AuthSuperAdmin authorizes the operations for the users who belong to the guardians group in the galaxy namespace. This authorization is used for admin usages like creation and deletion of a namespace, resetting passwords across namespaces etc. NOTE: The caller should not wrap the error returned. If needed, propagate the GRPC error code.
(ctx context.Context)
// AuthSuperAdmin authorizes operations for users who belong to the guardians group in the
// galaxy namespace. It gates admin operations such as creating or deleting a namespace
// and resetting passwords across namespaces.
// NOTE: The caller should not wrap the error returned. If needed, propagate the GRPC error code.
//
// Checks run in this order:
//  1. If x.WorkerConfig.AclEnabled is false, the call is allowed unconditionally.
//  2. The namespace extracted from ctx must be 0; any other value yields PermissionDenied.
//  3. AuthorizeGuardians(ctx) must succeed; its gRPC code is preserved in the returned error.
func AuthSuperAdmin(ctx context.Context) error {
	// With ACL switched off there is nothing to enforce, so every caller passes.
	// This makes the AclEnabled setting itself security-critical for all guarded operations.
	if !x.WorkerConfig.AclEnabled {
		return nil
	}

	namespace, nsErr := x.ExtractNamespaceFrom(ctx)
	switch {
	case nsErr != nil:
		// NOTE(review): this path returns a wrapped error, not a status.Error, so the gRPC
		// code a client observes depends on what ExtractNamespaceFrom returned. Confirm.
		return errors.Wrap(nsErr, "Authorize guardian of the galaxy, extracting jwt token, error:")
	case namespace != 0:
		// Only namespace 0 may proceed to the group check.
		return status.Error(
			codes.PermissionDenied, "Only superadmin is allowed to do this operation")
	}

	// Per the original comment, AuthorizeGuardians reads (user, []groups) from the JWT
	// claims and checks whether one of the user's groups is "guardians".
	guardErr := AuthorizeGuardians(ctx)
	if guardErr == nil {
		// Only the success path is logged here (at verbosity 3); denials are not logged
		// in this function.
		glog.V(3).Info("Successfully authorised guardian of the galaxy")
		return nil
	}

	// Re-issue the failure with the same gRPC code and a prefixed message.
	st := status.Convert(guardErr)
	return status.Error(
		st.Code(), "AuthSuperAdmin: failed to authorize guardians. "+st.Message())
}
| 1144 | |
| 1145 | // AuthorizeGuardians authorizes the operation for users which belong to Guardians group. |
| 1146 | // NOTE: The caller should not wrap the error returned. If needed, propagate the GRPC error code. |