Documentation ¶
Overview ¶
Package lang provides core constructs for describing Aptomi policy, as well as core structures for processing policy.
Let's start with policy objects. Cluster - individual cluster where containers get deployed (e.g. k8s cluster). Contract - contract for a service (e.g. database). Context - a set of contexts, defining how contract can be fulfilled (e.g. MariaDB, MySQL, SQLite). Service - specific service implementation (set of containers to run, and dependencies on other services). Dependency - service use declaration, which triggers instantiation of a service . Rule - rules which constitute policy, allowing to change labels and perform actions during policy resolution. ACLRule - rules which define user roles for accessing Aptomi namespaces.
Now, core structures: LabelSet - set of labels that get processed and transformed LabelOperations - how to transform labels Criteria - bool-based lists of expressions for defining complex criteria
Index ¶
- Constants
- Variables
- func IsPolicyObject(obj runtime.Object) bool
- type ACLResolver
- type ACLRole
- type ACLRule
- type APIPolicy
- type APIPolicyNamespace
- type Allocation
- type Base
- type Cluster
- type Code
- type Context
- type Contract
- type Criteria
- type Dependency
- type DependencyAction
- type GlobalDependencies
- type GlobalRules
- type GlobalUsers
- type IngressAction
- type LabelOperations
- type LabelSet
- type Metadata
- type Policy
- func (policy *Policy) APIPolicy() *APIPolicy
- func (policy *Policy) AddObject(obj Base) error
- func (policy *Policy) GetObject(kind string, locator string, currentNs string) (runtime.Object, error)
- func (policy *Policy) GetObjectsByKind(kind string) []Base
- func (policy *Policy) RemoveObject(obj Base) bool
- func (policy *Policy) Validate() error
- func (policy *Policy) View(user *User) *PolicyView
- type PolicyNamespace
- type PolicyValidator
- type PolicyView
- type Privilege
- type Privileges
- type Rule
- type RuleActionResult
- type RuleActions
- type Service
- type ServiceComponent
- type User
Constants ¶
const LabelCluster = "cluster"
LabelCluster is a special label name where cluster should be stored. It's required by the engine during policy processing
const Reject = "reject"
Reject is a special constant that is used in rule actions for rejecting dependencies, ingress traffic, etc
Variables ¶
var ACLRolesMap = map[string]*ACLRole{
domainAdmin.ID: domainAdmin,
namespaceAdmin.ID: namespaceAdmin,
serviceConsumer.ID: serviceConsumer,
nobody.ID: nobody,
}
ACLRolesMap represents the map of ACL roles (Role ID -> Role)
var ACLRolesOrderedList = []*ACLRole{
domainAdmin,
namespaceAdmin,
serviceConsumer,
nobody,
}
ACLRolesOrderedList represents the ordered list of ACL roles (from most "powerful" to least "powerful")
var ACLRuleObject = &runtime.Info{ Kind: "aclrule", Storable: true, Versioned: true, Deletable: true, Constructor: func() runtime.Object { return &ACLRule{} }, }
ACLRuleObject is an informational data structure with Kind and Constructor for ACLRule
var ClusterObject = &runtime.Info{ Kind: "cluster", Storable: true, Versioned: true, Deletable: true, Constructor: func() runtime.Object { return &Cluster{} }, }
ClusterObject is an informational data structure with Kind and Constructor for Cluster
var ContractObject = &runtime.Info{ Kind: "contract", Storable: true, Versioned: true, Deletable: true, Constructor: func() runtime.Object { return &Contract{} }, }
ContractObject is an informational data structure with Kind and Constructor for Contract
var DependencyObject = &runtime.Info{ Kind: "dependency", Storable: true, Versioned: true, Deletable: true, Constructor: func() runtime.Object { return &Dependency{} }, }
DependencyObject is an informational data structure with Kind and Constructor for Dependency
var ( // PolicyObjects is the list of informational data for all policy objects PolicyObjects = []*runtime.Info{ ServiceObject, ContractObject, DependencyObject, ClusterObject, RuleObject, ACLRuleObject, } )
var RuleObject = &runtime.Info{ Kind: "rule", Storable: true, Versioned: true, Deletable: true, Constructor: func() runtime.Object { return &Rule{} }, }
RuleObject is an informational data structure with Kind and Constructor for Rule
var ServiceObject = &runtime.Info{ Kind: "service", Storable: true, Versioned: true, Deletable: true, Constructor: func() runtime.Object { return &Service{} }, }
ServiceObject is an informational data structure with Kind and Constructor for Service
Functions ¶
func IsPolicyObject ¶
IsPolicyObject returns true if provided object is part of the policy objects list
Types ¶
type ACLResolver ¶
type ACLResolver struct {
// contains filtered or unexported fields
}
ACLResolver is a struct which allows to perform ACL resolution, allowing to retrieve user privileges for the objects they access
func NewACLResolver ¶
func NewACLResolver(globalRules *GlobalRules) *ACLResolver
NewACLResolver creates a new ACLResolver
func (*ACLResolver) GetUserPrivileges ¶
func (resolver *ACLResolver) GetUserPrivileges(user *User, obj Base) (*Privilege, error)
GetUserPrivileges is a main method which determines privileges that a given user has for a given object
func (*ACLResolver) GetUserRoleMap ¶
GetUserRoleMap returns the map role ID -> to which namespaces this role applies, for a given user. Note that user may have multiple roles at the same time. E.g. - domain admin (i.e. for all namespaces within Aptomi domain) - namespace admin for a set of given namespaces - service consumer for a set of given namespaces
type ACLRole ¶
type ACLRole struct { ID string Name string Privileges *Privileges }
ACLRole is a struct for defining user roles and their privileges. Aptomi has 4 built-in user roles: domain admin, namespace admin, service consumer, and nobody. Domain admin has full access rights to all namespaces. It can manage global objects in 'system' namespace (clusters, rules, and ACL rules). Namespace admin has full access right to a given set of namespaces, but it cannot global objects in 'system' namespace (clusters, rules, and ACL rules). Service consumer can only consume services within a given set of namespaces. Service consumption is treated as capability to instantiate services in a given namespace. Nobody cannot do anything except viewing the policy.
type ACLRule ¶
type ACLRule = Rule
ACLRule defines which users have which roles in Aptomi. They should be configured by Aptomi domain admins in the policy. ACLRules allow to pick groups of users and assign ACL roles to them (e.g. give access to a particular namespace)
type APIPolicy ¶
type APIPolicy struct {
Namespace map[string]*APIPolicyNamespace
}
APIPolicy is a Policy representation for API filtered for specific user
type APIPolicyNamespace ¶
type APIPolicyNamespace struct { Services map[string]*Service Contracts map[string]*Contract Clusters map[string]*Cluster Rules map[string]*Rule ACLRules map[string]*Rule Dependencies map[string]*Dependency }
APIPolicyNamespace is a PolicyNamespace representation for API filtered for specific user
type Allocation ¶
type Allocation struct { // Service defined which service to allocated. It can be in form of 'serviceName', referring to service within // current namespace. Or it can be in form of 'namespace/serviceName', referring to service in a different // namespace Service string `validate:"required"` // Keys define a set of unique keys that define this allocation. If keys are not defined, then allocation will // always correspond to a single instance. If keys are defined, it will allow to create different service instances // based on labels. Different keys values resolved during policy processing will result in different service // instances created by Aptomi. For example, if key is set to {{.User.Labels.team}}, it will get dynamically // resolved into a user's team name. And, since users from different teams will have different keys, every team // will get their own service instance from Aptomi Keys []string `yaml:"keys,omitempty" validate:"dive,template"` }
Allocation determines which service should be allocated for by the given context and which additional keys should be added to component instance key
type Cluster ¶
type Cluster struct { runtime.TypeKind `yaml:",inline"` Metadata `validate:"required"` // Type is a cluster type. Based on its type, the appropriate deployment plugin will be called to deploy containers. Type string `validate:"clustertype"` // Labels is a set of labels attached to the cluster Labels map[string]string `yaml:"labels,omitempty" validate:"omitempty,labels"` // Config for a given cluster type Config interface{} `validate:"required"` }
Cluster defines an individual cluster where containers get deployed. Various cloud providers are supported via setting a cluster type (k8s, Amazon ECS, GKE, etc).
func (*Cluster) ParseConfigInto ¶
ParseConfigInto parses cluster config into provided object
type Code ¶
type Code struct { // Type represents code type (e.g. "helm"). It determines the plugin that will get executed for // for this code component Type string `validate:"required,codetype"` // Params define parameters that will be passed down to the deployment plugin. Params follow text template syntax // and can refer to arbitrary labels, as well as discovery parameters exposed by other components (within the // current service) and discovery parameters exposed by services the current service depends on Params util.NestedParameterMap `validate:"omitempty,templateNestedMap"` }
Code with type and parameters, used to instantiate/update/delete component instances
type Context ¶
type Context struct { // Name defines context name in the policy Name string `validate:"identifier"` // Criteria - if it gets evaluated to true during policy resolution, then contract // will get fulfilled by allocating this service context. It's an optional field, so if it's nil then // it is considered to be evaluated to true automatically Criteria *Criteria `validate:"omitempty"` // ChangeLabels defines how current set of labels will get changed/transformed in case // the context gets matched ChangeLabels LabelOperations `yaml:"change-labels,omitempty" validate:"labelOperations"` // Allocation defines how the context will get allocated (which service to allocate and which unique key to use) Allocation *Allocation `validate:"required"` }
Context represents a single context within a service contract. It's essentially a service instance for a given of class of use cases, a given set of consumers, etc.
func (*Context) Matches ¶
func (context *Context) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)
Matches checks if context criteria is satisfied
func (*Context) ResolveKeys ¶
func (context *Context) ResolveKeys(params *template.Parameters, cache *template.Cache) ([]string, error)
ResolveKeys resolves dynamic allocation keys, which later get added to component instance key
type Contract ¶
type Contract struct { runtime.TypeKind `yaml:",inline"` Metadata `validate:"required"` // ChangeLabels defines how current set of labels will get changed/transformed in case // the contract gets matched ChangeLabels LabelOperations `yaml:"change-labels,omitempty" validate:"labelOperations"` // Contexts contains an ordered list of contexts within a contract. When allocating an instance, Aptomi will pick // and instantiate the first context which matches the criteria Contexts []*Context `validate:"dive"` }
Contract is an object, which allows you to define a contract for a service, as well as a set of specific implementations. For example, contract can be a 'database', with specific service contexts represented by 'MySQL', 'MariaDB', 'SQLite'.
When dependencies get declared, they always get declared on a contract (not on a specific service).
type Criteria ¶
type Criteria struct { // RequireAll follows 'AND' logic RequireAll []string `yaml:"require-all,omitempty" validate:"dive,expression"` // RequireAny follows 'OR' logic RequireAny []string `yaml:"require-any,omitempty" validate:"dive,expression"` // RequireNone follows 'AND NOT' RequireNone []string `yaml:"require-none,omitempty" validate:"dive,expression"` }
Criteria is a structure which allows users to define complex matching expressions in the policy. Criteria expressions can refer to labels through variables. It supports require-all, require-any and require-none clauses, with a list of expressions under each clause.
Criteria gets evaluated to true only when (1) All RequireAll expression evaluate to true, (2) At least one of RequireAny expressions evaluates to true, (3) None of RequireNone expressions evaluate to true.
If any of RequireAll, RequireAny, RequireNone are absent, the corresponding clause will be skipped. So it's perfectly fine to have a criteria with fewer than 3 clauses (e.g. just RequireAll), or with no sections at all. Empty criteria without any clauses always evaluates to true
type Dependency ¶
type Dependency struct { runtime.TypeKind `yaml:",inline"` Metadata `validate:"required"` // User is a user name for a user, who requested this dependency. User string `validate:"required"` // Contract that is being requested. It can be in form of 'contractName', referring to contract within // current namespace. Or it can be in form of 'namespace/contractName', referring to contract in a different // namespace. Contract string `validate:"required"` // Labels which are provided by the user. Labels map[string]string `yaml:"labels,omitempty" validate:"omitempty,labels"` }
Dependency is a declaration of use, defined in a form <User> needs an instance of <Contract> with specified set of <Labels>. It allows users to request contracts, which will translate into instantiation of service instances (and their dependencies) in the cloud
type DependencyAction ¶
type DependencyAction string
DependencyAction is a rule action to allow or disallow dependency to be resolved
type GlobalDependencies ¶
type GlobalDependencies struct { // DependencyMap is a map[name] -> *Dependency DependencyMap map[string]*Dependency `validate:"dive"` // DependenciesByContract contains dependency map <contractName> -> list of dependencies DependenciesByContract map[string][]*Dependency `validate:"-"` }
GlobalDependencies represents the list of global dependencies (see the definition above)
func NewGlobalDependencies ¶
func NewGlobalDependencies() *GlobalDependencies
NewGlobalDependencies creates and initializes a new empty list of global dependencies
type GlobalRules ¶
type GlobalRules struct { // RuleMap is a map[name] -> *Rule RuleMap map[string]*Rule `validate:"dive"` // Rules is an unsorted list of rules Rules []*Rule `validate:"-"` // contains filtered or unexported fields }
GlobalRules contains a map of global rules by name, as well as the list of sorted rules
func NewGlobalRules ¶
func NewGlobalRules() *GlobalRules
NewGlobalRules creates and initializes a new empty list of global rules
func (*GlobalRules) GetRulesSortedByWeight ¶
func (globalRules *GlobalRules) GetRulesSortedByWeight() []*Rule
GetRulesSortedByWeight returns all rules sorted by weight
func (*GlobalRules) Len ¶
func (globalRules *GlobalRules) Len() int
func (*GlobalRules) Less ¶
func (globalRules *GlobalRules) Less(i, j int) bool
func (*GlobalRules) Swap ¶
func (globalRules *GlobalRules) Swap(i, j int)
type GlobalUsers ¶
GlobalUsers contains the map of users by their name
type IngressAction ¶
type IngressAction string
IngressAction is a rule action to to allow or disallow ingres traffic for a component
type LabelOperations ¶
LabelOperations defines label transform operations. It supports two types of operations - 'set' and 'remove', those strings are used as keys in the main map.
When 'set' is used, the inner name->value map defines which labels should be added/overwritten. When 'remove' is used, the inner name->value map defines which labels should be deleted. In this case value doesn't matter and name can even point to an empty string as value
The typical usage of this struct is to take LabelSet and transform it using LabelOperations.
func NewLabelOperations ¶
func NewLabelOperations(setMap map[string]string, removeMap map[string]string) LabelOperations
NewLabelOperations creates a new LabelOperations object, given "set" and "remove" parameters
func NewLabelOperationsSetSingleLabel ¶
func NewLabelOperationsSetSingleLabel(k string, v string) LabelOperations
NewLabelOperationsSetSingleLabel creates a new LabelOperations object to set a single "k"="v" label
type LabelSet ¶
LabelSet defines the set of labels that will be manipulated throughout policy execution. All labels are stored in a 'key' -> 'value' map
func NewLabelSet ¶
NewLabelSet creates a new LabelSet from a given map of text labels
func (*LabelSet) ApplyTransform ¶
func (src *LabelSet) ApplyTransform(ops LabelOperations) bool
ApplyTransform applies a given set of label transformations to the current set of labels. The method teturns true if changes have been made to the current set
type Metadata ¶
type Metadata struct { Namespace string `yaml:",omitempty" validate:"identifier"` Name string `yaml:",omitempty" validate:"identifier"` Generation runtime.Generation `yaml:",omitempty"` Deleted bool `yaml:",omitempty"` }
Metadata is an object metadata implementation (Namespace, Kind, Name, Generation) which works for all standard objects. Namespace defines in which namespace the object is defined. An object always gets placed in only one namespace. Kind describes type of the object (e.g. Service, Contract, Cluster, etc) Name is a user-provided string identifier of an object. Names are usually human readable and must be unique across objects within the same namespace and the same object kind.
func (*Metadata) GetGeneration ¶
func (meta *Metadata) GetGeneration() runtime.Generation
GetGeneration returns object generation
func (*Metadata) GetNamespace ¶
GetNamespace returns object namespace
func (*Metadata) SetDeleted ¶ added in v0.1.10
SetDeleted sets object deleted flag
func (*Metadata) SetGeneration ¶
func (meta *Metadata) SetGeneration(generation runtime.Generation)
SetGeneration sets object generation
type Policy ¶
type Policy struct { // Namespace is a map from namespace name into a PolicyNamespace Namespace map[string]*PolicyNamespace `validate:"dive"` // contains filtered or unexported fields }
Policy describes the entire Aptomi policy.
At the highest level, policy consists of namespaces. Namespaces provide isolation for policy objects and access to namespaces can be controlled via ACL rules. Thus, different users can have different access rights to different parts of Aptomi policy. Namespaces are useful in environments with many users, multiple teams and projects.
Objects get stored in their corresponding namespaces. Names of objects must be unique within a namespace and a given object kind.
Once policy is defined, it can be passed to the engine for policy resolution. Policy resolution translates a given policy (intent) into actual state (what services/components need to created/updated/deleted, how and where) and the corresponding set of actions.
func (*Policy) APIPolicy ¶
APIPolicy returns Policy representation for API filtered for specific user
func (*Policy) AddObject ¶
AddObject adds a given object into the policy. When you add objects to the policy, they get added to the corresponding Namespace. If error occurs (e.g. object has an unknown kind) then the error will be returned
func (*Policy) GetObject ¶
func (policy *Policy) GetObject(kind string, locator string, currentNs string) (runtime.Object, error)
GetObject looks up and returns an object from the policy, given its kind, locator ([namespace/]name), and current namespace relative to which the call is being made
func (*Policy) GetObjectsByKind ¶
GetObjectsByKind returns all objects in a policy with a given kind, across all namespaces
func (*Policy) RemoveObject ¶
RemoveObject removes a given object from the policy. Returns true if removed and false if nothing got removed.
func (*Policy) Validate ¶
Validate performs validation of the entire policy, making sure that all of its objects are well-formed. It also checks that all cross-object references are valid. If policy is malformed, then a list of errors is returned. Otherwise, if policy is correctly formed, then nil is returned. The resulting error can be caster to (validator.ValidationErrors) and iterated over, to get the full list of errors.
func (*Policy) View ¶
func (policy *Policy) View(user *User) *PolicyView
View returns a policy view object, which allows to make all policy operations on behalf of a certain user Policy view object will enforce all ACLs, allowing the user to only perform actions which he is allowed to perform All ACL rules should be loaded and added to the policy before this method gets called
type PolicyNamespace ¶
type PolicyNamespace struct { Name string `validate:"identifier"` Services map[string]*Service `validate:"dive"` Contracts map[string]*Contract `validate:"dive"` Clusters map[string]*Cluster `validate:"dive"` Rules *GlobalRules `validate:"required"` ACLRules *GlobalRules `validate:"required"` Dependencies *GlobalDependencies `validate:"required"` }
PolicyNamespace describes a specific namespace within Aptomi policy. All policy objects get placed in the appropriate maps and structs within PolicyNamespace.
func NewPolicyNamespace ¶
func NewPolicyNamespace(name string) *PolicyNamespace
NewPolicyNamespace creates a new PolicyNamespace
type PolicyValidator ¶
type PolicyValidator struct {
// contains filtered or unexported fields
}
PolicyValidator is a custom validator for the policy
func NewPolicyValidator ¶
func NewPolicyValidator(policy *Policy) *PolicyValidator
NewPolicyValidator creates a new PolicyValidator
func (*PolicyValidator) Validate ¶
func (v *PolicyValidator) Validate() error
Validate validates the entire policy for errors and returns an error (it can be casted to policyValidationError, containing a list of errors inside). When error is printed as string, it will automatically contains the full list of validation errors.
type PolicyView ¶
type PolicyView struct { // Policy which gets viewed Policy *Policy // User who is viewing policy User *User }
PolicyView allows to view/manage policy objects on behalf on a certain user It will enforce all ACLs, allowing the user to only perform actions which he is entitled to perform.
func NewPolicyView ¶
func NewPolicyView(policy *Policy, user *User) *PolicyView
NewPolicyView creates a new PolicyView
func (*PolicyView) APIPolicy ¶
func (view *PolicyView) APIPolicy() *APIPolicy
APIPolicy returns Policy representation for API filtered for specific user
func (*PolicyView) AddObject ¶
func (view *PolicyView) AddObject(obj Base) error
AddObject adds an object into the policy. When you add objects to the policy, they get added to the corresponding Namespace. If error occurs (e.g. object has an unknown kind, etc) then the error will be returned
func (*PolicyView) CanConsume ¶
func (view *PolicyView) CanConsume(service *Service) (bool, error)
CanConsume returns if user has permissions to consume a given service. If a user can declare a dependency in a given namespace, then he can essentially can consume the service
func (*PolicyView) ManageObject ¶
func (view *PolicyView) ManageObject(obj Base) error
ManageObject checks if user has permissions to manage a given object. If user has no permissions, then ACL error will be returned
func (*PolicyView) ViewObject ¶
func (view *PolicyView) ViewObject(obj Base) error
ViewObject checks if user has permissions to view a given object. If user has no permissions, then ACL error will be returned
type Privilege ¶
type Privilege struct { // View indicates whether or not a user can view an object (R) View bool // Manage indicates whether or not a user can manage an object, i.e. perform operations (CUD) Manage bool }
Privilege is a unit of privilege for any single given object
type Privileges ¶
type Privileges struct { // AllNamespaces, when set to true, indicated that user privileges apply to all namespaces. Otherwise it applies // to a set of given namespaces AllNamespaces bool // NamespaceObjects specifies whether or not this role can view/manage a certain object kind within a non-system namespace NamespaceObjects map[string]*Privilege // GlobalObjects specifies whether or not this role can view/manage a certain object kind within a system namespace GlobalObjects map[string]*Privilege }
Privileges defines a set of privileges for a particular role in Aptomi
type Rule ¶
type Rule struct { runtime.TypeKind `yaml:",inline"` Metadata `validate:"required"` // Weight defined for the rule. All rules are sorted in the order of increasing weight and applied in that order Weight int `validate:"min=0"` // Criteria - if it gets evaluated to true during policy resolution, then rules's actions will be executed. // It's an optional field, so if it's nil then it is considered to be evaluated to true automatically Criteria *Criteria `yaml:",omitempty" validate:"omitempty"` // Actions define the set of actions that will be executed if Criteria gets evaluated to true Actions *RuleActions `validate:"required"` }
Rule is a generic mechanism for defining rules in Aptomi.
Rules can be used to set certain labels on certain conditions as well as perform certain actions (such as rejecting dependencies, rejecting ingress traffic, etc)
ACLRule is inherited from Rule, so the same mechanism is used for processing ACLs in Aptomi.
func (*Rule) ApplyActions ¶
func (rule *Rule) ApplyActions(result *RuleActionResult)
ApplyActions applies rule actions and updates result
func (*Rule) Matches ¶
func (rule *Rule) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)
Matches returns true if a rule matches
type RuleActionResult ¶
type RuleActionResult struct { RejectDependency bool RejectIngress bool ChangedLabelsOnLastApply bool Labels *LabelSet RoleMap map[string]map[string]bool }
RuleActionResult is a result of processing multiple rules on a given component
func NewRuleActionResult ¶
func NewRuleActionResult(labels *LabelSet) *RuleActionResult
NewRuleActionResult creates a new RuleActionResult
type RuleActions ¶
type RuleActions struct { // ChangeLabels defines how labels should be transformed ChangeLabels LabelOperations `yaml:"change-labels,omitempty" validate:"omitempty,labelOperations"` // Dependency defines whether dependency should be rejected Dependency DependencyAction `yaml:"dependency,omitempty" validate:"omitempty,allowReject"` // Ingress defines whether ingress traffic should be rejected Ingress IngressAction `yaml:"ingress,omitempty" validate:"omitempty,allowReject"` // AddRole field is only relevant for ACL rules (have to keep it in this class due to the lack of generics). // Key in the map is role ID, while value is a set of comma-separated namespaces to which this role applies AddRole map[string]string `yaml:"add-role,omitempty" validate:"omitempty,addRoleNS"` }
RuleActions is a set of actions that can be performed by a rule. All fields in this structure are optional. If a field is defined, then the corresponding action will be processed
type Service ¶
type Service struct { runtime.TypeKind `yaml:",inline"` Metadata `validate:"required"` // Labels is a set of labels attached to the service Labels map[string]string `yaml:"labels,omitempty" validate:"omitempty,labels"` // Components is the list of components service consists of Components []*ServiceComponent `validate:"dive"` // contains filtered or unexported fields }
Service defines individual service in Aptomi. The idea is that services get defined by different teams. Those teams define service-specific consumption rules of how others can consume their services.
Service typically consists of one or more components. Each component can either be pointer to the code (e.g. docker container image with metadata that needs to be started/managed) or it can be dependency on another\ contract (which will get fulfilled by Aptomi)
func (*Service) GetComponentsMap ¶
func (service *Service) GetComponentsMap() map[string]*ServiceComponent
GetComponentsMap lazily initializes and returns a map of name -> component, while being thread-safe
func (*Service) GetComponentsSortedTopologically ¶
func (service *Service) GetComponentsSortedTopologically() ([]*ServiceComponent, error)
GetComponentsSortedTopologically returns all components sorted in a topological order This should be thread safe
type ServiceComponent ¶
type ServiceComponent struct { // Name is a user-defined component name Name string `validate:"identifier"` // Criteria - if it gets evaluated to true during policy resolution, then component will be included // into the service. It's an optional field, so if it's nil then it is considered to be true automatically Criteria *Criteria `yaml:",omitempty" validate:"omitempty"` // Contract, if not empty, denoted that the component points to another contract as a dependency. Meaning that // a service needs to have another service running as its dependency (e.g. 'wordpress' service needs a 'database' // contract). This dependency will be fulfilled at policy resolution time. Contract string `yaml:"contract,omitempty" validate:"omitempty"` // Code, if not empty, means that component is a code that can be instantiated with certain parameters (e.g. docker // container image) Code *Code `yaml:"code,omitempty" validate:"omitempty"` // Discovery is a map of discovery parameters that this component exposes to other services Discovery util.NestedParameterMap `yaml:"discovery,omitempty" validate:"omitempty,templateNestedMap"` // Dependencies is cross-component dependencies within a service. Component may need other components within that // service to run, before it gets instantiated Dependencies []string `yaml:"dependencies,omitempty" validate:"dive,identifier"` }
ServiceComponent defines component within a service
func (*ServiceComponent) Matches ¶ added in v0.1.13
func (component *ServiceComponent) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)
Matches checks if component criteria is satisfied
type User ¶
type User struct { // Name is a unique name of a user Name string // Password hash is a hashed and salted user password PasswordHash string // Labels is a set of 'name'->'value' string labels, attached to the user Labels map[string]string // DomainAdmin is a special bool flag, which allows to mark certain users as domain admins. It's useful for Aptomi // bootstrap process, when someone needs to upload ACL rules into Aptomi (but his role is not defined in ACL, // because ACL list is empty when Aptomi is first installed) DomainAdmin bool }
User represents a user in Aptomi. It has a unique Name and a set of Labels, Users can be retrieved from multiple sources (e.g. file, LDAP, AD, etc)
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package builder provides simple and easy-to-use way to construct Aptomi Policy in the source code, primarily for unit tests.
|
Package builder provides simple and easy-to-use way to construct Aptomi Policy in the source code, primarily for unit tests. |
Package expression provides support for evaluating expressions in Aptomi, with support for caching compiled expressions.
|
Package expression provides support for evaluating expressions in Aptomi, with support for caching compiled expressions. |
Package template provides support for evaluating text templates in Aptomi, with support for caching compiled templates.
|
Package template provides support for evaluating text templates in Aptomi, with support for caching compiled templates. |
Package yaml provides support for marshalling YAML objects and loading/unmarshalling them from YAML files.
|
Package yaml provides support for marshalling YAML objects and loading/unmarshalling them from YAML files. |