Documentation
Index
- Constants
- func NamespaceValidator(ops ...string) func(*ACL, string) bool
- type ACL
- func (a *ACL) AllowAgentRead() bool
- func (a *ACL) AllowAgentWrite() bool
- func (a *ACL) AllowNamespace(ns string) bool
- func (a *ACL) AllowNamespaceOperation(ns string, op string) bool
- func (a *ACL) AllowNodeRead() bool
- func (a *ACL) AllowNodeWrite() bool
- func (a *ACL) AllowNsOp(ns string, op string) bool
- func (a *ACL) AllowOperatorRead() bool
- func (a *ACL) AllowOperatorWrite() bool
- func (a *ACL) AllowQuotaRead() bool
- func (a *ACL) AllowQuotaWrite() bool
- func (a *ACL) IsManagement() bool
- type AgentPolicy
- type NamespacePolicy
- type NodePolicy
- type OperatorPolicy
- type Policy
- type QuotaPolicy
Constants
const (
	// The following levels are the only valid values for the `policy = "read"` stanza.
	// When policies are merged together, the most privilege is granted, except for deny
	// which always takes precedence and supersedes.
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyWrite = "write"
)
const (
	// The following are the fine-grained capabilities that can be granted within a namespace.
	// The Policy stanza is a shorthand for granting several of these. When capabilities are
	// combined we take the union of all capabilities. If the deny capability is present, it
	// takes precedence and overwrites all other capabilities.
	NamespaceCapabilityDeny             = "deny"
	NamespaceCapabilityListJobs         = "list-jobs"
	NamespaceCapabilityReadJob          = "read-job"
	NamespaceCapabilitySubmitJob        = "submit-job"
	NamespaceCapabilityDispatchJob      = "dispatch-job"
	NamespaceCapabilityReadLogs         = "read-logs"
	NamespaceCapabilityReadFS           = "read-fs"
	NamespaceCapabilityAllocExec        = "alloc-exec"
	NamespaceCapabilityAllocNodeExec    = "alloc-node-exec"
	NamespaceCapabilityAllocLifecycle   = "alloc-lifecycle"
	NamespaceCapabilitySentinelOverride = "sentinel-override"
)
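The two merge rules stated in the constant comments above, written out as an added example (not code from this package). `mergeLevels` and `mergeCapabilities` are hypothetical helpers; only the string values are taken from the constants, and the sample inputs are constructed.

```go
package main

import "fmt"

// mergeLevels (hypothetical helper) merges coarse policy levels: the most
// privileged level wins, but a deny in any policy overrides every grant.
// An empty result means no policy granted anything.
func mergeLevels(levels ...string) (string, error) {
	rank := map[string]int{"read": 1, "write": 2} // PolicyRead, PolicyWrite
	best, denied := "", false
	for _, l := range levels {
		if r, ok := rank[l]; ok {
			if r > rank[best] {
				best = l
			}
		} else if l == "deny" { // PolicyDeny
			denied = true
		} else {
			return "", fmt.Errorf("invalid policy level %q", l)
		}
	}
	if denied {
		return "deny", nil
	}
	return best, nil
}

// mergeCapabilities (hypothetical helper) unions the namespace capability
// lists of several policies; a deny capability in any list overwrites
// every other capability, regardless of the order the lists arrive in.
func mergeCapabilities(sets ...[]string) map[string]bool {
	seen := map[string]bool{}
	for _, set := range sets {
		for _, c := range set {
			seen[c] = true
		}
	}
	if seen["deny"] { // NamespaceCapabilityDeny
		return map[string]bool{"deny": true}
	}
	return seen
}

func main() {
	fmt.Println(mergeLevels("read", "write"))
	fmt.Println(mergeCapabilities([]string{"list-jobs"}, []string{"read-job", "deny"}))
}
```

When auditing a token that carries several policies, this is the result to reason about: one deny anywhere in the set removes the grants made by all the others.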
Variables
This section is empty.
Functions
Types
type ACL
type ACL struct {
	// contains filtered or unexported fields
}
ACL object is used to convert a set of policies into a structure that can be efficiently evaluated to determine if an action is allowed.
var ManagementACL *ACL
ManagementACL is a singleton used for management tokens
func (*ACL) AllowAgentRead
AllowAgentRead checks if read operations are allowed for an agent
func (*ACL) AllowAgentWrite
AllowAgentWrite checks if write operations are allowed for an agent
func (*ACL) AllowNamespace
AllowNamespace checks if any operations are allowed for a namespace
func (*ACL) AllowNamespaceOperation
AllowNamespaceOperation checks if a given operation is allowed for a namespace
func (*ACL) AllowNodeRead
AllowNodeRead checks if read operations are allowed for a node
func (*ACL) AllowNodeWrite
AllowNodeWrite checks if write operations are allowed for a node
func (*ACL) AllowOperatorRead
AllowOperatorRead checks if read operations are allowed for an operator
func (*ACL) AllowOperatorWrite
AllowOperatorWrite checks if write operations are allowed for an operator
func (*ACL) AllowQuotaRead
AllowQuotaRead checks if read operations are allowed for all quotas
func (*ACL) AllowQuotaWrite
AllowQuotaWrite checks if write operations are allowed for quotas
func (*ACL) IsManagement
IsManagement checks if this represents a management token
type AgentPolicy
type AgentPolicy struct {
	Policy string
}
type NamespacePolicy
NamespacePolicy is the policy for a specific namespace
type NodePolicy
type NodePolicy struct {
	Policy string
}
type OperatorPolicy
type OperatorPolicy struct {
	Policy string
}
type Policy
type Policy struct {
	Namespaces []*NamespacePolicy `hcl:"namespace,expand"`
	Agent      *AgentPolicy       `hcl:"agent"`
	Node       *NodePolicy        `hcl:"node"`
	Operator   *OperatorPolicy    `hcl:"operator"`
	Quota      *QuotaPolicy       `hcl:"quota"`
	Raw        string             `hcl:"-"`
}
Policy represents a parsed HCL or JSON policy.
type QuotaPolicy
type QuotaPolicy struct {
	Policy string
}