acl

package
v1.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 23, 2019 License: MPL-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

View Source
const (
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyWrite = "write"
	PolicyList  = "list"
)
View Source
const DefaultPolicyEnforcementLevel = "hard-mandatory"

DefaultPolicyEnforcementLevel will be used if the user leaves the level blank when configuring an ACL.

Variables

View Source
var (
	// ErrNotFound indicates there is no matching ACL.
	ErrNotFound = errors.New(errNotFound)

	// ErrRootDenied is returned when attempting to resolve a root ACL.
	ErrRootDenied = errors.New(errRootDenied)

	// ErrDisabled is returned when ACL changes are not permitted since
	// they are disabled.
	ErrDisabled = errors.New(errDisabled)

	// ErrPermissionDenied is returned when an ACL based rejection
	// happens.
	ErrPermissionDenied = PermissionDeniedError{}

	// ErrInvalidParent is returned when a remotely resolve ACL
	// token claims to have a non-root parent
	ErrInvalidParent = errors.New(errInvalidParent)
)

Functions

func IsErrDisabled added in v0.9.3

func IsErrDisabled(err error) bool

IsErrDisabled checks if the given error message is comparable to ErrDisabled.

func IsErrNotFound added in v0.9.3

func IsErrNotFound(err error) bool

IsErrNotFound checks if the given error message is comparable to ErrNotFound.

func IsErrPermissionDenied added in v0.9.3

func IsErrPermissionDenied(err error) bool

IsErrPermissionDenied checks if the given error message is comparable to ErrPermissionDenied.

func IsErrRootDenied added in v0.9.3

func IsErrRootDenied(err error) bool

IsErrRootDenied checks if the given error message is comparable to ErrRootDenied.

func TranslateLegacyRules added in v1.4.0

func TranslateLegacyRules(policyBytes []byte) ([]byte, error)

Types

type AgentPolicy added in v0.7.2

type AgentPolicy struct {
	Node   string `hcl:",key"`
	Policy string
}

AgentPolicy represents a policy for working with agent endpoints on nodes with specific name prefixes.

func (*AgentPolicy) GoString added in v0.7.2

func (a *AgentPolicy) GoString() string

type Authorizer added in v1.4.0

type Authorizer interface {
	// ACLRead checks for permission to list all the ACLs
	ACLRead() bool

	// ACLWrite checks for permission to manipulate ACLs
	ACLWrite() bool

	// AgentRead checks for permission to read from agent endpoints for a
	// given node.
	AgentRead(string) bool

	// AgentWrite checks for permission to make changes via agent endpoints
	// for a given node.
	AgentWrite(string) bool

	// EventRead determines if a specific event can be queried.
	EventRead(string) bool

	// EventWrite determines if a specific event may be fired.
	EventWrite(string) bool

	// IntentionDefaultAllow determines the default authorized behavior
	// when no intentions match a Connect request.
	IntentionDefaultAllow() bool

	// IntentionRead determines if a specific intention can be read.
	IntentionRead(string) bool

	// IntentionWrite determines if a specific intention can be
	// created, modified, or deleted.
	IntentionWrite(string) bool

	// KeyList checks for permission to list keys under a prefix
	KeyList(string) bool

	// KeyRead checks for permission to read a given key
	KeyRead(string) bool

	// KeyWrite checks for permission to write a given key
	KeyWrite(string, sentinel.ScopeFn) bool

	// KeyWritePrefix checks for permission to write to an
	// entire key prefix. This means there must be no sub-policies
	// that deny a write.
	KeyWritePrefix(string) bool

	// KeyringRead determines if the encryption keyring used in
	// the gossip layer can be read.
	KeyringRead() bool

	// KeyringWrite determines if the keyring can be manipulated
	KeyringWrite() bool

	// NodeRead checks for permission to read (discover) a given node.
	NodeRead(string) bool

	// NodeWrite checks for permission to create or update (register) a
	// given node.
	NodeWrite(string, sentinel.ScopeFn) bool

	// OperatorRead determines if the read-only Consul operator functions
	// can be used.
	OperatorRead() bool

	// OperatorWrite determines if the state-changing Consul operator
	// functions can be used.
	OperatorWrite() bool

	// PreparedQueryRead determines if a specific prepared query can be read
	// to show its contents (this is not used for execution).
	PreparedQueryRead(string) bool

	// PreparedQueryWrite determines if a specific prepared query can be
	// created, modified, or deleted.
	PreparedQueryWrite(string) bool

	// ServiceRead checks for permission to read a given service
	ServiceRead(string) bool

	// ServiceWrite checks for permission to create or update a given
	// service
	ServiceWrite(string, sentinel.ScopeFn) bool

	// SessionRead checks for permission to read sessions for a given node.
	SessionRead(string) bool

	// SessionWrite checks for permission to create sessions for a given
	// node.
	SessionWrite(string) bool

	// Snapshot checks for permission to take and restore snapshots.
	Snapshot() bool
}

Authorizer is the interface for policy enforcement.

func AllowAll

func AllowAll() Authorizer

AllowAll returns an Authorizer that allows all operations

func DenyAll

func DenyAll() Authorizer

DenyAll returns an Authorizer that denies all operations

func ManageAll

func ManageAll() Authorizer

ManageAll returns an Authorizer that can manage all resources

func RootAuthorizer added in v1.4.0

func RootAuthorizer(id string) Authorizer

RootAuthorizer returns a possible Authorizer if the ID matches a root policy

type EventPolicy added in v0.6.0

type EventPolicy struct {
	Event  string `hcl:",key"`
	Policy string
}

EventPolicy represents a user event policy.

func (*EventPolicy) GoString added in v0.6.0

func (e *EventPolicy) GoString() string

type KeyPolicy

type KeyPolicy struct {
	Prefix   string `hcl:",key"`
	Policy   string
	Sentinel Sentinel
}

KeyPolicy represents a policy for a key

func (*KeyPolicy) GoString

func (k *KeyPolicy) GoString() string

type NodePolicy added in v0.7.2

type NodePolicy struct {
	Name     string `hcl:",key"`
	Policy   string
	Sentinel Sentinel
}

NodePolicy represents a policy for a node

func (*NodePolicy) GoString added in v0.7.2

func (n *NodePolicy) GoString() string

type PermissionDeniedError added in v0.9.3

type PermissionDeniedError struct {
	Cause string
}

func (PermissionDeniedError) Error added in v0.9.3

func (e PermissionDeniedError) Error() string

type Policy

type Policy struct {
	ID                    string                 `hcl:"id"`
	Revision              uint64                 `hcl:"revision"`
	ACL                   string                 `hcl:"acl,expand"`
	Agents                []*AgentPolicy         `hcl:"agent,expand"`
	AgentPrefixes         []*AgentPolicy         `hcl:"agent_prefix,expand"`
	Keys                  []*KeyPolicy           `hcl:"key,expand"`
	KeyPrefixes           []*KeyPolicy           `hcl:"key_prefix,expand"`
	Nodes                 []*NodePolicy          `hcl:"node,expand"`
	NodePrefixes          []*NodePolicy          `hcl:"node_prefix,expand"`
	Services              []*ServicePolicy       `hcl:"service,expand"`
	ServicePrefixes       []*ServicePolicy       `hcl:"service_prefix,expand"`
	Sessions              []*SessionPolicy       `hcl:"session,expand"`
	SessionPrefixes       []*SessionPolicy       `hcl:"session_prefix,expand"`
	Events                []*EventPolicy         `hcl:"event,expand"`
	EventPrefixes         []*EventPolicy         `hcl:"event_prefix,expand"`
	PreparedQueries       []*PreparedQueryPolicy `hcl:"query,expand"`
	PreparedQueryPrefixes []*PreparedQueryPolicy `hcl:"query_prefix,expand"`
	Keyring               string                 `hcl:"keyring"`
	Operator              string                 `hcl:"operator"`
}

Policy is used to represent the policy specified by an ACL configuration.

func MergePolicies added in v1.4.0

func MergePolicies(policies []*Policy) *Policy

MergePolicies merges multiple ACL policies into one policy This function will not set either the ID or the Scope fields of the resulting policy as its up to the caller to determine what the merged value is.

func NewPolicyFromSource added in v1.4.0

func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, sentinel sentinel.Evaluator) (*Policy, error)

NewPolicyFromSource is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL

func (*Policy) ConvertFromLegacy added in v1.4.0

func (policy *Policy) ConvertFromLegacy() *Policy

func (*Policy) ConvertToLegacy added in v1.4.0

func (policy *Policy) ConvertToLegacy() *Policy

type PolicyAuthorizer added in v1.4.0

type PolicyAuthorizer struct {
	// contains filtered or unexported fields
}

PolicyAuthorizer is used to wrap a set of ACL policies to provide the Authorizer interface.

func NewPolicyAuthorizer added in v1.4.0

func NewPolicyAuthorizer(parent Authorizer, policies []*Policy, sentinel sentinel.Evaluator) (*PolicyAuthorizer, error)

NewPolicyAuthorizer is used to construct a policy based ACL from a set of policies and a parent policy to resolve missing cases.

func (*PolicyAuthorizer) ACLRead added in v1.4.0

func (p *PolicyAuthorizer) ACLRead() bool

ACLRead checks if listing of ACLs is allowed

func (*PolicyAuthorizer) ACLWrite added in v1.4.0

func (p *PolicyAuthorizer) ACLWrite() bool

ACLWrite checks if modification of ACLs is allowed

func (*PolicyAuthorizer) AgentRead added in v1.4.0

func (p *PolicyAuthorizer) AgentRead(node string) bool

AgentRead checks for permission to read from agent endpoints for a given node.

func (*PolicyAuthorizer) AgentWrite added in v1.4.0

func (p *PolicyAuthorizer) AgentWrite(node string) bool

AgentWrite checks for permission to make changes via agent endpoints for a given node.

func (*PolicyAuthorizer) EventRead added in v1.4.0

func (p *PolicyAuthorizer) EventRead(name string) bool

EventRead is used to determine if the policy allows for a specific user event to be read.

func (*PolicyAuthorizer) EventWrite added in v1.4.0

func (p *PolicyAuthorizer) EventWrite(name string) bool

EventWrite is used to determine if new events can be created (fired) by the policy.

func (*PolicyAuthorizer) IntentionDefaultAllow added in v1.4.0

func (p *PolicyAuthorizer) IntentionDefaultAllow() bool

IntentionDefaultAllow returns whether the default behavior when there are no matching intentions is to allow or deny.

func (*PolicyAuthorizer) IntentionRead added in v1.4.0

func (p *PolicyAuthorizer) IntentionRead(prefix string) bool

IntentionRead checks if writing (creating, updating, or deleting) of an intention is allowed.

func (*PolicyAuthorizer) IntentionWrite added in v1.4.0

func (p *PolicyAuthorizer) IntentionWrite(prefix string) bool

IntentionWrite checks if writing (creating, updating, or deleting) of an intention is allowed.

func (*PolicyAuthorizer) KeyList added in v1.4.0

func (p *PolicyAuthorizer) KeyList(key string) bool

KeyList returns if a key is allowed to be listed

func (*PolicyAuthorizer) KeyRead added in v1.4.0

func (p *PolicyAuthorizer) KeyRead(key string) bool

KeyRead returns if a key is allowed to be read

func (*PolicyAuthorizer) KeyWrite added in v1.4.0

func (p *PolicyAuthorizer) KeyWrite(key string, scope sentinel.ScopeFn) bool

KeyWrite returns if a key is allowed to be written

func (*PolicyAuthorizer) KeyWritePrefix added in v1.4.0

func (p *PolicyAuthorizer) KeyWritePrefix(prefix string) bool

KeyWritePrefix returns if a prefix is allowed to be written

This is mainly used to detect whether a whole tree within the KV can be removed. For that reason we must be able to delete everything under the prefix. First we must have "write" on the prefix itself

func (*PolicyAuthorizer) KeyringRead added in v1.4.0

func (p *PolicyAuthorizer) KeyringRead() bool

KeyringRead is used to determine if the keyring can be read by the current ACL token.

func (*PolicyAuthorizer) KeyringWrite added in v1.4.0

func (p *PolicyAuthorizer) KeyringWrite() bool

KeyringWrite determines if the keyring can be manipulated.

func (*PolicyAuthorizer) NodeRead added in v1.4.0

func (p *PolicyAuthorizer) NodeRead(name string) bool

NodeRead checks if reading (discovery) of a node is allowed

func (*PolicyAuthorizer) NodeWrite added in v1.4.0

func (p *PolicyAuthorizer) NodeWrite(name string, scope sentinel.ScopeFn) bool

NodeWrite checks if writing (registering) a node is allowed

func (*PolicyAuthorizer) OperatorRead added in v1.4.0

func (p *PolicyAuthorizer) OperatorRead() bool

OperatorRead determines if the read-only operator functions are allowed.

func (*PolicyAuthorizer) OperatorWrite added in v1.4.0

func (p *PolicyAuthorizer) OperatorWrite() bool

OperatorWrite determines if the state-changing operator functions are allowed.

func (*PolicyAuthorizer) PreparedQueryRead added in v1.4.0

func (p *PolicyAuthorizer) PreparedQueryRead(prefix string) bool

PreparedQueryRead checks if reading (listing) of a prepared query is allowed - this isn't execution, just listing its contents.

func (*PolicyAuthorizer) PreparedQueryWrite added in v1.4.0

func (p *PolicyAuthorizer) PreparedQueryWrite(prefix string) bool

PreparedQueryWrite checks if writing (creating, updating, or deleting) of a prepared query is allowed.

func (*PolicyAuthorizer) ServiceRead added in v1.4.0

func (p *PolicyAuthorizer) ServiceRead(name string) bool

ServiceRead checks if reading (discovery) of a service is allowed

func (*PolicyAuthorizer) ServiceWrite added in v1.4.0

func (p *PolicyAuthorizer) ServiceWrite(name string, scope sentinel.ScopeFn) bool

ServiceWrite checks if writing (registering) a service is allowed

func (*PolicyAuthorizer) SessionRead added in v1.4.0

func (p *PolicyAuthorizer) SessionRead(node string) bool

SessionRead checks for permission to read sessions for a given node.

func (*PolicyAuthorizer) SessionWrite added in v1.4.0

func (p *PolicyAuthorizer) SessionWrite(node string) bool

SessionWrite checks for permission to create sessions for a given node.

func (*PolicyAuthorizer) Snapshot added in v1.4.0

func (p *PolicyAuthorizer) Snapshot() bool

Snapshot checks if taking and restoring snapshots is allowed.

type PreparedQueryPolicy added in v0.6.4

type PreparedQueryPolicy struct {
	Prefix string `hcl:",key"`
	Policy string
}

PreparedQueryPolicy represents a prepared query policy.

func (*PreparedQueryPolicy) GoString added in v0.6.4

func (p *PreparedQueryPolicy) GoString() string

type RulePolicy added in v1.4.0

type RulePolicy struct {
	// contains filtered or unexported fields
}

RulePolicy binds a regular ACL policy along with an optional piece of code to execute.

type Sentinel added in v1.0.0

type Sentinel struct {
	Code             string
	EnforcementLevel string
}

Sentinel defines a snippet of Sentinel code that can be attached to a policy.

type ServicePolicy added in v0.5.0

type ServicePolicy struct {
	Name     string `hcl:",key"`
	Policy   string
	Sentinel Sentinel

	// Intentions is the policy for intentions where this service is the
	// destination. This may be empty, in which case the Policy determines
	// the intentions policy.
	Intentions string
}

ServicePolicy represents a policy for a service

func (*ServicePolicy) GoString added in v0.5.0

func (s *ServicePolicy) GoString() string

type SessionPolicy added in v0.7.2

type SessionPolicy struct {
	Node   string `hcl:",key"`
	Policy string
}

SessionPolicy represents a policy for making sessions tied to specific node name prefixes.

func (*SessionPolicy) GoString added in v0.7.2

func (s *SessionPolicy) GoString() string

type StaticAuthorizer added in v1.4.0

type StaticAuthorizer struct {
	// contains filtered or unexported fields
}

StaticAuthorizer is used to implement a base ACL policy. It either allows or denies all requests. This can be used as a parent ACL to act in a blacklist or whitelist mode.

func (*StaticAuthorizer) ACLRead added in v1.4.0

func (s *StaticAuthorizer) ACLRead() bool

func (*StaticAuthorizer) ACLWrite added in v1.4.0

func (s *StaticAuthorizer) ACLWrite() bool

func (*StaticAuthorizer) AgentRead added in v1.4.0

func (s *StaticAuthorizer) AgentRead(string) bool

func (*StaticAuthorizer) AgentWrite added in v1.4.0

func (s *StaticAuthorizer) AgentWrite(string) bool

func (*StaticAuthorizer) EventRead added in v1.4.0

func (s *StaticAuthorizer) EventRead(string) bool

func (*StaticAuthorizer) EventWrite added in v1.4.0

func (s *StaticAuthorizer) EventWrite(string) bool

func (*StaticAuthorizer) IntentionDefaultAllow added in v1.4.0

func (s *StaticAuthorizer) IntentionDefaultAllow() bool

func (*StaticAuthorizer) IntentionRead added in v1.4.0

func (s *StaticAuthorizer) IntentionRead(string) bool

func (*StaticAuthorizer) IntentionWrite added in v1.4.0

func (s *StaticAuthorizer) IntentionWrite(string) bool

func (*StaticAuthorizer) KeyList added in v1.4.0

func (s *StaticAuthorizer) KeyList(string) bool

func (*StaticAuthorizer) KeyRead added in v1.4.0

func (s *StaticAuthorizer) KeyRead(string) bool

func (*StaticAuthorizer) KeyWrite added in v1.4.0

func (*StaticAuthorizer) KeyWritePrefix added in v1.4.0

func (s *StaticAuthorizer) KeyWritePrefix(string) bool

func (*StaticAuthorizer) KeyringRead added in v1.4.0

func (s *StaticAuthorizer) KeyringRead() bool

func (*StaticAuthorizer) KeyringWrite added in v1.4.0

func (s *StaticAuthorizer) KeyringWrite() bool

func (*StaticAuthorizer) NodeRead added in v1.4.0

func (s *StaticAuthorizer) NodeRead(string) bool

func (*StaticAuthorizer) NodeWrite added in v1.4.0

func (s *StaticAuthorizer) NodeWrite(string, sentinel.ScopeFn) bool

func (*StaticAuthorizer) OperatorRead added in v1.4.0

func (s *StaticAuthorizer) OperatorRead() bool

func (*StaticAuthorizer) OperatorWrite added in v1.4.0

func (s *StaticAuthorizer) OperatorWrite() bool

func (*StaticAuthorizer) PreparedQueryRead added in v1.4.0

func (s *StaticAuthorizer) PreparedQueryRead(string) bool

func (*StaticAuthorizer) PreparedQueryWrite added in v1.4.0

func (s *StaticAuthorizer) PreparedQueryWrite(string) bool

func (*StaticAuthorizer) ServiceRead added in v1.4.0

func (s *StaticAuthorizer) ServiceRead(string) bool

func (*StaticAuthorizer) ServiceWrite added in v1.4.0

func (s *StaticAuthorizer) ServiceWrite(string, sentinel.ScopeFn) bool

func (*StaticAuthorizer) SessionRead added in v1.4.0

func (s *StaticAuthorizer) SessionRead(string) bool

func (*StaticAuthorizer) SessionWrite added in v1.4.0

func (s *StaticAuthorizer) SessionWrite(string) bool

func (*StaticAuthorizer) Snapshot added in v1.4.0

func (s *StaticAuthorizer) Snapshot() bool

type SyntaxVersion added in v1.4.0

type SyntaxVersion int
const (
	SyntaxCurrent SyntaxVersion = iota
	SyntaxLegacy
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL