package config
import (
	"fmt"
	"sort"
	"strings"
	"sync"

	"golang.org/x/exp/maps"

	"github.com/determined-ai/determined/master/pkg/ptrs"
)
var (
	// knownAuthZTypes is the registry of accepted authz type ids, keyed by id.
	// It is nil until initAuthZTypes runs; entries are only ever set to true
	// (see initAuthZTypes and RegisterAuthZType).
	knownAuthZTypes map[string]bool
	// authZConfigMutex serializes initialization of and writes to
	// knownAuthZTypes. NOTE(review): the lookups in Validate and
	// IsRBACEnabled read the map without taking this lock, so registration
	// is expected to be complete before configs are validated or consulted.
	authZConfigMutex sync.Mutex
)
// Authz string ids. These are the values accepted in AuthZConfig.Type and
// AuthZConfig.FallbackType once registered via RegisterAuthZType.
const (
	// BasicAuthZType is the default authz string id; it is always registered
	// by initAuthZTypes.
	BasicAuthZType = "basic"
	// RBACAuthZType is the id of the RBAC implementation; IsRBACEnabled reports
	// whether the effective type resolves to it.
	RBACAuthZType = "rbac"
)
// AuthZConfig is the authz-related section of the master config.
//
// Type selects the authz implementation by string id (see BasicAuthZType and
// RBACAuthZType). When Type is not a registered id, IsRBACEnabled silently
// falls back to FallbackType and then to the default type rather than
// failing, so Validate should be run on a loaded config before it is used.
type AuthZConfig struct {
	// Type is the authz implementation id; it must be registered via
	// RegisterAuthZType to pass Validate.
	Type string `json:"type"`
	// FallbackType, when non-nil, is used by IsRBACEnabled if Type is unknown.
	FallbackType *string `json:"fallback"`
	// RBACUIEnabled overrides the RBAC UI flag; nil means "derive from Type"
	// (see IsRBACUIEnabled).
	RBACUIEnabled *bool `json:"rbac_ui_enabled"`
	// Removed: this option is removed and will not have any effect.
	StrictNTSCEnabled bool `json:"_strict_ntsc_enabled"`
	// AssignWorkspaceCreator controls the role granted to a workspace's creator.
	AssignWorkspaceCreator AssignWorkspaceCreatorConfig `json:"workspace_creator_assign_role"`
	// StrictJobQueueControl is not interpreted in this file; its consumer
	// lives elsewhere.
	StrictJobQueueControl bool `json:"strict_job_queue_control"`
}
// DefaultAuthZConfig returns a freshly allocated authz config with the
// defaults: the basic implementation, basic as the fallback, and workspace
// creators assigned role id 2 (WorkspaceAdmin). Every call returns a new
// value, so callers may mutate the result freely.
func DefaultAuthZConfig() *AuthZConfig {
	cfg := AuthZConfig{Type: BasicAuthZType}
	// TODO(ilia): Maybe default to nil?
	cfg.FallbackType = ptrs.Ptr(BasicAuthZType)
	cfg.AssignWorkspaceCreator = AssignWorkspaceCreatorConfig{
		Enabled: true,
		RoleID:  2, // WorkspaceAdmin.
	}
	// Explicit even though it is the zero value, to document the default.
	cfg.StrictJobQueueControl = false
	return &cfg
}
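// Validate checks that Type and, when set, FallbackType name a registered
// authz type. It returns one error per offending field, or nil when both
// are acceptable.
//
// The list of acceptable types embedded in each error is sorted so the
// message is stable across runs (map iteration order is random). The
// built-in BasicAuthZType is made known first, so a config that only uses
// the default type validates even before any provider has registered.
//
// NOTE(review): the lookups are not guarded by authZConfigMutex; callers are
// expected to have finished RegisterAuthZType calls before validating.
func (c *AuthZConfig) Validate() []error {
	initAuthZTypes()

	okTypes := maps.Keys(knownAuthZTypes)
	sort.Strings(okTypes)
	okTypesList := strings.Join(okTypes, ", ")
	errorTmpl := "\"%s\" is not a known authz type, must be one of: %s"

	var errs []error
	if _, ok := knownAuthZTypes[c.Type]; !ok {
		errs = append(errs, fmt.Errorf(errorTmpl, c.Type, okTypesList))
	}
	if c.FallbackType != nil {
		if _, ok := knownAuthZTypes[*c.FallbackType]; !ok {
			errs = append(errs, fmt.Errorf(errorTmpl, *c.FallbackType, okTypesList))
		}
	}
	return errs
}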
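// AssignWorkspaceCreatorConfig configures behavior of assigning a role on
// workspace creation.
type AssignWorkspaceCreatorConfig struct {
	// Enabled turns the automatic assignment on or off.
	Enabled bool `json:"enabled"`
	// RoleID is the id of the role granted to the creator; Validate requires
	// it to be positive.
	RoleID int `json:"role_id"`
}

// Validate checks that RoleID is a positive integer. It returns a
// single-element error slice when the check fails and nil otherwise.
// Enabled is not inspected, so a disabled section with an invalid RoleID is
// still rejected.
func (a AssignWorkspaceCreatorConfig) Validate() []error {
	if a.RoleID <= 0 {
		// The message matches the check: zero is rejected as well as negatives.
		return []error{
			fmt.Errorf("workspace_creator_assign_role.role_id must be > 0 got %d", a.RoleID),
		}
	}
	return nil
}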
// IsRBACUIEnabled reports whether the RBAC UI feature flag should be on.
// An explicit RBACUIEnabled value wins; otherwise the flag is derived from
// whether Type is anything other than the basic implementation.
//
// Note that this compares the raw Type, unlike IsRBACEnabled, which resolves
// unknown types through FallbackType and the default.
func (c AuthZConfig) IsRBACUIEnabled() bool {
	if explicit := c.RBACUIEnabled; explicit != nil {
		return *explicit
	}
	return c.Type != BasicAuthZType
}
// IsRBACEnabled reports whether the effective authz type is the RBAC
// implementation. The effective type is Type when it is registered,
// otherwise FallbackType when that is set and registered, otherwise the
// type from DefaultAuthZConfig.
//
// Because an unregistered Type degrades to the fallback/default rather than
// erroring, a misspelled RBAC type silently resolves to the default here;
// Validate is the place where such a config is rejected.
func (c AuthZConfig) IsRBACEnabled() bool {
	known := func(id string) bool {
		_, ok := knownAuthZTypes[id]
		return ok
	}

	var effective string
	switch {
	case known(c.Type):
		effective = c.Type
	case c.FallbackType != nil && known(*c.FallbackType):
		effective = *c.FallbackType
	default:
		effective = DefaultAuthZConfig().Type
	}
	return effective == RBACAuthZType
}
// initAuthZTypes lazily creates the knownAuthZTypes registry with the
// built-in BasicAuthZType entry. It is idempotent and safe to call from
// multiple goroutines: the whole check-and-create runs under
// authZConfigMutex.
func initAuthZTypes() {
	authZConfigMutex.Lock()
	defer authZConfigMutex.Unlock()

	if knownAuthZTypes == nil {
		knownAuthZTypes = map[string]bool{BasicAuthZType: true}
	}
}
// RegisterAuthZType adds authzType to the set of known authz type ids.
// Registering an id more than once is harmless. The registry is created on
// first use, and the insertion itself happens under authZConfigMutex.
func RegisterAuthZType(authzType string) {
	initAuthZTypes()

	authZConfigMutex.Lock()
	knownAuthZTypes[authzType] = true
	authZConfigMutex.Unlock()
}
// GetAuthZConfig returns the authz section of the current global master
// config, by value.
func GetAuthZConfig() AuthZConfig {
	master := GetMasterConfig()
	return master.Security.AuthZ
}