acl

Published: Dec 10, 2019 License: MPL-2.0 Imports: 13 Imported by: 651


Constants

// Access-level names as they appear in policy rules. These are the string
// values carried by the Policy fields of the rule types (AgentRule, KeyRule,
// NodeRule, ...) and by PolicyRules.ACL / Keyring / Operator.
const (
	PolicyDeny  = "deny"  // explicitly refuse access
	PolicyRead  = "read"  // read-only access
	PolicyList  = "list"  // list access (for keys; see Authorizer.KeyList)
	PolicyWrite = "write" // read and write access
)

Variables

// Sentinel errors returned by ACL resolution and enforcement. The message
// text of each errors.New sentinel is the unexported errXxx constant
// declared elsewhere in the package; callers should use the IsErrXxx
// helpers rather than comparing message strings themselves.
var (
	// ErrNotFound indicates there is no matching ACL.
	ErrNotFound = errors.New(errNotFound)

	// ErrRootDenied is returned when attempting to resolve a root ACL.
	ErrRootDenied = errors.New(errRootDenied)

	// ErrDisabled is returned when ACL changes are not permitted since
	// they are disabled.
	ErrDisabled = errors.New(errDisabled)

	// ErrPermissionDenied is returned when an ACL based rejection
	// happens. Unlike the other sentinels it is a PermissionDeniedError
	// struct value with an empty Cause, so a direct == comparison only
	// matches rejections that carry no Cause; use IsErrPermissionDenied
	// to test for this class of error.
	ErrPermissionDenied = PermissionDeniedError{}

	// ErrInvalidParent is returned when a remotely resolved ACL
	// token claims to have a non-root parent.
	ErrInvalidParent = errors.New(errInvalidParent)
)

Functions

func IsErrDisabled added in v0.9.3

func IsErrDisabled(err error) bool

IsErrDisabled checks if the given error message is comparable to ErrDisabled.

func IsErrNotFound added in v0.9.3

func IsErrNotFound(err error) bool

IsErrNotFound checks if the given error message is comparable to ErrNotFound.

func IsErrPermissionDenied added in v0.9.3

func IsErrPermissionDenied(err error) bool

IsErrPermissionDenied checks if the given error message is comparable to ErrPermissionDenied.

func IsErrRootDenied added in v0.9.3

func IsErrRootDenied(err error) bool

IsErrRootDenied checks if the given error message is comparable to ErrRootDenied.

func TranslateLegacyRules added in v1.4.0

func TranslateLegacyRules(policyBytes []byte) ([]byte, error)

Types

type AccessLevel added in v1.7.0

// AccessLevel is the parsed form of a policy string (see PolicyDeny,
// PolicyRead, PolicyList, PolicyWrite). Its zero value is AccessUnknown,
// which names no access level and therefore never grants anything.
// AccessLevelFromString converts the string form; String converts back.
type AccessLevel int
const (
	AccessUnknown AccessLevel = iota // zero value: not a recognised level
	AccessDeny
	AccessRead
	AccessList
	AccessWrite
)
// NOTE(review): the constants are declared in increasing order of
// privilege, but this declaration alone does not establish whether
// callers rely on comparing AccessLevel values numerically — confirm
// before depending on that ordering.

func AccessLevelFromString added in v1.7.0

func AccessLevelFromString(level string) (AccessLevel, error)

func (AccessLevel) String added in v1.7.0

func (l AccessLevel) String() string

type AgentRule added in v1.7.0

// AgentRule represents a rule for working with agent endpoints on nodes
// with specific name prefixes. It is decoded from HCL, where the node name
// is the block key (hcl:",key").
type AgentRule struct {
	Node   string `hcl:",key"` // node name, or name prefix for agent_prefix rules
	Policy string              // access level name, e.g. PolicyRead / PolicyWrite
}

AgentRule represents a rule for working with agent endpoints on nodes with specific name prefixes.

type Authorizer added in v1.4.0

// Authorizer is the interface for policy enforcement. Every method returns
// an EnforcementDecision: Deny or Allow when a matching rule was found,
// Default when no rule matched and the decision is deferred to the default
// access level (see EnforcementDecision). The string parameter on the
// resource-specific methods is the name, key or prefix being checked; the
// *EnterpriseAuthorizerContext carries enterprise-only context (a stub
// type in this build, see EnterpriseAuthorizerContext).
type Authorizer interface {
	// ACLRead checks for permission to list all the ACLs
	ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision

	// ACLWrite checks for permission to manipulate ACLs
	ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision

	// AgentRead checks for permission to read from agent endpoints for a
	// given node.
	AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// AgentWrite checks for permission to make changes via agent endpoints
	// for a given node.
	AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// EventRead determines if a specific event can be queried.
	EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// EventWrite determines if a specific event may be fired.
	EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// IntentionDefaultAllow determines the default authorized behavior
	// when no intentions match a Connect request.
	IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision

	// IntentionRead determines if a specific intention can be read.
	IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// IntentionWrite determines if a specific intention can be
	// created, modified, or deleted.
	IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// KeyList checks for permission to list keys under a prefix
	KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// KeyRead checks for permission to read a given key
	KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// KeyWrite checks for permission to write a given key
	KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// KeyWritePrefix checks for permission to write to an
	// entire key prefix. This means there must be no sub-policies
	// that deny a write. It is therefore stricter than KeyWrite on the
	// prefix itself: a deny rule on any key below the prefix is enough
	// to refuse the whole-prefix write.
	KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// KeyringRead determines if the encryption keyring used in
	// the gossip layer can be read.
	KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision

	// KeyringWrite determines if the keyring can be manipulated
	KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision

	// NodeRead checks for permission to read (discover) a given node.
	NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// NodeWrite checks for permission to create or update (register) a
	// given node.
	NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// OperatorRead determines if the read-only Consul operator functions
	// can be used.
	OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision

	// OperatorWrite determines if the state-changing Consul operator
	// functions can be used.
	OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision

	// PreparedQueryRead determines if a specific prepared query can be read
	// to show its contents (this is not used for execution).
	PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// PreparedQueryWrite determines if a specific prepared query can be
	// created, modified, or deleted.
	PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// ServiceRead checks for permission to read a given service
	ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// ServiceWrite checks for permission to create or update a given
	// service
	ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// SessionRead checks for permission to read sessions for a given node.
	SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// SessionWrite checks for permission to create sessions for a given
	// node.
	SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// Snapshot checks for permission to take and restore snapshots.
	Snapshot(*EnterpriseAuthorizerContext) EnforcementDecision

	// Embedded Interface for Consul Enterprise specific ACL enforcement
	// (an empty stub interface in this build, see EnterpriseAuthorizer).
	EnterpriseAuthorizer
}

Authorizer is the interface for policy enforcement.

func AllowAll

func AllowAll() Authorizer

AllowAll returns an Authorizer that allows all operations

func DenyAll

func DenyAll() Authorizer

DenyAll returns an Authorizer that denies all operations

func ManageAll

func ManageAll() Authorizer

ManageAll returns an Authorizer that can manage all resources

func NewPolicyAuthorizer added in v1.4.0

func NewPolicyAuthorizer(policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error)

NewPolicyAuthorizer merges the policies and returns an Authorizer that will enforce them

func NewPolicyAuthorizerWithDefaults added in v1.7.0

func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error)

NewPolicyAuthorizerWithDefaults creates a ChainedAuthorizer with the policies compiled into one Authorizer and defaultAuthz as the backup policy.

func RootAuthorizer added in v1.4.0

func RootAuthorizer(id string) Authorizer

RootAuthorizer returns a possible Authorizer if the ID matches a root policy

type ChainedAuthorizer added in v1.7.0

// ChainedAuthorizer can combine multiple Authorizers into one. Each
// Authorizer in the chain is asked (in order) for an enforcement decision,
// and the first non-Default decision is used as the overall decision.
// Chain order is therefore security-relevant: the Authorizer placed first
// can override every later one (see NewChainedAuthorizer, which exposes
// the chain via AuthorizerChain).
// NOTE(review): what the chain returns when every member yields Default is
// not stated here — presumably Default, to be confirmed against the
// method bodies.
type ChainedAuthorizer struct {
	// contains filtered or unexported fields
}

ChainedAuthorizer can combine multiple Authorizers into one. Each Authorizer in the chain is asked (in order) for an enforcement decision. The first non-Default decision rendered by an Authorizer in the chain is used as the overall decision of the ChainedAuthorizer.

func NewChainedAuthorizer added in v1.7.0

func NewChainedAuthorizer(chain []Authorizer) *ChainedAuthorizer

NewChainedAuthorizer creates a ChainedAuthorizer with the provided chain of Authorizers. The slice provided should be in the order of most precedent Authorizer at the beginning and least precedent Authorizer at the end.

func (*ChainedAuthorizer) ACLRead added in v1.7.0

ACLRead checks for permission to list all the ACLs

func (*ChainedAuthorizer) ACLWrite added in v1.7.0

ACLWrite checks for permission to manipulate ACLs

func (*ChainedAuthorizer) AgentRead added in v1.7.0

AgentRead checks for permission to read from agent endpoints for a given node.

func (*ChainedAuthorizer) AgentWrite added in v1.7.0

AgentWrite checks for permission to make changes via agent endpoints for a given node.

func (*ChainedAuthorizer) AuthorizerChain added in v1.7.0

func (c *ChainedAuthorizer) AuthorizerChain() []Authorizer

func (*ChainedAuthorizer) EventRead added in v1.7.0

EventRead determines if a specific event can be queried.

func (*ChainedAuthorizer) EventWrite added in v1.7.0

EventWrite determines if a specific event may be fired.

func (*ChainedAuthorizer) IntentionDefaultAllow added in v1.7.0

func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *EnterpriseAuthorizerContext) EnforcementDecision

IntentionDefaultAllow determines the default authorized behavior when no intentions match a Connect request.

func (*ChainedAuthorizer) IntentionRead added in v1.7.0

func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision

IntentionRead determines if a specific intention can be read.

func (*ChainedAuthorizer) IntentionWrite added in v1.7.0

func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision

IntentionWrite determines if a specific intention can be created, modified, or deleted.

func (*ChainedAuthorizer) KeyList added in v1.7.0

KeyList checks for permission to list keys under a prefix

func (*ChainedAuthorizer) KeyRead added in v1.7.0

KeyRead checks for permission to read a given key

func (*ChainedAuthorizer) KeyWrite added in v1.7.0

KeyWrite checks for permission to write a given key

func (*ChainedAuthorizer) KeyWritePrefix added in v1.7.0

func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision

KeyWritePrefix checks for permission to write to an entire key prefix. This means there must be no sub-policies that deny a write.

func (*ChainedAuthorizer) KeyringRead added in v1.7.0

KeyringRead determines if the encryption keyring used in the gossip layer can be read.

func (*ChainedAuthorizer) KeyringWrite added in v1.7.0

KeyringWrite determines if the keyring can be manipulated

func (*ChainedAuthorizer) NodeRead added in v1.7.0

NodeRead checks for permission to read (discover) a given node.

func (*ChainedAuthorizer) NodeWrite added in v1.7.0

NodeWrite checks for permission to create or update (register) a given node.

func (*ChainedAuthorizer) OperatorRead added in v1.7.0

OperatorRead determines if the read-only Consul operator functions can be used.

func (*ChainedAuthorizer) OperatorWrite added in v1.7.0

OperatorWrite determines if the state-changing Consul operator functions can be used.

func (*ChainedAuthorizer) PreparedQueryRead added in v1.7.0

func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision

PreparedQueryRead determines if a specific prepared query can be read to show its contents (this is not used for execution).

func (*ChainedAuthorizer) PreparedQueryWrite added in v1.7.0

func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision

PreparedQueryWrite determines if a specific prepared query can be created, modified, or deleted.

func (*ChainedAuthorizer) ServiceRead added in v1.7.0

ServiceRead checks for permission to read a given service

func (*ChainedAuthorizer) ServiceWrite added in v1.7.0

ServiceWrite checks for permission to create or update a given service

func (*ChainedAuthorizer) SessionRead added in v1.7.0

SessionRead checks for permission to read sessions for a given node.

func (*ChainedAuthorizer) SessionWrite added in v1.7.0

SessionWrite checks for permission to create sessions for a given node.

func (*ChainedAuthorizer) Snapshot added in v1.7.0

Snapshot checks for permission to take and restore snapshots.

type EnforcementDecision added in v1.7.0

// EnforcementDecision is the result of a single Authorizer check. Its zero
// value is Deny, so an uninitialised or zero-valued decision fails closed
// rather than granting access. Enforce maps a (Resource, segment, access)
// triple onto the matching Authorizer method and returns one of these.
type EnforcementDecision int
const (
	// Deny returned from an Authorizer enforcement method indicates
	// that a corresponding rule was found and that access should be denied
	Deny EnforcementDecision = iota // zero value
	// Allow returned from an Authorizer enforcement method indicates
	// that a corresponding rule was found and that access should be allowed
	Allow
	// Default returned from an Authorizer enforcement method indicates
	// that a corresponding rule was not found and that whether access
	// should be granted or denied should be deferred to the default
	// access level
	Default
)

func Enforce added in v1.7.0

func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *EnterpriseAuthorizerContext) (EnforcementDecision, error)

func (EnforcementDecision) String added in v1.7.0

func (d EnforcementDecision) String() string

type EnterpriseACLConfig

// EnterpriseACLConfig is a stub in this build: it carries no fields and its
// Close method is a no-op placeholder for the enterprise implementation.
type EnterpriseACLConfig struct{}

EnterpriseACLConfig stub

func (*EnterpriseACLConfig) Close

func (_ *EnterpriseACLConfig) Close()

type EnterpriseAuthorizer

// EnterpriseAuthorizer is the stub of the enterprise-only enforcement
// interface embedded in Authorizer; in this build it has no methods, so any
// type implementing the open-source methods satisfies Authorizer.
type EnterpriseAuthorizer interface{}

EnterpriseAuthorizer stub interface

type EnterpriseAuthorizerContext

// EnterpriseAuthorizerContext is the stub context passed to every
// Authorizer method; it has no fields in this build.
type EnterpriseAuthorizerContext struct{}

EnterpriseAuthorizerContext stub

type EnterprisePolicyMeta added in v1.7.0

// EnterprisePolicyMeta is a stub for enterprise-only policy metadata; it is
// accepted by NewPolicyFromSource and has no fields in this build.
type EnterprisePolicyMeta struct{}

EnterprisePolicyMeta stub

type EnterprisePolicyRules added in v1.7.0

// EnterprisePolicyRules is a stub for enterprise-only rule sections; it is
// squashed into Policy and has no fields in this build.
type EnterprisePolicyRules struct{}

EnterprisePolicyRules stub

func (*EnterprisePolicyRules) Validate added in v1.7.0

type EnterpriseRule added in v1.7.0

// EnterpriseRule is a stub for enterprise-only per-rule attributes; it is
// squashed into KeyRule, NodeRule and ServiceRule and has no fields in this
// build.
type EnterpriseRule struct{}

EnterpriseRule stub

func (*EnterpriseRule) Validate added in v1.7.0

type EventRule added in v1.7.0

// EventRule represents a user event rule, decoded from HCL with the event
// name as the block key.
type EventRule struct {
	Event  string `hcl:",key"` // event name, or name prefix for event_prefix rules
	Policy string              // access level name, e.g. PolicyRead / PolicyWrite
}

EventRule represents a user event rule.

type KeyRule added in v1.7.0

// KeyRule represents a rule for a key in the KV store, decoded from HCL with
// the key (or key prefix) as the block key.
type KeyRule struct {
	Prefix string `hcl:",key"` // key, or key prefix for key_prefix rules
	Policy string              // access level name; PolicyList is meaningful here

	// Enterprise-only attributes, flattened into this struct when decoding.
	EnterpriseRule `hcl:",squash"`
}

KeyRule represents a rule for a key

type NodeRule added in v1.7.0

// NodeRule represents a rule for a node, decoded from HCL with the node name
// as the block key.
type NodeRule struct {
	Name   string `hcl:",key"` // node name, or name prefix for node_prefix rules
	Policy string              // access level name, e.g. PolicyRead / PolicyWrite

	// Enterprise-only attributes, flattened into this struct when decoding.
	EnterpriseRule `hcl:",squash"`
}

NodeRule represents a rule for a node

type PermissionDeniedError added in v0.9.3

// PermissionDeniedError is the error type behind ErrPermissionDenied. It is
// a comparable struct value, so two instances are == only when their Cause
// strings match; callers should use IsErrPermissionDenied rather than
// comparing against ErrPermissionDenied directly.
type PermissionDeniedError struct {
	Cause string // optional explanation; empty in the ErrPermissionDenied sentinel
}

func (PermissionDeniedError) Error added in v0.9.3

func (e PermissionDeniedError) Error() string

type Policy

// Policy is used to represent the policy specified by an ACL configuration.
// It is the parsed form produced by NewPolicyFromSource and consumed by
// NewPolicyAuthorizer / MergePolicies. The rule sections are embedded and
// squashed, so their fields decode as if declared directly on Policy.
type Policy struct {
	ID                    string `hcl:"id"`
	Revision              uint64 `hcl:"revision"`
	PolicyRules           `hcl:",squash"` // open-source rule sections
	EnterprisePolicyRules `hcl:",squash"` // enterprise stub in this build
}

Policy is used to represent the policy specified by an ACL configuration.

func MergePolicies added in v1.4.0

func MergePolicies(policies []*Policy) *Policy

func NewPolicyFromSource added in v1.4.0

func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, conf *EnterpriseACLConfig, meta *EnterprisePolicyMeta) (*Policy, error)

NewPolicyFromSource is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL

func (*Policy) ConvertFromLegacy added in v1.4.0

func (policy *Policy) ConvertFromLegacy() *Policy

func (*Policy) ConvertToLegacy added in v1.4.0

func (policy *Policy) ConvertToLegacy() *Policy

type PolicyMerger added in v1.7.0

// PolicyMerger accumulates policies via Merge and emits the combined result
// from Policy. Construct it with NewPolicyMerger; how conflicting rules for
// the same prefix are resolved is decided by Merge and is not visible here.
type PolicyMerger struct {
	// contains filtered or unexported fields
}

func NewPolicyMerger added in v1.7.0

func NewPolicyMerger() *PolicyMerger

func (*PolicyMerger) Merge added in v1.7.0

func (m *PolicyMerger) Merge(policy *Policy)

func (*PolicyMerger) Policy added in v1.7.0

func (m *PolicyMerger) Policy() *Policy

Policy outputs the merged policy

type PolicyRules added in v1.7.0

// PolicyRules holds the open-source rule sections of a Policy as decoded
// from HCL. Exact-match rules (agent, key, node, ...) and prefix rules
// (agent_prefix, key_prefix, ...) are kept in separate slices. The string
// fields ACL, Keyring and Operator hold an access level name (PolicyRead,
// PolicyWrite, ...) rather than a list of rules. Validate is expected to
// reject unknown policy values — see its definition for what it checks.
type PolicyRules struct {
	ACL                   string               `hcl:"acl,expand"`
	Agents                []*AgentRule         `hcl:"agent,expand"`
	AgentPrefixes         []*AgentRule         `hcl:"agent_prefix,expand"`
	Keys                  []*KeyRule           `hcl:"key,expand"`
	KeyPrefixes           []*KeyRule           `hcl:"key_prefix,expand"`
	Nodes                 []*NodeRule          `hcl:"node,expand"`
	NodePrefixes          []*NodeRule          `hcl:"node_prefix,expand"`
	Services              []*ServiceRule       `hcl:"service,expand"`
	ServicePrefixes       []*ServiceRule       `hcl:"service_prefix,expand"`
	Sessions              []*SessionRule       `hcl:"session,expand"`
	SessionPrefixes       []*SessionRule       `hcl:"session_prefix,expand"`
	Events                []*EventRule         `hcl:"event,expand"`
	EventPrefixes         []*EventRule         `hcl:"event_prefix,expand"`
	PreparedQueries       []*PreparedQueryRule `hcl:"query,expand"`
	PreparedQueryPrefixes []*PreparedQueryRule `hcl:"query_prefix,expand"`
	Keyring               string               `hcl:"keyring"`
	Operator              string               `hcl:"operator"`
}

func (*PolicyRules) Validate added in v1.7.0

func (pr *PolicyRules) Validate(conf *EnterpriseACLConfig) error

type PreparedQueryRule added in v1.7.0

// PreparedQueryRule represents a prepared query rule, decoded from HCL with
// the query name (or prefix) as the block key.
type PreparedQueryRule struct {
	Prefix string `hcl:",key"` // query name, or name prefix for query_prefix rules
	Policy string              // access level name, e.g. PolicyRead / PolicyWrite
}

PreparedQueryRule represents a prepared query rule.

type Resource added in v1.7.0

// Resource names a category of protected object. Enforce takes a Resource
// together with a segment and an access string and dispatches to the
// matching Authorizer method, so these string values are the public
// vocabulary for generic enforcement.
type Resource string
const (
	ResourceACL       Resource = "acl"
	ResourceAgent     Resource = "agent"
	ResourceEvent     Resource = "event"
	ResourceIntention Resource = "intention"
	ResourceKey       Resource = "key"
	ResourceKeyring   Resource = "keyring"
	ResourceNode      Resource = "node"
	ResourceOperator  Resource = "operator"
	ResourceQuery     Resource = "query"
	ResourceService   Resource = "service"
	ResourceSession   Resource = "session"
)

type ServiceRule added in v1.7.0

// ServiceRule represents a policy for a service, decoded from HCL with the
// service name as the block key.
type ServiceRule struct {
	Name   string `hcl:",key"` // service name, or name prefix for service_prefix rules
	Policy string              // access level name, e.g. PolicyRead / PolicyWrite

	// Intentions is the policy for intentions where this service is the
	// destination. This may be empty, in which case the Policy determines
	// the intentions policy.
	Intentions string

	// Enterprise-only attributes, flattened into this struct when decoding.
	EnterpriseRule `hcl:",squash"`
}

ServiceRule represents a policy for a service

type SessionRule added in v1.7.0

// SessionRule represents a rule for making sessions tied to specific node
// name prefixes, decoded from HCL with the node name as the block key.
type SessionRule struct {
	Node   string `hcl:",key"` // node name, or name prefix for session_prefix rules
	Policy string              // access level name, e.g. PolicyRead / PolicyWrite
}

SessionRule represents a rule for making sessions tied to specific node name prefixes.

type StaticAuthorizer added in v1.4.0

// StaticAuthorizer is used to implement a base ACL policy. It either allows
// or denies all requests, regardless of the resource or name being checked,
// and so is typically used as the last element of a chain or as the
// defaultAuthz passed to NewPolicyAuthorizerWithDefaults.
type StaticAuthorizer struct {
	// contains filtered or unexported fields
}

StaticAuthorizer is used to implement a base ACL policy. It either allows or denies all requests. This can be used as a parent ACL to act in a blacklist or whitelist mode.

func (*StaticAuthorizer) ACLRead added in v1.4.0

func (*StaticAuthorizer) ACLWrite added in v1.4.0

func (*StaticAuthorizer) AgentRead added in v1.4.0

func (*StaticAuthorizer) AgentWrite added in v1.4.0

func (*StaticAuthorizer) EventRead added in v1.4.0

func (*StaticAuthorizer) EventWrite added in v1.4.0

func (*StaticAuthorizer) IntentionDefaultAllow added in v1.4.0

func (*StaticAuthorizer) IntentionRead added in v1.4.0

func (*StaticAuthorizer) IntentionWrite added in v1.4.0

func (*StaticAuthorizer) KeyList added in v1.4.0

func (*StaticAuthorizer) KeyRead added in v1.4.0

func (*StaticAuthorizer) KeyWrite added in v1.4.0

func (*StaticAuthorizer) KeyWritePrefix added in v1.4.0

func (*StaticAuthorizer) KeyringRead added in v1.4.0

func (*StaticAuthorizer) KeyringWrite added in v1.4.0

func (*StaticAuthorizer) NodeRead added in v1.4.0

func (*StaticAuthorizer) NodeWrite added in v1.4.0

func (*StaticAuthorizer) OperatorRead added in v1.4.0

func (*StaticAuthorizer) OperatorWrite added in v1.4.0

func (*StaticAuthorizer) PreparedQueryRead added in v1.4.0

func (*StaticAuthorizer) PreparedQueryWrite added in v1.4.0

func (*StaticAuthorizer) ServiceRead added in v1.4.0

func (*StaticAuthorizer) ServiceWrite added in v1.4.0

func (*StaticAuthorizer) SessionRead added in v1.4.0

func (*StaticAuthorizer) SessionWrite added in v1.4.0

func (*StaticAuthorizer) Snapshot added in v1.4.0

type SyntaxVersion added in v1.4.0

// SyntaxVersion selects which ACL rule syntax NewPolicyFromSource parses.
// The zero value is SyntaxCurrent; SyntaxLegacy is for rules written in the
// pre-1.4 format (see TranslateLegacyRules and Policy.ConvertFromLegacy).
type SyntaxVersion int
const (
	SyntaxCurrent SyntaxVersion = iota // zero value
	SyntaxLegacy
)
