acl

package
v2.13.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 1, 2022 License: Apache-2.0 Imports: 5 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	Role_name = map[int32]string{
		0: "ROLE_UNSPECIFIED",
		1: "USER",
		2: "SYSTEM",
		3: "OTHERS",
	}
	Role_value = map[string]int32{
		"ROLE_UNSPECIFIED": 0,
		"USER":             1,
		"SYSTEM":           2,
		"OTHERS":           3,
	}
)

Enum value maps for Role.

View Source 
var (
	MatchType_name = map[int32]string{
		0: "MATCH_TYPE_UNSPECIFIED",
		1: "STRING_EQUAL",
		2: "STRING_NOT_EQUAL",
	}
	MatchType_value = map[string]int32{
		"MATCH_TYPE_UNSPECIFIED": 0,
		"STRING_EQUAL":           1,
		"STRING_NOT_EQUAL":       2,
	}
)

Enum value maps for MatchType.

View Source 
var (
	Operation_name = map[int32]string{
		0: "OPERATION_UNSPECIFIED",
		1: "GET",
		2: "HEAD",
		3: "PUT",
		4: "DELETE",
		5: "SEARCH",
		6: "GETRANGE",
		7: "GETRANGEHASH",
	}
	Operation_value = map[string]int32{
		"OPERATION_UNSPECIFIED": 0,
		"GET":                   1,
		"HEAD":                  2,
		"PUT":                   3,
		"DELETE":                4,
		"SEARCH":                5,
		"GETRANGE":              6,
		"GETRANGEHASH":          7,
	}
)

Enum value maps for Operation.

View Source 
var (
	Action_name = map[int32]string{
		0: "ACTION_UNSPECIFIED",
		1: "ALLOW",
		2: "DENY",
	}
	Action_value = map[string]int32{
		"ACTION_UNSPECIFIED": 0,
		"ALLOW":              1,
		"DENY":               2,
	}
)

Enum value maps for Action.

View Source 
var (
	HeaderType_name = map[int32]string{
		0: "HEADER_UNSPECIFIED",
		1: "REQUEST",
		2: "OBJECT",
		3: "SERVICE",
	}
	HeaderType_value = map[string]int32{
		"HEADER_UNSPECIFIED": 0,
		"REQUEST":            1,
		"OBJECT":             2,
		"SERVICE":            3,
	}
)

Enum value maps for HeaderType.

View Source 
var File_acl_grpc_types_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type Action 

type Action int32

Rule execution result action. Either allows or denies access if the rule's filters match. 

const (
	// Unspecified action, default value
	Action_ACTION_UNSPECIFIED Action = 0
	// Allow action
	Action_ALLOW Action = 1
	// Deny action
	Action_DENY Action = 2
)

func (Action) Descriptor 

func (Action) Descriptor() protoreflect.EnumDescriptor

func (Action) Enum 

func (x Action) Enum() *Action

func (Action) EnumDescriptor deprecated 

func (Action) EnumDescriptor() ([]byte, []int)

Deprecated: Use Action.Descriptor instead.

func (*Action) FromString 

func (x *Action) FromString(s string) bool

FromString parses Action from a string representation, It is a reverse action to String().

Returns true if s was parsed successfully.

func (Action) Number 

func (x Action) Number() protoreflect.EnumNumber

func (Action) String 

func (x Action) String() string

func (Action) Type 

func (Action) Type() protoreflect.EnumType

type BearerToken 

type BearerToken struct {

	// Bearer Token body
	Body *BearerToken_Body `protobuf:"bytes,1,opt,name=body,proto3" json:"body,omitempty"`
	// Signature of BearerToken body
	Signature *grpc.Signature `protobuf:"bytes,2,opt,name=signature,proto3" json:"signature,omitempty"`
	// contains filtered or unexported fields
}

BearerToken allows to attach signed Extended ACL rules to the request in `RequestMetaHeader`. If container's Basic ACL rules allow, the attached rule set will be checked instead of one attached to the container itself. Just like [JWT](https://jwt.io), it has a limited lifetime and scope, hence can be used in the similar use cases, like providing authorisation to externally authenticated party.

BearerToken can be issued only by the container's owner and must be signed using the key associated with the container's `OwnerID`.

func (*BearerToken) Descriptor deprecated 

func (*BearerToken) Descriptor() ([]byte, []int)

Deprecated: Use BearerToken.ProtoReflect.Descriptor instead.

func (*BearerToken) GetBody 

func (x *BearerToken) GetBody() *BearerToken_Body

func (*BearerToken) GetSignature 

func (x *BearerToken) GetSignature() *grpc.Signature

func (*BearerToken) ProtoMessage 

func (*BearerToken) ProtoMessage()

func (*BearerToken) ProtoReflect 

func (x *BearerToken) ProtoReflect() protoreflect.Message

func (*BearerToken) Reset 

func (x *BearerToken) Reset()

func (*BearerToken) SetBody 

func (m *BearerToken) SetBody(v *BearerToken_Body)

SetBody sets bearer token body.

func (*BearerToken) SetSignature 

func (m *BearerToken) SetSignature(v *refs.Signature)

SetSignature sets bearer token signature.

func (*BearerToken) String 

func (x *BearerToken) String() string

type BearerToken_Body 

type BearerToken_Body struct {

	// Table of Extended ACL rules to use instead of the ones attached to the
	// container. If it contains `container_id` field, bearer token is only
	// valid for this specific container. Otherwise, any container of the same owner
	// is allowed.
	EaclTable *EACLTable `protobuf:"bytes,1,opt,name=eacl_table,json=eaclTable,proto3" json:"eacl_table,omitempty"`
	// `OwnerID` defines to whom the token was issued. It must match the request
	// originator's `OwnerID`. If empty, any token bearer will be accepted.
	OwnerId *grpc.OwnerID `protobuf:"bytes,2,opt,name=owner_id,json=ownerID,proto3" json:"owner_id,omitempty"`
	// Token expiration and valid time period parameters
	Lifetime *BearerToken_Body_TokenLifetime `protobuf:"bytes,3,opt,name=lifetime,proto3" json:"lifetime,omitempty"`
	// contains filtered or unexported fields
}

Bearer Token body structure contains Extended ACL table issued by the container owner with additional information preventing token abuse.

func (*BearerToken_Body) Descriptor deprecated 

func (*BearerToken_Body) Descriptor() ([]byte, []int)

Deprecated: Use BearerToken_Body.ProtoReflect.Descriptor instead.

func (*BearerToken_Body) GetEaclTable 

func (x *BearerToken_Body) GetEaclTable() *EACLTable

func (*BearerToken_Body) GetLifetime 

func (x *BearerToken_Body) GetLifetime() *BearerToken_Body_TokenLifetime

func (*BearerToken_Body) GetOwnerId 

func (x *BearerToken_Body) GetOwnerId() *grpc.OwnerID

func (*BearerToken_Body) ProtoMessage 

func (*BearerToken_Body) ProtoMessage()

func (*BearerToken_Body) ProtoReflect 

func (x *BearerToken_Body) ProtoReflect() protoreflect.Message

func (*BearerToken_Body) Reset 

func (x *BearerToken_Body) Reset()

func (*BearerToken_Body) SetEaclTable 

func (m *BearerToken_Body) SetEaclTable(v *EACLTable)

SetEaclTable sets eACL table of the bearer token.

func (*BearerToken_Body) SetLifetime 

func (m *BearerToken_Body) SetLifetime(v *BearerToken_Body_TokenLifetime)

SetLifetime sets lifetime of the bearer token.

func (*BearerToken_Body) SetOwnerId 

func (m *BearerToken_Body) SetOwnerId(v *refs.OwnerID)

SetOwnerId sets identifier of the bearer token owner.

func (*BearerToken_Body) String 

func (x *BearerToken_Body) String() string

type BearerToken_Body_TokenLifetime 

type BearerToken_Body_TokenLifetime struct {

	// Expiration Epoch
	Exp uint64 `protobuf:"varint,1,opt,name=exp,proto3" json:"exp,omitempty"`
	// Not valid before Epoch
	Nbf uint64 `protobuf:"varint,2,opt,name=nbf,proto3" json:"nbf,omitempty"`
	// Issued at Epoch
	Iat uint64 `protobuf:"varint,3,opt,name=iat,proto3" json:"iat,omitempty"`
	// contains filtered or unexported fields
}

Lifetime parameters of the token. Field names taken from [rfc7519](https://tools.ietf.org/html/rfc7519).

func (*BearerToken_Body_TokenLifetime) Descriptor deprecated 

func (*BearerToken_Body_TokenLifetime) Descriptor() ([]byte, []int)

Deprecated: Use BearerToken_Body_TokenLifetime.ProtoReflect.Descriptor instead.

func (*BearerToken_Body_TokenLifetime) GetExp 

func (x *BearerToken_Body_TokenLifetime) GetExp() uint64

func (*BearerToken_Body_TokenLifetime) GetIat 

func (x *BearerToken_Body_TokenLifetime) GetIat() uint64

func (*BearerToken_Body_TokenLifetime) GetNbf 

func (x *BearerToken_Body_TokenLifetime) GetNbf() uint64

func (*BearerToken_Body_TokenLifetime) ProtoMessage 

func (*BearerToken_Body_TokenLifetime) ProtoMessage()

func (*BearerToken_Body_TokenLifetime) ProtoReflect 

func (x *BearerToken_Body_TokenLifetime) ProtoReflect() protoreflect.Message

func (*BearerToken_Body_TokenLifetime) Reset 

func (x *BearerToken_Body_TokenLifetime) Reset()

func (*BearerToken_Body_TokenLifetime) SetExp 

func (m *BearerToken_Body_TokenLifetime) SetExp(v uint64)

SetExp sets epoch number of the token expiration.

func (*BearerToken_Body_TokenLifetime) SetIat 

func (m *BearerToken_Body_TokenLifetime) SetIat(v uint64)

SetIat sets the number of the epoch in which the token was issued.

func (*BearerToken_Body_TokenLifetime) SetNbf 

func (m *BearerToken_Body_TokenLifetime) SetNbf(v uint64)

SetNbf sets starting epoch number of the token.

func (*BearerToken_Body_TokenLifetime) String 

func (x *BearerToken_Body_TokenLifetime) String() string

type EACLRecord 

type EACLRecord struct {

	// NeoFS request Verb to match
	Operation Operation `protobuf:"varint,1,opt,name=operation,proto3,enum=neo.fs.v2.acl.Operation" json:"operation,omitempty"`
	// Rule execution result. Either allows or denies access if filters match.
	Action Action `protobuf:"varint,2,opt,name=action,proto3,enum=neo.fs.v2.acl.Action" json:"action,omitempty"`
	// List of filters to match and see if rule is applicable
	Filters []*EACLRecord_Filter `protobuf:"bytes,3,rep,name=filters,proto3" json:"filters,omitempty"`
	// List of target subjects to apply ACL rule to
	Targets []*EACLRecord_Target `protobuf:"bytes,4,rep,name=targets,proto3" json:"targets,omitempty"`
	// contains filtered or unexported fields
}

Describes a single eACL rule.

func (*EACLRecord) Descriptor deprecated 

func (*EACLRecord) Descriptor() ([]byte, []int)

Deprecated: Use EACLRecord.ProtoReflect.Descriptor instead.

func (*EACLRecord) GetAction 

func (x *EACLRecord) GetAction() Action

func (*EACLRecord) GetFilters 

func (x *EACLRecord) GetFilters() []*EACLRecord_Filter

func (*EACLRecord) GetOperation 

func (x *EACLRecord) GetOperation() Operation

func (*EACLRecord) GetTargets 

func (x *EACLRecord) GetTargets() []*EACLRecord_Target

func (*EACLRecord) ProtoMessage 

func (*EACLRecord) ProtoMessage()

func (*EACLRecord) ProtoReflect 

func (x *EACLRecord) ProtoReflect() protoreflect.Message

func (*EACLRecord) Reset 

func (x *EACLRecord) Reset()

func (*EACLRecord) SetAction 

func (m *EACLRecord) SetAction(v Action)

SetAction sets action of the eACL record.

func (*EACLRecord) SetFilters 

func (m *EACLRecord) SetFilters(v []*EACLRecord_Filter)

SetFilters sets filter list of the eACL record.

func (*EACLRecord) SetOperation 

func (m *EACLRecord) SetOperation(v Operation)

SetOperation sets operation of the eACL record.

func (*EACLRecord) SetTargets 

func (m *EACLRecord) SetTargets(v []*EACLRecord_Target)

SetTargets sets target list of the eACL record.

func (*EACLRecord) String 

func (x *EACLRecord) String() string

type EACLRecord_Filter 

type EACLRecord_Filter struct {

	// Define if Object or Request header will be used
	HeaderType HeaderType `protobuf:"varint,1,opt,name=header_type,json=headerType,proto3,enum=neo.fs.v2.acl.HeaderType" json:"header_type,omitempty"`
	// Match operation type
	MatchType MatchType `protobuf:"varint,2,opt,name=match_type,json=matchType,proto3,enum=neo.fs.v2.acl.MatchType" json:"match_type,omitempty"`
	// Name of the Header to use
	Key string `protobuf:"bytes,3,opt,name=key,proto3" json:"key,omitempty"`
	// Expected Header Value or pattern to match
	Value string `protobuf:"bytes,4,opt,name=value,proto3" json:"value,omitempty"`
	// contains filtered or unexported fields
}

Filter to check particular properties of the request or the object.

By default `key` field refers to the corresponding object's `Attribute`. Some Object's header fields can also be accessed by adding `$Object:` prefix to the name. Here is the list of fields available via this prefix:

  • $Object:version \ version
  • $Object:objectID \ object_id
  • $Object:containerID \ container_id
  • $Object:ownerID \ owner_id
  • $Object:creationEpoch \ creation_epoch
  • $Object:payloadLength \ payload_length
  • $Object:payloadHash \ payload_hash
  • $Object:objectType \ object_type
  • $Object:homomorphicHash \ homomorphic_hash

Please note, that if request or response does not have object's headers or full object (Range, RangeHash, Search, Delete), it will not be possible to filter by object header fields or user attributes. From the well-known list only `$Object:objectID` and `$Object:containerID` will be available, as it's possible to take that information from the requested address.

func (*EACLRecord_Filter) Descriptor deprecated 

func (*EACLRecord_Filter) Descriptor() ([]byte, []int)

Deprecated: Use EACLRecord_Filter.ProtoReflect.Descriptor instead.

func (*EACLRecord_Filter) GetHeaderType 

func (x *EACLRecord_Filter) GetHeaderType() HeaderType

func (*EACLRecord_Filter) GetKey 

func (x *EACLRecord_Filter) GetKey() string

func (*EACLRecord_Filter) GetMatchType 

func (x *EACLRecord_Filter) GetMatchType() MatchType

func (*EACLRecord_Filter) GetValue 

func (x *EACLRecord_Filter) GetValue() string

func (*EACLRecord_Filter) ProtoMessage 

func (*EACLRecord_Filter) ProtoMessage()

func (*EACLRecord_Filter) ProtoReflect 

func (x *EACLRecord_Filter) ProtoReflect() protoreflect.Message

func (*EACLRecord_Filter) Reset 

func (x *EACLRecord_Filter) Reset()

func (*EACLRecord_Filter) SetHeader 

func (m *EACLRecord_Filter) SetHeader(v HeaderType)

SetHeader sets header type of the eACL filter.

func (*EACLRecord_Filter) SetKey 

func (m *EACLRecord_Filter) SetKey(v string)

SetKey sets key of the eACL filter.

func (*EACLRecord_Filter) SetMatchType 

func (m *EACLRecord_Filter) SetMatchType(v MatchType)

SetMatchType sets match type of the eACL filter.

func (*EACLRecord_Filter) SetValue 

func (m *EACLRecord_Filter) SetValue(v string)

SetValue sets value of the eACL filter.

func (*EACLRecord_Filter) String 

func (x *EACLRecord_Filter) String() string

type EACLRecord_Target 

type EACLRecord_Target struct {

	// Target subject's role class
	Role Role `protobuf:"varint,1,opt,name=role,proto3,enum=neo.fs.v2.acl.Role" json:"role,omitempty"`
	// List of public keys to identify target subject
	Keys [][]byte `protobuf:"bytes,2,rep,name=keys,proto3" json:"keys,omitempty"`
	// contains filtered or unexported fields
}

Target to apply ACL rule. Can be a subject's role class or a list of public keys to match.

func (*EACLRecord_Target) Descriptor deprecated 

func (*EACLRecord_Target) Descriptor() ([]byte, []int)

Deprecated: Use EACLRecord_Target.ProtoReflect.Descriptor instead.

func (*EACLRecord_Target) GetKeys 

func (x *EACLRecord_Target) GetKeys() [][]byte

func (*EACLRecord_Target) GetRole 

func (x *EACLRecord_Target) GetRole() Role

func (*EACLRecord_Target) ProtoMessage 

func (*EACLRecord_Target) ProtoMessage()

func (*EACLRecord_Target) ProtoReflect 

func (x *EACLRecord_Target) ProtoReflect() protoreflect.Message

func (*EACLRecord_Target) Reset 

func (x *EACLRecord_Target) Reset()

func (*EACLRecord_Target) SetKeys 

func (m *EACLRecord_Target) SetKeys(v [][]byte)

SetKeys of the eACL target.

func (*EACLRecord_Target) SetRole 

func (m *EACLRecord_Target) SetRole(v Role)

SetRole sets target group of the eACL target.

func (*EACLRecord_Target) String 

func (x *EACLRecord_Target) String() string

type EACLTable 

type EACLTable struct {

	// eACL format version. Effectively, the version of API library used to create
	// eACL Table.
	Version *grpc.Version `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
	// Identifier of the container that should use given access control rules
	ContainerId *grpc.ContainerID `protobuf:"bytes,2,opt,name=container_id,json=containerID,proto3" json:"container_id,omitempty"`
	// List of Extended ACL rules
	Records []*EACLRecord `protobuf:"bytes,3,rep,name=records,proto3" json:"records,omitempty"`
	// contains filtered or unexported fields
}

Extended ACL rules table. A list of ACL rules defined additionally to Basic ACL. Extended ACL rules can be attached to a container and can be updated or may be defined in `BearerToken` structure. Please see the corresponding NeoFS Technical Specification section for detailed description.

func (*EACLTable) Descriptor deprecated 

func (*EACLTable) Descriptor() ([]byte, []int)

Deprecated: Use EACLTable.ProtoReflect.Descriptor instead.

func (*EACLTable) GetContainerId 

func (x *EACLTable) GetContainerId() *grpc.ContainerID

func (*EACLTable) GetRecords 

func (x *EACLTable) GetRecords() []*EACLRecord

func (*EACLTable) GetVersion 

func (x *EACLTable) GetVersion() *grpc.Version

func (*EACLTable) ProtoMessage 

func (*EACLTable) ProtoMessage()

func (*EACLTable) ProtoReflect 

func (x *EACLTable) ProtoReflect() protoreflect.Message

func (*EACLTable) Reset 

func (x *EACLTable) Reset()

func (*EACLTable) SetContainerId 

func (m *EACLTable) SetContainerId(v *refs.ContainerID)

SetContainerId sets container identifier of the eACL table.

func (*EACLTable) SetRecords 

func (m *EACLTable) SetRecords(v []*EACLRecord)

SetRecords sets record list of the eACL table.

func (*EACLTable) SetVersion 

func (m *EACLTable) SetVersion(v *refs.Version)

SetVersion sets version of EACL rules in table.

func (*EACLTable) String 

func (x *EACLTable) String() string

type HeaderType 

type HeaderType int32

Enumeration of possible sources of Headers to apply filters. 

const (
	// Unspecified header, default value.
	HeaderType_HEADER_UNSPECIFIED HeaderType = 0
	// Filter request headers
	HeaderType_REQUEST HeaderType = 1
	// Filter object headers
	HeaderType_OBJECT HeaderType = 2
	// Filter service headers. These are not processed by NeoFS nodes and
	// exist for service use only.
	HeaderType_SERVICE HeaderType = 3
)

func (HeaderType) Descriptor 

func (HeaderType) Descriptor() protoreflect.EnumDescriptor

func (HeaderType) Enum 

func (x HeaderType) Enum() *HeaderType

func (HeaderType) EnumDescriptor deprecated 

func (HeaderType) EnumDescriptor() ([]byte, []int)

Deprecated: Use HeaderType.Descriptor instead.

func (*HeaderType) FromString 

func (x *HeaderType) FromString(s string) bool

FromString parses HeaderType from a string representation, It is a reverse action to String().

Returns true if s was parsed successfully.

func (HeaderType) Number 

func (x HeaderType) Number() protoreflect.EnumNumber

func (HeaderType) String 

func (x HeaderType) String() string

func (HeaderType) Type 

func (HeaderType) Type() protoreflect.EnumType

type MatchType 

type MatchType int32

MatchType is an enumeration of match types. 

const (
	// Unspecified match type, default value.
	MatchType_MATCH_TYPE_UNSPECIFIED MatchType = 0
	// Return true if strings are equal
	MatchType_STRING_EQUAL MatchType = 1
	// Return true if strings are different
	MatchType_STRING_NOT_EQUAL MatchType = 2
)

func (MatchType) Descriptor 

func (MatchType) Descriptor() protoreflect.EnumDescriptor

func (MatchType) Enum 

func (x MatchType) Enum() *MatchType

func (MatchType) EnumDescriptor deprecated 

func (MatchType) EnumDescriptor() ([]byte, []int)

Deprecated: Use MatchType.Descriptor instead.

func (*MatchType) FromString 

func (x *MatchType) FromString(s string) bool

FromString parses MatchType from a string representation, It is a reverse action to String().

Returns true if s was parsed successfully.

func (MatchType) Number 

func (x MatchType) Number() protoreflect.EnumNumber

func (MatchType) String 

func (x MatchType) String() string

func (MatchType) Type 

func (MatchType) Type() protoreflect.EnumType

type Operation 

type Operation int32

Request's operation type to match if the rule is applicable to a particular request. 

const (
	// Unspecified operation, default value
	Operation_OPERATION_UNSPECIFIED Operation = 0
	// Get
	Operation_GET Operation = 1
	// Head
	Operation_HEAD Operation = 2
	// Put
	Operation_PUT Operation = 3
	// Delete
	Operation_DELETE Operation = 4
	// Search
	Operation_SEARCH Operation = 5
	// GetRange
	Operation_GETRANGE Operation = 6
	// GetRangeHash
	Operation_GETRANGEHASH Operation = 7
)

func (Operation) Descriptor 

func (Operation) Descriptor() protoreflect.EnumDescriptor

func (Operation) Enum 

func (x Operation) Enum() *Operation

func (Operation) EnumDescriptor deprecated 

func (Operation) EnumDescriptor() ([]byte, []int)

Deprecated: Use Operation.Descriptor instead.

func (*Operation) FromString 

func (x *Operation) FromString(s string) bool

FromString parses Operation from a string representation, It is a reverse action to String().

Returns true if s was parsed successfully.

func (Operation) Number 

func (x Operation) Number() protoreflect.EnumNumber

func (Operation) String 

func (x Operation) String() string

func (Operation) Type 

func (Operation) Type() protoreflect.EnumType

type Role 

type Role int32

Target role of the access control rule in access control list. 

const (
	// Unspecified  role, default value
	Role_ROLE_UNSPECIFIED Role = 0
	// User target rule is applied if sender is the owner of the container
	Role_USER Role = 1
	// System target rule is applied if sender is a storage node within the
	// container or an inner ring node
	Role_SYSTEM Role = 2
	// Others target rule is applied if sender is neither a user nor a system target
	Role_OTHERS Role = 3
)

func (Role) Descriptor 

func (Role) Descriptor() protoreflect.EnumDescriptor

func (Role) Enum 

func (x Role) Enum() *Role

func (Role) EnumDescriptor deprecated 

func (Role) EnumDescriptor() ([]byte, []int)

Deprecated: Use Role.Descriptor instead.

func (*Role) FromString 

func (x *Role) FromString(s string) bool

FromString parses Role from a string representation, It is a reverse action to String().

Returns true if s was parsed successfully.

func (Role) Number 

func (x Role) Number() protoreflect.EnumNumber

func (Role) String 

func (x Role) String() string

func (Role) Type 

func (Role) Type() protoreflect.EnumType

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.