[draft] Implement Rbac Engine #1
base: master
Conversation
// based on the Envoy RBAC Proto, and will be created in two use cases, one in regular | ||
// gRPC and one from XDS and TrafficDirector. The engine will then be passed in data pulled | ||
// from incoming RPC's to the server side. | ||
type RbacEngine struct { |
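Review bot: the doc comment on RbacEngine describes where the type will be constructed (regular gRPC vs. xDS/TrafficDirector) rather than what it guarantees; state the contract instead: which RBAC_Action the engine applies when a policy matches, and what it returns when no policy matches, since that is the case callers most often get wrong. Also "RPC's" should read "RPCs".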
RBACEngine
(if not exported:)
rbacEngine
Made acronym capital.
// based on a policy. This policy will be used to instantiate a tree | ||
// of matchers that will be used to make an authorization decision on | ||
// an incoming RPC. | ||
func NewRbacEngine(policy *v3rbacpb.RBAC) *RbacEngine { |
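Review bot: NewRbacEngine returns only *RbacEngine, so there is no way to reject a nil or malformed policy while the tree of matchers is instantiated (for example a Policy whose permissions or principals list is empty, which can never match and would silently drop out of the decision). Either return (*RbacEngine, error) or document that the caller must validate the policy before calling this constructor.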
NewRBACEngine
Made capital.
// evaluateArgs represents the data pulled from an incoming RPC to a gRPC server. | ||
// This data will be passed around the RBAC Engine and pass through the logical tree of matchers, | ||
// and will help determine whether a RPC is allowed to proceed. | ||
type evaluateArgs struct { |
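Review bot: "whether a RPC is allowed" should read "whether an RPC is allowed". Since evaluateArgs is the boundary where request data enters the engine, the comment should say which request attributes it carries rather than how the data travels through the matcher tree, which is an implementation detail.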
Export
Exported all API-level data and fields.
// This data will be passed around the RBAC Engine and pass through the logical tree of matchers, | ||
// and will help determine whether a RPC is allowed to proceed. |
Impl detail; remove
Deleted impl details from top level API comments.
// authorizationDecision is what will be returned from the RBAC Engine | ||
// when it is asked to see if an rpc should be allowed or denied. | ||
type authorizationDecision struct { | ||
decision v3rbacpb.RBAC_Action | ||
matchingPolicyName string | ||
} |
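Review bot: decision is typed as v3rbacpb.RBAC_Action, which in the v3 proto includes LOG as well as ALLOW and DENY; document how the engine maps LOG, or state in the comment that only ALLOW and DENY are ever returned. Also document that matchingPolicyName is the empty string when no policy matched, since callers will log or key on it.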
Needs export
Exported.
@@ -0,0 +1,71 @@ | |||
package authorization |
package rbac
type Engine struct {}
internal/authorization/matchers.go
principals *orMatcher | ||
} | ||
|
||
func createPolicyMatcher(policy *v3rbacpb.Policy) *policyMatcher { |
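Review bot: an Envoy RBAC Policy matches only when at least one permission and at least one principal match, so policyMatcher must pair the principals *orMatcher shown here with a permissions or-matcher and AND the two results; make sure the permissions side is present, and that createPolicyMatcher rejects (or the caller has already rejected) a policy whose permissions or principals list is empty, since an empty or-matcher never matches and the policy would be silently inert.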
newPolicyMatcher
Switched all createX to newX. Left createListFromPermission/Policy as that is not a tree node.
For comments and guidance
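The hunks above describe the engine as a tree of matchers built from an RBAC policy, evaluated against data pulled from an incoming RPC, and returning a decision plus the name of the matching policy. The Go program below is an added illustration of those semantics and is not code from this PR or from grpc-go. It replaces the Envoy protos with simplified stand-in types: Action, EvaluateArgs (with hypothetical FullMethod and PeerSPIFFEID fields), Policy, methodPrefix, principalExact and anyPrincipal are all assumptions made for the example, and the policy set in demoEngine is constructed sample input.

```go
package main

import (
	"fmt"
	"strings"
)

// Action stands in for v3rbacpb.RBAC_Action, restricted to ALLOW and DENY.
type Action string
const (
	Allow Action = "ALLOW"
	Deny  Action = "DENY"
)

// EvaluateArgs is the data pulled from an incoming RPC; both fields are hypothetical.
type EvaluateArgs struct {
	FullMethod   string // e.g. "/grpc.health.v1.Health/Check"
	PeerSPIFFEID string // authenticated peer identity; "" when unauthenticated
}

type Matcher interface{ Match(EvaluateArgs) bool } // one leaf of the matcher tree

// methodPrefix is a permission matcher on the RPC path.
type methodPrefix string
func (m methodPrefix) Match(a EvaluateArgs) bool { return strings.HasPrefix(a.FullMethod, string(m)) }

// principalExact is a principal matcher on the peer identity; an unauthenticated peer never matches.
type principalExact string
func (p principalExact) Match(a EvaluateArgs) bool { return a.PeerSPIFFEID != "" && a.PeerSPIFFEID == string(p) }

// anyPrincipal matches every peer, authenticated or not.
type anyPrincipal struct{}
func (anyPrincipal) Match(EvaluateArgs) bool { return true }

// orMatcher matches when any child matches; an empty list never matches.
type orMatcher []Matcher
func (o orMatcher) Match(a EvaluateArgs) bool {
	for _, m := range o {
		if m.Match(a) {
			return true
		}
	}
	return false
}

// Policy is a simplified stand-in for v3rbacpb.Policy and the node of the
// matcher tree: it matches when some permission AND some principal match.
type Policy struct {
	Name                    string
	Permissions, Principals orMatcher
}
func (p Policy) match(a EvaluateArgs) bool { return p.Permissions.Match(a) && p.Principals.Match(a) }

// Engine holds the action and the list of policy nodes.
type Engine struct {
	action   Action
	policies []Policy
}

// AuthorizationDecision is the engine's answer for one RPC.
type AuthorizationDecision struct {
	Decision           Action
	MatchingPolicyName string // "" when no policy matched
}

// NewEngine validates the policies. One with no permissions or no principals
// can never match, so it is rejected instead of silently ignored.
func NewEngine(action Action, policies []Policy) (*Engine, error) {
	for _, p := range policies {
		if len(p.Permissions) == 0 || len(p.Principals) == 0 {
			return nil, fmt.Errorf("rbac: policy %q needs a permission and a principal", p.Name)
		}
	}
	return &Engine{action: action, policies: policies}, nil
}

// Evaluate applies Envoy RBAC semantics: the first matching policy yields the
// engine's action; with no match an ALLOW engine denies and a DENY engine allows.
func (e *Engine) Evaluate(a EvaluateArgs) AuthorizationDecision {
	for _, p := range e.policies {
		if p.match(a) {
			return AuthorizationDecision{Decision: e.action, MatchingPolicyName: p.Name}
		}
	}
	if e.action == Allow {
		return AuthorizationDecision{Decision: Deny}
	}
	return AuthorizationDecision{Decision: Allow}
}

// demoEngine is a constructed ALLOW policy set: anyone may call health checks,
// only the frontend identity may call the payments service.
func demoEngine() (*Engine, error) {
	return NewEngine(Allow, []Policy{
		{"health", orMatcher{methodPrefix("/grpc.health.v1.Health/")}, orMatcher{anyPrincipal{}}},
		{"payments", orMatcher{methodPrefix("/payments.v1.Payments/")}, orMatcher{principalExact("spiffe://example.org/frontend")}},
	})
}
```

With the constructed set, an unauthenticated health check is allowed by the "health" policy, a payments call from spiffe://example.org/frontend is allowed by the "payments" policy, and the same call from any other identity matches nothing and is denied with an empty MatchingPolicyName; flipping the engine to Deny inverts the no-match outcome, which is the case the RbacEngine doc comment should spell out.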