Documentation ¶
Index ¶
- Constants
- Variables
- func IsErrDisabled(err error) bool
- func IsErrNotFound(err error) bool
- func IsErrPermissionDenied(err error) bool
- func IsErrRootDenied(err error) bool
- func TranslateLegacyRules(policyBytes []byte) ([]byte, error)
- type AccessLevel
- type AgentRule
- type Authorizer
- func AllowAll() Authorizer
- func DenyAll() Authorizer
- func ManageAll() Authorizer
- func NewPolicyAuthorizer(policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error)
- func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error)
- func RootAuthorizer(id string) Authorizer
- type ChainedAuthorizer
- func (c *ChainedAuthorizer) ACLRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ACLWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) AgentRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) AuthorizerChain() []Authorizer
- func (c *ChainedAuthorizer) EventRead(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) EventWrite(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyRead(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyringRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) KeyringWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) NodeRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) OperatorRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) OperatorWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) SessionRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- func (c *ChainedAuthorizer) Snapshot(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
- type EnforcementDecision
- type EnterpriseACLConfig
- type EnterpriseAuthorizer
- type EnterpriseAuthorizerContext
- type EnterprisePolicyMeta
- type EnterprisePolicyRules
- type EnterpriseRule
- type EventRule
- type KeyRule
- type NodeRule
- type PermissionDeniedError
- type Policy
- type PolicyMerger
- type PolicyRules
- type PreparedQueryRule
- type Resource
- type ServiceRule
- type SessionRule
- type StaticAuthorizer
- func (s *StaticAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
- func (s *StaticAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementDecision
- type SyntaxVersion
Constants ¶
// String forms of the policy levels that appear in ACL rule text.
// These are the values a rule's Policy field (e.g. KeyRule.Policy,
// NodeRule.Policy) and the PolicyRules.ACL/Keyring/Operator fields are
// presumably expected to hold — confirm against PolicyRules.Validate.
// Their parsed counterpart is AccessLevel (see AccessLevelFromString).
const (
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyList  = "list"
	PolicyWrite = "write"
)
Variables ¶
var (
	// ErrNotFound indicates there is no matching ACL.
	ErrNotFound = errors.New(errNotFound)

	// ErrRootDenied is returned when attempting to resolve a root ACL.
	ErrRootDenied = errors.New(errRootDenied)

	// ErrDisabled is returned when ACL changes are not permitted since
	// they are disabled.
	ErrDisabled = errors.New(errDisabled)

	// ErrPermissionDenied is returned when an ACL based rejection
	// happens. It is a PermissionDeniedError value with an empty Cause,
	// so a PermissionDeniedError that carries a Cause is not == to this
	// sentinel; use IsErrPermissionDenied rather than a direct comparison.
	ErrPermissionDenied = PermissionDeniedError{}

	// ErrInvalidParent is returned when a remotely resolved ACL
	// token claims to have a non-root parent.
	ErrInvalidParent = errors.New(errInvalidParent)
)
Functions ¶
func IsErrDisabled ¶ added in v0.9.3
IsErrDisabled checks if the given error message is comparable to ErrDisabled.
func IsErrNotFound ¶ added in v0.9.3
IsErrNotFound checks if the given error message is comparable to ErrNotFound.
func IsErrPermissionDenied ¶ added in v0.9.3
IsErrPermissionDenied checks if the given error message is comparable to ErrPermissionDenied.
func IsErrRootDenied ¶ added in v0.9.3
IsErrRootDenied checks if the given error message is comparable to ErrRootDenied.
func TranslateLegacyRules ¶ added in v1.4.0
Types ¶
type AccessLevel ¶ added in v1.7.0
// AccessLevel is the parsed, ordered form of a policy string.
type AccessLevel int

// AccessLevel values, in increasing order of privilege. The zero value is
// AccessUnknown rather than AccessDeny, so an uninitialized or unparsed
// level must be treated as "no decision", never as an implicit deny or
// allow; AccessLevelFromString is the supported way to obtain one.
const (
	AccessUnknown AccessLevel = iota
	AccessDeny
	AccessRead
	AccessList
	AccessWrite
)
func AccessLevelFromString ¶ added in v1.7.0
func AccessLevelFromString(level string) (AccessLevel, error)
func (AccessLevel) String ¶ added in v1.7.0
func (l AccessLevel) String() string
type AgentRule ¶ added in v1.7.0
AgentRule represents a rule for working with agent endpoints on nodes with specific name prefixes.
type Authorizer ¶ added in v1.4.0
// Authorizer is the interface for policy enforcement. Every method returns
// an EnforcementDecision: Allow or Deny when a matching rule exists, and
// Default when no rule matched, which lets a ChainedAuthorizer defer to the
// next Authorizer in its chain. Implementations that have no rule for a
// resource should return Default, not Allow, so the caller's configured
// default access level applies.
type Authorizer interface {
	// ACLRead checks for permission to list all the ACLs
	ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision

	// ACLWrite checks for permission to manipulate ACLs
	ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision

	// AgentRead checks for permission to read from agent endpoints for a
	// given node.
	AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// AgentWrite checks for permission to make changes via agent endpoints
	// for a given node.
	AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// EventRead determines if a specific event can be queried.
	EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// EventWrite determines if a specific event may be fired.
	EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// IntentionDefaultAllow determines the default authorized behavior
	// when no intentions match a Connect request.
	IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision

	// IntentionRead determines if a specific intention can be read.
	IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// IntentionWrite determines if a specific intention can be
	// created, modified, or deleted.
	IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// KeyList checks for permission to list keys under a prefix
	KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// KeyRead checks for permission to read a given key
	KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// KeyWrite checks for permission to write a given key
	KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// KeyWritePrefix checks for permission to write to an
	// entire key prefix. This means there must be no sub-policies
	// that deny a write.
	KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// KeyringRead determines if the encryption keyring used in
	// the gossip layer can be read.
	KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision

	// KeyringWrite determines if the keyring can be manipulated
	KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision

	// NodeRead checks for permission to read (discover) a given node.
	NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// NodeWrite checks for permission to create or update (register) a
	// given node.
	NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// OperatorRead determines if the read-only Consul operator functions
	// can be used.
	OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision

	// OperatorWrite determines if the state-changing Consul operator
	// functions can be used.
	OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision

	// PreparedQueryRead determines if a specific prepared query can be read
	// to show its contents (this is not used for execution).
	PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// PreparedQueryWrite determines if a specific prepared query can be
	// created, modified, or deleted.
	PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// ServiceRead checks for permission to read a given service
	ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// ServiceWrite checks for permission to create or update a given
	// service
	ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// SessionRead checks for permission to read sessions for a given node.
	SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// SessionWrite checks for permission to create sessions for a given
	// node.
	SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision

	// Snapshot checks for permission to take and restore snapshots.
	// Note that a snapshot contains the full state store, so this is a
	// high-privilege operation on both the read and the write side.
	Snapshot(*EnterpriseAuthorizerContext) EnforcementDecision

	// Embedded Interface for Consul Enterprise specific ACL enforcement
	EnterpriseAuthorizer
}
Authorizer is the interface for policy enforcement.
func AllowAll ¶
func AllowAll() Authorizer
AllowAll returns an Authorizer that allows all operations
func ManageAll ¶
func ManageAll() Authorizer
ManageAll returns an Authorizer that can manage all resources
func NewPolicyAuthorizer ¶ added in v1.4.0
func NewPolicyAuthorizer(policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error)
NewPolicyAuthorizer merges the policies and returns an Authorizer that will enforce them
func NewPolicyAuthorizerWithDefaults ¶ added in v1.7.0
func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error)
NewPolicyAuthorizerWithDefaults actually creates a ChainedAuthorizer with the policies compiled into one Authorizer and defaultAuthz as the backup policy that is consulted when the compiled policies render no decision.
func RootAuthorizer ¶ added in v1.4.0
func RootAuthorizer(id string) Authorizer
RootAuthorizer returns a possible Authorizer if the ID matches a root policy
type ChainedAuthorizer ¶ added in v1.7.0
type ChainedAuthorizer struct {
// contains filtered or unexported fields
}
ChainedAuthorizer can combine multiple Authorizers into one. Each Authorizer in the chain is asked (in order) for an enforcement decision. The first non-Default decision that is rendered by an Authorizer in the chain will be used as the overall decision of the ChainedAuthorizer
func NewChainedAuthorizer ¶ added in v1.7.0
func NewChainedAuthorizer(chain []Authorizer) *ChainedAuthorizer
NewChainedAuthorizer creates a ChainedAuthorizer with the provided chain of Authorizers. The slice provided should be in the order of most precedent Authorizer at the beginning and least precedent Authorizer at the end.
func (*ChainedAuthorizer) ACLRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) ACLRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
ACLRead checks for permission to list all the ACLs
func (*ChainedAuthorizer) ACLWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) ACLWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
ACLWrite checks for permission to manipulate ACLs
func (*ChainedAuthorizer) AgentRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) AgentRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
AgentRead checks for permission to read from agent endpoints for a given node.
func (*ChainedAuthorizer) AgentWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
AgentWrite checks for permission to make changes via agent endpoints for a given node.
func (*ChainedAuthorizer) AuthorizerChain ¶ added in v1.7.0
func (c *ChainedAuthorizer) AuthorizerChain() []Authorizer
func (*ChainedAuthorizer) EventRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) EventRead(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
EventRead determines if a specific event can be queried.
func (*ChainedAuthorizer) EventWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) EventWrite(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
EventWrite determines if a specific event may be fired.
func (*ChainedAuthorizer) IntentionDefaultAllow ¶ added in v1.7.0
func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
IntentionDefaultAllow determines the default authorized behavior when no intentions match a Connect request.
func (*ChainedAuthorizer) IntentionRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
IntentionRead determines if a specific intention can be read.
func (*ChainedAuthorizer) IntentionWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
IntentionWrite determines if a specific intention can be created, modified, or deleted.
func (*ChainedAuthorizer) KeyList ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
KeyList checks for permission to list keys under a prefix
func (*ChainedAuthorizer) KeyRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyRead(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
KeyRead checks for permission to read a given key
func (*ChainedAuthorizer) KeyWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
KeyWrite checks for permission to write a given key
func (*ChainedAuthorizer) KeyWritePrefix ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
KeyWritePrefix checks for permission to write to an entire key prefix. This means there must be no sub-policies that deny a write.
func (*ChainedAuthorizer) KeyringRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyringRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
KeyringRead determines if the encryption keyring used in the gossip layer can be read.
func (*ChainedAuthorizer) KeyringWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) KeyringWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
KeyringWrite determines if the keyring can be manipulated
func (*ChainedAuthorizer) NodeRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) NodeRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
NodeRead checks for permission to read (discover) a given node.
func (*ChainedAuthorizer) NodeWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
NodeWrite checks for permission to create or update (register) a given node.
func (*ChainedAuthorizer) OperatorRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) OperatorRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
OperatorRead determines if the read-only Consul operator functions can be used.
func (*ChainedAuthorizer) OperatorWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) OperatorWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
OperatorWrite determines if the state-changing Consul operator functions can be used.
func (*ChainedAuthorizer) PreparedQueryRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
PreparedQueryRead determines if a specific prepared query can be read to show its contents (this is not used for execution).
func (*ChainedAuthorizer) PreparedQueryWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
PreparedQueryWrite determines if a specific prepared query can be created, modified, or deleted.
func (*ChainedAuthorizer) ServiceRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
ServiceRead checks for permission to read a given service
func (*ChainedAuthorizer) ServiceWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
ServiceWrite checks for permission to create or update a given service
func (*ChainedAuthorizer) SessionRead ¶ added in v1.7.0
func (c *ChainedAuthorizer) SessionRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
SessionRead checks for permission to read sessions for a given node.
func (*ChainedAuthorizer) SessionWrite ¶ added in v1.7.0
func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision
SessionWrite checks for permission to create sessions for a given node.
func (*ChainedAuthorizer) Snapshot ¶ added in v1.7.0
func (c *ChainedAuthorizer) Snapshot(entCtx *EnterpriseAuthorizerContext) EnforcementDecision
Snapshot checks for permission to take and restore snapshots.
type EnforcementDecision ¶ added in v1.7.0
// EnforcementDecision is the result of an Authorizer enforcement method.
// Its zero value is Deny, so a decision that is never explicitly set
// fails closed.
type EnforcementDecision int

const (
	// Deny returned from an Authorizer enforcement method indicates
	// that a corresponding rule was found and that access should be denied.
	// Deny is deliberately the zero value of EnforcementDecision.
	Deny EnforcementDecision = iota

	// Allow returned from an Authorizer enforcement method indicates
	// that a corresponding rule was found and that access should be allowed
	Allow

	// Default returned from an Authorizer enforcement method indicates
	// that a corresponding rule was not found and that whether access
	// should be granted or denied should be deferred to the default
	// access level. Callers must resolve Default before acting on it;
	// a ChainedAuthorizer passes it to the next Authorizer in the chain.
	Default
)
func Enforce ¶ added in v1.7.0
func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *EnterpriseAuthorizerContext) (EnforcementDecision, error)
func EnforceEnterprise ¶
func EnforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *EnterpriseAuthorizerContext) (bool, EnforcementDecision, error)
func (EnforcementDecision) String ¶ added in v1.7.0
func (d EnforcementDecision) String() string
type EnterpriseACLConfig ¶
// EnterpriseACLConfig is an empty stub in this build; enterprise-specific
// ACL configuration is not part of this package.
type EnterpriseACLConfig struct{}
EnterpriseACLConfig stub
func (*EnterpriseACLConfig) Close ¶
func (_ *EnterpriseACLConfig) Close()
type EnterpriseAuthorizer ¶
// EnterpriseAuthorizer is an empty stub interface that Authorizer embeds;
// it carries no methods in this build, so every type satisfies it.
type EnterpriseAuthorizer interface{}
EnterpriseAuthorizer stub interface
type EnterpriseAuthorizerContext ¶
// EnterpriseAuthorizerContext is an empty stub passed to every Authorizer
// method; it carries no data in this build, and nil is accepted by the
// StaticAuthorizer.Snapshot signature shown on this page.
type EnterpriseAuthorizerContext struct{}
EnterpriseAuthorizerContext stub
type EnterprisePolicyMeta ¶ added in v1.7.0
// EnterprisePolicyMeta is an empty stub consumed by NewPolicyFromSource.
type EnterprisePolicyMeta struct{}
EnterprisePolicyMeta stub
type EnterprisePolicyRules ¶ added in v1.7.0
// EnterprisePolicyRules is an empty stub embedded (squashed) into Policy;
// its Validate method accepts any input in this build.
type EnterprisePolicyRules struct{}
EnterprisePolicyRules stub
func (*EnterprisePolicyRules) Validate ¶ added in v1.7.0
func (r *EnterprisePolicyRules) Validate(*EnterpriseACLConfig) error
type EnterpriseRule ¶ added in v1.7.0
// EnterpriseRule is an empty stub embedded (squashed) into the per-resource
// rule types such as KeyRule, NodeRule and ServiceRule.
type EnterpriseRule struct{}
EnterpriseRule stub
func (*EnterpriseRule) Validate ¶ added in v1.7.0
func (r *EnterpriseRule) Validate(string, *EnterpriseACLConfig) error
type KeyRule ¶ added in v1.7.0
// KeyRule represents a rule for a key. The same type is used for both
// exact-match rules (PolicyRules.Keys) and prefix rules
// (PolicyRules.KeyPrefixes); whether Prefix is matched exactly or as a
// prefix is decided by which list the rule is placed in, not by the rule.
type KeyRule struct {
	// Prefix is the HCL block key: the key path (or key prefix) the rule applies to.
	Prefix string `hcl:",key"`
	// Policy is the access string; presumably one of the Policy* constants,
	// validated by PolicyRules.Validate — confirm there.
	Policy string
	EnterpriseRule `hcl:",squash"`
}
KeyRule represents a rule for a key
type NodeRule ¶ added in v1.7.0
// NodeRule represents a rule for a node. It is used for both exact-match
// rules (PolicyRules.Nodes) and prefix rules (PolicyRules.NodePrefixes).
type NodeRule struct {
	// Name is the HCL block key: the node name (or name prefix) the rule applies to.
	Name string `hcl:",key"`
	// Policy is the access string; presumably one of the Policy* constants,
	// validated by PolicyRules.Validate — confirm there.
	Policy string
	EnterpriseRule `hcl:",squash"`
}
NodeRule represents a rule for a node
type PermissionDeniedError ¶ added in v0.9.3
// PermissionDeniedError is the error type behind ErrPermissionDenied.
// Because it is a comparable value type, two instances are == only when
// their Cause strings match; use IsErrPermissionDenied to test for the
// category rather than comparing against ErrPermissionDenied directly.
type PermissionDeniedError struct {
	// Cause is an optional human-readable reason; the ErrPermissionDenied
	// sentinel leaves it empty.
	Cause string
}
func (PermissionDeniedError) Error ¶ added in v0.9.3
func (e PermissionDeniedError) Error() string
type Policy ¶
// Policy is used to represent the policy specified by an ACL configuration.
// PolicyRules and EnterprisePolicyRules are squashed, so their fields are
// parsed as if they were declared directly on Policy.
type Policy struct {
	// ID identifies the policy.
	ID string `hcl:"id"`
	// Revision is the policy version.
	Revision uint64 `hcl:"revision"`
	PolicyRules           `hcl:",squash"`
	EnterprisePolicyRules `hcl:",squash"`
}
Policy is used to represent the policy specified by an ACL configuration.
func MergePolicies ¶ added in v1.4.0
func NewPolicyFromSource ¶ added in v1.4.0
func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, conf *EnterpriseACLConfig, meta *EnterprisePolicyMeta) (*Policy, error)
NewPolicyFromSource is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL
func (*Policy) ConvertFromLegacy ¶ added in v1.4.0
func (*Policy) ConvertToLegacy ¶ added in v1.4.0
type PolicyMerger ¶ added in v1.7.0
type PolicyMerger struct {
// contains filtered or unexported fields
}
func NewPolicyMerger ¶ added in v1.7.0
func NewPolicyMerger() *PolicyMerger
func (*PolicyMerger) Merge ¶ added in v1.7.0
func (m *PolicyMerger) Merge(policy *Policy)
func (*PolicyMerger) Policy ¶ added in v1.7.0
func (m *PolicyMerger) Policy() *Policy
Policy outputs the merged policy
type PolicyRules ¶ added in v1.7.0
// PolicyRules holds the OSS rule set of a Policy. Each resource has two
// lists: the plain list (hcl key without _prefix) holds exact-match rules
// and the *Prefixes list holds prefix-match rules. Since a prefix rule
// with an empty key matches everything, a policy author should treat
// empty-prefix entries as "applies to all of this resource".
type PolicyRules struct {
	// ACL is the policy string for the ACL system itself.
	ACL string `hcl:"acl,expand"`

	Agents        []*AgentRule `hcl:"agent,expand"`
	AgentPrefixes []*AgentRule `hcl:"agent_prefix,expand"`

	Keys        []*KeyRule `hcl:"key,expand"`
	KeyPrefixes []*KeyRule `hcl:"key_prefix,expand"`

	Nodes        []*NodeRule `hcl:"node,expand"`
	NodePrefixes []*NodeRule `hcl:"node_prefix,expand"`

	Services        []*ServiceRule `hcl:"service,expand"`
	ServicePrefixes []*ServiceRule `hcl:"service_prefix,expand"`

	Sessions        []*SessionRule `hcl:"session,expand"`
	SessionPrefixes []*SessionRule `hcl:"session_prefix,expand"`

	Events        []*EventRule `hcl:"event,expand"`
	EventPrefixes []*EventRule `hcl:"event_prefix,expand"`

	PreparedQueries       []*PreparedQueryRule `hcl:"query,expand"`
	PreparedQueryPrefixes []*PreparedQueryRule `hcl:"query_prefix,expand"`

	// Keyring is the policy string for the gossip encryption keyring.
	Keyring string `hcl:"keyring"`
	// Operator is the policy string for operator endpoints.
	Operator string `hcl:"operator"`
}
func (*PolicyRules) Validate ¶ added in v1.7.0
func (pr *PolicyRules) Validate(conf *EnterpriseACLConfig) error
type PreparedQueryRule ¶ added in v1.7.0
PreparedQueryRule represents a prepared query rule.
type Resource ¶ added in v1.7.0
// Resource names the kind of object an enforcement request is about; it is
// the first selector passed to Enforce.
type Resource string

// Resource values. Each corresponds to a Read/Write (or List) pair of
// Authorizer methods; ResourceKey additionally has KeyList and
// KeyWritePrefix, and ResourceIntention has IntentionDefaultAllow.
const (
	ResourceACL       Resource = "acl"
	ResourceAgent     Resource = "agent"
	ResourceEvent     Resource = "event"
	ResourceIntention Resource = "intention"
	ResourceKey       Resource = "key"
	ResourceKeyring   Resource = "keyring"
	ResourceNode      Resource = "node"
	ResourceOperator  Resource = "operator"
	ResourceQuery     Resource = "query"
	ResourceService   Resource = "service"
	ResourceSession   Resource = "session"
)
type ServiceRule ¶ added in v1.7.0
// ServiceRule represents a policy for a service. It is used for both
// exact-match rules (PolicyRules.Services) and prefix rules
// (PolicyRules.ServicePrefixes).
type ServiceRule struct {
	// Name is the HCL block key: the service name (or name prefix).
	Name string `hcl:",key"`
	// Policy is the access string for the service itself.
	Policy string

	// Intentions is the policy for intentions where this service is the
	// destination. This may be empty, in which case the Policy determines
	// the intentions policy.
	Intentions string

	EnterpriseRule `hcl:",squash"`
}
ServiceRule represents a policy for a service
type SessionRule ¶ added in v1.7.0
SessionRule represents a rule for making sessions tied to specific node name prefixes.
type StaticAuthorizer ¶ added in v1.4.0
type StaticAuthorizer struct {
// contains filtered or unexported fields
}
StaticAuthorizer is used to implement a base ACL policy. It either allows or denies all requests. This can be used as a parent ACL to act in a blacklist or whitelist mode.
func (*StaticAuthorizer) ACLRead ¶ added in v1.4.0
func (s *StaticAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) ACLWrite ¶ added in v1.4.0
func (s *StaticAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) AgentRead ¶ added in v1.4.0
func (s *StaticAuthorizer) AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) AgentWrite ¶ added in v1.4.0
func (s *StaticAuthorizer) AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) EventRead ¶ added in v1.4.0
func (s *StaticAuthorizer) EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) EventWrite ¶ added in v1.4.0
func (s *StaticAuthorizer) EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) IntentionDefaultAllow ¶ added in v1.4.0
func (s *StaticAuthorizer) IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) IntentionRead ¶ added in v1.4.0
func (s *StaticAuthorizer) IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) IntentionWrite ¶ added in v1.4.0
func (s *StaticAuthorizer) IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) KeyList ¶ added in v1.4.0
func (s *StaticAuthorizer) KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) KeyRead ¶ added in v1.4.0
func (s *StaticAuthorizer) KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) KeyWrite ¶ added in v1.4.0
func (s *StaticAuthorizer) KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) KeyWritePrefix ¶ added in v1.4.0
func (s *StaticAuthorizer) KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) KeyringRead ¶ added in v1.4.0
func (s *StaticAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) KeyringWrite ¶ added in v1.4.0
func (s *StaticAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) NodeRead ¶ added in v1.4.0
func (s *StaticAuthorizer) NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) NodeWrite ¶ added in v1.4.0
func (s *StaticAuthorizer) NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) OperatorRead ¶ added in v1.4.0
func (s *StaticAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) OperatorWrite ¶ added in v1.4.0
func (s *StaticAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) PreparedQueryRead ¶ added in v1.4.0
func (s *StaticAuthorizer) PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) PreparedQueryWrite ¶ added in v1.4.0
func (s *StaticAuthorizer) PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) ServiceRead ¶ added in v1.4.0
func (s *StaticAuthorizer) ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) ServiceWrite ¶ added in v1.4.0
func (s *StaticAuthorizer) ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) SessionRead ¶ added in v1.4.0
func (s *StaticAuthorizer) SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) SessionWrite ¶ added in v1.4.0
func (s *StaticAuthorizer) SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
func (*StaticAuthorizer) Snapshot ¶ added in v1.4.0
func (s *StaticAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementDecision
type SyntaxVersion ¶ added in v1.4.0
// SyntaxVersion selects which rule grammar NewPolicyFromSource parses.
// The zero value is SyntaxCurrent; SyntaxLegacy must be requested
// explicitly (see TranslateLegacyRules for converting old rule text).
type SyntaxVersion int

const (
	SyntaxCurrent SyntaxVersion = iota
	SyntaxLegacy
)