lang

package
v0.1.13 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 19, 2018 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Overview

Package lang provides core constructs for describing Aptomi policy, as well as core structures for processing policy.

Let's start with policy objects. Cluster - individual cluster where containers get deployed (e.g. k8s cluster). Contract - contract for a service (e.g. database). Context - a set of contexts, defining how contract can be fulfilled (e.g. MariaDB, MySQL, SQLite). Service - specific service implementation (set of containers to run, and dependencies on other services). Dependency - service use declaration, which triggers instantiation of a service . Rule - rules which constitute policy, allowing to change labels and perform actions during policy resolution. ACLRule - rules which define user roles for accessing Aptomi namespaces.

Now, core structures: LabelSet - set of labels that get processed and transformed LabelOperations - how to transform labels Criteria - bool-based lists of expressions for defining complex criteria

Index

Constants

View Source
const LabelCluster = "cluster"

LabelCluster is a special label name where cluster should be stored. It's required by the engine during policy processing

View Source
const Reject = "reject"

Reject is a special constant that is used in rule actions for rejecting dependencies, ingress traffic, etc

Variables

View Source
var ACLRolesMap = map[string]*ACLRole{
	domainAdmin.ID:     domainAdmin,
	namespaceAdmin.ID:  namespaceAdmin,
	serviceConsumer.ID: serviceConsumer,
	nobody.ID:          nobody,
}

ACLRolesMap represents the map of ACL roles (Role ID -> Role)

View Source
var ACLRolesOrderedList = []*ACLRole{
	domainAdmin,
	namespaceAdmin,
	serviceConsumer,
	nobody,
}

ACLRolesOrderedList represents the ordered list of ACL roles (from most "powerful" to least "powerful")

View Source
var ACLRuleObject = &runtime.Info{
	Kind:        "aclrule",
	Storable:    true,
	Versioned:   true,
	Deletable:   true,
	Constructor: func() runtime.Object { return &ACLRule{} },
}

ACLRuleObject is an informational data structure with Kind and Constructor for ACLRule

View Source
var ClusterObject = &runtime.Info{
	Kind:        "cluster",
	Storable:    true,
	Versioned:   true,
	Deletable:   true,
	Constructor: func() runtime.Object { return &Cluster{} },
}

ClusterObject is an informational data structure with Kind and Constructor for Cluster

View Source
var ContractObject = &runtime.Info{
	Kind:        "contract",
	Storable:    true,
	Versioned:   true,
	Deletable:   true,
	Constructor: func() runtime.Object { return &Contract{} },
}

ContractObject is an informational data structure with Kind and Constructor for Contract

View Source
var DependencyObject = &runtime.Info{
	Kind:        "dependency",
	Storable:    true,
	Versioned:   true,
	Deletable:   true,
	Constructor: func() runtime.Object { return &Dependency{} },
}

DependencyObject is an informational data structure with Kind and Constructor for Dependency

View Source
var (
	// PolicyObjects is the list of informational data for all policy objects
	PolicyObjects = []*runtime.Info{
		ServiceObject,
		ContractObject,
		DependencyObject,
		ClusterObject,
		RuleObject,
		ACLRuleObject,
	}
)
View Source
var RuleObject = &runtime.Info{
	Kind:        "rule",
	Storable:    true,
	Versioned:   true,
	Deletable:   true,
	Constructor: func() runtime.Object { return &Rule{} },
}

RuleObject is an informational data structure with Kind and Constructor for Rule

View Source
var ServiceObject = &runtime.Info{
	Kind:        "service",
	Storable:    true,
	Versioned:   true,
	Deletable:   true,
	Constructor: func() runtime.Object { return &Service{} },
}

ServiceObject is an informational data structure with Kind and Constructor for Service

Functions

func IsPolicyObject

func IsPolicyObject(obj runtime.Object) bool

IsPolicyObject returns true if provided object is part of the policy objects list

Types

type ACLResolver

type ACLResolver struct {
	// contains filtered or unexported fields
}

ACLResolver is a struct which allows to perform ACL resolution, allowing to retrieve user privileges for the objects they access

func NewACLResolver

func NewACLResolver(globalRules *GlobalRules) *ACLResolver

NewACLResolver creates a new ACLResolver

func (*ACLResolver) GetUserPrivileges

func (resolver *ACLResolver) GetUserPrivileges(user *User, obj Base) (*Privilege, error)

GetUserPrivileges is a main method which determines privileges that a given user has for a given object

func (*ACLResolver) GetUserRoleMap

func (resolver *ACLResolver) GetUserRoleMap(user *User) (map[string]map[string]bool, error)

GetUserRoleMap returns the map role ID -> to which namespaces this role applies, for a given user. Note that user may have multiple roles at the same time. E.g. - domain admin (i.e. for all namespaces within Aptomi domain) - namespace admin for a set of given namespaces - service consumer for a set of given namespaces

type ACLRole

type ACLRole struct {
	ID         string
	Name       string
	Privileges *Privileges
}

ACLRole is a struct for defining user roles and their privileges. Aptomi has 4 built-in user roles: domain admin, namespace admin, service consumer, and nobody. Domain admin has full access rights to all namespaces. It can manage global objects in 'system' namespace (clusters, rules, and ACL rules). Namespace admin has full access right to a given set of namespaces, but it cannot global objects in 'system' namespace (clusters, rules, and ACL rules). Service consumer can only consume services within a given set of namespaces. Service consumption is treated as capability to instantiate services in a given namespace. Nobody cannot do anything except viewing the policy.

type ACLRule

type ACLRule = Rule

ACLRule defines which users have which roles in Aptomi. They should be configured by Aptomi domain admins in the policy. ACLRules allow to pick groups of users and assign ACL roles to them (e.g. give access to a particular namespace)

type APIPolicy

type APIPolicy struct {
	Namespace map[string]*APIPolicyNamespace
}

APIPolicy is a Policy representation for API filtered for specific user

type APIPolicyNamespace

type APIPolicyNamespace struct {
	Services     map[string]*Service
	Contracts    map[string]*Contract
	Clusters     map[string]*Cluster
	Rules        map[string]*Rule
	ACLRules     map[string]*Rule
	Dependencies map[string]*Dependency
}

APIPolicyNamespace is a PolicyNamespace representation for API filtered for specific user

type Allocation

type Allocation struct {
	// Service defined which service to allocated. It can be in form of 'serviceName', referring to service within
	// current namespace. Or it can be in form of 'namespace/serviceName', referring to service in a different
	// namespace
	Service string `validate:"required"`

	// Keys define a set of unique keys that define this allocation. If keys are not defined, then allocation will
	// always correspond to a single instance. If keys are defined, it will allow to create different service instances
	// based on labels. Different keys values resolved during policy processing will result in different service
	// instances created by Aptomi. For example, if key is set to {{.User.Labels.team}}, it will get dynamically
	// resolved into a user's team name. And, since users from different teams will have different keys, every team
	// will get their own service instance from Aptomi
	Keys []string `yaml:"keys,omitempty" validate:"dive,template"`
}

Allocation determines which service should be allocated for by the given context and which additional keys should be added to component instance key

type Base

type Base interface {
	runtime.Deletable
}

Base interface represents unified base object that could be part of the policy

type Cluster

type Cluster struct {
	runtime.TypeKind `yaml:",inline"`
	Metadata         `validate:"required"`

	// Type is a cluster type. Based on its type, the appropriate deployment plugin will be called to deploy containers.
	Type string `validate:"clustertype"`

	// Labels is a set of labels attached to the cluster
	Labels map[string]string `yaml:"labels,omitempty" validate:"omitempty,labels"`

	// Config for a given cluster type
	Config interface{} `validate:"required"`
}

Cluster defines an individual cluster where containers get deployed. Various cloud providers are supported via setting a cluster type (k8s, Amazon ECS, GKE, etc).

func (*Cluster) MakeCopy

func (cluster *Cluster) MakeCopy() *Cluster

MakeCopy makes a shallow copy of the Cluster struct

func (*Cluster) ParseConfigInto

func (cluster *Cluster) ParseConfigInto(obj interface{}) error

ParseConfigInto parses cluster config into provided object

type Code

type Code struct {
	// Type represents code type (e.g. "helm"). It determines the plugin that will get executed for
	// for this code component
	Type string `validate:"required,codetype"`

	// Params define parameters that will be passed down to the deployment plugin. Params follow text template syntax
	// and can refer to arbitrary labels, as well as discovery parameters exposed by other components (within the
	// current service) and discovery parameters exposed by services the current service depends on
	Params util.NestedParameterMap `validate:"omitempty,templateNestedMap"`
}

Code with type and parameters, used to instantiate/update/delete component instances

type Context

type Context struct {
	// Name defines context name in the policy
	Name string `validate:"identifier"`

	// Criteria - if it gets evaluated to true during policy resolution, then contract
	// will get fulfilled by allocating this service context. It's an optional field, so if it's nil then
	// it is considered to be evaluated to true automatically
	Criteria *Criteria `validate:"omitempty"`

	// ChangeLabels defines how current set of labels will get changed/transformed in case
	// the context gets matched
	ChangeLabels LabelOperations `yaml:"change-labels,omitempty" validate:"labelOperations"`

	// Allocation defines how the context will get allocated (which service to allocate and which unique key to use)
	Allocation *Allocation `validate:"required"`
}

Context represents a single context within a service contract. It's essentially a service instance for a given of class of use cases, a given set of consumers, etc.

func (*Context) Matches

func (context *Context) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)

Matches checks if context criteria is satisfied

func (*Context) ResolveKeys

func (context *Context) ResolveKeys(params *template.Parameters, cache *template.Cache) ([]string, error)

ResolveKeys resolves dynamic allocation keys, which later get added to component instance key

type Contract

type Contract struct {
	runtime.TypeKind `yaml:",inline"`
	Metadata         `validate:"required"`

	// ChangeLabels defines how current set of labels will get changed/transformed in case
	// the contract gets matched
	ChangeLabels LabelOperations `yaml:"change-labels,omitempty" validate:"labelOperations"`

	// Contexts contains an ordered list of contexts within a contract. When allocating an instance, Aptomi will pick
	// and instantiate the first context which matches the criteria
	Contexts []*Context `validate:"dive"`
}

Contract is an object, which allows you to define a contract for a service, as well as a set of specific implementations. For example, contract can be a 'database', with specific service contexts represented by 'MySQL', 'MariaDB', 'SQLite'.

When dependencies get declared, they always get declared on a contract (not on a specific service).

type Criteria

type Criteria struct {
	// RequireAll follows 'AND' logic
	RequireAll []string `yaml:"require-all,omitempty" validate:"dive,expression"`

	// RequireAny follows 'OR' logic
	RequireAny []string `yaml:"require-any,omitempty" validate:"dive,expression"`

	// RequireNone follows 'AND NOT'
	RequireNone []string `yaml:"require-none,omitempty" validate:"dive,expression"`
}

Criteria is a structure which allows users to define complex matching expressions in the policy. Criteria expressions can refer to labels through variables. It supports require-all, require-any and require-none clauses, with a list of expressions under each clause.

Criteria gets evaluated to true only when (1) All RequireAll expression evaluate to true, (2) At least one of RequireAny expressions evaluates to true, (3) None of RequireNone expressions evaluate to true.

If any of RequireAll, RequireAny, RequireNone are absent, the corresponding clause will be skipped. So it's perfectly fine to have a criteria with fewer than 3 clauses (e.g. just RequireAll), or with no sections at all. Empty criteria without any clauses always evaluates to true

type Dependency

type Dependency struct {
	runtime.TypeKind `yaml:",inline"`
	Metadata         `validate:"required"`

	// User is a user name for a user, who requested this dependency.
	User string `validate:"required"`

	// Contract that is being requested. It can be in form of 'contractName', referring to contract within
	// current namespace. Or it can be in form of 'namespace/contractName', referring to contract in a different
	// namespace.
	Contract string `validate:"required"`

	// Labels which are provided by the user.
	Labels map[string]string `yaml:"labels,omitempty" validate:"omitempty,labels"`
}

Dependency is a declaration of use, defined in a form <User> needs an instance of <Contract> with specified set of <Labels>. It allows users to request contracts, which will translate into instantiation of service instances (and their dependencies) in the cloud

type DependencyAction

type DependencyAction string

DependencyAction is a rule action to allow or disallow dependency to be resolved

type GlobalDependencies

type GlobalDependencies struct {
	// DependencyMap is a map[name] -> *Dependency
	DependencyMap map[string]*Dependency `validate:"dive"`

	// DependenciesByContract contains dependency map <contractName> -> list of dependencies
	DependenciesByContract map[string][]*Dependency `validate:"-"`
}

GlobalDependencies represents the list of global dependencies (see the definition above)

func NewGlobalDependencies

func NewGlobalDependencies() *GlobalDependencies

NewGlobalDependencies creates and initializes a new empty list of global dependencies

type GlobalRules

type GlobalRules struct {
	// RuleMap is a map[name] -> *Rule
	RuleMap map[string]*Rule `validate:"dive"`

	// Rules is an unsorted list of rules
	Rules []*Rule `validate:"-"`
	// contains filtered or unexported fields
}

GlobalRules contains a map of global rules by name, as well as the list of sorted rules

func NewGlobalRules

func NewGlobalRules() *GlobalRules

NewGlobalRules creates and initializes a new empty list of global rules

func (*GlobalRules) GetRulesSortedByWeight

func (globalRules *GlobalRules) GetRulesSortedByWeight() []*Rule

GetRulesSortedByWeight returns all rules sorted by weight

func (*GlobalRules) Len

func (globalRules *GlobalRules) Len() int

func (*GlobalRules) Less

func (globalRules *GlobalRules) Less(i, j int) bool

func (*GlobalRules) Swap

func (globalRules *GlobalRules) Swap(i, j int)

type GlobalUsers

type GlobalUsers struct {
	// Users is a map[name] -> *User
	Users map[string]*User
}

GlobalUsers contains the map of users by their name

type IngressAction

type IngressAction string

IngressAction is a rule action to to allow or disallow ingres traffic for a component

type LabelOperations

type LabelOperations map[string]map[string]string

LabelOperations defines label transform operations. It supports two types of operations - 'set' and 'remove', those strings are used as keys in the main map.

When 'set' is used, the inner name->value map defines which labels should be added/overwritten. When 'remove' is used, the inner name->value map defines which labels should be deleted. In this case value doesn't matter and name can even point to an empty string as value

The typical usage of this struct is to take LabelSet and transform it using LabelOperations.

func NewLabelOperations

func NewLabelOperations(setMap map[string]string, removeMap map[string]string) LabelOperations

NewLabelOperations creates a new LabelOperations object, given "set" and "remove" parameters

func NewLabelOperationsSetSingleLabel

func NewLabelOperationsSetSingleLabel(k string, v string) LabelOperations

NewLabelOperationsSetSingleLabel creates a new LabelOperations object to set a single "k"="v" label

type LabelSet

type LabelSet struct {
	Labels map[string]string
}

LabelSet defines the set of labels that will be manipulated throughout policy execution. All labels are stored in a 'key' -> 'value' map

func NewLabelSet

func NewLabelSet(labels map[string]string) *LabelSet

NewLabelSet creates a new LabelSet from a given map of text labels

func (*LabelSet) AddLabels

func (src *LabelSet) AddLabels(addMap map[string]string)

AddLabels adds new labels to the current set of labels

func (*LabelSet) ApplyTransform

func (src *LabelSet) ApplyTransform(ops LabelOperations) bool

ApplyTransform applies a given set of label transformations to the current set of labels. The method teturns true if changes have been made to the current set

func (*LabelSet) Equal

func (src *LabelSet) Equal(dst *LabelSet) bool

Equal compares two labels sets. If one is nil and another one is empty, it will return true as well

type Metadata

type Metadata struct {
	Namespace  string             `yaml:",omitempty" validate:"identifier"`
	Name       string             `yaml:",omitempty" validate:"identifier"`
	Generation runtime.Generation `yaml:",omitempty"`
	Deleted    bool               `yaml:",omitempty"`
}

Metadata is an object metadata implementation (Namespace, Kind, Name, Generation) which works for all standard objects. Namespace defines in which namespace the object is defined. An object always gets placed in only one namespace. Kind describes type of the object (e.g. Service, Contract, Cluster, etc) Name is a user-provided string identifier of an object. Names are usually human readable and must be unique across objects within the same namespace and the same object kind.

func (*Metadata) GetGeneration

func (meta *Metadata) GetGeneration() runtime.Generation

GetGeneration returns object generation

func (*Metadata) GetName

func (meta *Metadata) GetName() string

GetName returns object name

func (*Metadata) GetNamespace

func (meta *Metadata) GetNamespace() string

GetNamespace returns object namespace

func (*Metadata) IsDeleted added in v0.1.10

func (meta *Metadata) IsDeleted() bool

IsDeleted returns if object deleted or not

func (*Metadata) SetDeleted added in v0.1.10

func (meta *Metadata) SetDeleted(deleted bool)

SetDeleted sets object deleted flag

func (*Metadata) SetGeneration

func (meta *Metadata) SetGeneration(generation runtime.Generation)

SetGeneration sets object generation

type Policy

type Policy struct {
	// Namespace is a map from namespace name into a PolicyNamespace
	Namespace map[string]*PolicyNamespace `validate:"dive"`
	// contains filtered or unexported fields
}

Policy describes the entire Aptomi policy.

At the highest level, policy consists of namespaces. Namespaces provide isolation for policy objects and access to namespaces can be controlled via ACL rules. Thus, different users can have different access rights to different parts of Aptomi policy. Namespaces are useful in environments with many users, multiple teams and projects.

Objects get stored in their corresponding namespaces. Names of objects must be unique within a namespace and a given object kind.

Once policy is defined, it can be passed to the engine for policy resolution. Policy resolution translates a given policy (intent) into actual state (what services/components need to created/updated/deleted, how and where) and the corresponding set of actions.

func NewPolicy

func NewPolicy() *Policy

NewPolicy creates a new Policy

func (*Policy) APIPolicy

func (policy *Policy) APIPolicy() *APIPolicy

APIPolicy returns Policy representation for API filtered for specific user

func (*Policy) AddObject

func (policy *Policy) AddObject(obj Base) error

AddObject adds a given object into the policy. When you add objects to the policy, they get added to the corresponding Namespace. If error occurs (e.g. object has an unknown kind) then the error will be returned

func (*Policy) GetObject

func (policy *Policy) GetObject(kind string, locator string, currentNs string) (runtime.Object, error)

GetObject looks up and returns an object from the policy, given its kind, locator ([namespace/]name), and current namespace relative to which the call is being made

func (*Policy) GetObjectsByKind

func (policy *Policy) GetObjectsByKind(kind string) []Base

GetObjectsByKind returns all objects in a policy with a given kind, across all namespaces

func (*Policy) RemoveObject

func (policy *Policy) RemoveObject(obj Base) bool

RemoveObject removes a given object from the policy. Returns true if removed and false if nothing got removed.

func (*Policy) Validate

func (policy *Policy) Validate() error

Validate performs validation of the entire policy, making sure that all of its objects are well-formed. It also checks that all cross-object references are valid. If policy is malformed, then a list of errors is returned. Otherwise, if policy is correctly formed, then nil is returned. The resulting error can be caster to (validator.ValidationErrors) and iterated over, to get the full list of errors.

func (*Policy) View

func (policy *Policy) View(user *User) *PolicyView

View returns a policy view object, which allows to make all policy operations on behalf of a certain user Policy view object will enforce all ACLs, allowing the user to only perform actions which he is allowed to perform All ACL rules should be loaded and added to the policy before this method gets called

type PolicyNamespace

type PolicyNamespace struct {
	Name         string               `validate:"identifier"`
	Services     map[string]*Service  `validate:"dive"`
	Contracts    map[string]*Contract `validate:"dive"`
	Clusters     map[string]*Cluster  `validate:"dive"`
	Rules        *GlobalRules         `validate:"required"`
	ACLRules     *GlobalRules         `validate:"required"`
	Dependencies *GlobalDependencies  `validate:"required"`
}

PolicyNamespace describes a specific namespace within Aptomi policy. All policy objects get placed in the appropriate maps and structs within PolicyNamespace.

func NewPolicyNamespace

func NewPolicyNamespace(name string) *PolicyNamespace

NewPolicyNamespace creates a new PolicyNamespace

type PolicyValidator

type PolicyValidator struct {
	// contains filtered or unexported fields
}

PolicyValidator is a custom validator for the policy

func NewPolicyValidator

func NewPolicyValidator(policy *Policy) *PolicyValidator

NewPolicyValidator creates a new PolicyValidator

func (*PolicyValidator) Validate

func (v *PolicyValidator) Validate() error

Validate validates the entire policy for errors and returns an error (it can be casted to policyValidationError, containing a list of errors inside). When error is printed as string, it will automatically contains the full list of validation errors.

type PolicyView

type PolicyView struct {
	// Policy which gets viewed
	Policy *Policy

	// User who is viewing policy
	User *User
}

PolicyView allows to view/manage policy objects on behalf on a certain user It will enforce all ACLs, allowing the user to only perform actions which he is entitled to perform.

func NewPolicyView

func NewPolicyView(policy *Policy, user *User) *PolicyView

NewPolicyView creates a new PolicyView

func (*PolicyView) APIPolicy

func (view *PolicyView) APIPolicy() *APIPolicy

APIPolicy returns Policy representation for API filtered for specific user

func (*PolicyView) AddObject

func (view *PolicyView) AddObject(obj Base) error

AddObject adds an object into the policy. When you add objects to the policy, they get added to the corresponding Namespace. If error occurs (e.g. object has an unknown kind, etc) then the error will be returned

func (*PolicyView) CanConsume

func (view *PolicyView) CanConsume(service *Service) (bool, error)

CanConsume returns if user has permissions to consume a given service. If a user can declare a dependency in a given namespace, then he can essentially can consume the service

func (*PolicyView) ManageObject

func (view *PolicyView) ManageObject(obj Base) error

ManageObject checks if user has permissions to manage a given object. If user has no permissions, then ACL error will be returned

func (*PolicyView) ViewObject

func (view *PolicyView) ViewObject(obj Base) error

ViewObject checks if user has permissions to view a given object. If user has no permissions, then ACL error will be returned

type Privilege

type Privilege struct {
	// View indicates whether or not a user can view an object (R)
	View bool

	// Manage indicates whether or not a user can manage an object, i.e. perform operations (CUD)
	Manage bool
}

Privilege is a unit of privilege for any single given object

type Privileges

type Privileges struct {
	// AllNamespaces, when set to true, indicated that user privileges apply to all namespaces. Otherwise it applies
	// to a set of given namespaces
	AllNamespaces bool

	// NamespaceObjects specifies whether or not this role can view/manage a certain object kind within a non-system namespace
	NamespaceObjects map[string]*Privilege

	// GlobalObjects specifies whether or not this role can view/manage a certain object kind within a system namespace
	GlobalObjects map[string]*Privilege
}

Privileges defines a set of privileges for a particular role in Aptomi

type Rule

type Rule struct {
	runtime.TypeKind `yaml:",inline"`
	Metadata         `validate:"required"`

	// Weight defined for the rule. All rules are sorted in the order of increasing weight and applied in that order
	Weight int `validate:"min=0"`

	// Criteria - if it gets evaluated to true during policy resolution, then rules's actions will be executed.
	// It's an optional field, so if it's nil then it is considered to be evaluated to true automatically
	Criteria *Criteria `yaml:",omitempty" validate:"omitempty"`

	// Actions define the set of actions that will be executed if Criteria gets evaluated to true
	Actions *RuleActions `validate:"required"`
}

Rule is a generic mechanism for defining rules in Aptomi.

Rules can be used to set certain labels on certain conditions as well as perform certain actions (such as rejecting dependencies, rejecting ingress traffic, etc)

ACLRule is inherited from Rule, so the same mechanism is used for processing ACLs in Aptomi.

func (*Rule) ApplyActions

func (rule *Rule) ApplyActions(result *RuleActionResult)

ApplyActions applies rule actions and updates result

func (*Rule) Matches

func (rule *Rule) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)

Matches returns true if a rule matches

type RuleActionResult

type RuleActionResult struct {
	RejectDependency bool
	RejectIngress    bool

	ChangedLabelsOnLastApply bool
	Labels                   *LabelSet

	RoleMap map[string]map[string]bool
}

RuleActionResult is a result of processing multiple rules on a given component

func NewRuleActionResult

func NewRuleActionResult(labels *LabelSet) *RuleActionResult

NewRuleActionResult creates a new RuleActionResult

type RuleActions

type RuleActions struct {
	// ChangeLabels defines how labels should be transformed
	ChangeLabels LabelOperations `yaml:"change-labels,omitempty" validate:"omitempty,labelOperations"`

	// Dependency defines whether dependency should be rejected
	Dependency DependencyAction `yaml:"dependency,omitempty" validate:"omitempty,allowReject"`

	// Ingress defines whether ingress traffic should be rejected
	Ingress IngressAction `yaml:"ingress,omitempty" validate:"omitempty,allowReject"`

	// AddRole field is only relevant for ACL rules (have to keep it in this class due to the lack of generics).
	// Key in the map is role ID, while value is a set of comma-separated namespaces to which this role applies
	AddRole map[string]string `yaml:"add-role,omitempty" validate:"omitempty,addRoleNS"`
}

RuleActions is a set of actions that can be performed by a rule. All fields in this structure are optional. If a field is defined, then the corresponding action will be processed

type Service

type Service struct {
	runtime.TypeKind `yaml:",inline"`
	Metadata         `validate:"required"`

	// Labels is a set of labels attached to the service
	Labels map[string]string `yaml:"labels,omitempty" validate:"omitempty,labels"`

	// Components is the list of components service consists of
	Components []*ServiceComponent `validate:"dive"`
	// contains filtered or unexported fields
}

Service defines individual service in Aptomi. The idea is that services get defined by different teams. Those teams define service-specific consumption rules of how others can consume their services.

Service typically consists of one or more components. Each component can either be pointer to the code (e.g. docker container image with metadata that needs to be started/managed) or it can be dependency on another\ contract (which will get fulfilled by Aptomi)

func (*Service) GetComponentsMap

func (service *Service) GetComponentsMap() map[string]*ServiceComponent

GetComponentsMap lazily initializes and returns a map of name -> component, while being thread-safe

func (*Service) GetComponentsSortedTopologically

func (service *Service) GetComponentsSortedTopologically() ([]*ServiceComponent, error)

GetComponentsSortedTopologically returns all components sorted in a topological order This should be thread safe

type ServiceComponent

type ServiceComponent struct {
	// Name is a user-defined component name
	Name string `validate:"identifier"`

	// Criteria - if it gets evaluated to true during policy resolution, then component will be included
	// into the service. It's an optional field, so if it's nil then it is considered to be true automatically
	Criteria *Criteria `yaml:",omitempty" validate:"omitempty"`

	// Contract, if not empty, denoted that the component points to another contract as a dependency. Meaning that
	// a service needs to have another service running as its dependency (e.g. 'wordpress' service needs a 'database'
	// contract). This dependency will be fulfilled at policy resolution time.
	Contract string `yaml:"contract,omitempty" validate:"omitempty"`

	// Code, if not empty, means that component is a code that can be instantiated with certain parameters (e.g. docker
	// container image)
	Code *Code `yaml:"code,omitempty" validate:"omitempty"`

	// Discovery is a map of discovery parameters that this component exposes to other services
	Discovery util.NestedParameterMap `yaml:"discovery,omitempty" validate:"omitempty,templateNestedMap"`

	// Dependencies is cross-component dependencies within a service. Component may need other components within that
	// service to run, before it gets instantiated
	Dependencies []string `yaml:"dependencies,omitempty" validate:"dive,identifier"`
}

ServiceComponent defines component within a service

func (*ServiceComponent) Matches added in v0.1.13

func (component *ServiceComponent) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)

Matches checks if component criteria is satisfied

type User

type User struct {
	// Name is a unique name of a user
	Name string

	// Password hash is a hashed and salted user password
	PasswordHash string

	// Labels is a set of 'name'->'value' string labels, attached to the user
	Labels map[string]string

	// DomainAdmin is a special bool flag, which allows to mark certain users as domain admins. It's useful for Aptomi
	// bootstrap process, when someone needs to upload ACL rules into Aptomi (but his role is not defined in ACL,
	// because ACL list is empty when Aptomi is first installed)
	DomainAdmin bool
}

User represents a user in Aptomi. It has a unique Name and a set of Labels, Users can be retrieved from multiple sources (e.g. file, LDAP, AD, etc)

Directories

Path Synopsis
Package builder provides simple and easy-to-use way to construct Aptomi Policy in the source code, primarily for unit tests.
Package builder provides simple and easy-to-use way to construct Aptomi Policy in the source code, primarily for unit tests.
Package expression provides support for evaluating expressions in Aptomi, with support for caching compiled expressions.
Package expression provides support for evaluating expressions in Aptomi, with support for caching compiled expressions.
Package template provides support for evaluating text templates in Aptomi, with support for caching compiled templates.
Package template provides support for evaluating text templates in Aptomi, with support for caching compiled templates.
Package yaml provides support for marshalling YAML objects and loading/unmarshalling them from YAML files.
Package yaml provides support for marshalling YAML objects and loading/unmarshalling them from YAML files.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL