// The MIT License
//
// Copyright (c) 2020 Temporal Technologies Inc.  All rights reserved.
//
// Copyright (c) 2020 Uber Technologies, Inc.
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
// all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.

package authorization

import (
	"context"

	"go.temporal.io/server/common/api"
)

// defaultAuthorizer is the built-in role-based Authorizer. It carries no
// state: every decision is derived solely from the Claims and CallTarget
// handed to Authorize.
type defaultAuthorizer struct{}

// Compile-time proof that defaultAuthorizer implements Authorizer.
var _ Authorizer = (*defaultAuthorizer)(nil)

// NewDefaultAuthorizer returns the stateless built-in Authorizer.
func NewDefaultAuthorizer() Authorizer {
	return new(defaultAuthorizer)
}

// The two decisions Authorize can hand back, built once and reused.
var (
	resultAllow = Result{Decision: DecisionAllow}
	resultDeny  = Result{Decision: DecisionDeny}
)

// Authorize determines if an API call by given claims should be allowed or denied.
// Rules:
//
// Health check APIs are allowed to everyone.
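// System Admin is allowed to access all APIs on all namespaces and cluster-level.
// System Writer is allowed to access non admin APIs on all namespaces and cluster-level.
// System Reader is allowed to access readonly APIs on all namespaces and cluster-level.
// Namespace Admin is allowed to access all APIs on their namespaces.
// Namespace Writer is allowed to access non admin APIs on their namespaces.
// Namespace Reader is allowed to access non admin readonly APIs on their namespaces.
//
// Everything else is denied: a nil target, a nil claims object, an API whose
// metadata scope is neither cluster nor namespace, and any granted role below
// the one required by the API's access level. The error return is always nil;
// denial is expressed only through the Result, so callers have a single
// decision path to handle.
//
// Note that the health-check bypass runs before the claims check, so those
// APIs are reachable by unauthenticated callers — keep IsHealthCheckAPI's
// list limited to endpoints that truly expose nothing sensitive.
//
// NOTE(review): the final `>=` comparison only implements the table above if
// Role values are ordered Admin > Writer > Reader and OR-ing lower roles can
// never reach a higher one (e.g. one distinct bit per role). That invariant is
// fixed by the Role definition, not here — confirm it before adding roles.
func (a *defaultAuthorizer) Authorize(_ context.Context, claims *Claims, target *CallTarget) (Result, error) {
	// Fail closed on a missing target instead of dereferencing nil below.
	if target == nil {
		return resultDeny, nil
	}
	// Read-only health checks with no sensitive information are always allowed,
	// even with no claims at all.
	if IsHealthCheckAPI(target.APIName) {
		return resultAllow, nil
	}
	// No claims means no identity was established: deny.
	if claims == nil {
		return resultDeny, nil
	}

	metadata := api.GetMethodMetadata(target.APIName)

	var granted Role
	switch metadata.Scope {
	case api.ScopeCluster:
		// Cluster-scoped APIs are decided by system-level roles only.
		granted = claims.System
	case api.ScopeNamespace:
		// System-level roles apply across all namespaces, so they are combined
		// with whatever was granted on this particular namespace. Indexing a nil
		// map or a missing key yields the zero Role, so an unknown namespace
		// contributes nothing.
		// NOTE(review): target.Namespace is used verbatim; an empty namespace
		// string looks up the "" key, so a claims mapper must never grant a
		// role under that key.
		granted = claims.System | claims.Namespaces[target.Namespace]
	default:
		// Any other scope value (presumably what an API without registered
		// metadata yields — confirm in api.GetMethodMetadata) is denied.
		return resultDeny, nil
	}

	if granted >= getRequiredRole(metadata.Access) {
		return resultAllow, nil
	}
	return resultDeny, nil
}

// getRequiredRole maps an API's declared access level to the minimum Role that
// may invoke it. Any access value other than read-only or write — including the
// zero value — requires RoleAdmin, so an unrecognised or unset access level
// fails closed.
func getRequiredRole(access api.Access) Role {
	switch access {
	case api.AccessReadOnly:
		return RoleReader
	case api.AccessWrite:
		return RoleWriter
	default:
		return RoleAdmin
	}
}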