Apache Mesos
This interface is used to enable an identity service or any other back end to check authorization policies for a set of predefined actions.
#include <authorizer.hpp>
Public Member Functions
  virtual ~Authorizer ()
  virtual process::Future< bool > authorized (const authorization::Request &request) = 0
    Checks with the identity server back end whether request is allowed by the policies of the identity server.
  virtual process::Future< std::shared_ptr< const ObjectApprover > > getApprover (const Option< authorization::Subject > &subject, const authorization::Action &action) = 0
    Returns an ObjectApprover which can synchronously check authorization on an object.

Static Public Member Functions
  static Try< Authorizer * > create (const std::string &name)
    Factory method used to create instances of authorizer which are loaded from the ModuleManager.
  static Try< Authorizer * > create (const ACLs &acls)
    Factory method used to create instances of the default 'local' authorizer.

Protected Member Functions
  Authorizer ()
Detailed Description
This interface is used to enable an identity service or any other back end to check authorization policies for a set of predefined actions.

The authorized() method returns Future<bool>. If the action is allowed, the future is set to true, otherwise to false. A third possible outcome is that the future fails, which usually indicates that the back end could not be contacted or it does not understand the requested action. This may be a temporary condition.

A description of the behavior of the default implementation of this interface can be found in "docs/authorization.md".
Constructor & Destructor Documentation
  virtual ~Authorizer ()  [inline, virtual]
  Authorizer ()  [inline, protected]
Member Function Documentation
  virtual process::Future< bool > authorized (const authorization::Request &request)  [pure virtual]
Checks with the identity server back end whether request is allowed by the policies of the identity server, i.e. whether request.subject can perform request.action with request.object. For details on how the request is built and what its parts are, refer to "authorizer.proto".
Parameters
  request  authorization::Request instance packing all the parameters needed to verify whether a subject can perform a given action with an object.
Returns
  A future set to true if the action is allowed, otherwise to false. A failed future indicates a problem processing the request; the request might be retried later.
Implemented in mesos::internal::LocalAuthorizer.
  static Try< Authorizer * > create (const std::string &name)  [static]
Factory method used to create instances of authorizer which are loaded from the ModuleManager. The parameters necessary to instantiate the authorizer are taken from the contents of the --modules flag.
Parameters
  name  The name of the module to be loaded as registered in the --modules flag.
Returns
  Authorizer* if the module with the given name could be constructed. An error otherwise.
  static Try< Authorizer * > create (const ACLs &acls)  [static]
Factory method used to create instances of the default 'local' authorizer.
Parameters
  acls  The access control lists used to initialize the 'local' authorizer.
  virtual process::Future< std::shared_ptr< const ObjectApprover > > getApprover (const Option< authorization::Subject > &subject, const authorization::Action &action)  [pure virtual]
Returns an ObjectApprover which can synchronously check authorization on an object.

The returned ObjectApprover is valid throughout its whole lifetime or the lifetime of the authorizer, whichever is shorter. Calls to its approved(...) method can return different values depending on the internal state maintained by the authorizer (which can change due to the need to keep the ObjectApprover up-to-date).
Parameters
  subject  authorization::Subject for which the ObjectApprover should be created.
  action   authorization::Action for which the ObjectApprover should be created.
Returns
  An ObjectApprover for the given subject and action.
Implemented in mesos::internal::LocalAuthorizer.
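The contract documented above for authorized() (ready true/false versus a failed future) and getApprover() (an approver that follows the authorizer's state and is only valid while the authorizer is), as an added stand-alone C++ example that is not Mesos code: process::Future, authorization::Request and ObjectApprover are replaced by small stand-ins (AuthFuture, Request, Approver, PolicyAuthorizer and decide() are all assumed here) so it compiles without libmesos, and decide() shows a caller treating a failed future as neither allowed nor denied.

```cpp
#include <map>
#include <memory>
#include <set>
#include <string>
#include <utility>
// Stand-in for process::Future<bool>: either ready with a value, or failed with a reason.
struct AuthFuture {
  bool failed;          // back end could not answer (unknown action, unreachable, ...)
  bool value;           // meaningful only when !failed
  std::string failure;  // reason, set only when failed
};
struct Request { std::string subject, action, object; };     // stand-in for authorization::Request
using Policy = std::map<std::string, std::set<std::string>>; // action -> allowed "subject:object"
// Stand-in for ObjectApprover: bound to one subject and action, reading the authorizer's
// live policy by reference, so it is only valid while the authorizer is and follows its state.
class Approver {
 public:
  Approver(const Policy& p, std::string s, std::string a) : policy_(p), subject_(s), action_(a) {}
  bool approved(const std::string& object) const {
    auto it = policy_.find(action_);
    return it != policy_.end() && it->second.count(subject_ + ":" + object) > 0;
  }
 private:
  const Policy& policy_;
  std::string subject_, action_;
};
class PolicyAuthorizer {
 public:
  explicit PolicyAuthorizer(Policy p) : policy_(std::move(p)) {}
  // Known action: ready future holding true/false. Unknown action: failed future, never a silent false.
  AuthFuture authorized(const Request& r) const {
    auto it = policy_.find(r.action);
    if (it == policy_.end()) return {true, false, "unknown action: " + r.action};
    return {false, it->second.count(r.subject + ":" + r.object) > 0, ""};
  }
  std::shared_ptr<const Approver> getApprover(const std::string& s, const std::string& a) const {
    return std::make_shared<const Approver>(policy_, s, a);
  }
  void grant(const std::string& action, const std::string& pair) { policy_[action].insert(pair); }
 private:
  Policy policy_;
};
// Caller side: a failed future is neither "allowed" nor "denied"; fail closed and retry later.
enum class Decision { Allow, Deny, RetryLater };
Decision decide(const AuthFuture& f) {
  if (f.failed) return Decision::RetryLater;
  return f.value ? Decision::Allow : Decision::Deny;
}
```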