNamespaceRoles()
var pgrs []models.ProjectGroupRole
var pgnr []models.ProjectGroupNamespaceRole
var grs []models.GroupRole
var ps []*authzv1.Policy
var rids []uuid.UUID
@@ -171,6 +172,7 @@ func (s *groupService) createGroupRoleRelations(ctx context.Context, db bun.IDB,
if err != nil {
return &userv3.Group{}, nil, fmt.Errorf("unable to find project '%v'", project)
}
pgr := models.ProjectGroupRole{
Trash: false,
RoleId: roleId,
@@ -189,6 +191,44 @@ func (s *groupService) createGroupRoleRelations(ctx context.Context, db bun.IDB,
Org: org,
Obj: role,
})
case "namespace":
if org == "" {
return &userv3.Group{}, nil, fmt.Errorf("no org name provided for role '%v'", roleName)
}
if project == "" {
return &userv3.Group{}, nil, fmt.Errorf("no project name provided for role '%v'", roleName)
}
projectId, err := dao.GetProjectId(ctx, s.db, project)
if err != nil {
return &userv3.Group{}, nil, fmt.Errorf("unable to find project '%v'", project)
}
namespace := pnr.GetNamespace()
pgnrObj := models.ProjectGroupNamespaceRole{
CreatedAt: time.Now(),
ModifiedAt: time.Now(),
Trash: false,
PartnerId: ids.Partner,
OrganizationId: ids.Organization,
RoleId: roleId,
GroupId: ids.Id,
ProjectId: projectId,
NamespaceId: namespace,
Active: true,
}
pgnr = append(pgnr, pgnrObj)
ps = append(ps, &authzv1.Policy{
Sub: "g:" + group.GetMetadata().GetName(),
Ns: namespace,
Proj: project,
Org: org,
Obj: role,
})
default:
if err != nil {
return group, nil, fmt.Errorf("other scoped roles are not handled")
}
}
}
if len(pgrs) > 0 {
@@ -197,6 +237,12 @@ func (s *groupService) createGroupRoleRelations(ctx context.Context, db bun.IDB,
return &userv3.Group{}, nil, err
}
}
if len(pgnr) > 0 {
_, err := dao.Create(ctx, db, &pgnr)
if err != nil {
return &userv3.Group{}, nil, err
}
}
if len(grs) > 0 {
_, err := dao.Create(ctx, db, &grs)
if err != nil {
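Review bot: The new `case "namespace"` branch validates that org and project are non-empty but stores `pnr.GetNamespace()` unchecked both in the ProjectGroupNamespaceRole row and in the authz `Policy.Ns` field, and the authz swagger removed by this same commit documents `ns` as "Namespace scope, * for all ns" — so a request carrying namespace `""` or `"*"` would create a namespace-scoped role that is effectively project-wide. Add, right after `namespace := pnr.GetNamespace()`, `if namespace == "" || namespace == "*" { return &userv3.Group{}, nil, fmt.Errorf("invalid namespace %q for role %q", namespace, roleName) }` (a DNS-label check would be stricter still, given the 64-char column). The `default:` arm also only returns its "other scoped roles are not handled" error when an earlier `err` happens to be non-nil, so an unrecognized scope appears to be silently skipped; it should return unconditionally. createGroupRoleRelations starts and ends outside this hunk.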


@@ -267,7 +267,7 @@ func TestCreateGroupNoUsersWithRoles(t *testing.T) {
func TestCreateGroupWithUsersWithRoles(t *testing.T) {
projectid := uuid.New().String()
var namespaceid int64 = 7
var namespaceid string = "7"
tt := []struct {
name string
users []string
@@ -503,7 +503,7 @@ func TestGroupGetByName(t *testing.T) {
if len(group.GetSpec().GetProjectNamespaceRoles()) != 3 {
t.Errorf("invalid number of roles returned for user, expected 3; got '%v'", len(group.GetSpec().GetProjectNamespaceRoles()))
}
if group.GetSpec().GetProjectNamespaceRoles()[2].GetNamespace() != 7 {
if group.GetSpec().GetProjectNamespaceRoles()[2].GetNamespace() != "7" {
t.Errorf("invalid namespace in role returned for user, expected 7; got '%v'", group.GetSpec().GetProjectNamespaceRoles()[2].Namespace)
}
}
@@ -549,7 +549,7 @@ func TestGroupGetById(t *testing.T) {
if len(group.GetSpec().GetProjectNamespaceRoles()) != 3 {
t.Errorf("invalid number of roles returned for user, expected 3; got '%v'", len(group.GetSpec().GetProjectNamespaceRoles()))
}
if group.GetSpec().GetProjectNamespaceRoles()[2].GetNamespace() != 9 {
if group.GetSpec().GetProjectNamespaceRoles()[2].GetNamespace() != "9" {
t.Errorf("invalid namespace in role returned for user, expected 9; got '%v'", group.GetSpec().GetProjectNamespaceRoles()[2].Namespace)
}
}


@@ -2,197 +2,55 @@ package service
import (
"context"
"encoding/json"
"strconv"
"github.com/RafayLabs/rcloud-base/internal/cluster/dao"
"github.com/RafayLabs/rcloud-base/internal/models"
"github.com/RafayLabs/rcloud-base/pkg/converter"
"github.com/RafayLabs/rcloud-base/pkg/patch"
commonv3 "github.com/RafayLabs/rcloud-base/proto/types/commonpb/v3"
"github.com/RafayLabs/rcloud-base/proto/types/controller"
infrav3 "github.com/RafayLabs/rcloud-base/proto/types/infrapb/v3"
"github.com/RafayLabs/rcloud-base/proto/types/scheduler"
"github.com/RafayLabs/rcloud-base/internal/dao"
"github.com/RafayLabs/rcloud-base/pkg/utils"
"github.com/google/uuid"
"github.com/uptrace/bun"
)
func (s *clusterService) GetNamespacesForConditions(ctx context.Context, conditions []scheduler.ClusterNamespaceCondition, clusterID string) (*scheduler.ClusterNamespaceList, error) {
// NamespaceService is the interface for namespace operations
type NamespaceService interface {
// GetProjectNamespaces
GetProjectNamespaces(ctx context.Context, projectID uuid.UUID) ([]string, error)
GetAccountProjectNamespaces(ctx context.Context, projectID uuid.UUID, accountID uuid.UUID) ([]string, error)
GetGroupProjectNamespaces(ctx context.Context, projectID uuid.UUID, accountID uuid.UUID) ([]string, error)
}
cns, count, err := dao.GetNamespacesForConditions(ctx, s.db, uuid.MustParse(clusterID), conditions)
// namespaceService implements NamespaceService
type namespaceService struct {
db *bun.DB
}
// NewNamespaceService return new namespace service
func NewNamespaceService(db *bun.DB) NamespaceService {
return &namespaceService{db}
}
func (s *namespaceService) GetProjectNamespaces(ctx context.Context, projectID uuid.UUID) ([]string, error) {
cns, err := dao.GetProjectNamespaces(ctx, s.db, projectID)
if err != nil {
return nil, err
}
cnl := scheduler.ClusterNamespaceList{}
cnl.Metadata.Count = int64(count)
var items []*scheduler.ClusterNamespace
for _, cn := range cns {
ns := &scheduler.NamespaceTemplate{}
if err = json.Unmarshal(cn.Namespace, ns); err != nil {
return nil, nil
}
cnd := make([]*scheduler.ClusterNamespaceCondition, 0, 10)
if err = json.Unmarshal(cn.Conditions, &cnd); err != nil {
return nil, nil
}
st := &controller.NamespaceStatus{}
if err = json.Unmarshal(cn.Status, st); err != nil {
return nil, nil
}
nstype, err := strconv.Atoi(cn.Type)
if err != nil {
return nil, nil
}
items = append(items, &scheduler.ClusterNamespace{
Metadata: &commonv3.Metadata{
Name: cn.Name,
},
Spec: &scheduler.ClusterNamespaceSpec{
Type: scheduler.ClusterNamespaceType(nstype),
ClusterID: cn.ClusterId.String(),
Namespace: ns,
},
Status: &scheduler.ClusterNamespaceStatus{
Conditions: cnd,
Status: st,
},
})
}
cnl.Items = items
return &cnl, nil
return utils.Unique(cns), nil
}
func (s *clusterService) GetNamespaces(ctx context.Context, clusterID string) (*scheduler.ClusterNamespaceList, error) {
cns, err := dao.GetNamespaces(ctx, s.db, uuid.MustParse(clusterID))
func (s *namespaceService) GetAccountProjectNamespaces(ctx context.Context, projectID, accountID uuid.UUID) ([]string, error) {
cns, err := dao.GetAccountProjectNamespaces(ctx, s.db, projectID, accountID)
if err != nil {
return nil, err
}
cnl := scheduler.ClusterNamespaceList{}
var items []*scheduler.ClusterNamespace
for _, cn := range cns {
ns := &scheduler.NamespaceTemplate{}
if err = json.Unmarshal(cn.Namespace, ns); err != nil {
return nil, nil
}
cnd := make([]*scheduler.ClusterNamespaceCondition, 0, 10)
if err = json.Unmarshal(cn.Conditions, &cnd); err != nil {
return nil, nil
}
st := &controller.NamespaceStatus{}
if err = json.Unmarshal(cn.Status, st); err != nil {
return nil, nil
}
nstype, err := strconv.Atoi(cn.Type)
if err != nil {
return nil, nil
}
items = append(items, &scheduler.ClusterNamespace{
Metadata: &commonv3.Metadata{
Name: cn.Name,
},
Spec: &scheduler.ClusterNamespaceSpec{
Type: scheduler.ClusterNamespaceType(nstype),
ClusterID: cn.ClusterId.String(),
Namespace: ns,
},
Status: &scheduler.ClusterNamespaceStatus{
Conditions: cnd,
Status: st,
},
})
}
cnl.Items = items
cnl.Metadata.Count = int64(len(items))
return &cnl, nil
return utils.Unique(cns), nil
}
func (s *clusterService) GetNamespace(ctx context.Context, namespace string, clusterID string) (*scheduler.ClusterNamespace, error) {
cn, err := dao.GetNamespace(ctx, s.db, uuid.MustParse(clusterID), namespace)
func (s *namespaceService) GetGroupProjectNamespaces(ctx context.Context, projectID, accountID uuid.UUID) ([]string, error) {
cns, err := dao.GetGroupProjectNamespaces(ctx, s.db, projectID, accountID)
if err != nil {
return nil, err
}
ns := &scheduler.NamespaceTemplate{}
if err = json.Unmarshal(cn.Namespace, ns); err != nil {
return nil, nil
}
cnd := make([]*scheduler.ClusterNamespaceCondition, 0, 10)
if err = json.Unmarshal(cn.Conditions, &cnd); err != nil {
return nil, nil
}
st := &controller.NamespaceStatus{}
if err = json.Unmarshal(cn.Status, st); err != nil {
return nil, nil
}
nstype, err := strconv.Atoi(cn.Type)
if err != nil {
return nil, nil
}
cns := &scheduler.ClusterNamespace{
Metadata: &commonv3.Metadata{
Name: cn.Name,
},
Spec: &scheduler.ClusterNamespaceSpec{
Type: scheduler.ClusterNamespaceType(nstype),
ClusterID: cn.ClusterId.String(),
Namespace: ns,
},
Status: &scheduler.ClusterNamespaceStatus{
Conditions: cnd,
Status: st,
},
}
return cns, nil
}
func (s *clusterService) UpdateNamespaceStatus(ctx context.Context, current *scheduler.ClusterNamespace) error {
existing, err := s.GetNamespace(ctx, current.Metadata.Name, current.Spec.ClusterID)
if err != nil {
return err
}
err = patch.NamespaceStatus(existing.Status, current.Status)
if err != nil {
return err
}
cn := models.ClusterNamespace{
ClusterId: uuid.MustParse(existing.Spec.ClusterID),
Name: existing.Metadata.Name,
Type: existing.Spec.Type.String(),
Namespace: converter.ConvertToJsonRawMessage(existing.Spec.Namespace),
Conditions: converter.ConvertToJsonRawMessage(existing.Status.Conditions),
Status: converter.ConvertToJsonRawMessage(existing.Status),
}
err = dao.UpdateNamespaceStatus(ctx, s.db, &cn)
if err != nil {
return err
}
//TODO: as part of gitops
/*ev := event.Resource{
EventType: event.ResourceUpdateStatus,
ID: namespace.ClusterID,
}
for _, h := range s.workloadHandlers {
h.OnChange(ev)
}*/
return nil
}
func (s *clusterService) GetNamespaceHashes(ctx context.Context, clusterID string) ([]infrav3.NameHash, error) {
nameHashes, err := dao.GetNamespaceHashes(ctx, s.db, uuid.MustParse(clusterID))
return nameHashes, err
return utils.Unique(cns), nil
}


@@ -134,7 +134,7 @@ func (s *roleService) Create(ctx context.Context, role *rolev3.Role) (*rolev3.Ro
}
scope := role.GetSpec().GetScope()
if !utils.Contains([]string{"system", "organization", "project"}, strings.ToLower(scope)) {
if !utils.Contains([]string{"system", "organization", "project", "namespace"}, strings.ToLower(scope)) {
return nil, fmt.Errorf("unknown scope '%v'", scope)
}
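Review bot: The extended scope check on the new line validates `strings.ToLower(scope)` but nothing visible normalizes the value before it is persisted, so a role created with scope `Namespace` passes here yet would miss an exact-match `case "namespace":` such as the one in createUserRoleRelations in this same commit — confirm that scope is lowercased on the way into the store, or compare with `strings.EqualFold` downstream. The literal list of accepted scopes now appears in at least two services; hoisting it into one package-level `var validRoleScopes = []string{"system", "organization", "project", "namespace"}` would keep the role validator and the user-role switch from drifting as more scopes are added. The enclosing Create method starts and ends outside this hunk.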


@@ -125,6 +125,7 @@ func (s *userService) createUserRoleRelations(ctx context.Context, db bun.IDB, u
projectNamespaceRoles := user.GetSpec().GetProjectNamespaceRoles()
var pars []models.ProjectAccountResourcerole
var panr []models.ProjectAccountNamespaceRole
var ars []models.AccountResourcerole
var ps []*authzv1.Policy
var rids []uuid.UUID
@@ -211,6 +212,7 @@ func (s *userService) createUserRoleRelations(ctx context.Context, db bun.IDB, u
if err != nil {
return user, nil, fmt.Errorf("unable to find project '%v'", project)
}
par := models.ProjectAccountResourcerole{
CreatedAt: time.Now(),
ModifiedAt: time.Now(),
@@ -232,9 +234,43 @@ func (s *userService) createUserRoleRelations(ctx context.Context, db bun.IDB, u
Org: org,
Obj: role,
})
case "namespace":
if org == "" {
return &userv3.User{}, nil, fmt.Errorf("no org name provided for role '%v'", roleName)
}
if project == "" {
return &userv3.User{}, nil, fmt.Errorf("no project name provided for role '%v'", roleName)
}
projectId, err := dao.GetProjectId(ctx, db, project)
if err != nil {
return user, nil, fmt.Errorf("unable to find project '%v'", project)
}
namespace := pnr.GetNamespace()
panrObj := models.ProjectAccountNamespaceRole{
CreatedAt: time.Now(),
ModifiedAt: time.Now(),
Trash: false,
PartnerId: ids.Partner,
OrganizationId: ids.Organization,
RoleId: roleId,
AccountId: ids.Id,
ProjectId: projectId,
NamespaceId: namespace,
Active: true,
}
panr = append(panr, panrObj)
ps = append(ps, &authzv1.Policy{
Sub: "u:" + user.GetMetadata().GetName(),
Ns: namespace,
Proj: project,
Org: org,
Obj: role,
})
default:
if err != nil {
return user, nil, fmt.Errorf("namespace specific roles are not handled")
return user, nil, fmt.Errorf("other scoped roles are not handled")
}
}
}
@@ -244,6 +280,12 @@ func (s *userService) createUserRoleRelations(ctx context.Context, db bun.IDB, u
return &userv3.User{}, nil, err
}
}
if len(panr) > 0 {
_, err := dao.Create(ctx, db, &panr)
if err != nil {
return &userv3.User{}, nil, err
}
}
if len(ars) > 0 {
_, err := dao.Create(ctx, db, &ars)
if err != nil {
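Review bot: The new `case "namespace":` branch guards org and project but never checks that `namespace` is non-empty, so a ProjectNamespaceRole with a nil Namespace pointer (GetNamespace returns "") is persisted with an empty NamespaceId and emits a policy with `Ns: ""`; if the enforcer treats an empty field as a wildcard, as the removed authz.proto documented for ListPolicies filtering, that binding could be broader than the caller intended. Mirror the sibling checks with `if namespace == "" { return &userv3.User{}, nil, fmt.Errorf("no namespace provided for role '%v'", roleName) }` before building panrObj. Separately, the `default:` branch still returns its error only when `err != nil`, so an unrecognised scope with a nil err is silently skipped and the reworded "other scoped roles are not handled" message is never reached for it; dropping that condition makes the rejection real. createUserRoleRelations starts before and ends after these hunks.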


@@ -127,7 +127,7 @@ func TestCreateUserWithRole(t *testing.T) {
role.Project = &pruuid
}
if tc.namespace {
var ns int64 = 7
var ns string = "7"
role.Namespace = &ns
}
mock.ExpectQuery(fmt.Sprintf(`INSERT INTO "%v"`, tc.dbname)).
@@ -181,7 +181,7 @@ func TestUpdateUser(t *testing.T) {
WithArgs().WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(uuid.New().String()))
mock.ExpectCommit()
var ns int64 = 7
var ns string = "7"
user := &userv3.User{
Metadata: &v3.Metadata{Partner: "partner-" + puuid, Organization: "org-" + ouuid, Name: "user-" + uuuid},
Spec: &userv3.UserSpec{ProjectNamespaceRoles: []*userv3.ProjectNamespaceRole{{Project: idnamea(pruuid, "project"), Namespace: &ns, Role: idname(ruuid, "role")}}},
@@ -220,7 +220,7 @@ func TestUpdateUserWithGroup(t *testing.T) {
WithArgs().WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(uuid.New().String()))
mock.ExpectCommit()
var ns int64 = 7
var ns string = "7"
user := &userv3.User{
Metadata: &v3.Metadata{Partner: "partner-" + puuid, Organization: "org-" + ouuid, Name: "user-" + uuuid},
Spec: &userv3.UserSpec{
@@ -259,7 +259,7 @@ func TestUpdateUserInvalid(t *testing.T) {
WithArgs().WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(uuid.New().String()))
mock.ExpectCommit()
var ns int64 = 7
var ns string = "7"
user := &userv3.User{
Metadata: &v3.Metadata{Partner: "partner-" + puuid, Organization: "org-" + ouuid, Name: "user-" + uuuid},
Spec: &userv3.UserSpec{
@@ -332,7 +332,7 @@ func TestUserGetByName(t *testing.T) {
if len(user.GetSpec().GetProjectNamespaceRoles()) != 6 {
t.Errorf("invalid number of roles returned for user, expected 3; got '%v'", len(user.GetSpec().GetProjectNamespaceRoles()))
}
if user.GetSpec().GetProjectNamespaceRoles()[2].GetNamespace() != 9 {
if user.GetSpec().GetProjectNamespaceRoles()[2].GetNamespace() != "9" {
t.Errorf("invalid namespace in role returned for user, expected 9; got '%v'", user.GetSpec().GetProjectNamespaceRoles()[2].Namespace)
}
performBasicAuthProviderChecks(t, *ap, 0, 0, 0, 0)
@@ -445,7 +445,7 @@ func TestUserGetById(t *testing.T) {
if len(user.GetSpec().GetProjectNamespaceRoles()) != 6 {
t.Errorf("invalid number of roles returned for user, expected 6; got '%v'", len(user.GetSpec().GetProjectNamespaceRoles()))
}
if user.GetSpec().GetProjectNamespaceRoles()[2].GetNamespace() != 7 {
if user.GetSpec().GetProjectNamespaceRoles()[2].GetNamespace() != "7" {
t.Errorf("invalid namespace in role returned for user, expected 7; got '%v'", user.GetSpec().GetProjectNamespaceRoles()[2].Namespace)
}
@@ -563,7 +563,7 @@ func TestUserList(t *testing.T) {
if len(userlist.Items[0].GetSpec().GetProjectNamespaceRoles()) != 6 {
t.Errorf("invalid number of roles returned for user, expected 6; got '%v'", len(userlist.Items[0].GetSpec().GetProjectNamespaceRoles()))
}
if userlist.Items[0].GetSpec().GetProjectNamespaceRoles()[2].GetNamespace() != 7 {
if userlist.Items[0].GetSpec().GetProjectNamespaceRoles()[2].GetNamespace() != "7" {
t.Errorf("invalid namespace in role returned for user, expected 7; got '%v'", userlist.Items[0].GetSpec().GetProjectNamespaceRoles()[2].Namespace)
}
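Review bot: Each updated fixture uses the non-idiomatic `var ns string = "7"`; a short-lived local is conventionally `ns := "7"` (gofmt -s and the usual linters flag the redundant explicit type). Incidentally, the context line in TestUserGetByName reports `expected 3` while the condition checks for 6 roles, so the failure message would mislead; `expected 6` matches the sibling tests. Both are cosmetic and neither alters what the tests assert.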


@@ -1,174 +0,0 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.27.1
// protoc (unknown)
// source: proto/rpc/authz/authz.proto
package authzv1
import (
authz "github.com/RafayLabs/rcloud-base/proto/types/authz"
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
reflect "reflect"
)
const (
// Verify that this generated code is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
var File_proto_rpc_authz_authz_proto protoreflect.FileDescriptor
var file_proto_rpc_authz_authz_proto_rawDesc = []byte{
0x0a, 0x1b, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x61, 0x75, 0x74, 0x68,
0x7a, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x16, 0x72,
0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x72, 0x70, 0x63, 0x2e, 0x61, 0x75, 0x74,
0x68, 0x7a, 0x2e, 0x76, 0x31, 0x1a, 0x1d, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x74, 0x79, 0x70,
0x65, 0x73, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x70,
0x72, 0x6f, 0x74, 0x6f, 0x32, 0x9e, 0x08, 0x0a, 0x05, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x12, 0x5a,
0x0a, 0x07, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x12, 0x28, 0x2e, 0x72, 0x61, 0x66, 0x61,
0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68,
0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75,
0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x72, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e,
0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x42,
0x6f, 0x6f, 0x6c, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x56, 0x0a, 0x0c, 0x4c, 0x69,
0x73, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x12, 0x20, 0x2e, 0x72, 0x61, 0x66,
0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74,
0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x1a, 0x22, 0x2e, 0x72,
0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x61,
0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73,
0x22, 0x00, 0x12, 0x5b, 0x0a, 0x0e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x6f, 0x6c, 0x69,
0x63, 0x69, 0x65, 0x73, 0x12, 0x22, 0x2e, 0x72, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76,
0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e,
0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x1a, 0x23, 0x2e, 0x72, 0x61, 0x66, 0x61, 0x79,
0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a,
0x2e, 0x76, 0x31, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12,
0x59, 0x0a, 0x0e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65,
0x73, 0x12, 0x20, 0x2e, 0x72, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x79,
0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6f, 0x6c,
0x69, 0x63, 0x79, 0x1a, 0x23, 0x2e, 0x72, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e,
0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x42,
0x6f, 0x6f, 0x6c, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0e, 0x4c, 0x69,
0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x23, 0x2e, 0x72,
0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x61,
0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75,
0x70, 0x1a, 0x24, 0x2e, 0x72, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x79,
0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, 0x65,
0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x22, 0x00, 0x12, 0x5f, 0x0a, 0x10, 0x43, 0x72, 0x65,
0x61, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x24, 0x2e,
0x72, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e,
0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x47, 0x72, 0x6f,
0x75, 0x70, 0x73, 0x1a, 0x23, 0x2e, 0x72, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e,
0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x42,
0x6f, 0x6f, 0x6c, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x5e, 0x0a, 0x10, 0x44, 0x65,
0x6c, 0x65, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x23,
0x2e, 0x72, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73,
0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x47, 0x72,
0x6f, 0x75, 0x70, 0x1a, 0x23, 0x2e, 0x72, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e,
0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x42,
0x6f, 0x6f, 0x6c, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x8c, 0x01, 0x0a, 0x1a, 0x4c,
0x69, 0x73, 0x74, 0x52, 0x6f, 0x6c, 0x65, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f,
0x6e, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x37, 0x2e, 0x72, 0x61, 0x66, 0x61,
0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68,
0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x6f, 0x6c,
0x65, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x70, 0x70, 0x69,
0x6e, 0x67, 0x1a, 0x33, 0x2e, 0x72, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74,
0x79, 0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x6f,
0x6c, 0x65, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x70, 0x70,
0x69, 0x6e, 0x67, 0x4c, 0x69, 0x73, 0x74, 0x22, 0x00, 0x12, 0x7a, 0x0a, 0x1c, 0x43, 0x72, 0x65,
0x61, 0x74, 0x65, 0x52, 0x6f, 0x6c, 0x65, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f,
0x6e, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x33, 0x2e, 0x72, 0x61, 0x66, 0x61,
0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68,
0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x6f, 0x6c, 0x65, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x4c, 0x69, 0x73, 0x74, 0x1a, 0x23,
0x2e, 0x72, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73,
0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x52, 0x65,
0x70, 0x6c, 0x79, 0x22, 0x00, 0x12, 0x7e, 0x0a, 0x1c, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52,
0x6f, 0x6c, 0x65, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x70,
0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x37, 0x2e, 0x72, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65,
0x76, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31,
0x2e, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x6f, 0x6c, 0x65, 0x50, 0x65, 0x72,
0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x1a, 0x23,
0x2e, 0x72, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73,
0x2e, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x52, 0x65,
0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0xdf, 0x01, 0x0a, 0x1a, 0x63, 0x6f, 0x6d, 0x2e, 0x72, 0x61,
0x66, 0x61, 0x79, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x72, 0x70, 0x63, 0x2e, 0x61, 0x75, 0x74, 0x68,
0x7a, 0x2e, 0x76, 0x31, 0x42, 0x0a, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x50, 0x72, 0x6f, 0x74, 0x6f,
0x50, 0x01, 0x5a, 0x38, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x52,
0x61, 0x66, 0x61, 0x79, 0x4c, 0x61, 0x62, 0x73, 0x2f, 0x72, 0x63, 0x6c, 0x6f, 0x75, 0x64, 0x2d,
0x62, 0x61, 0x73, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x61,
0x75, 0x74, 0x68, 0x7a, 0x3b, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x76, 0x31, 0xa2, 0x02, 0x04, 0x52,
0x44, 0x52, 0x41, 0xaa, 0x02, 0x16, 0x52, 0x61, 0x66, 0x61, 0x79, 0x2e, 0x44, 0x65, 0x76, 0x2e,
0x52, 0x70, 0x63, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x2e, 0x56, 0x31, 0xca, 0x02, 0x16, 0x52,
0x61, 0x66, 0x61, 0x79, 0x5c, 0x44, 0x65, 0x76, 0x5c, 0x52, 0x70, 0x63, 0x5c, 0x41, 0x75, 0x74,
0x68, 0x7a, 0x5c, 0x56, 0x31, 0xe2, 0x02, 0x22, 0x52, 0x61, 0x66, 0x61, 0x79, 0x5c, 0x44, 0x65,
0x76, 0x5c, 0x52, 0x70, 0x63, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x5c, 0x56, 0x31, 0x5c, 0x47,
0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x1a, 0x52, 0x61, 0x66,
0x61, 0x79, 0x3a, 0x3a, 0x44, 0x65, 0x76, 0x3a, 0x3a, 0x52, 0x70, 0x63, 0x3a, 0x3a, 0x41, 0x75,
0x74, 0x68, 0x7a, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var file_proto_rpc_authz_authz_proto_goTypes = []interface{}{
(*authz.EnforceRequest)(nil), // 0: rafay.dev.types.authz.v1.EnforceRequest
(*authz.Policy)(nil), // 1: rafay.dev.types.authz.v1.Policy
(*authz.Policies)(nil), // 2: rafay.dev.types.authz.v1.Policies
(*authz.UserGroup)(nil), // 3: rafay.dev.types.authz.v1.UserGroup
(*authz.UserGroups)(nil), // 4: rafay.dev.types.authz.v1.UserGroups
(*authz.FilteredRolePermissionMapping)(nil), // 5: rafay.dev.types.authz.v1.FilteredRolePermissionMapping
(*authz.RolePermissionMappingList)(nil), // 6: rafay.dev.types.authz.v1.RolePermissionMappingList
(*authz.BoolReply)(nil), // 7: rafay.dev.types.authz.v1.BoolReply
}
var file_proto_rpc_authz_authz_proto_depIdxs = []int32{
0, // 0: rafay.dev.rpc.authz.v1.Authz.Enforce:input_type -> rafay.dev.types.authz.v1.EnforceRequest
1, // 1: rafay.dev.rpc.authz.v1.Authz.ListPolicies:input_type -> rafay.dev.types.authz.v1.Policy
2, // 2: rafay.dev.rpc.authz.v1.Authz.CreatePolicies:input_type -> rafay.dev.types.authz.v1.Policies
1, // 3: rafay.dev.rpc.authz.v1.Authz.DeletePolicies:input_type -> rafay.dev.types.authz.v1.Policy
3, // 4: rafay.dev.rpc.authz.v1.Authz.ListUserGroups:input_type -> rafay.dev.types.authz.v1.UserGroup
4, // 5: rafay.dev.rpc.authz.v1.Authz.CreateUserGroups:input_type -> rafay.dev.types.authz.v1.UserGroups
3, // 6: rafay.dev.rpc.authz.v1.Authz.DeleteUserGroups:input_type -> rafay.dev.types.authz.v1.UserGroup
5, // 7: rafay.dev.rpc.authz.v1.Authz.ListRolePermissionMappings:input_type -> rafay.dev.types.authz.v1.FilteredRolePermissionMapping
6, // 8: rafay.dev.rpc.authz.v1.Authz.CreateRolePermissionMappings:input_type -> rafay.dev.types.authz.v1.RolePermissionMappingList
5, // 9: rafay.dev.rpc.authz.v1.Authz.DeleteRolePermissionMappings:input_type -> rafay.dev.types.authz.v1.FilteredRolePermissionMapping
7, // 10: rafay.dev.rpc.authz.v1.Authz.Enforce:output_type -> rafay.dev.types.authz.v1.BoolReply
2, // 11: rafay.dev.rpc.authz.v1.Authz.ListPolicies:output_type -> rafay.dev.types.authz.v1.Policies
7, // 12: rafay.dev.rpc.authz.v1.Authz.CreatePolicies:output_type -> rafay.dev.types.authz.v1.BoolReply
7, // 13: rafay.dev.rpc.authz.v1.Authz.DeletePolicies:output_type -> rafay.dev.types.authz.v1.BoolReply
4, // 14: rafay.dev.rpc.authz.v1.Authz.ListUserGroups:output_type -> rafay.dev.types.authz.v1.UserGroups
7, // 15: rafay.dev.rpc.authz.v1.Authz.CreateUserGroups:output_type -> rafay.dev.types.authz.v1.BoolReply
7, // 16: rafay.dev.rpc.authz.v1.Authz.DeleteUserGroups:output_type -> rafay.dev.types.authz.v1.BoolReply
6, // 17: rafay.dev.rpc.authz.v1.Authz.ListRolePermissionMappings:output_type -> rafay.dev.types.authz.v1.RolePermissionMappingList
7, // 18: rafay.dev.rpc.authz.v1.Authz.CreateRolePermissionMappings:output_type -> rafay.dev.types.authz.v1.BoolReply
7, // 19: rafay.dev.rpc.authz.v1.Authz.DeleteRolePermissionMappings:output_type -> rafay.dev.types.authz.v1.BoolReply
10, // [10:20] is the sub-list for method output_type
0, // [0:10] is the sub-list for method input_type
0, // [0:0] is the sub-list for extension type_name
0, // [0:0] is the sub-list for extension extendee
0, // [0:0] is the sub-list for field type_name
}
func init() { file_proto_rpc_authz_authz_proto_init() }
func file_proto_rpc_authz_authz_proto_init() {
if File_proto_rpc_authz_authz_proto != nil {
return
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_proto_rpc_authz_authz_proto_rawDesc,
NumEnums: 0,
NumMessages: 0,
NumExtensions: 0,
NumServices: 1,
},
GoTypes: file_proto_rpc_authz_authz_proto_goTypes,
DependencyIndexes: file_proto_rpc_authz_authz_proto_depIdxs,
}.Build()
File_proto_rpc_authz_authz_proto = out.File
file_proto_rpc_authz_authz_proto_rawDesc = nil
file_proto_rpc_authz_authz_proto_goTypes = nil
file_proto_rpc_authz_authz_proto_depIdxs = nil
}


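--- a/proto/rpc/authz/authz.proto
+++ b/proto/rpc/authz/authz.proto
@@ -1,55 +0,0 @@
-syntax = "proto3";
-package rafay.dev.rpc.authz.v1;
-import "proto/types/authz/authz.proto";
-service Authz {
-rpc Enforce (rafay.dev.types.authz.v1.EnforceRequest)
-returns (rafay.dev.types.authz.v1.BoolReply) {};
-// List Policies accpets Policy whose fileds are used for filtering
-// Filtering is done per field for the policy
-// For Example:
-// The Policy obj:
-// sub => ""
-// ns => ""
-// proj => project1
-// org => org1
-// obj => ""
-// act => ""
-// Returns policies related to project1 and org1 (Empty string matches all)
-rpc ListPolicies (rafay.dev.types.authz.v1.Policy)
-returns (rafay.dev.types.authz.v1.Policies) {};
-rpc CreatePolicies (rafay.dev.types.authz.v1.Policies)
-returns (rafay.dev.types.authz.v1.BoolReply) {};
-/* rpc CreateUserSubPolicies (rafay.dev.types.authz.v1.Policies) */
-/* returns (rafay.dev.types.authz.v1.BoolReply) {}; */
-/* rpc CreateGroupSubPolicies (rafay.dev.types.authz.v1.Policies) */
-/* returns (rafay.dev.types.authz.v1.BoolReply) {}; */
-rpc DeletePolicies (rafay.dev.types.authz.v1.Policy)
-returns (rafay.dev.types.authz.v1.BoolReply) {};
-rpc ListUserGroups (rafay.dev.types.authz.v1.UserGroup)
-returns (rafay.dev.types.authz.v1.UserGroups) {};
-rpc CreateUserGroups (rafay.dev.types.authz.v1.UserGroups)
-returns (rafay.dev.types.authz.v1.BoolReply) {};
-rpc DeleteUserGroups (rafay.dev.types.authz.v1.UserGroup)
-returns (rafay.dev.types.authz.v1.BoolReply) {};
-rpc ListRolePermissionMappings (rafay.dev.types.authz.v1.FilteredRolePermissionMapping)
-returns (rafay.dev.types.authz.v1.RolePermissionMappingList) {}
-rpc CreateRolePermissionMappings (rafay.dev.types.authz.v1.RolePermissionMappingList)
-returns (rafay.dev.types.authz.v1.BoolReply) {};
-rpc DeleteRolePermissionMappings (rafay.dev.types.authz.v1.FilteredRolePermissionMapping)
-returns (rafay.dev.types.authz.v1.BoolReply) {};
-// TODO: Check if HasPolicy etc, hl RBAC APIs, Update APIs are needed
-}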


@@ -1,450 +0,0 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.2.0
// - protoc (unknown)
// source: proto/rpc/authz/authz.proto
package authzv1
import (
context "context"
authz "github.com/RafayLabs/rcloud-base/proto/types/authz"
grpc "google.golang.org/grpc"
codes "google.golang.org/grpc/codes"
status "google.golang.org/grpc/status"
)
// This is a compile-time assertion to ensure that this generated file
// is compatible with the grpc package it is being compiled against.
// Requires gRPC-Go v1.32.0 or later.
const _ = grpc.SupportPackageIsVersion7
// AuthzClient is the client API for Authz service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
type AuthzClient interface {
Enforce(ctx context.Context, in *authz.EnforceRequest, opts ...grpc.CallOption) (*authz.BoolReply, error)
// List Policies accpets Policy whose fileds are used for filtering
// Filtering is done per field for the policy
// For Example:
// The Policy obj:
// sub => ""
// ns => ""
// proj => project1
// org => org1
// obj => ""
// act => ""
// Returns policies related to project1 and org1 (Empty string matches all)
ListPolicies(ctx context.Context, in *authz.Policy, opts ...grpc.CallOption) (*authz.Policies, error)
CreatePolicies(ctx context.Context, in *authz.Policies, opts ...grpc.CallOption) (*authz.BoolReply, error)
DeletePolicies(ctx context.Context, in *authz.Policy, opts ...grpc.CallOption) (*authz.BoolReply, error)
ListUserGroups(ctx context.Context, in *authz.UserGroup, opts ...grpc.CallOption) (*authz.UserGroups, error)
CreateUserGroups(ctx context.Context, in *authz.UserGroups, opts ...grpc.CallOption) (*authz.BoolReply, error)
DeleteUserGroups(ctx context.Context, in *authz.UserGroup, opts ...grpc.CallOption) (*authz.BoolReply, error)
ListRolePermissionMappings(ctx context.Context, in *authz.FilteredRolePermissionMapping, opts ...grpc.CallOption) (*authz.RolePermissionMappingList, error)
CreateRolePermissionMappings(ctx context.Context, in *authz.RolePermissionMappingList, opts ...grpc.CallOption) (*authz.BoolReply, error)
DeleteRolePermissionMappings(ctx context.Context, in *authz.FilteredRolePermissionMapping, opts ...grpc.CallOption) (*authz.BoolReply, error)
}
type authzClient struct {
cc grpc.ClientConnInterface
}
func NewAuthzClient(cc grpc.ClientConnInterface) AuthzClient {
return &authzClient{cc}
}
func (c *authzClient) Enforce(ctx context.Context, in *authz.EnforceRequest, opts ...grpc.CallOption) (*authz.BoolReply, error) {
out := new(authz.BoolReply)
err := c.cc.Invoke(ctx, "/rafay.dev.rpc.authz.v1.Authz/Enforce", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *authzClient) ListPolicies(ctx context.Context, in *authz.Policy, opts ...grpc.CallOption) (*authz.Policies, error) {
out := new(authz.Policies)
err := c.cc.Invoke(ctx, "/rafay.dev.rpc.authz.v1.Authz/ListPolicies", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *authzClient) CreatePolicies(ctx context.Context, in *authz.Policies, opts ...grpc.CallOption) (*authz.BoolReply, error) {
out := new(authz.BoolReply)
err := c.cc.Invoke(ctx, "/rafay.dev.rpc.authz.v1.Authz/CreatePolicies", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *authzClient) DeletePolicies(ctx context.Context, in *authz.Policy, opts ...grpc.CallOption) (*authz.BoolReply, error) {
out := new(authz.BoolReply)
err := c.cc.Invoke(ctx, "/rafay.dev.rpc.authz.v1.Authz/DeletePolicies", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *authzClient) ListUserGroups(ctx context.Context, in *authz.UserGroup, opts ...grpc.CallOption) (*authz.UserGroups, error) {
out := new(authz.UserGroups)
err := c.cc.Invoke(ctx, "/rafay.dev.rpc.authz.v1.Authz/ListUserGroups", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *authzClient) CreateUserGroups(ctx context.Context, in *authz.UserGroups, opts ...grpc.CallOption) (*authz.BoolReply, error) {
out := new(authz.BoolReply)
err := c.cc.Invoke(ctx, "/rafay.dev.rpc.authz.v1.Authz/CreateUserGroups", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *authzClient) DeleteUserGroups(ctx context.Context, in *authz.UserGroup, opts ...grpc.CallOption) (*authz.BoolReply, error) {
out := new(authz.BoolReply)
err := c.cc.Invoke(ctx, "/rafay.dev.rpc.authz.v1.Authz/DeleteUserGroups", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *authzClient) ListRolePermissionMappings(ctx context.Context, in *authz.FilteredRolePermissionMapping, opts ...grpc.CallOption) (*authz.RolePermissionMappingList, error) {
out := new(authz.RolePermissionMappingList)
err := c.cc.Invoke(ctx, "/rafay.dev.rpc.authz.v1.Authz/ListRolePermissionMappings", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *authzClient) CreateRolePermissionMappings(ctx context.Context, in *authz.RolePermissionMappingList, opts ...grpc.CallOption) (*authz.BoolReply, error) {
out := new(authz.BoolReply)
err := c.cc.Invoke(ctx, "/rafay.dev.rpc.authz.v1.Authz/CreateRolePermissionMappings", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *authzClient) DeleteRolePermissionMappings(ctx context.Context, in *authz.FilteredRolePermissionMapping, opts ...grpc.CallOption) (*authz.BoolReply, error) {
out := new(authz.BoolReply)
err := c.cc.Invoke(ctx, "/rafay.dev.rpc.authz.v1.Authz/DeleteRolePermissionMappings", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
// AuthzServer is the server API for Authz service.
// All implementations should embed UnimplementedAuthzServer
// for forward compatibility
type AuthzServer interface {
Enforce(context.Context, *authz.EnforceRequest) (*authz.BoolReply, error)
// List Policies accpets Policy whose fileds are used for filtering
// Filtering is done per field for the policy
// For Example:
// The Policy obj:
// sub => ""
// ns => ""
// proj => project1
// org => org1
// obj => ""
// act => ""
// Returns policies related to project1 and org1 (Empty string matches all)
ListPolicies(context.Context, *authz.Policy) (*authz.Policies, error)
CreatePolicies(context.Context, *authz.Policies) (*authz.BoolReply, error)
DeletePolicies(context.Context, *authz.Policy) (*authz.BoolReply, error)
ListUserGroups(context.Context, *authz.UserGroup) (*authz.UserGroups, error)
CreateUserGroups(context.Context, *authz.UserGroups) (*authz.BoolReply, error)
DeleteUserGroups(context.Context, *authz.UserGroup) (*authz.BoolReply, error)
ListRolePermissionMappings(context.Context, *authz.FilteredRolePermissionMapping) (*authz.RolePermissionMappingList, error)
CreateRolePermissionMappings(context.Context, *authz.RolePermissionMappingList) (*authz.BoolReply, error)
DeleteRolePermissionMappings(context.Context, *authz.FilteredRolePermissionMapping) (*authz.BoolReply, error)
}
// UnimplementedAuthzServer should be embedded to have forward compatible implementations.
type UnimplementedAuthzServer struct {
}
func (UnimplementedAuthzServer) Enforce(context.Context, *authz.EnforceRequest) (*authz.BoolReply, error) {
return nil, status.Errorf(codes.Unimplemented, "method Enforce not implemented")
}
func (UnimplementedAuthzServer) ListPolicies(context.Context, *authz.Policy) (*authz.Policies, error) {
return nil, status.Errorf(codes.Unimplemented, "method ListPolicies not implemented")
}
func (UnimplementedAuthzServer) CreatePolicies(context.Context, *authz.Policies) (*authz.BoolReply, error) {
return nil, status.Errorf(codes.Unimplemented, "method CreatePolicies not implemented")
}
func (UnimplementedAuthzServer) DeletePolicies(context.Context, *authz.Policy) (*authz.BoolReply, error) {
return nil, status.Errorf(codes.Unimplemented, "method DeletePolicies not implemented")
}
func (UnimplementedAuthzServer) ListUserGroups(context.Context, *authz.UserGroup) (*authz.UserGroups, error) {
return nil, status.Errorf(codes.Unimplemented, "method ListUserGroups not implemented")
}
func (UnimplementedAuthzServer) CreateUserGroups(context.Context, *authz.UserGroups) (*authz.BoolReply, error) {
return nil, status.Errorf(codes.Unimplemented, "method CreateUserGroups not implemented")
}
func (UnimplementedAuthzServer) DeleteUserGroups(context.Context, *authz.UserGroup) (*authz.BoolReply, error) {
return nil, status.Errorf(codes.Unimplemented, "method DeleteUserGroups not implemented")
}
func (UnimplementedAuthzServer) ListRolePermissionMappings(context.Context, *authz.FilteredRolePermissionMapping) (*authz.RolePermissionMappingList, error) {
return nil, status.Errorf(codes.Unimplemented, "method ListRolePermissionMappings not implemented")
}
func (UnimplementedAuthzServer) CreateRolePermissionMappings(context.Context, *authz.RolePermissionMappingList) (*authz.BoolReply, error) {
return nil, status.Errorf(codes.Unimplemented, "method CreateRolePermissionMappings not implemented")
}
func (UnimplementedAuthzServer) DeleteRolePermissionMappings(context.Context, *authz.FilteredRolePermissionMapping) (*authz.BoolReply, error) {
return nil, status.Errorf(codes.Unimplemented, "method DeleteRolePermissionMappings not implemented")
}
// UnsafeAuthzServer may be embedded to opt out of forward compatibility for this service.
// Use of this interface is not recommended, as added methods to AuthzServer will
// result in compilation errors.
type UnsafeAuthzServer interface {
mustEmbedUnimplementedAuthzServer()
}
func RegisterAuthzServer(s grpc.ServiceRegistrar, srv AuthzServer) {
s.RegisterService(&Authz_ServiceDesc, srv)
}
func _Authz_Enforce_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(authz.EnforceRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(AuthzServer).Enforce(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/rafay.dev.rpc.authz.v1.Authz/Enforce",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(AuthzServer).Enforce(ctx, req.(*authz.EnforceRequest))
}
return interceptor(ctx, in, info, handler)
}
func _Authz_ListPolicies_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(authz.Policy)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(AuthzServer).ListPolicies(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/rafay.dev.rpc.authz.v1.Authz/ListPolicies",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(AuthzServer).ListPolicies(ctx, req.(*authz.Policy))
}
return interceptor(ctx, in, info, handler)
}
func _Authz_CreatePolicies_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(authz.Policies)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(AuthzServer).CreatePolicies(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/rafay.dev.rpc.authz.v1.Authz/CreatePolicies",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(AuthzServer).CreatePolicies(ctx, req.(*authz.Policies))
}
return interceptor(ctx, in, info, handler)
}
func _Authz_DeletePolicies_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(authz.Policy)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(AuthzServer).DeletePolicies(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/rafay.dev.rpc.authz.v1.Authz/DeletePolicies",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(AuthzServer).DeletePolicies(ctx, req.(*authz.Policy))
}
return interceptor(ctx, in, info, handler)
}
func _Authz_ListUserGroups_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(authz.UserGroup)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(AuthzServer).ListUserGroups(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/rafay.dev.rpc.authz.v1.Authz/ListUserGroups",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(AuthzServer).ListUserGroups(ctx, req.(*authz.UserGroup))
}
return interceptor(ctx, in, info, handler)
}
func _Authz_CreateUserGroups_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(authz.UserGroups)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(AuthzServer).CreateUserGroups(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/rafay.dev.rpc.authz.v1.Authz/CreateUserGroups",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(AuthzServer).CreateUserGroups(ctx, req.(*authz.UserGroups))
}
return interceptor(ctx, in, info, handler)
}
func _Authz_DeleteUserGroups_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(authz.UserGroup)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(AuthzServer).DeleteUserGroups(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/rafay.dev.rpc.authz.v1.Authz/DeleteUserGroups",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(AuthzServer).DeleteUserGroups(ctx, req.(*authz.UserGroup))
}
return interceptor(ctx, in, info, handler)
}
func _Authz_ListRolePermissionMappings_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(authz.FilteredRolePermissionMapping)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(AuthzServer).ListRolePermissionMappings(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/rafay.dev.rpc.authz.v1.Authz/ListRolePermissionMappings",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(AuthzServer).ListRolePermissionMappings(ctx, req.(*authz.FilteredRolePermissionMapping))
}
return interceptor(ctx, in, info, handler)
}
func _Authz_CreateRolePermissionMappings_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(authz.RolePermissionMappingList)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(AuthzServer).CreateRolePermissionMappings(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/rafay.dev.rpc.authz.v1.Authz/CreateRolePermissionMappings",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(AuthzServer).CreateRolePermissionMappings(ctx, req.(*authz.RolePermissionMappingList))
}
return interceptor(ctx, in, info, handler)
}
func _Authz_DeleteRolePermissionMappings_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(authz.FilteredRolePermissionMapping)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(AuthzServer).DeleteRolePermissionMappings(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/rafay.dev.rpc.authz.v1.Authz/DeleteRolePermissionMappings",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(AuthzServer).DeleteRolePermissionMappings(ctx, req.(*authz.FilteredRolePermissionMapping))
}
return interceptor(ctx, in, info, handler)
}
// Authz_ServiceDesc is the grpc.ServiceDesc for Authz service.
// It's only intended for direct use with grpc.RegisterService,
// and not to be introspected or modified (even as a copy)
var Authz_ServiceDesc = grpc.ServiceDesc{
ServiceName: "rafay.dev.rpc.authz.v1.Authz",
HandlerType: (*AuthzServer)(nil),
Methods: []grpc.MethodDesc{
{
MethodName: "Enforce",
Handler: _Authz_Enforce_Handler,
},
{
MethodName: "ListPolicies",
Handler: _Authz_ListPolicies_Handler,
},
{
MethodName: "CreatePolicies",
Handler: _Authz_CreatePolicies_Handler,
},
{
MethodName: "DeletePolicies",
Handler: _Authz_DeletePolicies_Handler,
},
{
MethodName: "ListUserGroups",
Handler: _Authz_ListUserGroups_Handler,
},
{
MethodName: "CreateUserGroups",
Handler: _Authz_CreateUserGroups_Handler,
},
{
MethodName: "DeleteUserGroups",
Handler: _Authz_DeleteUserGroups_Handler,
},
{
MethodName: "ListRolePermissionMappings",
Handler: _Authz_ListRolePermissionMappings_Handler,
},
{
MethodName: "CreateRolePermissionMappings",
Handler: _Authz_CreateRolePermissionMappings_Handler,
},
{
MethodName: "DeleteRolePermissionMappings",
Handler: _Authz_DeleteRolePermissionMappings_Handler,
},
},
Streams: []grpc.StreamDesc{},
Metadata: "proto/rpc/authz/authz.proto",
}


@@ -108,7 +108,7 @@ type ProjectNamespaceRole struct {
unknownFields protoimpl.UnknownFields
Project *string `protobuf:"bytes,1,opt,name=project,proto3,oneof" json:"project,omitempty"`
Namespace *int64 `protobuf:"varint,2,opt,name=namespace,proto3,oneof" json:"namespace,omitempty"`
Namespace *string `protobuf:"bytes,2,opt,name=namespace,proto3,oneof" json:"namespace,omitempty"`
Role string `protobuf:"bytes,3,opt,name=role,proto3" json:"role,omitempty"`
Group *string `protobuf:"bytes,4,opt,name=group,proto3,oneof" json:"group,omitempty"`
}
@@ -152,11 +152,11 @@ func (x *ProjectNamespaceRole) GetProject() string {
return ""
}
func (x *ProjectNamespaceRole) GetNamespace() int64 {
func (x *ProjectNamespaceRole) GetNamespace() string {
if x != nil && x.Namespace != nil {
return *x.Namespace
}
return 0
return ""
}
func (x *ProjectNamespaceRole) GetRole() string {
@@ -179,7 +179,7 @@ type Permission struct {
unknownFields protoimpl.UnknownFields
Project *string `protobuf:"bytes,1,opt,name=project,proto3,oneof" json:"project,omitempty"`
Namespace *int64 `protobuf:"varint,2,opt,name=namespace,proto3,oneof" json:"namespace,omitempty"`
Namespace *string `protobuf:"bytes,2,opt,name=namespace,proto3,oneof" json:"namespace,omitempty"`
Role string `protobuf:"bytes,3,opt,name=role,proto3" json:"role,omitempty"`
Permissions []string `protobuf:"bytes,4,rep,name=permissions,proto3" json:"permissions,omitempty"`
}
@@ -223,11 +223,11 @@ func (x *Permission) GetProject() string {
return ""
}
func (x *Permission) GetNamespace() int64 {
func (x *Permission) GetNamespace() string {
if x != nil && x.Namespace != nil {
return *x.Namespace
}
return 0
return ""
}
func (x *Permission) GetRole() string {
@@ -433,7 +433,7 @@ var file_proto_types_userpb_v3_group_proto_rawDesc = []byte{
0x50, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x32, 0x07, 0x50, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74,
0x48, 0x00, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x88, 0x01, 0x01, 0x12, 0x3c,
0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
0x03, 0x42, 0x19, 0x92, 0x41, 0x16, 0x2a, 0x09, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63,
0x09, 0x42, 0x19, 0x92, 0x41, 0x16, 0x2a, 0x09, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63,
0x65, 0x32, 0x09, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x48, 0x01, 0x52, 0x09,
0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x88, 0x01, 0x01, 0x12, 0x23, 0x0a, 0x04,
0x72, 0x6f, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0f, 0x92, 0x41, 0x0c, 0x2a,
@@ -453,7 +453,7 @@ var file_proto_types_userpb_v3_group_proto_rawDesc = []byte{
0x20, 0x01, 0x28, 0x09, 0x42, 0x15, 0x92, 0x41, 0x12, 0x2a, 0x07, 0x50, 0x72, 0x6f, 0x6a, 0x65,
0x63, 0x74, 0x32, 0x07, 0x50, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x48, 0x00, 0x52, 0x07, 0x70,
0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x88, 0x01, 0x01, 0x12, 0x3c, 0x0a, 0x09, 0x6e, 0x61, 0x6d,
0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x42, 0x19, 0x92, 0x41,
0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x19, 0x92, 0x41,
0x16, 0x2a, 0x09, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x32, 0x09, 0x4e, 0x61,
0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x48, 0x01, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73,
0x70, 0x61, 0x63, 0x65, 0x88, 0x01, 0x01, 0x12, 0x23, 0x0a, 0x04, 0x72, 0x6f, 0x6c, 0x65, 0x18,


@@ -55,7 +55,7 @@ message ProjectNamespaceRole {
title : "Project"
description : "Project"
} ];
optional int64 namespace = 2
optional string namespace = 2
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
title : "Namespace"
description : "Namespace"
@@ -84,7 +84,7 @@ message Permission {
title : "Project"
description : "Project"
} ];
optional int64 namespace = 2
optional string namespace = 2
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
title : "Namespace"
description : "Namespace"
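Review bot: Changing `namespace` from `int64` to `string` while keeping field number 2 (here in Permission, and identically in ProjectNamespaceRole in the hunk above) changes the wire type of an existing field from varint to length-delimited, so any already-serialized message or any peer still built from the old .proto will no longer decode this field as intended; depending on the runtime the value is dropped into unknown fields or rejected. The safe schema evolution is to retire the old number and introduce a new one, e.g. `reserved 2;` followed by `optional string namespace = 5` (3 and 4 are already taken by role and group/permissions), with the same openapiv2 options. If the service guarantees that no persisted or in-flight messages use the old schema, reusing the number is defensible, but that assumption should be stated in the commit message or a comment on the field so the next reader does not have to rediscover it.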


@@ -113,5 +113,27 @@
"cluster.write",
"kubectl.fullaccess"
]
},
"NAMESPACE": {
"NAMESPACE_ADMIN": [
"console.all",
"partner.read",
"organization.read",
"project.read",
"cluster.read",
"kubeconfig.read",
"v2debug.read",
"kubectl.namespace.read",
"kubectl.namespace.write"
],
"NAMESPACE_READ_ONLY": [
"partner.read",
"organization.read",
"project.read",
"cluster.read",
"kubeconfig.read",
"v2debug.read",
"kubectl.namespace.read"
]
}
}
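Review bot: `NAMESPACE_ADMIN` grants `"console.all"`, which by its name reads as an unscoped wildcard, while every other entry in the two new namespace roles is a `.read` permission or an explicitly `kubectl.namespace.*` one; if the enforcement layer does not bound `console.all` to the namespace the role is bound to, a namespace-scoped admin would presumably receive org- or project-wide console access. Please confirm how `console.all` is scoped, and if it is not, replace it with the specific `console.*` permissions a namespace admin needs. The remaining difference between the two roles is only `kubectl.namespace.write`, which looks intentional and consistent with the read-only variant.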


@@ -16,12 +16,12 @@ type clusterAuthzServer struct {
krs service.KubeconfigRevocationService
kcs service.KubectlClusterSettingsService
kss service.KubeconfigSettingService
//apn models.AccountProjectNamespaceService
ns service.NamespaceService
}
// GetUserAuthorization return authorization profile of user for a given cluster
func (s *clusterAuthzServer) GetUserAuthorization(ctx context.Context, req *sentryrpc.GetUserAuthorizationRequest) (*sentryrpc.GetUserAuthorizationResponse, error) {
resp, err := authz.GetAuthorization(ctx, req, s.bs, s.aps, s.gps, s.krs, s.kcs, s.kss)
resp, err := authz.GetAuthorization(ctx, req, s.bs, s.aps, s.gps, s.krs, s.kcs, s.kss, s.ns)
if err != nil {
_log.Errorw("error getting auth profile", "req", req, "error", err.Error())
return nil, err
@@ -30,7 +30,7 @@ func (s *clusterAuthzServer) GetUserAuthorization(ctx context.Context, req *sent
}
// NewClusterAuthzServer returns New ClusterAuthzServer
func NewClusterAuthzServer(bs service.BootstrapService, aps service.AccountPermissionService, gps service.GroupPermissionService, krs service.KubeconfigRevocationService, kcs service.KubectlClusterSettingsService, kss service.KubeconfigSettingService) sentryrpc.ClusterAuthorizationServer {
func NewClusterAuthzServer(bs service.BootstrapService, aps service.AccountPermissionService, gps service.GroupPermissionService, krs service.KubeconfigRevocationService, kcs service.KubectlClusterSettingsService, kss service.KubeconfigSettingService, ns service.NamespaceService) sentryrpc.ClusterAuthorizationServer {
return &clusterAuthzServer{
bs: bs,
aps: aps,
@@ -38,5 +38,6 @@ func NewClusterAuthzServer(bs service.BootstrapService, aps service.AccountPermi
krs: krs,
kcs: kcs,
kss: kss,
ns: ns,
}
}
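Review bot: Passing the new `s.ns` dependency into `authz.GetAuthorization` widens what can fail inside the authorization lookup, yet the error path on the lines that follow still logs and then returns `err` verbatim to the gRPC caller, so a namespace-service failure (for example a backend error string) would presumably become the client-visible status message. Consider mapping errors that are not already gRPC statuses to a generic code before returning, e.g. `return nil, status.Error(codes.Internal, "failed to resolve user authorization")`, while letting existing status errors pass through unchanged. The same log line records the whole `req`; worth confirming it carries nothing sensitive now that namespace identity travels with it. The body of GetUserAuthorization continues past this hunk, and the struct's new `ns` field would read better with a short comment such as `// ns supplies namespace lookups to authz.GetAuthorization`.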