Documentation ¶
Index ¶
- Constants
- Variables
- func IsErrDisabled(err error) bool
- func IsErrNotFound(err error) bool
- func IsErrPermissionDenied(err error) bool
- func IsErrRootDenied(err error) bool
- func RequirePermissionDeniedError(t testing.TB, err error, authz Authorizer, _ *AuthorizerContext, ...)
- func RequirePermissionDeniedMessage(t testing.TB, msg string, authz interface{}, _ *AuthorizerContext, ...)
- func TranslateLegacyRules(policyBytes []byte) ([]byte, error)
- type AccessLevel
- type AgentRule
- type AllowAuthorizer
- func (a AllowAuthorizer) ACLReadAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) ACLWriteAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) AgentReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) AgentWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) EventReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) EventWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) IntentionDefaultAllowAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) IntentionReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) IntentionWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) KeyListAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) KeyReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) KeyWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) KeyWritePrefixAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) KeyringReadAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) KeyringWriteAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) MeshReadAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) MeshWriteAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) NodeReadAllAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) NodeReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) NodeWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) OperatorReadAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) OperatorWriteAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) PreparedQueryReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) PreparedQueryWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) ServiceReadAllAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) ServiceReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) ServiceWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) ServiceWriteAnyAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) SessionReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) SessionWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) SnapshotAllowed(ctx *AuthorizerContext) error
- type Authorizer
- func AllowAll() Authorizer
- func DenyAll() Authorizer
- func ManageAll() Authorizer
- func NewAuthorizerFromRules(rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (Authorizer, error)
- func NewPolicyAuthorizer(policies []*Policy, entConfig *Config) (Authorizer, error)
- func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *Config) (Authorizer, error)
- func RootAuthorizer(id string) Authorizer
- type AuthorizerContext
- type ChainedAuthorizer
- func (c *ChainedAuthorizer) ACLRead(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ACLWrite(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) AgentRead(node string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) AuthorizerChain() []Authorizer
- func (c *ChainedAuthorizer) EventRead(name string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) EventWrite(name string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyRead(key string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyringRead(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyringWrite(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) MeshRead(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) MeshWrite(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) NodeRead(node string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) NodeReadAll(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) OperatorRead(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) OperatorWrite(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ServiceReadAll(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ServiceWriteAny(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) SessionRead(node string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) Snapshot(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ToAllowAuthorizer() AllowAuthorizer
- type Config
- type EnforcementDecision
- type EnterpriseConfig
- type EnterprisePolicyMeta
- type EnterprisePolicyRules
- type EnterpriseRule
- type EventRule
- type ExportFetcher
- type ExportedServices
- type KeyRule
- type NodeRule
- type PermissionDeniedError
- func PermissionDenied(msg string, args ...interface{}) PermissionDeniedError
- func PermissionDeniedByACL(authz Authorizer, context *AuthorizerContext, resource Resource, ...) PermissionDeniedError
- func PermissionDeniedByACLUnnamed(authz Authorizer, context *AuthorizerContext, resource Resource, ...) PermissionDeniedError
- type Policy
- type PolicyMerger
- type PolicyRules
- type PreparedQueryRule
- type Resource
- type ResourceDescriptor
- type ServiceRule
- type SessionRule
- type SyntaxVersion
Constants ¶
const ( PolicyDeny = "deny" PolicyRead = "read" PolicyList = "list" PolicyWrite = "write" )
const DefaultPartitionName = ""
const (
WildcardName = "*"
)
Variables ¶
var ( // ErrNotFound indicates there is no matching ACL. ErrNotFound = errors.New(errNotFound) // ErrRootDenied is returned when attempting to resolve a root ACL. ErrRootDenied = errors.New(errRootDenied) // ErrDisabled is returned when ACL changes are not permitted since // they are disabled. ErrDisabled = errors.New(errDisabled) // ErrPermissionDenied is returned when an ACL based rejection // happens. ErrPermissionDenied = PermissionDeniedError{} // ErrInvalidParent is returned when a remotely resolved ACL // token claims to have a non-root parent. ErrInvalidParent = errors.New(errInvalidParent) )
Functions ¶
func IsErrDisabled ¶ added in v0.9.3
IsErrDisabled reports whether the given error's message matches that of ErrDisabled (the comparison is on the message text, not on error identity).
func IsErrNotFound ¶ added in v0.9.3
IsErrNotFound reports whether the given error's message matches that of ErrNotFound (the comparison is on the message text, not on error identity).
func IsErrPermissionDenied ¶ added in v0.9.3
IsErrPermissionDenied reports whether the given error's message matches that of ErrPermissionDenied (the comparison is on the message text, not on error identity).
func IsErrRootDenied ¶ added in v0.9.3
IsErrRootDenied reports whether the given error's message matches that of ErrRootDenied (the comparison is on the message text, not on error identity).
func RequirePermissionDeniedError ¶ added in v1.12.0
func RequirePermissionDeniedError(t testing.TB, err error, authz Authorizer, _ *AuthorizerContext, resource Resource, accessLevel AccessLevel, resourceID string)
func RequirePermissionDeniedMessage ¶ added in v1.12.0
func RequirePermissionDeniedMessage(t testing.TB, msg string, authz interface{}, _ *AuthorizerContext, resource Resource, accessLevel AccessLevel, resourceID string)
func TranslateLegacyRules ¶ added in v1.4.0
Types ¶
type AccessLevel ¶ added in v1.7.0
type AccessLevel int
const ( AccessUnknown AccessLevel = iota AccessDeny AccessRead AccessList AccessWrite )
func AccessLevelFromString ¶ added in v1.7.0
func AccessLevelFromString(level string) (AccessLevel, error)
func (AccessLevel) String ¶ added in v1.7.0
func (l AccessLevel) String() string
type AgentRule ¶ added in v1.7.0
AgentRule represents a rule for working with agent endpoints on nodes with specific name prefixes.
type AllowAuthorizer ¶ added in v1.12.0
type AllowAuthorizer struct { Authorizer AccessorID string }
AllowAuthorizer is a wrapper to expose the *Allowed methods. This and the ToAllowAuthorizer function exist to tide us over until the ResolveResult struct is moved into acl.
func (AllowAuthorizer) ACLReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) ACLReadAllowed(ctx *AuthorizerContext) error
ACLReadAllowed checks for permission to list all the ACLs
func (AllowAuthorizer) ACLWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) ACLWriteAllowed(ctx *AuthorizerContext) error
ACLWriteAllowed checks for permission to manipulate ACLs
func (AllowAuthorizer) AgentReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) AgentReadAllowed(name string, ctx *AuthorizerContext) error
AgentReadAllowed checks for permission to read from agent endpoints for a given node.
func (AllowAuthorizer) AgentWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) AgentWriteAllowed(name string, ctx *AuthorizerContext) error
AgentWriteAllowed checks for permission to make changes via agent endpoints for a given node.
func (AllowAuthorizer) EventReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) EventReadAllowed(name string, ctx *AuthorizerContext) error
EventReadAllowed determines if a specific event can be queried.
func (AllowAuthorizer) EventWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) EventWriteAllowed(name string, ctx *AuthorizerContext) error
EventWriteAllowed determines if a specific event may be fired.
func (AllowAuthorizer) IntentionDefaultAllowAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) IntentionDefaultAllowAllowed(ctx *AuthorizerContext) error
IntentionDefaultAllowAllowed determines the default authorized behavior when no intentions match a Connect request.
func (AllowAuthorizer) IntentionReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) IntentionReadAllowed(name string, ctx *AuthorizerContext) error
IntentionReadAllowed determines if a specific intention can be read.
func (AllowAuthorizer) IntentionWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) IntentionWriteAllowed(name string, ctx *AuthorizerContext) error
IntentionWriteAllowed determines if a specific intention can be created, modified, or deleted.
func (AllowAuthorizer) KeyListAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) KeyListAllowed(name string, ctx *AuthorizerContext) error
KeyListAllowed checks for permission to list keys under a prefix
func (AllowAuthorizer) KeyReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) KeyReadAllowed(name string, ctx *AuthorizerContext) error
KeyReadAllowed checks for permission to read a given key
func (AllowAuthorizer) KeyWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) KeyWriteAllowed(name string, ctx *AuthorizerContext) error
KeyWriteAllowed checks for permission to write a given key
func (AllowAuthorizer) KeyWritePrefixAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) KeyWritePrefixAllowed(name string, ctx *AuthorizerContext) error
KeyWritePrefixAllowed checks for permission to write to an entire key prefix. This means there must be no sub-policies that deny a write.
func (AllowAuthorizer) KeyringReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) KeyringReadAllowed(ctx *AuthorizerContext) error
KeyringReadAllowed determines if the encryption keyring used in the gossip layer can be read.
func (AllowAuthorizer) KeyringWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) KeyringWriteAllowed(ctx *AuthorizerContext) error
KeyringWriteAllowed determines if the keyring can be manipulated
func (AllowAuthorizer) MeshReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) MeshReadAllowed(ctx *AuthorizerContext) error
MeshReadAllowed determines if the read-only Consul mesh functions can be used.
func (AllowAuthorizer) MeshWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) MeshWriteAllowed(ctx *AuthorizerContext) error
MeshWriteAllowed determines if the state-changing Consul mesh functions can be used.
func (AllowAuthorizer) NodeReadAllAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) NodeReadAllAllowed(ctx *AuthorizerContext) error
NodeReadAllAllowed checks for permission to read (discover) all nodes.
func (AllowAuthorizer) NodeReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) NodeReadAllowed(name string, ctx *AuthorizerContext) error
NodeReadAllowed checks for permission to read (discover) a given node.
func (AllowAuthorizer) NodeWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) NodeWriteAllowed(name string, ctx *AuthorizerContext) error
NodeWriteAllowed checks for permission to create or update (register) a given node.
func (AllowAuthorizer) OperatorReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) OperatorReadAllowed(ctx *AuthorizerContext) error
OperatorReadAllowed determines if the read-only Consul operator functions can be used.
func (AllowAuthorizer) OperatorWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) OperatorWriteAllowed(ctx *AuthorizerContext) error
OperatorWriteAllowed determines if the state-changing Consul operator functions can be used.
func (AllowAuthorizer) PreparedQueryReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) PreparedQueryReadAllowed(name string, ctx *AuthorizerContext) error
PreparedQueryReadAllowed determines if a specific prepared query can be read to show its contents (this is not used for execution).
func (AllowAuthorizer) PreparedQueryWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) PreparedQueryWriteAllowed(name string, ctx *AuthorizerContext) error
PreparedQueryWriteAllowed determines if a specific prepared query can be created, modified, or deleted.
func (AllowAuthorizer) ServiceReadAllAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) ServiceReadAllAllowed(ctx *AuthorizerContext) error
ServiceReadAllAllowed checks for permission to read all services
func (AllowAuthorizer) ServiceReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) ServiceReadAllowed(name string, ctx *AuthorizerContext) error
ServiceReadAllowed checks for permission to read a given service
func (AllowAuthorizer) ServiceWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) ServiceWriteAllowed(name string, ctx *AuthorizerContext) error
ServiceWriteAllowed checks for permission to create or update a given service
func (AllowAuthorizer) ServiceWriteAnyAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) ServiceWriteAnyAllowed(ctx *AuthorizerContext) error
ServiceWriteAnyAllowed checks for write permission on any service
func (AllowAuthorizer) SessionReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) SessionReadAllowed(name string, ctx *AuthorizerContext) error
SessionReadAllowed checks for permission to read sessions for a given node.
func (AllowAuthorizer) SessionWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) SessionWriteAllowed(name string, ctx *AuthorizerContext) error
SessionWriteAllowed checks for permission to create sessions for a given node.
func (AllowAuthorizer) SnapshotAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) SnapshotAllowed(ctx *AuthorizerContext) error
SnapshotAllowed checks for permission to take and restore snapshots.
type Authorizer ¶ added in v1.4.0
type Authorizer interface { // ACLRead checks for permission to list all the ACLs ACLRead(*AuthorizerContext) EnforcementDecision // ACLWrite checks for permission to manipulate ACLs ACLWrite(*AuthorizerContext) EnforcementDecision // AgentRead checks for permission to read from agent endpoints for a // given node. AgentRead(string, *AuthorizerContext) EnforcementDecision // AgentWrite checks for permission to make changes via agent endpoints // for a given node. AgentWrite(string, *AuthorizerContext) EnforcementDecision // EventRead determines if a specific event can be queried. EventRead(string, *AuthorizerContext) EnforcementDecision // EventWrite determines if a specific event may be fired. EventWrite(string, *AuthorizerContext) EnforcementDecision // IntentionDefaultAllow determines the default authorized behavior // when no intentions match a Connect request. IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision // IntentionRead determines if a specific intention can be read. IntentionRead(string, *AuthorizerContext) EnforcementDecision // IntentionWrite determines if a specific intention can be // created, modified, or deleted. IntentionWrite(string, *AuthorizerContext) EnforcementDecision // KeyList checks for permission to list keys under a prefix KeyList(string, *AuthorizerContext) EnforcementDecision // KeyRead checks for permission to read a given key KeyRead(string, *AuthorizerContext) EnforcementDecision // KeyWrite checks for permission to write a given key KeyWrite(string, *AuthorizerContext) EnforcementDecision // KeyWritePrefix checks for permission to write to an // entire key prefix. This means there must be no sub-policies // that deny a write. KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision // KeyringRead determines if the encryption keyring used in // the gossip layer can be read. 
KeyringRead(*AuthorizerContext) EnforcementDecision // KeyringWrite determines if the keyring can be manipulated KeyringWrite(*AuthorizerContext) EnforcementDecision // MeshRead determines if the read-only Consul mesh functions // can be used. MeshRead(*AuthorizerContext) EnforcementDecision // MeshWrite determines if the state-changing Consul mesh // functions can be used. MeshWrite(*AuthorizerContext) EnforcementDecision // NodeRead checks for permission to read (discover) a given node. NodeRead(string, *AuthorizerContext) EnforcementDecision // NodeReadAll checks for permission to read (discover) all nodes. NodeReadAll(*AuthorizerContext) EnforcementDecision // NodeWrite checks for permission to create or update (register) a // given node. NodeWrite(string, *AuthorizerContext) EnforcementDecision // OperatorRead determines if the read-only Consul operator functions // can be used. OperatorRead(*AuthorizerContext) EnforcementDecision // OperatorWrite determines if the state-changing Consul operator // functions can be used. OperatorWrite(*AuthorizerContext) EnforcementDecision // PreparedQueryRead determines if a specific prepared query can be read // to show its contents (this is not used for execution). PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision // PreparedQueryWrite determines if a specific prepared query can be // created, modified, or deleted. 
PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision // ServiceRead checks for permission to read a given service ServiceRead(string, *AuthorizerContext) EnforcementDecision // ServiceReadAll checks for permission to read all services ServiceReadAll(*AuthorizerContext) EnforcementDecision // ServiceWrite checks for permission to create or update a given // service ServiceWrite(string, *AuthorizerContext) EnforcementDecision // ServiceWriteAny checks for write permission on any service ServiceWriteAny(*AuthorizerContext) EnforcementDecision // SessionRead checks for permission to read sessions for a given node. SessionRead(string, *AuthorizerContext) EnforcementDecision // SessionWrite checks for permission to create sessions for a given // node. SessionWrite(string, *AuthorizerContext) EnforcementDecision // Snapshot checks for permission to take and restore snapshots. Snapshot(*AuthorizerContext) EnforcementDecision // ToAllowAuthorizer is needed until we can use ResolveResult in all the places this interface is used. ToAllowAuthorizer() AllowAuthorizer // contains filtered or unexported methods }
Authorizer is the interface for policy enforcement.
func AllowAll ¶
func AllowAll() Authorizer
AllowAll returns an Authorizer that allows all operations
func ManageAll ¶
func ManageAll() Authorizer
ManageAll returns an Authorizer that can manage all resources
func NewAuthorizerFromRules ¶ added in v1.7.0
func NewAuthorizerFromRules(rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (Authorizer, error)
NewAuthorizerFromRules is a convenience function that invokes NewPolicyFromSource and then NewPolicyAuthorizer with the parsed policy.
func NewPolicyAuthorizer ¶ added in v1.4.0
func NewPolicyAuthorizer(policies []*Policy, entConfig *Config) (Authorizer, error)
NewPolicyAuthorizer merges the policies and returns an Authorizer that will enforce them
func NewPolicyAuthorizerWithDefaults ¶ added in v1.7.0
func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *Config) (Authorizer, error)
NewPolicyAuthorizerWithDefaults creates a ChainedAuthorizer in which the given policies are compiled into a single Authorizer that is consulted first, with defaultAuthz acting as the fallback for any decision the compiled policies leave at Default.
func RootAuthorizer ¶ added in v1.4.0
func RootAuthorizer(id string) Authorizer
RootAuthorizer returns a possible Authorizer if the ID matches a root policy.
TODO: rename this function. While the returned authorizer is used as a root authorizer in some cases, in others it is not. A more appropriate name might be NewAuthorizerFromPolicyName.
type ChainedAuthorizer ¶ added in v1.7.0
type ChainedAuthorizer struct {
// contains filtered or unexported fields
}
ChainedAuthorizer combines multiple Authorizers into one. Each Authorizer in the chain is asked, in order, for an enforcement decision, and the first non-Default decision rendered by any Authorizer in the chain becomes the overall decision of the ChainedAuthorizer. Order therefore matters: a Deny (or Allow) returned early in the chain takes precedence over any decision an Authorizer later in the chain would have made.
func NewChainedAuthorizer ¶ added in v1.7.0
func NewChainedAuthorizer(chain []Authorizer) *ChainedAuthorizer
NewChainedAuthorizer creates a ChainedAuthorizer with the provided chain of Authorizers. The slice provided should be in the order of most precedent Authorizer at the beginning and least precedent Authorizer at the end.
func (*ChainedAuthorizer) ACLRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) ACLRead(entCtx *AuthorizerContext) EnforcementDecision
ACLRead checks for permission to list all the ACLs
func (*ChainedAuthorizer) ACLWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) ACLWrite(entCtx *AuthorizerContext) EnforcementDecision
ACLWrite checks for permission to manipulate ACLs
func (*ChainedAuthorizer) AgentRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) AgentRead(node string, entCtx *AuthorizerContext) EnforcementDecision
AgentRead checks for permission to read from agent endpoints for a given node.
func (*ChainedAuthorizer) AgentWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *AuthorizerContext) EnforcementDecision
AgentWrite checks for permission to make changes via agent endpoints for a given node.
func (*ChainedAuthorizer) AuthorizerChain ¶ added in v1.7.0
func (c *ChainedAuthorizer) AuthorizerChain() []Authorizer
func (*ChainedAuthorizer) EventRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) EventRead(name string, entCtx *AuthorizerContext) EnforcementDecision
EventRead determines if a specific event can be queried.
func (*ChainedAuthorizer) EventWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) EventWrite(name string, entCtx *AuthorizerContext) EnforcementDecision
EventWrite determines if a specific event may be fired.
func (*ChainedAuthorizer) IntentionDefaultAllow ¶ added in v1.7.0
func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *AuthorizerContext) EnforcementDecision
IntentionDefaultAllow determines the default authorized behavior when no intentions match a Connect request.
func (*ChainedAuthorizer) IntentionRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *AuthorizerContext) EnforcementDecision
IntentionRead determines if a specific intention can be read.
func (*ChainedAuthorizer) IntentionWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *AuthorizerContext) EnforcementDecision
IntentionWrite determines if a specific intention can be created, modified, or deleted.
func (*ChainedAuthorizer) KeyList ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision
KeyList checks for permission to list keys under a prefix
func (*ChainedAuthorizer) KeyRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyRead(key string, entCtx *AuthorizerContext) EnforcementDecision
KeyRead checks for permission to read a given key
func (*ChainedAuthorizer) KeyWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) EnforcementDecision
KeyWrite checks for permission to write a given key
func (*ChainedAuthorizer) KeyWritePrefix ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision
KeyWritePrefix checks for permission to write to an entire key prefix. This means there must be no sub-policies that deny a write.
func (*ChainedAuthorizer) KeyringRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyringRead(entCtx *AuthorizerContext) EnforcementDecision
KeyringRead determines if the encryption keyring used in the gossip layer can be read.
func (*ChainedAuthorizer) KeyringWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyringWrite(entCtx *AuthorizerContext) EnforcementDecision
KeyringWrite determines if the keyring can be manipulated
func (*ChainedAuthorizer) MeshRead ¶ added in v1.11.0
func (c *ChainedAuthorizer) MeshRead(entCtx *AuthorizerContext) EnforcementDecision
MeshRead determines if the read-only Consul mesh functions can be used.
func (*ChainedAuthorizer) MeshWrite ¶ added in v1.11.0
func (c *ChainedAuthorizer) MeshWrite(entCtx *AuthorizerContext) EnforcementDecision
MeshWrite determines if the state-changing Consul mesh functions can be used.
func (*ChainedAuthorizer) NodeRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) NodeRead(node string, entCtx *AuthorizerContext) EnforcementDecision
NodeRead checks for permission to read (discover) a given node.
func (*ChainedAuthorizer) NodeReadAll ¶ added in v1.9.0
func (c *ChainedAuthorizer) NodeReadAll(entCtx *AuthorizerContext) EnforcementDecision
func (*ChainedAuthorizer) NodeWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *AuthorizerContext) EnforcementDecision
NodeWrite checks for permission to create or update (register) a given node.
func (*ChainedAuthorizer) OperatorRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) OperatorRead(entCtx *AuthorizerContext) EnforcementDecision
OperatorRead determines if the read-only Consul operator functions can be used.
func (*ChainedAuthorizer) OperatorWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) OperatorWrite(entCtx *AuthorizerContext) EnforcementDecision
OperatorWrite determines if the state-changing Consul operator functions can be used.
func (*ChainedAuthorizer) PreparedQueryRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *AuthorizerContext) EnforcementDecision
PreparedQueryRead determines if a specific prepared query can be read to show its contents (this is not used for execution).
func (*ChainedAuthorizer) PreparedQueryWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *AuthorizerContext) EnforcementDecision
PreparedQueryWrite determines if a specific prepared query can be created, modified, or deleted.
func (*ChainedAuthorizer) ServiceRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *AuthorizerContext) EnforcementDecision
ServiceRead checks for permission to read a given service
func (*ChainedAuthorizer) ServiceReadAll ¶ added in v1.9.0
func (c *ChainedAuthorizer) ServiceReadAll(entCtx *AuthorizerContext) EnforcementDecision
func (*ChainedAuthorizer) ServiceWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *AuthorizerContext) EnforcementDecision
ServiceWrite checks for permission to create or update a given service
func (*ChainedAuthorizer) ServiceWriteAny ¶ added in v1.12.0
func (c *ChainedAuthorizer) ServiceWriteAny(entCtx *AuthorizerContext) EnforcementDecision
ServiceWriteAny checks for write permission on any service
func (*ChainedAuthorizer) SessionRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) SessionRead(node string, entCtx *AuthorizerContext) EnforcementDecision
SessionRead checks for permission to read sessions for a given node.
func (*ChainedAuthorizer) SessionWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *AuthorizerContext) EnforcementDecision
SessionWrite checks for permission to create sessions for a given node.
func (*ChainedAuthorizer) Snapshot ¶ added in v1.7.0
func (c *ChainedAuthorizer) Snapshot(entCtx *AuthorizerContext) EnforcementDecision
Snapshot checks for permission to take and restore snapshots.
func (*ChainedAuthorizer) ToAllowAuthorizer ¶ added in v1.12.0
func (c *ChainedAuthorizer) ToAllowAuthorizer() AllowAuthorizer
type Config ¶ added in v1.7.0
type Config struct { // WildcardName is the string that represents a request to authorize a wildcard permission WildcardName string // embedded enterprise configuration EnterpriseConfig }
Config encapsulates all of the generic configuration parameters used for policy parsing and enforcement
func (*Config) Close ¶ added in v1.7.0
func (c *Config) Close()
Close will relinquish any resources this Config might be holding on to or managing.
func (*Config) GetWildcardName ¶ added in v1.7.0
GetWildcardName retrieves the configured wildcard name, or provides a default when the Config is nil or the wildcard name is unset.
type EnforcementDecision ¶ added in v1.7.0
type EnforcementDecision int
const ( // Deny returned from an Authorizer enforcement method indicates // that a corresponding rule was found and that access should be denied. // Deny is the zero value of EnforcementDecision, so an uninitialized // decision fails closed. Deny EnforcementDecision = iota // Allow returned from an Authorizer enforcement method indicates // that a corresponding rule was found and that access should be allowed Allow // Default returned from an Authorizer enforcement method indicates // that a corresponding rule was not found and that whether access // should be granted or denied should be deferred to the default // access level Default )
func Enforce ¶ added in v1.7.0
func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *AuthorizerContext) (EnforcementDecision, error)
func (EnforcementDecision) String ¶ added in v1.7.0
func (d EnforcementDecision) String() string
type EnterpriseConfig ¶ added in v1.7.0
type EnterpriseConfig struct { }
func (*EnterpriseConfig) Close ¶ added in v1.7.0
func (_ *EnterpriseConfig) Close()
type EnterprisePolicyMeta ¶ added in v1.7.0
type EnterprisePolicyMeta struct{}
EnterprisePolicyMeta stub
type EnterprisePolicyRules ¶ added in v1.7.0
type EnterprisePolicyRules struct{}
EnterprisePolicyRules stub
func (*EnterprisePolicyRules) Validate ¶ added in v1.7.0
func (r *EnterprisePolicyRules) Validate(*Config) error
type ExportFetcher ¶ added in v1.11.0
type ExportFetcher interface { // ExportsForPartition returns the config entry defining exports for a partition ExportsForPartition(partition string) ExportedServices }
type ExportedServices ¶ added in v1.11.0
type KeyRule ¶ added in v1.7.0
type KeyRule struct { Prefix string `hcl:",key"` Policy string EnterpriseRule `hcl:",squash"` }
KeyRule represents a rule for a key
type NodeRule ¶ added in v1.7.0
type NodeRule struct { Name string `hcl:",key"` Policy string EnterpriseRule `hcl:",squash"` }
NodeRule represents a rule for a node
type PermissionDeniedError ¶ added in v0.9.3
type PermissionDeniedError struct { Cause string // Accessor contains information on the accessor used e.g. "token <GUID>" Accessor string // Resource (e.g. Service) Resource Resource // Access level (e.g. Read) AccessLevel AccessLevel // e.g. "sidecar-proxy-1" ResourceID ResourceDescriptor }
Arguably this should be some sort of union type. The usage of Cause and the rest of the fields is entirely disjoint.
func PermissionDenied ¶ added in v1.8.1
func PermissionDenied(msg string, args ...interface{}) PermissionDeniedError
func PermissionDeniedByACL ¶ added in v1.12.0
func PermissionDeniedByACL(authz Authorizer, context *AuthorizerContext, resource Resource, accessLevel AccessLevel, resourceID string) PermissionDeniedError
TODO Extract information from Authorizer
func PermissionDeniedByACLUnnamed ¶ added in v1.12.0
func PermissionDeniedByACLUnnamed(authz Authorizer, context *AuthorizerContext, resource Resource, accessLevel AccessLevel) PermissionDeniedError
func (PermissionDeniedError) Error ¶ added in v0.9.3
func (e PermissionDeniedError) Error() string
Initially we may not have attribution information; that will become more complete as we work this change through. There are generally four classes of errors: 1) Named entities without a context 2) Unnamed entities with a context 3) Completely context free checks (global permissions) 4) Errors that only have a cause (for example a bad token)
type Policy ¶
type Policy struct { PolicyRules `hcl:",squash"` EnterprisePolicyRules `hcl:",squash"` }
Policy is used to represent the policy specified by an ACL configuration.
func MergePolicies ¶ added in v1.4.0
func NewPolicyFromSource ¶ added in v1.4.0
func NewPolicyFromSource(rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error)
NewPolicyFromSource is used to parse the specified ACL rules into an intermediate set of policies, before they are compiled into the ACL.
type PolicyMerger ¶ added in v1.7.0
type PolicyMerger struct {
// contains filtered or unexported fields
}
func (*PolicyMerger) Merge ¶ added in v1.7.0
func (m *PolicyMerger) Merge(policy *Policy)
func (*PolicyMerger) Policy ¶ added in v1.7.0
func (m *PolicyMerger) Policy() *Policy
Policy outputs the merged policy
type PolicyRules ¶ added in v1.7.0
type PolicyRules struct { ACL string `hcl:"acl,expand"` Agents []*AgentRule `hcl:"agent,expand"` AgentPrefixes []*AgentRule `hcl:"agent_prefix,expand"` Keys []*KeyRule `hcl:"key,expand"` KeyPrefixes []*KeyRule `hcl:"key_prefix,expand"` Nodes []*NodeRule `hcl:"node,expand"` NodePrefixes []*NodeRule `hcl:"node_prefix,expand"` Services []*ServiceRule `hcl:"service,expand"` ServicePrefixes []*ServiceRule `hcl:"service_prefix,expand"` Sessions []*SessionRule `hcl:"session,expand"` SessionPrefixes []*SessionRule `hcl:"session_prefix,expand"` Events []*EventRule `hcl:"event,expand"` EventPrefixes []*EventRule `hcl:"event_prefix,expand"` PreparedQueries []*PreparedQueryRule `hcl:"query,expand"` PreparedQueryPrefixes []*PreparedQueryRule `hcl:"query_prefix,expand"` Keyring string `hcl:"keyring"` Operator string `hcl:"operator"` Mesh string `hcl:"mesh"` }
func (*PolicyRules) Validate ¶ added in v1.7.0
func (pr *PolicyRules) Validate(conf *Config) error
type PreparedQueryRule ¶ added in v1.7.0
PreparedQueryRule represents a prepared query rule.
type Resource ¶ added in v1.7.0
type Resource string
const ( ResourceACL Resource = "acl" ResourceAgent Resource = "agent" ResourceEvent Resource = "event" ResourceIntention Resource = "intention" ResourceKey Resource = "key" ResourceKeyring Resource = "keyring" ResourceNode Resource = "node" ResourceOperator Resource = "operator" ResourceMesh Resource = "mesh" ResourceQuery Resource = "query" ResourceService Resource = "service" ResourceSession Resource = "session" )
type ResourceDescriptor ¶ added in v1.12.0
type ResourceDescriptor struct {
Name string
}
In some sense we really want this to contain an EnterpriseMeta, but this turns out to be a convenient place to hang helper functions off of.
func NewResourceDescriptor ¶ added in v1.12.0
func NewResourceDescriptor(name string, _ *AuthorizerContext) ResourceDescriptor
func (*ResourceDescriptor) ToString ¶ added in v1.12.0
func (od *ResourceDescriptor) ToString() string
type ServiceRule ¶ added in v1.7.0
type ServiceRule struct { Name string `hcl:",key"` Policy string // Intentions is the policy for intentions where this service is the // destination. This may be empty, in which case the Policy determines // the intentions policy. Intentions string EnterpriseRule `hcl:",squash"` }
ServiceRule represents a policy for a service
type SessionRule ¶ added in v1.7.0
SessionRule represents a rule for making sessions tied to specific node name prefixes.
type SyntaxVersion ¶ added in v1.4.0
type SyntaxVersion int
const ( SyntaxCurrent SyntaxVersion = iota SyntaxLegacy )