Documentation ¶
Index ¶
- Constants
- Variables
- func EqualNamespaces(_, _ string) bool
- func EqualPartitions(_, _ string) bool
- func IsDefaultPartition(partition string) bool
- func IsErrDisabled(err error) bool
- func IsErrNotFound(err error) bool
- func IsErrPermissionDenied(err error) bool
- func IsErrRootDenied(err error) bool
- func IsValidAuthMethodName(name string) bool
- func IsValidNodeIdentityName(name string) bool
- func IsValidPolicyName(name string) bool
- func IsValidRoleName(name string) bool
- func IsValidServiceIdentityName(name string) bool
- func NamespaceOrDefault(_ string) string
- func NormalizeNamespace(_ string) string
- func PartitionOrDefault(_ string) string
- func RequirePermissionDeniedError(t testing.TB, err error, authz Authorizer, _ *AuthorizerContext, ...)
- func RequirePermissionDeniedMessage(t testing.TB, msg string, authz interface{}, _ *AuthorizerContext, ...)
- func TranslateLegacyRules(policyBytes []byte) ([]byte, error)
- type AccessLevel
- type AgentRule
- type AllowAuthorizer
- func (a AllowAuthorizer) ACLReadAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) ACLWriteAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) AgentReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) AgentWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) EventReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) EventWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) IntentionDefaultAllowAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) IntentionReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) IntentionWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) KeyListAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) KeyReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) KeyWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) KeyWritePrefixAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) KeyringReadAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) KeyringWriteAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) MeshReadAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) MeshWriteAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) NodeReadAllAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) NodeReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) NodeWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) OperatorReadAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) OperatorWriteAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) PreparedQueryReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) PreparedQueryWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) ServiceReadAllAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) ServiceReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) ServiceWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) ServiceWriteAnyAllowed(ctx *AuthorizerContext) error
- func (a AllowAuthorizer) SessionReadAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) SessionWriteAllowed(name string, ctx *AuthorizerContext) error
- func (a AllowAuthorizer) SnapshotAllowed(ctx *AuthorizerContext) error
- type Authorizer
- func AllowAll() Authorizer
- func DenyAll() Authorizer
- func ManageAll() Authorizer
- func NewAuthorizerFromRules(rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (Authorizer, error)
- func NewPolicyAuthorizer(policies []*Policy, entConfig *Config) (Authorizer, error)
- func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *Config) (Authorizer, error)
- func RootAuthorizer(id string) Authorizer
- type AuthorizerContext
- type ChainedAuthorizer
- func (c *ChainedAuthorizer) ACLRead(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ACLWrite(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) AgentRead(node string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) AuthorizerChain() []Authorizer
- func (c *ChainedAuthorizer) EventRead(name string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) EventWrite(name string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyRead(key string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyringRead(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyringWrite(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) MeshRead(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) MeshWrite(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) NodeRead(node string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) NodeReadAll(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) OperatorRead(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) OperatorWrite(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ServiceReadAll(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ServiceWriteAny(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) SessionRead(node string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) Snapshot(entCtx *AuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ToAllowAuthorizer() AllowAuthorizer
- type Config
- type EnforcementDecision
- type EnterpriseConfig
- type EnterpriseMeta
- func (m *EnterpriseMeta) AddToHash(_ hash.Hash, _ bool)
- func (m *EnterpriseMeta) EstimateSize() int
- func (_ *EnterpriseMeta) FillAuthzContext(_ *AuthorizerContext)
- func (m *EnterpriseMeta) InDefaultNamespace() bool
- func (m *EnterpriseMeta) InDefaultPartition() bool
- func (m *EnterpriseMeta) IsSame(_ *EnterpriseMeta) bool
- func (m *EnterpriseMeta) LessThan(_ *EnterpriseMeta) bool
- func (m *EnterpriseMeta) Matches(_ *EnterpriseMeta) bool
- func (m *EnterpriseMeta) Merge(_ *EnterpriseMeta)
- func (m *EnterpriseMeta) MergeNoWildcard(_ *EnterpriseMeta)
- func (m *EnterpriseMeta) NamespaceOrDefault() string
- func (m *EnterpriseMeta) NamespaceOrEmpty() string
- func (_ *EnterpriseMeta) Normalize()
- func (_ *EnterpriseMeta) NormalizeNamespace()
- func (_ *EnterpriseMeta) NormalizePartition()
- func (m *EnterpriseMeta) OverridePartition(_ string)
- func (m *EnterpriseMeta) PartitionOrDefault() string
- func (m *EnterpriseMeta) PartitionOrEmpty() string
- func (m *EnterpriseMeta) ToEnterprisePolicyMeta() *EnterprisePolicyMeta
- func (m *EnterpriseMeta) UnsetPartition()
- func (m *EnterpriseMeta) WithWildcardNamespace() *EnterpriseMeta
- type EnterprisePolicyMeta
- type EnterprisePolicyRules
- type EnterpriseRule
- type EventRule
- type ExportFetcher
- type ExportedServices
- type KeyRule
- type NodeRule
- type PermissionDeniedError
- func PermissionDenied(msg string, args ...interface{}) PermissionDeniedError
- func PermissionDeniedByACL(authz Authorizer, context *AuthorizerContext, resource Resource, ...) PermissionDeniedError
- func PermissionDeniedByACLUnnamed(authz Authorizer, context *AuthorizerContext, resource Resource, ...) PermissionDeniedError
- type Policy
- type PolicyMerger
- type PolicyRules
- type PreparedQueryRule
- type Resource
- type ResourceDescriptor
- type ServiceRule
- type SessionRule
- type SyntaxVersion
Constants ¶
// Access-level names as they are spelled in policy rule text. They are
// listed in ascending order of privilege, mirroring the AccessLevel
// constants (presumably what AccessLevelFromString maps them to — confirm).
const (
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyList  = "list"
	PolicyWrite = "write"
)

// Upper bounds on the length of identity names accepted by
// IsValidServiceIdentityName and IsValidNodeIdentityName.
const (
	ServiceIdentityNameMaxLength = 256
	NodeIdentityNameMaxLength    = 256
)

// DefaultNamespaceName is the name of the default namespace.
const DefaultNamespaceName = "default"
Reviewer Note: This is a little bit strange; one might want it to be "" like the partition name. However, in consul/structs/intention.go we define IntentionDefaultNamespace as 'default', and so we use the same here.
const (
	// DefaultPartitionName is the empty string, unlike DefaultNamespaceName.
	// NOTE(review): because of that asymmetry, compare partitions with
	// EqualPartitions or IsDefaultPartition rather than with == on raw
	// strings; those helpers presumably treat "" and the default partition as
	// equivalent — confirm against their implementations.
	DefaultPartitionName = ""
)

const (
	// WildcardName is the wildcard name value. EnterpriseMeta.WithWildcardNamespace
	// and Config.WildcardName build on it; the exact matching rules are not
	// visible in this rendering.
	WildcardName = "*"
)
Variables ¶
var (
	// ErrNotFound indicates there is no matching ACL.
	ErrNotFound = errors.New(errNotFound)

	// ErrRootDenied is returned when attempting to resolve a root ACL.
	ErrRootDenied = errors.New(errRootDenied)

	// ErrDisabled is returned when ACL changes are not permitted since they
	// are disabled.
	ErrDisabled = errors.New(errDisabled)

	// ErrPermissionDenied is returned when an ACL based rejection happens.
	// It is the zero PermissionDeniedError, not an errors.New sentinel, so
	// use IsErrPermissionDenied to test for it rather than comparing error
	// values directly.
	ErrPermissionDenied = PermissionDeniedError{}

	// ErrInvalidParent is returned when a remotely resolved ACL token claims
	// to have a non-root parent.
	ErrInvalidParent = errors.New(errInvalidParent)
)
Functions ¶
func EqualNamespaces ¶ added in v1.13.0
func EqualPartitions ¶ added in v1.12.0
func IsDefaultPartition ¶ added in v1.12.0
func IsErrDisabled ¶ added in v0.9.3
IsErrDisabled checks if the given error message is comparable to ErrDisabled.
func IsErrNotFound ¶ added in v0.9.3
IsErrNotFound checks if the given error message is comparable to ErrNotFound.
func IsErrPermissionDenied ¶ added in v0.9.3
IsErrPermissionDenied checks if the given error message is comparable to ErrPermissionDenied.
func IsErrRootDenied ¶ added in v0.9.3
IsErrRootDenied checks if the given error message is comparable to ErrRootDenied.
func IsValidAuthMethodName ¶ added in v1.13.0
IsValidAuthMethodName returns true if the provided name can be used as an ACLAuthMethod Name.
func IsValidNodeIdentityName ¶ added in v1.13.0
IsValidNodeIdentityName returns true if the provided name can be used as an ACLNodeIdentity NodeName. This is more restrictive than standard catalog registration, which basically takes the view that "everything is valid".
func IsValidPolicyName ¶ added in v1.13.0
IsValidPolicyName returns true if the provided name can be used as an ACLPolicy Name.
func IsValidRoleName ¶ added in v1.13.0
IsValidRoleName returns true if the provided name can be used as an ACLRole Name.
func IsValidServiceIdentityName ¶ added in v1.13.0
IsValidServiceIdentityName returns true if the provided name can be used as an ACLServiceIdentity ServiceName. This is more restrictive than standard catalog registration, which basically takes the view that "everything is valid".
func NamespaceOrDefault ¶ added in v1.12.0
func NormalizeNamespace ¶ added in v1.13.0
func PartitionOrDefault ¶ added in v1.12.0
func RequirePermissionDeniedError ¶ added in v1.12.0
func RequirePermissionDeniedError(t testing.TB, err error, authz Authorizer, _ *AuthorizerContext, resource Resource, accessLevel AccessLevel, resourceID string)
func RequirePermissionDeniedMessage ¶ added in v1.12.0
func RequirePermissionDeniedMessage(t testing.TB, msg string, authz interface{}, _ *AuthorizerContext, resource Resource, accessLevel AccessLevel, resourceID string)
func TranslateLegacyRules ¶ added in v1.4.0
Types ¶
type AccessLevel ¶ added in v1.7.0
// AccessLevel is the ordered set of permission levels a policy can grant.
type AccessLevel int

const (
	// AccessUnknown is the zero value (presumably "not determined" — confirm).
	// The remaining levels ascend from deny to write, in the same order as
	// the PolicyDeny/PolicyRead/PolicyList/PolicyWrite string constants, so
	// numeric comparison of two levels is meaningful.
	AccessUnknown AccessLevel = iota
	AccessDeny
	AccessRead
	AccessList
	AccessWrite
)
func AccessLevelFromString ¶ added in v1.7.0
func AccessLevelFromString(level string) (AccessLevel, error)
func (AccessLevel) String ¶ added in v1.7.0
func (l AccessLevel) String() string
type AgentRule ¶ added in v1.7.0
AgentRule represents a rule for working with agent endpoints on nodes with specific name prefixes.
type AllowAuthorizer ¶ added in v1.12.0
// AllowAuthorizer wraps an Authorizer to expose the *Allowed methods, which
// report a denial as an error instead of returning an EnforcementDecision.
// It exists, together with Authorizer.ToAllowAuthorizer, to tide us over
// until the ResolveResult struct is moved into acl.
type AllowAuthorizer struct {
	Authorizer

	// AccessorID — presumably the accessor ID of the token being checked;
	// how it is used is not visible in this rendering. Confirm against the
	// *Allowed implementations.
	AccessorID string
}
AllowAuthorizer is a wrapper to expose the *Allowed methods. This and the ToAllowAuthorizer function exist to tide us over until the ResolveResult struct is moved into acl.
func (AllowAuthorizer) ACLReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) ACLReadAllowed(ctx *AuthorizerContext) error
ACLReadAllowed checks for permission to list all the ACLs
func (AllowAuthorizer) ACLWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) ACLWriteAllowed(ctx *AuthorizerContext) error
ACLWriteAllowed checks for permission to manipulate ACLs
func (AllowAuthorizer) AgentReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) AgentReadAllowed(name string, ctx *AuthorizerContext) error
AgentReadAllowed checks for permission to read from agent endpoints for a given node.
func (AllowAuthorizer) AgentWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) AgentWriteAllowed(name string, ctx *AuthorizerContext) error
AgentWriteAllowed checks for permission to make changes via agent endpoints for a given node.
func (AllowAuthorizer) EventReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) EventReadAllowed(name string, ctx *AuthorizerContext) error
EventReadAllowed determines if a specific event can be queried.
func (AllowAuthorizer) EventWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) EventWriteAllowed(name string, ctx *AuthorizerContext) error
EventWriteAllowed determines if a specific event may be fired.
func (AllowAuthorizer) IntentionDefaultAllowAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) IntentionDefaultAllowAllowed(ctx *AuthorizerContext) error
IntentionDefaultAllowAllowed determines the default authorized behavior when no intentions match a Connect request.
func (AllowAuthorizer) IntentionReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) IntentionReadAllowed(name string, ctx *AuthorizerContext) error
IntentionReadAllowed determines if a specific intention can be read.
func (AllowAuthorizer) IntentionWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) IntentionWriteAllowed(name string, ctx *AuthorizerContext) error
IntentionWriteAllowed determines if a specific intention can be created, modified, or deleted.
func (AllowAuthorizer) KeyListAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) KeyListAllowed(name string, ctx *AuthorizerContext) error
KeyListAllowed checks for permission to list keys under a prefix
func (AllowAuthorizer) KeyReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) KeyReadAllowed(name string, ctx *AuthorizerContext) error
KeyReadAllowed checks for permission to read a given key
func (AllowAuthorizer) KeyWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) KeyWriteAllowed(name string, ctx *AuthorizerContext) error
KeyWriteAllowed checks for permission to write a given key
func (AllowAuthorizer) KeyWritePrefixAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) KeyWritePrefixAllowed(name string, ctx *AuthorizerContext) error
KeyWritePrefixAllowed checks for permission to write to an entire key prefix. This means there must be no sub-policies that deny a write.
func (AllowAuthorizer) KeyringReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) KeyringReadAllowed(ctx *AuthorizerContext) error
KeyringReadAllowed determines if the encryption keyring used in the gossip layer can be read.
func (AllowAuthorizer) KeyringWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) KeyringWriteAllowed(ctx *AuthorizerContext) error
KeyringWriteAllowed determines if the keyring can be manipulated
func (AllowAuthorizer) MeshReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) MeshReadAllowed(ctx *AuthorizerContext) error
MeshReadAllowed determines if the read-only Consul mesh functions can be used.
func (AllowAuthorizer) MeshWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) MeshWriteAllowed(ctx *AuthorizerContext) error
MeshWriteAllowed determines if the state-changing Consul mesh functions can be used.
func (AllowAuthorizer) NodeReadAllAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) NodeReadAllAllowed(ctx *AuthorizerContext) error
NodeReadAllAllowed checks for permission to read (discover) all nodes.
func (AllowAuthorizer) NodeReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) NodeReadAllowed(name string, ctx *AuthorizerContext) error
NodeReadAllowed checks for permission to read (discover) a given node.
func (AllowAuthorizer) NodeWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) NodeWriteAllowed(name string, ctx *AuthorizerContext) error
NodeWriteAllowed checks for permission to create or update (register) a given node.
func (AllowAuthorizer) OperatorReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) OperatorReadAllowed(ctx *AuthorizerContext) error
OperatorReadAllowed determines if the read-only Consul operator functions can be used.
func (AllowAuthorizer) OperatorWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) OperatorWriteAllowed(ctx *AuthorizerContext) error
OperatorWriteAllowed determines if the state-changing Consul operator functions can be used.
func (AllowAuthorizer) PreparedQueryReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) PreparedQueryReadAllowed(name string, ctx *AuthorizerContext) error
PreparedQueryReadAllowed determines if a specific prepared query can be read to show its contents (this is not used for execution).
func (AllowAuthorizer) PreparedQueryWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) PreparedQueryWriteAllowed(name string, ctx *AuthorizerContext) error
PreparedQueryWriteAllowed determines if a specific prepared query can be created, modified, or deleted.
func (AllowAuthorizer) ServiceReadAllAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) ServiceReadAllAllowed(ctx *AuthorizerContext) error
ServiceReadAllAllowed checks for permission to read all services
func (AllowAuthorizer) ServiceReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) ServiceReadAllowed(name string, ctx *AuthorizerContext) error
ServiceReadAllowed checks for permission to read a given service
func (AllowAuthorizer) ServiceWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) ServiceWriteAllowed(name string, ctx *AuthorizerContext) error
ServiceWriteAllowed checks for permission to create or update a given service
func (AllowAuthorizer) ServiceWriteAnyAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) ServiceWriteAnyAllowed(ctx *AuthorizerContext) error
ServiceWriteAnyAllowed checks for write permission on any service
func (AllowAuthorizer) SessionReadAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) SessionReadAllowed(name string, ctx *AuthorizerContext) error
SessionReadAllowed checks for permission to read sessions for a given node.
func (AllowAuthorizer) SessionWriteAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) SessionWriteAllowed(name string, ctx *AuthorizerContext) error
SessionWriteAllowed checks for permission to create sessions for a given node.
func (AllowAuthorizer) SnapshotAllowed ¶ added in v1.12.0
func (a AllowAuthorizer) SnapshotAllowed(ctx *AuthorizerContext) error
SnapshotAllowed checks for permission to take and restore snapshots.
type Authorizer ¶ added in v1.4.0
// Authorizer is the interface for policy enforcement. Every method answers
// one authorization question with an EnforcementDecision rather than a bool;
// ChainedAuthorizer relies on the Default decision to fall through to the
// next Authorizer in its chain.
type Authorizer interface {
	// ACLRead checks for permission to list all the ACLs.
	ACLRead(*AuthorizerContext) EnforcementDecision

	// ACLWrite checks for permission to manipulate ACLs.
	ACLWrite(*AuthorizerContext) EnforcementDecision

	// AgentRead checks for permission to read from agent endpoints for a
	// given node.
	AgentRead(string, *AuthorizerContext) EnforcementDecision

	// AgentWrite checks for permission to make changes via agent endpoints
	// for a given node.
	AgentWrite(string, *AuthorizerContext) EnforcementDecision

	// EventRead determines if a specific event can be queried.
	EventRead(string, *AuthorizerContext) EnforcementDecision

	// EventWrite determines if a specific event may be fired.
	EventWrite(string, *AuthorizerContext) EnforcementDecision

	// IntentionDefaultAllow determines the default authorized behavior when
	// no intentions match a Connect request.
	IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision

	// IntentionRead determines if a specific intention can be read.
	IntentionRead(string, *AuthorizerContext) EnforcementDecision

	// IntentionWrite determines if a specific intention can be created,
	// modified, or deleted.
	IntentionWrite(string, *AuthorizerContext) EnforcementDecision

	// KeyList checks for permission to list keys under a prefix.
	KeyList(string, *AuthorizerContext) EnforcementDecision

	// KeyRead checks for permission to read a given key.
	KeyRead(string, *AuthorizerContext) EnforcementDecision

	// KeyWrite checks for permission to write a given key.
	KeyWrite(string, *AuthorizerContext) EnforcementDecision

	// KeyWritePrefix checks for permission to write to an entire key prefix.
	// This is stricter than KeyWrite on the prefix itself: there must be no
	// sub-policies that deny a write anywhere under the prefix.
	KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision

	// KeyringRead determines if the encryption keyring used in the gossip
	// layer can be read.
	KeyringRead(*AuthorizerContext) EnforcementDecision

	// KeyringWrite determines if the keyring can be manipulated.
	KeyringWrite(*AuthorizerContext) EnforcementDecision

	// MeshRead determines if the read-only Consul mesh functions can be used.
	MeshRead(*AuthorizerContext) EnforcementDecision

	// MeshWrite determines if the state-changing Consul mesh functions can
	// be used.
	MeshWrite(*AuthorizerContext) EnforcementDecision

	// NodeRead checks for permission to read (discover) a given node.
	NodeRead(string, *AuthorizerContext) EnforcementDecision

	// NodeReadAll checks for permission to read (discover) all nodes.
	NodeReadAll(*AuthorizerContext) EnforcementDecision

	// NodeWrite checks for permission to create or update (register) a
	// given node.
	NodeWrite(string, *AuthorizerContext) EnforcementDecision

	// OperatorRead determines if the read-only Consul operator functions
	// can be used.
	OperatorRead(*AuthorizerContext) EnforcementDecision

	// OperatorWrite determines if the state-changing Consul operator
	// functions can be used.
	OperatorWrite(*AuthorizerContext) EnforcementDecision

	// PreparedQueryRead determines if a specific prepared query can be read
	// to show its contents (this is not used for execution).
	PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision

	// PreparedQueryWrite determines if a specific prepared query can be
	// created, modified, or deleted.
	PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision

	// ServiceRead checks for permission to read a given service.
	ServiceRead(string, *AuthorizerContext) EnforcementDecision

	// ServiceReadAll checks for permission to read all services.
	ServiceReadAll(*AuthorizerContext) EnforcementDecision

	// ServiceWrite checks for permission to create or update a given
	// service.
	ServiceWrite(string, *AuthorizerContext) EnforcementDecision

	// ServiceWriteAny checks for write permission on any service.
	ServiceWriteAny(*AuthorizerContext) EnforcementDecision

	// SessionRead checks for permission to read sessions for a given node.
	SessionRead(string, *AuthorizerContext) EnforcementDecision

	// SessionWrite checks for permission to create sessions for a given
	// node.
	SessionWrite(string, *AuthorizerContext) EnforcementDecision

	// Snapshot checks for permission to take and restore snapshots.
	Snapshot(*AuthorizerContext) EnforcementDecision

	// ToAllowAuthorizer is needed until we can use ResolveResult in all the
	// places this interface is used.
	ToAllowAuthorizer() AllowAuthorizer

	// contains filtered or unexported methods
}
Authorizer is the interface for policy enforcement.
func AllowAll ¶
func AllowAll() Authorizer
AllowAll returns an Authorizer that allows all operations
func ManageAll ¶
func ManageAll() Authorizer
ManageAll returns an Authorizer that can manage all resources
func NewAuthorizerFromRules ¶ added in v1.7.0
func NewAuthorizerFromRules(rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (Authorizer, error)
NewAuthorizerFromRules is a convenience function that invokes NewPolicyFromSource followed by NewPolicyAuthorizer with the parsed policy.
func NewPolicyAuthorizer ¶ added in v1.4.0
func NewPolicyAuthorizer(policies []*Policy, entConfig *Config) (Authorizer, error)
NewPolicyAuthorizer merges the policies and returns an Authorizer that will enforce them
func NewPolicyAuthorizerWithDefaults ¶ added in v1.7.0
func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *Config) (Authorizer, error)
NewPolicyAuthorizerWithDefaults creates a ChainedAuthorizer with the policies compiled into one Authorizer and defaultAuthz as the backup policy.
func RootAuthorizer ¶ added in v1.4.0
func RootAuthorizer(id string) Authorizer
RootAuthorizer returns a possible Authorizer if the ID matches a root policy.
TODO: rename this function. While the returned authorizer is used as a root authorizer in some cases, in others it is not. A more appropriate name might be NewAuthorizerFromPolicyName.
type ChainedAuthorizer ¶ added in v1.7.0
type ChainedAuthorizer struct {
	// contains filtered or unexported fields
	// (the ordered chain is supplied to NewChainedAuthorizer and can be
	// retrieved with AuthorizerChain)
}
ChainedAuthorizer can combine multiple Authorizers into one. Each Authorizer in the chain is asked (in order) for an enforcement decision. The first non-Default decision rendered by an Authorizer in the chain is used as the overall decision of the ChainedAuthorizer; later Authorizers are not consulted, so an earlier Allow overrides a later Deny just as an earlier Deny overrides a later Allow.
func NewChainedAuthorizer ¶ added in v1.7.0
func NewChainedAuthorizer(chain []Authorizer) *ChainedAuthorizer
NewChainedAuthorizer creates a ChainedAuthorizer with the provided chain of Authorizers. The slice provided should be in the order of most precedent Authorizer at the beginning and least precedent Authorizer at the end.
func (*ChainedAuthorizer) ACLRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) ACLRead(entCtx *AuthorizerContext) EnforcementDecision
ACLRead checks for permission to list all the ACLs
func (*ChainedAuthorizer) ACLWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) ACLWrite(entCtx *AuthorizerContext) EnforcementDecision
ACLWrite checks for permission to manipulate ACLs
func (*ChainedAuthorizer) AgentRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) AgentRead(node string, entCtx *AuthorizerContext) EnforcementDecision
AgentRead checks for permission to read from agent endpoints for a given node.
func (*ChainedAuthorizer) AgentWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *AuthorizerContext) EnforcementDecision
AgentWrite checks for permission to make changes via agent endpoints for a given node.
func (*ChainedAuthorizer) AuthorizerChain ¶ added in v1.7.0
func (c *ChainedAuthorizer) AuthorizerChain() []Authorizer
func (*ChainedAuthorizer) EventRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) EventRead(name string, entCtx *AuthorizerContext) EnforcementDecision
EventRead determines if a specific event can be queried.
func (*ChainedAuthorizer) EventWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) EventWrite(name string, entCtx *AuthorizerContext) EnforcementDecision
EventWrite determines if a specific event may be fired.
func (*ChainedAuthorizer) IntentionDefaultAllow ¶ added in v1.7.0
func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *AuthorizerContext) EnforcementDecision
IntentionDefaultAllow determines the default authorized behavior when no intentions match a Connect request.
func (*ChainedAuthorizer) IntentionRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *AuthorizerContext) EnforcementDecision
IntentionRead determines if a specific intention can be read.
func (*ChainedAuthorizer) IntentionWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *AuthorizerContext) EnforcementDecision
IntentionWrite determines if a specific intention can be created, modified, or deleted.
func (*ChainedAuthorizer) KeyList ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision
KeyList checks for permission to list keys under a prefix
func (*ChainedAuthorizer) KeyRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyRead(key string, entCtx *AuthorizerContext) EnforcementDecision
KeyRead checks for permission to read a given key
func (*ChainedAuthorizer) KeyWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) EnforcementDecision
KeyWrite checks for permission to write a given key
func (*ChainedAuthorizer) KeyWritePrefix ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision
KeyWritePrefix checks for permission to write to an entire key prefix. This means there must be no sub-policies that deny a write.
func (*ChainedAuthorizer) KeyringRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyringRead(entCtx *AuthorizerContext) EnforcementDecision
KeyringRead determines if the encryption keyring used in the gossip layer can be read.
func (*ChainedAuthorizer) KeyringWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyringWrite(entCtx *AuthorizerContext) EnforcementDecision
KeyringWrite determines if the keyring can be manipulated
func (*ChainedAuthorizer) MeshRead ¶ added in v1.11.0
func (c *ChainedAuthorizer) MeshRead(entCtx *AuthorizerContext) EnforcementDecision
MeshRead determines if the read-only Consul mesh functions can be used.
func (*ChainedAuthorizer) MeshWrite ¶ added in v1.11.0
func (c *ChainedAuthorizer) MeshWrite(entCtx *AuthorizerContext) EnforcementDecision
MeshWrite determines if the state-changing Consul mesh functions can be used.
func (*ChainedAuthorizer) NodeRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) NodeRead(node string, entCtx *AuthorizerContext) EnforcementDecision
NodeRead checks for permission to read (discover) a given node.
func (*ChainedAuthorizer) NodeReadAll ¶ added in v1.9.0
func (c *ChainedAuthorizer) NodeReadAll(entCtx *AuthorizerContext) EnforcementDecision
func (*ChainedAuthorizer) NodeWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *AuthorizerContext) EnforcementDecision
NodeWrite checks for permission to create or update (register) a given node.
func (*ChainedAuthorizer) OperatorRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) OperatorRead(entCtx *AuthorizerContext) EnforcementDecision
OperatorRead determines if the read-only Consul operator functions can be used.
func (*ChainedAuthorizer) OperatorWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) OperatorWrite(entCtx *AuthorizerContext) EnforcementDecision
OperatorWrite determines if the state-changing Consul operator functions can be used.
func (*ChainedAuthorizer) PreparedQueryRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *AuthorizerContext) EnforcementDecision
PreparedQueryRead determines if a specific prepared query can be read to show its contents (this is not used for execution).
func (*ChainedAuthorizer) PreparedQueryWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *AuthorizerContext) EnforcementDecision
PreparedQueryWrite determines if a specific prepared query can be created, modified, or deleted.
func (*ChainedAuthorizer) ServiceRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *AuthorizerContext) EnforcementDecision
ServiceRead checks for permission to read a given service.
func (*ChainedAuthorizer) ServiceReadAll ¶ added in v1.9.0
func (c *ChainedAuthorizer) ServiceReadAll(entCtx *AuthorizerContext) EnforcementDecision
func (*ChainedAuthorizer) ServiceWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *AuthorizerContext) EnforcementDecision
ServiceWrite checks for permission to create or update a given service.
func (*ChainedAuthorizer) ServiceWriteAny ¶ added in v1.12.0
func (c *ChainedAuthorizer) ServiceWriteAny(entCtx *AuthorizerContext) EnforcementDecision
ServiceWriteAny checks for write permission on any service.
func (*ChainedAuthorizer) SessionRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) SessionRead(node string, entCtx *AuthorizerContext) EnforcementDecision
SessionRead checks for permission to read sessions for a given node.
func (*ChainedAuthorizer) SessionWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *AuthorizerContext) EnforcementDecision
SessionWrite checks for permission to create sessions for a given node.
func (*ChainedAuthorizer) Snapshot ¶ added in v1.7.0
func (c *ChainedAuthorizer) Snapshot(entCtx *AuthorizerContext) EnforcementDecision
Snapshot checks for permission to take and restore snapshots.
func (*ChainedAuthorizer) ToAllowAuthorizer ¶ added in v1.12.0
func (c *ChainedAuthorizer) ToAllowAuthorizer() AllowAuthorizer
type Config ¶ added in v1.7.0
// Config encapsulates all of the generic configuration parameters used for
// policy parsing and enforcement.
type Config struct {
	// WildcardName is the string that represents a request to authorize a
	// wildcard permission.
	WildcardName string

	// EnterpriseConfig is the embedded enterprise configuration.
	EnterpriseConfig
}
Config encapsulates all of the generic configuration parameters used for policy parsing and enforcement.
func (*Config) Close ¶ added in v1.7.0
func (c *Config) Close()
Close will relinquish any resources this Config might be holding on to or managing.
func (*Config) GetWildcardName ¶ added in v1.7.0
GetWildcardName will retrieve the configured wildcard name or provide a default in the case that the config is nil or the wildcard name is unset.
type EnforcementDecision ¶ added in v1.7.0
// EnforcementDecision is the outcome of an Authorizer enforcement method. It
// records whether a corresponding rule was found and, if so, what that rule
// says; Default leaves the answer to the default access level, so callers
// must still resolve it rather than treat it as permission.
type EnforcementDecision int

// Deny is returned from an Authorizer enforcement method when a
// corresponding rule was found and access should be denied.
const Deny EnforcementDecision = 0

// Allow is returned from an Authorizer enforcement method when a
// corresponding rule was found and access should be allowed.
const Allow EnforcementDecision = 1

// Default is returned from an Authorizer enforcement method when no
// corresponding rule was found; whether access should be granted or denied
// is deferred to the default access level.
const Default EnforcementDecision = 2
func Enforce ¶ added in v1.7.0
func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *AuthorizerContext) (EnforcementDecision, error)
func (EnforcementDecision) String ¶ added in v1.7.0
func (d EnforcementDecision) String() string
type EnterpriseConfig ¶ added in v1.7.0
// EnterpriseConfig is the enterprise configuration embedded in Config. In
// this build it carries no fields.
type EnterpriseConfig struct{}
func (*EnterpriseConfig) Close ¶ added in v1.7.0
func (_ *EnterpriseConfig) Close()
type EnterpriseMeta ¶ added in v1.12.0
// EnterpriseMeta is a stub: in this build it carries no fields. Its methods
// are declared below so that callers compile identically against enterprise
// and non-enterprise builds.
type EnterpriseMeta struct{}
EnterpriseMeta stub
func DefaultEnterpriseMeta ¶ added in v1.12.0
func DefaultEnterpriseMeta() *EnterpriseMeta
func NewEnterpriseMetaWithPartition ¶ added in v1.12.0
func NewEnterpriseMetaWithPartition(_, _ string) EnterpriseMeta
func WildcardEnterpriseMeta ¶ added in v1.12.0
func WildcardEnterpriseMeta() *EnterpriseMeta
func (*EnterpriseMeta) AddToHash ¶ added in v1.12.0
func (m *EnterpriseMeta) AddToHash(_ hash.Hash, _ bool)
func (*EnterpriseMeta) EstimateSize ¶ added in v1.12.0
func (m *EnterpriseMeta) EstimateSize() int
func (*EnterpriseMeta) FillAuthzContext ¶ added in v1.12.0
func (_ *EnterpriseMeta) FillAuthzContext(_ *AuthorizerContext)
FillAuthzContext stub
func (*EnterpriseMeta) InDefaultNamespace ¶ added in v1.12.0
func (m *EnterpriseMeta) InDefaultNamespace() bool
func (*EnterpriseMeta) InDefaultPartition ¶ added in v1.12.0
func (m *EnterpriseMeta) InDefaultPartition() bool
func (*EnterpriseMeta) IsSame ¶ added in v1.12.0
func (m *EnterpriseMeta) IsSame(_ *EnterpriseMeta) bool
func (*EnterpriseMeta) LessThan ¶ added in v1.12.0
func (m *EnterpriseMeta) LessThan(_ *EnterpriseMeta) bool
func (*EnterpriseMeta) Matches ¶ added in v1.12.0
func (m *EnterpriseMeta) Matches(_ *EnterpriseMeta) bool
func (*EnterpriseMeta) Merge ¶ added in v1.12.0
func (m *EnterpriseMeta) Merge(_ *EnterpriseMeta)
func (*EnterpriseMeta) MergeNoWildcard ¶ added in v1.12.0
func (m *EnterpriseMeta) MergeNoWildcard(_ *EnterpriseMeta)
func (*EnterpriseMeta) NamespaceOrDefault ¶ added in v1.12.0
func (m *EnterpriseMeta) NamespaceOrDefault() string
func (*EnterpriseMeta) NamespaceOrEmpty ¶ added in v1.12.0
func (m *EnterpriseMeta) NamespaceOrEmpty() string
func (*EnterpriseMeta) Normalize ¶ added in v1.12.0
func (_ *EnterpriseMeta) Normalize()
func (*EnterpriseMeta) NormalizeNamespace ¶ added in v1.13.0
func (_ *EnterpriseMeta) NormalizeNamespace()
func (*EnterpriseMeta) NormalizePartition ¶ added in v1.13.0
func (_ *EnterpriseMeta) NormalizePartition()
func (*EnterpriseMeta) OverridePartition ¶ added in v1.13.0
func (m *EnterpriseMeta) OverridePartition(_ string)
func (*EnterpriseMeta) PartitionOrDefault ¶ added in v1.12.0
func (m *EnterpriseMeta) PartitionOrDefault() string
func (*EnterpriseMeta) PartitionOrEmpty ¶ added in v1.12.0
func (m *EnterpriseMeta) PartitionOrEmpty() string
func (*EnterpriseMeta) ToEnterprisePolicyMeta ¶ added in v1.12.0
func (m *EnterpriseMeta) ToEnterprisePolicyMeta() *EnterprisePolicyMeta
func (*EnterpriseMeta) UnsetPartition ¶ added in v1.12.0
func (m *EnterpriseMeta) UnsetPartition()
func (*EnterpriseMeta) WithWildcardNamespace ¶ added in v1.12.0
func (m *EnterpriseMeta) WithWildcardNamespace() *EnterpriseMeta
type EnterprisePolicyMeta ¶ added in v1.7.0
// EnterprisePolicyMeta is a stub; in this build it carries no fields.
type EnterprisePolicyMeta struct{}
EnterprisePolicyMeta stub
type EnterprisePolicyRules ¶ added in v1.7.0
// EnterprisePolicyRules is a stub; in this build it carries no fields. It is
// squashed into Policy next to the generic PolicyRules.
type EnterprisePolicyRules struct{}
EnterprisePolicyRules stub
func (*EnterprisePolicyRules) Validate ¶ added in v1.7.0
func (r *EnterprisePolicyRules) Validate(*Config) error
type ExportFetcher ¶ added in v1.11.0
// ExportFetcher looks up the exported-services configuration that applies to
// a given partition.
type ExportFetcher interface {
	// ExportsForPartition returns the config entry defining exports for a
	// partition.
	ExportsForPartition(partition string) ExportedServices
}
type ExportedServices ¶ added in v1.11.0
type KeyRule ¶ added in v1.7.0
// KeyRule represents a rule for a key. The same type is used for exact-key
// rules (PolicyRules.Keys) and prefix rules (PolicyRules.KeyPrefixes).
type KeyRule struct {
	// Prefix is the key, or key prefix, the rule applies to; it is the HCL
	// block label.
	Prefix string `hcl:",key"`
	// Policy names the access policy granted for the key.
	Policy string
	// EnterpriseRule carries enterprise-only rule fields, squashed into the
	// same HCL block.
	EnterpriseRule `hcl:",squash"`
}
KeyRule represents a rule for a key.
type NodeRule ¶ added in v1.7.0
// NodeRule represents a rule for a node. The same type is used for exact-name
// rules (PolicyRules.Nodes) and prefix rules (PolicyRules.NodePrefixes).
type NodeRule struct {
	// Name is the node name, or name prefix, the rule applies to; it is the
	// HCL block label.
	Name string `hcl:",key"`
	// Policy names the access policy granted for the node.
	Policy string
	// EnterpriseRule carries enterprise-only rule fields, squashed into the
	// same HCL block.
	EnterpriseRule `hcl:",squash"`
}
NodeRule represents a rule for a node.
type PermissionDeniedError ¶ added in v0.9.3
// PermissionDeniedError is the error value built by PermissionDenied and
// PermissionDeniedByACL. Either Cause is set on its own, or the attribution
// fields (Accessor, Resource, AccessLevel, ResourceID) are set; the two uses
// are entirely disjoint, so arguably this should be some sort of union type.
type PermissionDeniedError struct {
	// Cause is a free-form reason used when no attribution is available
	// (for example a bad token).
	Cause string
	// Accessor contains information on the accessor used e.g. "token <GUID>"
	Accessor string
	// Resource (e.g. Service)
	Resource Resource
	// Access level (e.g. Read)
	AccessLevel AccessLevel
	// e.g. "sidecar-proxy-1"
	ResourceID ResourceDescriptor
}
Arguably this should be some sort of union type: the usage of Cause is entirely disjoint from that of the rest of the fields.
func PermissionDenied ¶ added in v1.8.1
func PermissionDenied(msg string, args ...interface{}) PermissionDeniedError
func PermissionDeniedByACL ¶ added in v1.12.0
func PermissionDeniedByACL(authz Authorizer, context *AuthorizerContext, resource Resource, accessLevel AccessLevel, resourceID string) PermissionDeniedError
TODO: extract attribution information from the Authorizer.
func PermissionDeniedByACLUnnamed ¶ added in v1.12.0
func PermissionDeniedByACLUnnamed(authz Authorizer, context *AuthorizerContext, resource Resource, accessLevel AccessLevel) PermissionDeniedError
func (PermissionDeniedError) Error ¶ added in v0.9.3
func (e PermissionDeniedError) Error() string
Initially we may not have attribution information; that will become more complete as we work this change through. There are generally the following classes of errors: 1) named entities without a context; 2) unnamed entities with a context; 3) completely context-free checks (global permissions); 4) errors that only have a cause (for example a bad token).
type Policy ¶
// Policy is used to represent the policy specified by an ACL configuration.
// Both embedded rule sets are squashed, so their fields appear at the top
// level of the HCL policy document.
type Policy struct {
	// PolicyRules holds the generic (open-source) rule set.
	PolicyRules `hcl:",squash"`
	// EnterprisePolicyRules holds the enterprise-only rule set.
	EnterprisePolicyRules `hcl:",squash"`
}
Policy is used to represent the policy specified by an ACL configuration.
func MergePolicies ¶ added in v1.4.0
func NewPolicyFromSource ¶ added in v1.4.0
func NewPolicyFromSource(rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error)
NewPolicyFromSource is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL.
type PolicyMerger ¶ added in v1.7.0
// PolicyMerger accumulates policies passed to Merge and returns the combined
// result from Policy.
type PolicyMerger struct {
	// contains filtered or unexported fields
}
func (*PolicyMerger) Merge ¶ added in v1.7.0
func (m *PolicyMerger) Merge(policy *Policy)
func (*PolicyMerger) Policy ¶ added in v1.7.0
func (m *PolicyMerger) Policy() *Policy
Policy outputs the merged policy
type PolicyRules ¶ added in v1.7.0
// PolicyRules is the generic rule set of a Policy. Each resource kind has an
// exact-match list and a prefix-match list, both decoded from the HCL keys
// named in the field tags; the remaining string fields are single global
// permissions.
type PolicyRules struct {
	// ACL is the policy for the ACL system itself.
	ACL string `hcl:"acl,expand"`

	// Agent rules, exact name and name prefix.
	Agents        []*AgentRule `hcl:"agent,expand"`
	AgentPrefixes []*AgentRule `hcl:"agent_prefix,expand"`

	// Key rules, exact key and key prefix.
	Keys        []*KeyRule `hcl:"key,expand"`
	KeyPrefixes []*KeyRule `hcl:"key_prefix,expand"`

	// Node rules, exact name and name prefix.
	Nodes        []*NodeRule `hcl:"node,expand"`
	NodePrefixes []*NodeRule `hcl:"node_prefix,expand"`

	// Service rules, exact name and name prefix.
	Services        []*ServiceRule `hcl:"service,expand"`
	ServicePrefixes []*ServiceRule `hcl:"service_prefix,expand"`

	// Session rules, exact node name and node name prefix.
	Sessions        []*SessionRule `hcl:"session,expand"`
	SessionPrefixes []*SessionRule `hcl:"session_prefix,expand"`

	// Event rules, exact name and name prefix.
	Events        []*EventRule `hcl:"event,expand"`
	EventPrefixes []*EventRule `hcl:"event_prefix,expand"`

	// Prepared query rules, exact name and name prefix.
	PreparedQueries       []*PreparedQueryRule `hcl:"query,expand"`
	PreparedQueryPrefixes []*PreparedQueryRule `hcl:"query_prefix,expand"`

	// Keyring is the policy for the gossip encryption keyring.
	Keyring string `hcl:"keyring"`
	// Operator is the policy for the Consul operator functions.
	Operator string `hcl:"operator"`
	// Mesh is the policy for the Consul mesh functions.
	Mesh string `hcl:"mesh"`
}
func (*PolicyRules) Validate ¶ added in v1.7.0
func (pr *PolicyRules) Validate(conf *Config) error
type PreparedQueryRule ¶ added in v1.7.0
PreparedQueryRule represents a prepared query rule.
type Resource ¶ added in v1.7.0
// Resource names the kind of object an ACL rule governs. Its string value is
// the resource name as it appears in policy rules and in
// PermissionDeniedError.Resource.
type Resource string

// ResourceACL governs the ACL system itself.
const ResourceACL Resource = "acl"

// ResourceAgent governs agent operations.
const ResourceAgent Resource = "agent"

// ResourceEvent governs user events.
const ResourceEvent Resource = "event"

// ResourceIntention governs intentions.
const ResourceIntention Resource = "intention"

// ResourceKey governs the KV store.
const ResourceKey Resource = "key"

// ResourceKeyring governs the gossip encryption keyring.
const ResourceKeyring Resource = "keyring"

// ResourceNode governs nodes.
const ResourceNode Resource = "node"

// ResourceOperator governs operator functions.
const ResourceOperator Resource = "operator"

// ResourceMesh governs mesh functions.
const ResourceMesh Resource = "mesh"

// ResourceQuery governs prepared queries.
const ResourceQuery Resource = "query"

// ResourceService governs services.
const ResourceService Resource = "service"

// ResourceSession governs sessions.
const ResourceSession Resource = "session"
type ResourceDescriptor ¶ added in v1.12.0
// ResourceDescriptor identifies the specific resource an ACL decision was
// about (e.g. "sidecar-proxy-1"). In some sense we really want this to
// contain an EnterpriseMeta, but this turns out to be a convenient place to
// hang helper functions off of.
type ResourceDescriptor struct {
	// Name is the resource's name as passed to NewResourceDescriptor.
	Name string
}
In some sense we really want this to contain an EnterpriseMeta, but this turns out to be a convenient place to hang helper functions off of.
func NewResourceDescriptor ¶ added in v1.12.0
func NewResourceDescriptor(name string, _ *AuthorizerContext) ResourceDescriptor
func (*ResourceDescriptor) ToString ¶ added in v1.12.0
func (od *ResourceDescriptor) ToString() string
type ServiceRule ¶ added in v1.7.0
// ServiceRule represents a policy for a service. The same type is used for
// exact-name rules (PolicyRules.Services) and prefix rules
// (PolicyRules.ServicePrefixes).
type ServiceRule struct {
	// Name is the service name, or name prefix, the rule applies to; it is
	// the HCL block label.
	Name string `hcl:",key"`
	// Policy names the access policy granted for the service.
	Policy string

	// Intentions is the policy for intentions where this service is the
	// destination. This may be empty, in which case the Policy determines
	// the intentions policy.
	Intentions string

	// EnterpriseRule carries enterprise-only rule fields, squashed into the
	// same HCL block.
	EnterpriseRule `hcl:",squash"`
}
ServiceRule represents a policy for a service.
type SessionRule ¶ added in v1.7.0
SessionRule represents a rule for making sessions tied to specific node name prefixes.
type SyntaxVersion ¶ added in v1.4.0
// SyntaxVersion selects which ACL policy syntax NewPolicyFromSource parses.
type SyntaxVersion int

// SyntaxCurrent is the current policy syntax.
const SyntaxCurrent SyntaxVersion = 0

// SyntaxLegacy is the legacy policy syntax (see TranslateLegacyRules).
const SyntaxLegacy SyntaxVersion = 1