acl

package
v1.6.105 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 12, 2023 License: MPL-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// The following levels are the only valid values for the `policy = "read"` block.
	// When policies are merged together, the most privilege is granted, except for deny
	// which always takes precedence and supersedes.
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyList  = "list"
	PolicyWrite = "write"
	PolicyScale = "scale"
)
View Source
const (
	NamespaceCapabilityDeny                 = "deny"
	NamespaceCapabilityListJobs             = "list-jobs"
	NamespaceCapabilityParseJob             = "parse-job"
	NamespaceCapabilityReadJob              = "read-job"
	NamespaceCapabilitySubmitJob            = "submit-job"
	NamespaceCapabilityDispatchJob          = "dispatch-job"
	NamespaceCapabilityReadLogs             = "read-logs"
	NamespaceCapabilityReadFS               = "read-fs"
	NamespaceCapabilityAllocExec            = "alloc-exec"
	NamespaceCapabilityAllocNodeExec        = "alloc-node-exec"
	NamespaceCapabilityAllocLifecycle       = "alloc-lifecycle"
	NamespaceCapabilitySentinelOverride     = "sentinel-override"
	NamespaceCapabilityCSIRegisterPlugin    = "csi-register-plugin"
	NamespaceCapabilityCSIWriteVolume       = "csi-write-volume"
	NamespaceCapabilityCSIReadVolume        = "csi-read-volume"
	NamespaceCapabilityCSIListVolume        = "csi-list-volume"
	NamespaceCapabilityCSIMountVolume       = "csi-mount-volume"
	NamespaceCapabilityListScalingPolicies  = "list-scaling-policies"
	NamespaceCapabilityReadScalingPolicy    = "read-scaling-policy"
	NamespaceCapabilityReadJobScaling       = "read-job-scaling"
	NamespaceCapabilityScaleJob             = "scale-job"
	NamespaceCapabilitySubmitRecommendation = "submit-recommendation"
)
View Source
const (
	NodePoolCapabilityDelete = "delete"
	NodePoolCapabilityDeny   = "deny"
	NodePoolCapabilityRead   = "read"
	NodePoolCapabilityWrite  = "write"
)
View Source
const (
	HostVolumeCapabilityDeny           = "deny"
	HostVolumeCapabilityMountReadOnly  = "mount-readonly"
	HostVolumeCapabilityMountReadWrite = "mount-readwrite"
)
View Source
const (
	// The following are the fine-grained capabilities that can be
	// granted for a variables path. When capabilities are
	// combined we take the union of all capabilities.
	VariablesCapabilityList    = "list"
	VariablesCapabilityRead    = "read"
	VariablesCapabilityWrite   = "write"
	VariablesCapabilityDestroy = "destroy"
	VariablesCapabilityDeny    = "deny"
)
View Source
const AllNamespacesSentinel = "*"

Redefine this value from structs to avoid circular dependency.

Variables

This section is empty.

Functions

func NamespaceValidator added in v0.9.6

func NamespaceValidator(ops ...string) func(*ACL, string) bool

NamespaceValidator returns a func that wraps ACL.AllowNamespaceOperation in a list of operations. Returns true (allowed) if acls are disabled or if *any* capabilities match.

Types

type ACL

type ACL struct {
	// contains filtered or unexported fields
}

ACL object is used to convert a set of policies into a structure that can be efficiently evaluated to determine if an action is allowed.

var ManagementACL *ACL

ManagementACL is a singleton used for management tokens

func NewACL

func NewACL(management bool, policies []*Policy) (*ACL, error)

NewACL compiles a set of policies into an ACL object

func (*ACL) AllowAgentRead

func (a *ACL) AllowAgentRead() bool

AllowAgentRead checks if read operations are allowed for an agent

func (*ACL) AllowAgentWrite

func (a *ACL) AllowAgentWrite() bool

AllowAgentWrite checks if write operations are allowed for an agent

func (*ACL) AllowHostVolume added in v0.10.0

func (a *ACL) AllowHostVolume(ns string) bool

AllowHostVolume checks if any operations are allowed for a HostVolume

func (*ACL) AllowHostVolumeOperation added in v0.10.0

func (a *ACL) AllowHostVolumeOperation(hv string, op string) bool

AllowHostVolumeOperation checks if a given operation is allowed for a host volume

func (*ACL) AllowNamespace

func (a *ACL) AllowNamespace(ns string) bool

AllowNamespace checks if any operations are allowed for a namespace

func (*ACL) AllowNamespaceOperation

func (a *ACL) AllowNamespaceOperation(ns string, op string) bool

AllowNamespaceOperation checks if a given operation is allowed for a namespace.

func (*ACL) AllowNodePool added in v1.6.105

func (a *ACL) AllowNodePool(pool string) bool

AllowNodePool returns true if any operation is allowed for the node pool.

func (*ACL) AllowNodePoolOperation added in v1.6.105

func (a *ACL) AllowNodePoolOperation(pool string, op string) bool

AllowNodePoolOperation returns true if the given operation is allowed in the node pool specified.

func (*ACL) AllowNodePoolSearch added in v1.6.105

func (a *ACL) AllowNodePoolSearch() bool

AllowNodePoolSearch returns true if any operation is allowed in at least one node pool.

This is a very loose check and is expected that callers perform more precise verification later.

func (*ACL) AllowNodeRead

func (a *ACL) AllowNodeRead() bool

AllowNodeRead checks if read operations are allowed for a node

func (*ACL) AllowNodeWrite

func (a *ACL) AllowNodeWrite() bool

AllowNodeWrite checks if write operations are allowed for a node

func (*ACL) AllowNsOp

func (a *ACL) AllowNsOp(ns string, op string) bool

AllowNsOp is shorthand for AllowNamespaceOperation

func (*ACL) AllowNsOpFunc added in v1.6.105

func (a *ACL) AllowNsOpFunc(ops ...string) func(string) bool

AllowNsOpFunc is a helper that returns a function that can be used to check namespace permissions.

func (*ACL) AllowOperatorRead

func (a *ACL) AllowOperatorRead() bool

AllowOperatorRead checks if read operations are allowed for a operator

func (*ACL) AllowOperatorWrite

func (a *ACL) AllowOperatorWrite() bool

AllowOperatorWrite checks if write operations are allowed for a operator

func (*ACL) AllowPluginList added in v0.11.0

func (a *ACL) AllowPluginList() bool

AllowPluginList checks if list operations are allowed for all plugins

func (*ACL) AllowPluginRead added in v0.11.0

func (a *ACL) AllowPluginRead() bool

AllowPluginRead checks if read operations are allowed for all plugins

func (*ACL) AllowQuotaRead

func (a *ACL) AllowQuotaRead() bool

AllowQuotaRead checks if read operations are allowed for all quotas

func (*ACL) AllowQuotaWrite

func (a *ACL) AllowQuotaWrite() bool

AllowQuotaWrite checks if write operations are allowed for quotas

func (*ACL) AllowVariableOperation added in v1.6.105

func (a *ACL) AllowVariableOperation(ns, path, op string, claim *ACLClaim) bool

func (*ACL) AllowVariableSearch added in v1.6.105

func (a *ACL) AllowVariableSearch(ns string) bool

AllowVariableSearch is a very loose check that the token has *any* access to a variables path for the namespace, with an expectation that the actual search result will be filtered by specific paths

func (*ACL) IsManagement

func (a *ACL) IsManagement() bool

IsManagement checks if this represents a management token

type ACLClaim added in v1.6.105

type ACLClaim struct {
	Namespace string
	Job       string
	Group     string
	Task      string
}

type AgentPolicy

type AgentPolicy struct {
	Policy string
}

type HostVolumePolicy added in v0.10.0

type HostVolumePolicy struct {
	Name         string `hcl:",key"`
	Policy       string
	Capabilities []string
}

HostVolumePolicy is the policy for a specific named host volume

type NamespacePolicy

type NamespacePolicy struct {
	Name         string `hcl:",key"`
	Policy       string
	Capabilities []string
	Variables    *VariablesPolicy `hcl:"variables"`
}

NamespacePolicy is the policy for a specific namespace

type NodePolicy

type NodePolicy struct {
	Policy string
}

type NodePoolPolicy added in v1.6.105

type NodePoolPolicy struct {
	Name         string `hcl:",key"`
	Policy       string
	Capabilities []string
}

NodePoolPolicy is the policfy for a specific node pool.

type OperatorPolicy

type OperatorPolicy struct {
	Policy string
}

type PluginPolicy added in v0.11.0

type PluginPolicy struct {
	Policy string
}

type Policy

type Policy struct {
	Namespaces  []*NamespacePolicy  `hcl:"namespace,expand"`
	NodePools   []*NodePoolPolicy   `hcl:"node_pool,expand"`
	HostVolumes []*HostVolumePolicy `hcl:"host_volume,expand"`
	Agent       *AgentPolicy        `hcl:"agent"`
	Node        *NodePolicy         `hcl:"node"`
	Operator    *OperatorPolicy     `hcl:"operator"`
	Quota       *QuotaPolicy        `hcl:"quota"`
	Plugin      *PluginPolicy       `hcl:"plugin"`
	Raw         string              `hcl:"-"`
}

Policy represents a parsed HCL or JSON policy.

func Parse

func Parse(rules string) (*Policy, error)

Parse is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL

func (*Policy) IsEmpty

func (p *Policy) IsEmpty() bool

IsEmpty checks to make sure that at least one policy has been set and is not comprised of only a raw policy.

type QuotaPolicy

type QuotaPolicy struct {
	Policy string
}

type VariablesPathPolicy added in v1.6.105

type VariablesPathPolicy struct {
	PathSpec     string `hcl:",key"`
	Capabilities []string
}

type VariablesPolicy added in v1.6.105

type VariablesPolicy struct {
	Paths []*VariablesPathPolicy `hcl:"path"`
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL