acl

package

v0.11.0-rc1 Latest Latest Go to latest Published: Apr 7, 2020 License: MPL-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/janma/nomad

Documentation ¶

Index ¶

Constants
func NamespaceValidator(ops ...string) func(*ACL, string) bool
type ACL
- func NewACL(management bool, policies []*Policy) (*ACL, error)
type AgentPolicy
type HostVolumePolicy
type NamespacePolicy
type NodePolicy
type OperatorPolicy
type PluginPolicy
type Policy
- func Parse(rules string) (*Policy, error)
- func (p *Policy) IsEmpty() bool
type QuotaPolicy

Constants ¶

View Source

const (
	// The following levels are the only valid values for the `policy = "read"` stanza.
	// When policies are merged together, the most privilege is granted, except for deny
	// which always takes precedence and supercedes.
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyList  = "list"
	PolicyWrite = "write"
	PolicyScale = "scale"
)

View Source

const (
	NamespaceCapabilityDeny                = "deny"
	NamespaceCapabilityListJobs            = "list-jobs"
	NamespaceCapabilityReadJob             = "read-job"
	NamespaceCapabilitySubmitJob           = "submit-job"
	NamespaceCapabilityDispatchJob         = "dispatch-job"
	NamespaceCapabilityReadLogs            = "read-logs"
	NamespaceCapabilityReadFS              = "read-fs"
	NamespaceCapabilityAllocExec           = "alloc-exec"
	NamespaceCapabilityAllocNodeExec       = "alloc-node-exec"
	NamespaceCapabilityAllocLifecycle      = "alloc-lifecycle"
	NamespaceCapabilitySentinelOverride    = "sentinel-override"
	NamespaceCapabilityCSIRegisterPlugin   = "csi-register-plugin"
	NamespaceCapabilityCSIWriteVolume      = "csi-write-volume"
	NamespaceCapabilityCSIReadVolume       = "csi-read-volume"
	NamespaceCapabilityCSIListVolume       = "csi-list-volume"
	NamespaceCapabilityCSIMountVolume      = "csi-mount-volume"
	NamespaceCapabilityListScalingPolicies = "list-scaling-policies"
	NamespaceCapabilityReadScalingPolicy   = "read-scaling-policy"
	NamespaceCapabilityReadJobScaling      = "read-job-scaling"
	NamespaceCapabilityScaleJob            = "scale-job"
)

View Source

const (
	HostVolumeCapabilityDeny           = "deny"
	HostVolumeCapabilityMountReadOnly  = "mount-readonly"
	HostVolumeCapabilityMountReadWrite = "mount-readwrite"
)

Variables ¶

This section is empty.

Functions ¶

func NamespaceValidator ¶ added in v0.9.6

func NamespaceValidator(ops ...string) func(*ACL, string) bool

NamespaceValidator returns a func that wraps ACL.AllowNamespaceOperation in a list of operations. Returns true (allowed) if acls are disabled or if *any* capabilities match.

Types ¶

type ACL ¶

type ACL struct {
	// contains filtered or unexported fields
}

ACL object is used to convert a set of policies into a structure that can be efficiently evaluated to determine if an action is allowed.

var ManagementACL *ACL

ManagementACL is a singleton used for management tokens

func NewACL ¶

func NewACL(management bool, policies []*Policy) (*ACL, error)

NewACL compiles a set of policies into an ACL object

func (*ACL) AllowAgentRead ¶

func (a *ACL) AllowAgentRead() bool

AllowAgentRead checks if read operations are allowed for an agent

func (*ACL) AllowAgentWrite ¶

func (a *ACL) AllowAgentWrite() bool

AllowAgentWrite checks if write operations are allowed for an agent

func (*ACL) AllowHostVolume ¶ added in v0.10.0

func (a *ACL) AllowHostVolume(ns string) bool

AllowHostVolume checks if any operations are allowed for a HostVolume

func (*ACL) AllowHostVolumeOperation ¶ added in v0.10.0

func (a *ACL) AllowHostVolumeOperation(hv string, op string) bool

AllowHostVolumeOperation checks if a given operation is allowed for a host volume

func (*ACL) AllowNamespace ¶

func (a *ACL) AllowNamespace(ns string) bool

AllowNamespace checks if any operations are allowed for a namespace

func (*ACL) AllowNamespaceOperation ¶

func (a *ACL) AllowNamespaceOperation(ns string, op string) bool

AllowNamespaceOperation checks if a given operation is allowed for a namespace

func (*ACL) AllowNodeRead ¶

func (a *ACL) AllowNodeRead() bool

AllowNodeRead checks if read operations are allowed for a node

func (*ACL) AllowNodeWrite ¶

func (a *ACL) AllowNodeWrite() bool

AllowNodeWrite checks if write operations are allowed for a node

func (*ACL) AllowNsOp ¶

func (a *ACL) AllowNsOp(ns string, op string) bool

AllowNsOp is shorthand for AllowNamespaceOperation

func (*ACL) AllowOperatorRead ¶

func (a *ACL) AllowOperatorRead() bool

AllowOperatorRead checks if read operations are allowed for a operator

func (*ACL) AllowOperatorWrite ¶

func (a *ACL) AllowOperatorWrite() bool

AllowOperatorWrite checks if write operations are allowed for a operator

func (*ACL) AllowPluginList ¶ added in v0.11.0

func (a *ACL) AllowPluginList() bool

AllowPluginList checks if list operations are allowed for all plugins

func (*ACL) AllowPluginRead ¶ added in v0.11.0

func (a *ACL) AllowPluginRead() bool

AllowPluginRead checks if read operations are allowed for all plugins

func (*ACL) AllowQuotaRead ¶

func (a *ACL) AllowQuotaRead() bool

AllowQuotaRead checks if read operations are allowed for all quotas

func (*ACL) AllowQuotaWrite ¶

func (a *ACL) AllowQuotaWrite() bool

AllowQuotaWrite checks if write operations are allowed for quotas

func (*ACL) IsManagement ¶

func (a *ACL) IsManagement() bool

IsManagement checks if this represents a management token

type AgentPolicy ¶

type AgentPolicy struct {
	Policy string
}

type HostVolumePolicy ¶ added in v0.10.0

type HostVolumePolicy struct {
	Name         string `hcl:",key"`
	Policy       string
	Capabilities []string
}

HostVolumePolicy is the policy for a specific named host volume

type NamespacePolicy ¶

type NamespacePolicy struct {
	Name         string `hcl:",key"`
	Policy       string
	Capabilities []string
}

NamespacePolicy is the policy for a specific namespace

type NodePolicy ¶

type NodePolicy struct {
	Policy string
}

type OperatorPolicy ¶

type OperatorPolicy struct {
	Policy string
}

type PluginPolicy ¶ added in v0.11.0

type PluginPolicy struct {
	Policy string
}

type Policy ¶

type Policy struct {
	Namespaces  []*NamespacePolicy  `hcl:"namespace,expand"`
	HostVolumes []*HostVolumePolicy `hcl:"host_volume,expand"`
	Agent       *AgentPolicy        `hcl:"agent"`
	Node        *NodePolicy         `hcl:"node"`
	Operator    *OperatorPolicy     `hcl:"operator"`
	Quota       *QuotaPolicy        `hcl:"quota"`
	Plugin      *PluginPolicy       `hcl:"plugin"`
	Raw         string              `hcl:"-"`
}

Policy represents a parsed HCL or JSON policy.

func Parse ¶

func Parse(rules string) (*Policy, error)

Parse is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL

func (*Policy) IsEmpty ¶

func (p *Policy) IsEmpty() bool

IsEmpty checks to make sure that at least one policy has been set and is not comprised of only a raw policy.

type QuotaPolicy ¶

type QuotaPolicy struct {
	Policy string
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL