func (p policy) matches(a authorizer.Attributes) bool { if p.User == "" || p.User == a.GetUserName() { if p.Readonly == false || (p.Readonly == a.IsReadOnly()) { if p.Kind == "" || (p.Kind == a.GetKind()) { if p.Namespace == "" || (p.Namespace == a.GetNamespace()) { return true } } } } return false }
func (p policy) subjectMatches(a authorizer.Attributes) bool { if p.User != "" { // Require user match if p.User != a.GetUserName() { return false } } if p.Group != "" { // Require group match for _, group := range a.GetGroups() { if p.Group == group { return true } } return false } return true }
func (allowAliceAuthorizer) Authorize(a authorizer.Attributes) error { if a.GetUserName() == "alice" { return nil } return errors.New("I can't allow that. Go ask alice.") }