acl

package
v0.12.0-rc1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 7, 2020 License: MPL-2.0 Imports: 7 Imported by: 145

Documentation

Index

Constants

View Source
const (
	// The following levels are the only valid values for the `policy = "read"` stanza.
	// When policies are merged together, the most privilege is granted, except for deny
	// which always takes precedence and supersedes.
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyList  = "list"
	PolicyWrite = "write"
	PolicyScale = "scale"
)
View Source
const (
	NamespaceCapabilityDeny                = "deny"
	NamespaceCapabilityListJobs            = "list-jobs"
	NamespaceCapabilityReadJob             = "read-job"
	NamespaceCapabilitySubmitJob           = "submit-job"
	NamespaceCapabilityDispatchJob         = "dispatch-job"
	NamespaceCapabilityReadLogs            = "read-logs"
	NamespaceCapabilityReadFS              = "read-fs"
	NamespaceCapabilityAllocExec           = "alloc-exec"
	NamespaceCapabilityAllocNodeExec       = "alloc-node-exec"
	NamespaceCapabilityAllocLifecycle      = "alloc-lifecycle"
	NamespaceCapabilitySentinelOverride    = "sentinel-override"
	NamespaceCapabilityCSIRegisterPlugin   = "csi-register-plugin"
	NamespaceCapabilityCSIWriteVolume      = "csi-write-volume"
	NamespaceCapabilityCSIReadVolume       = "csi-read-volume"
	NamespaceCapabilityCSIListVolume       = "csi-list-volume"
	NamespaceCapabilityCSIMountVolume      = "csi-mount-volume"
	NamespaceCapabilityListScalingPolicies = "list-scaling-policies"
	NamespaceCapabilityReadScalingPolicy   = "read-scaling-policy"
	NamespaceCapabilityReadJobScaling      = "read-job-scaling"
	NamespaceCapabilityScaleJob            = "scale-job"
)
View Source
const (
	HostVolumeCapabilityDeny           = "deny"
	HostVolumeCapabilityMountReadOnly  = "mount-readonly"
	HostVolumeCapabilityMountReadWrite = "mount-readwrite"
)

Variables

This section is empty.

Functions

func NamespaceValidator added in v0.9.6

func NamespaceValidator(ops ...string) func(*ACL, string) bool

NamespaceValidator returns a func that wraps ACL.AllowNamespaceOperation in a list of operations. Returns true (allowed) if acls are disabled or if *any* capabilities match.

Types

type ACL

type ACL struct {
	// contains filtered or unexported fields
}

ACL object is used to convert a set of policies into a structure that can be efficiently evaluated to determine if an action is allowed.

var ManagementACL *ACL

ManagementACL is a singleton used for management tokens

func NewACL

func NewACL(management bool, policies []*Policy) (*ACL, error)

NewACL compiles a set of policies into an ACL object

func (*ACL) AllowAgentRead

func (a *ACL) AllowAgentRead() bool

AllowAgentRead checks if read operations are allowed for an agent

func (*ACL) AllowAgentWrite

func (a *ACL) AllowAgentWrite() bool

AllowAgentWrite checks if write operations are allowed for an agent

func (*ACL) AllowHostVolume added in v0.10.0

func (a *ACL) AllowHostVolume(ns string) bool

AllowHostVolume checks if any operations are allowed for a HostVolume

func (*ACL) AllowHostVolumeOperation added in v0.10.0

func (a *ACL) AllowHostVolumeOperation(hv string, op string) bool

AllowHostVolumeOperation checks if a given operation is allowed for a host volume

func (*ACL) AllowNamespace

func (a *ACL) AllowNamespace(ns string) bool

AllowNamespace checks if any operations are allowed for a namespace

func (*ACL) AllowNamespaceOperation

func (a *ACL) AllowNamespaceOperation(ns string, op string) bool

AllowNamespaceOperation checks if a given operation is allowed for a namespace

func (*ACL) AllowNodeRead

func (a *ACL) AllowNodeRead() bool

AllowNodeRead checks if read operations are allowed for a node

func (*ACL) AllowNodeWrite

func (a *ACL) AllowNodeWrite() bool

AllowNodeWrite checks if write operations are allowed for a node

func (*ACL) AllowNsOp

func (a *ACL) AllowNsOp(ns string, op string) bool

AllowNsOp is shorthand for AllowNamespaceOperation

func (*ACL) AllowOperatorRead

func (a *ACL) AllowOperatorRead() bool

AllowOperatorRead checks if read operations are allowed for a operator

func (*ACL) AllowOperatorWrite

func (a *ACL) AllowOperatorWrite() bool

AllowOperatorWrite checks if write operations are allowed for a operator

func (*ACL) AllowPluginList added in v0.11.0

func (a *ACL) AllowPluginList() bool

AllowPluginList checks if list operations are allowed for all plugins

func (*ACL) AllowPluginRead added in v0.11.0

func (a *ACL) AllowPluginRead() bool

AllowPluginRead checks if read operations are allowed for all plugins

func (*ACL) AllowQuotaRead

func (a *ACL) AllowQuotaRead() bool

AllowQuotaRead checks if read operations are allowed for all quotas

func (*ACL) AllowQuotaWrite

func (a *ACL) AllowQuotaWrite() bool

AllowQuotaWrite checks if write operations are allowed for quotas

func (*ACL) IsManagement

func (a *ACL) IsManagement() bool

IsManagement checks if this represents a management token

type AgentPolicy

type AgentPolicy struct {
	Policy string
}

type HostVolumePolicy added in v0.10.0

type HostVolumePolicy struct {
	Name         string `hcl:",key"`
	Policy       string
	Capabilities []string
}

HostVolumePolicy is the policy for a specific named host volume

type NamespacePolicy

type NamespacePolicy struct {
	Name         string `hcl:",key"`
	Policy       string
	Capabilities []string
}

NamespacePolicy is the policy for a specific namespace

type NodePolicy

type NodePolicy struct {
	Policy string
}

type OperatorPolicy

type OperatorPolicy struct {
	Policy string
}

type PluginPolicy added in v0.11.0

type PluginPolicy struct {
	Policy string
}

type Policy

type Policy struct {
	Namespaces  []*NamespacePolicy  `hcl:"namespace,expand"`
	HostVolumes []*HostVolumePolicy `hcl:"host_volume,expand"`
	Agent       *AgentPolicy        `hcl:"agent"`
	Node        *NodePolicy         `hcl:"node"`
	Operator    *OperatorPolicy     `hcl:"operator"`
	Quota       *QuotaPolicy        `hcl:"quota"`
	Plugin      *PluginPolicy       `hcl:"plugin"`
	Raw         string              `hcl:"-"`
}

Policy represents a parsed HCL or JSON policy.

func Parse

func Parse(rules string) (*Policy, error)

Parse is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL

func (*Policy) IsEmpty

func (p *Policy) IsEmpty() bool

IsEmpty checks to make sure that at least one policy has been set and is not comprised of only a raw policy.

type QuotaPolicy

type QuotaPolicy struct {
	Policy string
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL