authz

package
Published: Feb 14, 2024 License: Apache-2.0 Imports: 9 Imported by: 12

README

gNSI.authz

The idea

Implementation of reliable and fast APIs to control a remote network-connected device, such as a switch or a router, is not easy due to the complexity of communication over a computer network. Fortunately, by using the Remote Procedure Call (RPC) technique all (or most) of this complexity can be hidden from the user, but because those APIs can be used to create havoc in mission-critical networks, not everybody should be able to perform all of the RPCs provided by those management APIs.

gNSI.authz defines an API that allows for configuration of the RPC service on a switch to control which users can and cannot access specific RPCs.

The gRPC-level Authorization Policy

The policy to be enforced is defined in the form of a JSON string whose structure depends on the requirements of the RPC server.

In the case of a gRPC-based server, the JSON string's schema can be found here. It can also be described using the following PROTOBUF definition.

// Copyright 2021 The gRPC Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grpc.auth.v1;

option go_api_flag = "OPEN_TO_OPAQUE_HYBRID";  // See http://go/go-api-flag.

// Peer specifies attributes of a peer. Fields in the Peer are ANDed together,
// once we support multiple fields in the future.
message Peer {
  // Optional. A list of peer identities to match for authorization. The
  // principals are one of, i.e., it matches if one of the principals matches.
  // The field supports Exact, Prefix, Suffix, and Presence matches.
  // - Exact match: "abc" will match on value "abc".
  // - Prefix match: "abc*" will match on value "abc" and "abcd".
  // - Suffix match: "*abc" will match on value "abc" and "xabc".
  // - Presence match: "*" will match when the value is not empty.
  //
  // NOTE(review): this is the only identity check in a Rule. How the principal
  // string is derived from the peer's credentials is not defined in this file
  // (the examples use SPIFFE URIs); whether a set-but-empty list is treated
  // like an unset Rule.source is also not stated here — confirm with the
  // server implementation before relying on either.
  repeated string principals = 1;
}

// Specification of HTTP header match attributes.
message Header {
  // Required. The name of the HTTP header to match. The following headers are
  // *not* supported: "hop-by-hop" headers (e.g., those listed in "Connection"
  // header), HTTP/2 pseudo headers (":"-prefixed), the "Host" header, and
  // headers prefixed with "grpc-".
  string key = 1;

  // Required. A list of header values to match. The header values are ORed
  // together, i.e., it matches if one of the values matches. This field
  // supports Exact, Prefix, Suffix, and Presence match. Multi-valued headers
  // are considered a single value with commas added between values.
  // - Exact match: "abc" will match on value "abc".
  // - Prefix match: "abc*" will match on value "abc" and "abcd".
  // - Suffix match: "*abc" will match on value "abc" and "xabc".
  // - Presence match: "*" will match when the value is not empty.
  //
  // NOTE(review): header values are whatever the client sends, so a header
  // match on its own does not establish who the caller is; combine it with
  // Peer.principals (the two are ANDed within a Rule) when the rule is meant
  // to be identity-bound.
  repeated string values = 2;
}

// Request specifies attributes of a request. Fields in the Request are ANDed
// together.
message Request {
  // Optional. A list of paths to match for authorization. This is the fully
  // qualified name in the form of "/package.service/method". The paths are ORed
  // together, i.e., it matches if one of the paths matches. This field supports
  // Exact, Prefix, Suffix, and Presence matches.
  // - Exact match: "abc" will match on value "abc".
  // - Prefix match: "abc*" will match on value "abc" and "abcd".
  // - Suffix match: "*abc" will match on value "abc" and "xabc".
  // - Presence match: "*" will match when the value is not empty.
  //
  // A prefix such as "/pkg.service/*" covers every method of that service, and
  // the presence match "*" covers every RPC on the server; keep allow rules to
  // exact method paths where the set of permitted RPCs is known.
  repeated string paths = 1;

  // Optional. A list of HTTP header key/value pairs to match against, for
  // potentially advanced use cases. The headers are ANDed together, i.e., it
  // matches only if *all* the headers match.
  repeated Header headers = 3;
}

// Specification of rules.
message Rule {
  // Required. The name of an authorization rule.
  // It is mainly for monitoring and error message generation.
  // This name must be unique within the list of deny (or allow) rules.
  string name = 1;

  // Optional. If not set, no checks will be performed against the source. An
  // empty rule is always matched (i.e., both source and request are empty).
  //
  // NOTE(review): because an empty rule matches every request, an empty rule
  // placed in AuthorizationPolicy.deny_rules denies all RPCs, and an empty
  // rule in allow_rules permits every request that no deny rule matched.
  Peer source = 2;

  // Optional. If not set, no checks will be performed against the request. An
  // empty rule is always matched (i.e., both source and request are empty).
  Request request = 3;
}

// AuthorizationPolicy defines which principals are permitted to access which
// resource. Resources are RPC methods scoped by services.
//
// In the following yaml policy example, a peer identity from ["admin1",
// "admin2", "admin3"] is authorized to access any RPC methods in pkg.service,
// and peer identity "dev" is authorized to access the "foo" and "bar" RPC
// methods.
//
// name: example-policy
// allow_rules:
// - name: admin-access
//   source:
//     principals:
//     - "spiffe://foo.com/sa/admin1"
//     - "spiffe://foo.com/sa/admin2"
//     - "spiffe://foo.com/sa/admin3"
//   request:
//     paths: ["/pkg.service/*"]
// - name: dev-access
//   source:
//     principals: ["spiffe://foo.com/sa/dev"]
//   request:
//     paths: ["/pkg.service/foo", "/pkg.service/bar"]

message AuthorizationPolicy {
  // Required. The name of an authorization policy.
  // It is mainly for monitoring and error message generation.
  string name = 1;

  // Optional. List of deny rules to match. If a request matches any of the deny
  // rules, then it will be denied. If none of the deny rules matches or there
  // are no deny rules, the allow rules will be evaluated.
  //
  // Evaluation order is therefore: deny rules first, then allow rules, then
  // an implicit deny. A deny rule always wins over an allow rule that matches
  // the same request.
  repeated Rule deny_rules = 2;

  // Required. List of allow rules to match. The allow rules will only be
  // evaluated after the deny rules. If a request matches any of the allow
  // rules, then it will be allowed. If none of the allow rules match, it
  // will be denied.
  //
  // NOTE(review): a policy with an empty allow_rules list therefore denies
  // every request it governs; verify a new policy (for example with the
  // gNSI.authz Probe() RPC) before finalizing it.
  repeated Rule allow_rules = 3;
}

An example

Below is an example of a gRPC-level Authorization Policy that allows two admins, Alice and Bob, access to all RPCs that are defined by the gNSI.ssh interface. Nobody else will be able to call any of the gNSI.ssh RPCs.

{
  "name": "gNSI.ssh policy",
  "allow_rules": [{
    "name": "admin-access",
    "source": {
      "principals": [
        "spiffe://company.com/sa/alice",
        "spiffe://company.com/sa/bob"
      ]
    },
    "request": {
      "paths": [
        "/gnsi.ssh.Ssh/*"
      ]
    }
  }]
}

Managing the gRPC-based Authorization Policy

Initial (factory reset) state assumption

When a device boots for the first time it should have:

  1. The gNSI.authz service up and running.

  2. The default gRPC-level Authorization Policy for all active gRPC services.

    The default gRPC-level Authorization Policy must allow access to all RPCs.

  3. Once a gNSI policy is set (uploaded and Finalized), the default policy disposition becomes deny, as mentioned in the AuthorizationPolicy message documentation above.

Updating the policy

Every policy needs changes from time to time, and the gNSI.authz.Rotate() RPC is designed to do this task.

There are 5 steps in the process of updating (rotating) a gRPC-level Authorization Policy, namely:

  1. Starting the gNSI.authz.Rotate() streaming RPC.

    As a result, a streaming connection is created between the server (the switch) and the client (the management application) that is used in the following steps.

    ⚠ Warning Only one gNSI.authz.Rotate() can be in progress at a time.

  2. The client uploads new gRPC-level Authorization Policy using the UploadRequest message.

    For example:

    {
      "version": "version-1",
      "created_on": "1632779276520673693",
      "policy": {
        "name": "gNSI.ssh policy",
        "allow_rules": [{
          "name": "admin-access",
          "source": {
            "principals": [
              "spiffe://company.com/sa/alice",
              "spiffe://company.com/sa/bob"
            ]
          },
          "request": {
            "paths": [
              "/gnsi.ssh.Ssh/*"
            ]
          }
        }],
        "deny_rules": [{
          "name": "sales-access",
          "source": {
            "principals": [
              "spiffe://company.com/sa/marge",
              "spiffe://company.com/sa/don"
            ]
          },
          "request": {
            "paths": [
              "/gnsi.ssh.Ssh/MutateAccountCredentials",
              "/gnsi.ssh.Ssh/MutateHostCredentials"
            ]
          }
        }]
      }
    }
    

    ⚠ Warning There is only one gRPC-level Authorization Policy on the device; therefore it is "declarative" for all gRPC servers and services on the device. In other words: all policies must be defined in the policy being rotated, as this rotate operation will replace all previously defined/used policies once the Finalize message is sent.

    The information passed in both the version and the created_on fields is not used internally by the gNSI.authz service and is designed to help keep track of which gRPC-level Authorization Policy is active on a particular switch.

  3. After syntactic validation and activation of the new policy, the server sends the UploadResponse back to the client.

  4. The client verifies the correctness of the new gRPC-level Authorization Policy using separate gNSI.authz.Probe() RPC(s).

  5. The client sends the Finalize message indicating the previous gRPC-level Authorization Policy can be deleted.

    ⚠ Warning Closing the stream without sending the Finalize message will result in abandoning the uploaded policy and rolling back to the one that was active before the Rotate() RPC started.

Evaluating the rules

In a simple deployment, the set of rules in the gRPC-level Authorization Policy most likely will be clear enough for a human to analyze, but in a data-center environment the list of rules will likely be long and complex, and therefore difficult to reason about.

To help this process the gNSI.authz API includes the gNSI.authz.Probe() RPC.

This RPC allows for checking the response of the gRPC-level Authorization Policy engine to an RPC performed by a specific user, based on the installed policy.

Because the policy uploaded during the gNSI.authz.Rotate() call becomes active immediately, gNSI.authz.Probe() can be used to check whether the uploaded policy provides the expected response, without attempting the (potentially destructive) RPC in question, while the gNSI.authz.Rotate() is still active (the stream is still open and the Finalize message has not been sent yet).

For example, to check if alice can perform the gNSI.ssh.MutateAccountCredentials() RPC, gNSI.authz.Probe() should be called with the following parameters:

{
  "user": "spiffe://company.com/sa/alice",
  "rpc": "gNSI.ssh.MutateAccountCredentials"
}

As alice is listed in the allow_rules section of the example policy, the expected result of the gNSI.authz.Probe() RPC is:

{
  "action": "ACTION_PERMIT",
  "version": "<the version string provided in the UploadRequest>"
}

OpenConfig Extension for the gNMI gRPC-based Authorization Policy telemetry

gnsi-authz.yang

An overview of the changes defined in the gnsi-authz.yang file is shown below.

module: gnsi-authz

  augment /oc-sys:system/oc-sys:aaa/oc-sys:authorization/oc-sys:state:
    +--ro grpc-authz-policy-version?      version
    +--ro grpc-authz-policy-created-on?   created-on
  augment /oc-sys:system/oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server:
    +--ro authz-policy-counters
       +--ro rpcs
          +--ro rpc* [name]
             +--ro name     -> ../state/name
             +--ro state
                +--ro name?                 string
                +--ro access-rejects?       oc-yang:counter64
                +--ro last-access-reject?   oc-types:timeticks64
                +--ro access-accepts?       oc-yang:counter64
                +--ro last-access-accept?   oc-types:timeticks64
openconfig-system tree

The openconfig-system subtree after augments defined in the gnsi-authz.yang file is shown below.

The diagram of the tree.
module: openconfig-system
  +--rw system
     +--rw config
     |  +--rw hostname?       oc-inet:domain-name
     |  +--rw domain-name?    oc-inet:domain-name
     |  +--rw login-banner?   string
     |  +--rw motd-banner?    string
     +--ro state
     |  +--ro hostname?           oc-inet:domain-name
     |  +--ro domain-name?        oc-inet:domain-name
     |  +--ro login-banner?       string
     |  +--ro motd-banner?        string
     |  +--ro current-datetime?   oc-yang:date-and-time
     |  +--ro boot-time?          oc-types:timeticks64
     +--rw clock
     |  +--rw config
     |  |  +--rw timezone-name?   timezone-name-type
     |  +--ro state
     |     +--ro timezone-name?   timezone-name-type
     +--rw dns
     |  +--rw config
     |  |  +--rw search*   oc-inet:domain-name
     |  +--ro state
     |  |  +--ro search*   oc-inet:domain-name
     |  +--rw servers
     |  |  +--rw server* [address]
     |  |     +--rw address    -> ../config/address
     |  |     +--rw config
     |  |     |  +--rw address?   oc-inet:ip-address
     |  |     |  +--rw port?      oc-inet:port-number
     |  |     +--ro state
     |  |        +--ro address?   oc-inet:ip-address
     |  |        +--ro port?      oc-inet:port-number
     |  +--rw host-entries
     |     +--rw host-entry* [hostname]
     |        +--rw hostname    -> ../config/hostname
     |        +--rw config
     |        |  +--rw hostname?       string
     |        |  +--rw alias*          string
     |        |  +--rw ipv4-address*   oc-inet:ipv4-address
     |        |  +--rw ipv6-address*   oc-inet:ipv6-address
     |        +--ro state
     |           +--ro hostname?       string
     |           +--ro alias*          string
     |           +--ro ipv4-address*   oc-inet:ipv4-address
     |           +--ro ipv6-address*   oc-inet:ipv6-address
     +--rw ntp
     |  +--rw config
     |  |  +--rw enabled?              boolean
     |  |  +--rw ntp-source-address?   oc-inet:ip-address
     |  |  +--rw enable-ntp-auth?      boolean
     |  +--ro state
     |  |  +--ro enabled?              boolean
     |  |  +--ro ntp-source-address?   oc-inet:ip-address
     |  |  +--ro enable-ntp-auth?      boolean
     |  |  +--ro auth-mismatch?        oc-yang:counter64
     |  +--rw ntp-keys
     |  |  +--rw ntp-key* [key-id]
     |  |     +--rw key-id    -> ../config/key-id
     |  |     +--rw config
     |  |     |  +--rw key-id?      uint16
     |  |     |  +--rw key-type?    identityref
     |  |     |  +--rw key-value?   string
     |  |     +--ro state
     |  |        +--ro key-id?      uint16
     |  |        +--ro key-type?    identityref
     |  |        +--ro key-value?   string
     |  +--rw servers
     |     +--rw server* [address]
     |        +--rw address    -> ../config/address
     |        +--rw config
     |        |  +--rw address?            oc-inet:host
     |        |  +--rw port?               oc-inet:port-number
     |        |  +--rw version?            uint8
     |        |  +--rw association-type?   enumeration
     |        |  +--rw iburst?             boolean
     |        |  +--rw prefer?             boolean
     |        +--ro state
     |           +--ro address?            oc-inet:host
     |           +--ro port?               oc-inet:port-number
     |           +--ro version?            uint8
     |           +--ro association-type?   enumeration
     |           +--ro iburst?             boolean
     |           +--ro prefer?             boolean
     |           +--ro stratum?            uint8
     |           +--ro root-delay?         uint32
     |           +--ro root-dispersion?    uint64
     |           +--ro offset?             uint64
     |           +--ro poll-interval?      uint32
     +--rw ssh-server
     |  +--rw config
     |  |  +--rw enable?             boolean
     |  |  +--rw protocol-version?   enumeration
     |  |  +--rw timeout?            uint16
     |  |  +--rw rate-limit?         uint16
     |  |  +--rw session-limit?      uint16
     |  +--ro state
     |     +--ro enable?             boolean
     |     +--ro protocol-version?   enumeration
     |     +--ro timeout?            uint16
     |     +--ro rate-limit?         uint16
     |     +--ro session-limit?      uint16
     +--rw telnet-server
     |  +--rw config
     |  |  +--rw enable?          boolean
     |  |  +--rw timeout?         uint16
     |  |  +--rw rate-limit?      uint16
     |  |  +--rw session-limit?   uint16
     |  +--ro state
     |     +--ro enable?          boolean
     |     +--ro timeout?         uint16
     |     +--ro rate-limit?      uint16
     |     +--ro session-limit?   uint16
     +--rw logging
     |  +--rw console
     |  |  +--rw config
     |  |  +--ro state
     |  |  +--rw selectors
     |  |     +--rw selector* [facility severity]
     |  |        +--rw facility    -> ../config/facility
     |  |        +--rw severity    -> ../config/severity
     |  |        +--rw config
     |  |        |  +--rw facility?   identityref
     |  |        |  +--rw severity?   syslog-severity
     |  |        +--ro state
     |  |           +--ro facility?   identityref
     |  |           +--ro severity?   syslog-severity
     |  +--rw remote-servers
     |     +--rw remote-server* [host]
     |        +--rw host         -> ../config/host
     |        +--rw config
     |        |  +--rw host?             oc-inet:host
     |        |  +--rw source-address?   oc-inet:ip-address
     |        |  +--rw remote-port?      oc-inet:port-number
     |        +--ro state
     |        |  +--ro host?             oc-inet:host
     |        |  +--ro source-address?   oc-inet:ip-address
     |        |  +--ro remote-port?      oc-inet:port-number
     |        +--rw selectors
     |           +--rw selector* [facility severity]
     |              +--rw facility    -> ../config/facility
     |              +--rw severity    -> ../config/severity
     |              +--rw config
     |              |  +--rw facility?   identityref
     |              |  +--rw severity?   syslog-severity
     |              +--ro state
     |                 +--ro facility?   identityref
     |                 +--ro severity?   syslog-severity
     +--rw aaa
     |  +--rw config
     |  +--ro state
     |  +--rw authentication
     |  |  +--rw config
     |  |  |  +--rw authentication-method*   union
     |  |  +--ro state
     |  |  |  +--ro authentication-method*   union
     |  |  +--rw admin-user
     |  |  |  +--rw config
     |  |  |  |  +--rw admin-password?          string
     |  |  |  |  +--rw admin-password-hashed?   oc-aaa-types:crypt-password-type
     |  |  |  +--ro state
     |  |  |     +--ro admin-password?          string
     |  |  |     +--ro admin-password-hashed?   oc-aaa-types:crypt-password-type
     |  |  |     +--ro admin-username?          string
     |  |  +--rw users
     |  |     +--rw user* [username]
     |  |        +--rw username    -> ../config/username
     |  |        +--rw config
     |  |        |  +--rw username?          string
     |  |        |  +--rw password?          string
     |  |        |  +--rw password-hashed?   oc-aaa-types:crypt-password-type
     |  |        |  +--rw ssh-key?           string
     |  |        |  +--rw role?              union
     |  |        +--ro state
     |  |           +--ro username?          string
     |  |           +--ro password?          string
     |  |           +--ro password-hashed?   oc-aaa-types:crypt-password-type
     |  |           +--ro ssh-key?           string
     |  |           +--ro role?              union
     |  +--rw authorization
     |  |  +--rw config
     |  |  |  +--rw authorization-method*   union
     |  |  +--ro state
     |  |  |  +--ro authorization-method*                      union
     |  |  |  +--ro gnsi-authz:grpc-authz-policy-version?      version
     |  |  |  +--ro gnsi-authz:grpc-authz-policy-created-on?   created-on
     |  |  +--rw events
     |  |     +--rw event* [event-type]
     |  |        +--rw event-type    -> ../config/event-type
     |  |        +--rw config
     |  |        |  +--rw event-type?   identityref
     |  |        +--ro state
     |  |           +--ro event-type?   identityref
     |  +--rw accounting
     |  |  +--rw config
     |  |  |  +--rw accounting-method*   union
     |  |  +--ro state
     |  |  |  +--ro accounting-method*   union
     |  |  +--rw events
     |  |     +--rw event* [event-type]
     |  |        +--rw event-type    -> ../config/event-type
     |  |        +--rw config
     |  |        |  +--rw event-type?   identityref
     |  |        |  +--rw record?       enumeration
     |  |        +--ro state
     |  |           +--ro event-type?   identityref
     |  |           +--ro record?       enumeration
     |  +--rw server-groups
     |     +--rw server-group* [name]
     |        +--rw name       -> ../config/name
     |        +--rw config
     |        |  +--rw name?   string
     |        |  +--rw type?   identityref
     |        +--ro state
     |        |  +--ro name?   string
     |        |  +--ro type?   identityref
     |        +--rw servers
     |           +--rw server* [address]
     |              +--rw address    -> ../config/address
     |              +--rw config
     |              |  +--rw name?      string
     |              |  +--rw address?   oc-inet:ip-address
     |              |  +--rw timeout?   uint16
     |              +--ro state
     |              |  +--ro name?                  string
     |              |  +--ro address?               oc-inet:ip-address
     |              |  +--ro timeout?               uint16
     |              |  +--ro connection-opens?      oc-yang:counter64
     |              |  +--ro connection-closes?     oc-yang:counter64
     |              |  +--ro connection-aborts?     oc-yang:counter64
     |              |  +--ro connection-failures?   oc-yang:counter64
     |              |  +--ro connection-timeouts?   oc-yang:counter64
     |              |  +--ro messages-sent?         oc-yang:counter64
     |              |  +--ro messages-received?     oc-yang:counter64
     |              |  +--ro errors-received?       oc-yang:counter64
     |              +--rw tacacs
     |              |  +--rw config
     |              |  |  +--rw port?                oc-inet:port-number
     |              |  |  +--rw secret-key?          oc-types:routing-password
     |              |  |  +--rw secret-key-hashed?   oc-aaa-types:crypt-password-type
     |              |  |  +--rw source-address?      oc-inet:ip-address
     |              |  +--ro state
     |              |     +--ro port?                oc-inet:port-number
     |              |     +--ro secret-key?          oc-types:routing-password
     |              |     +--ro secret-key-hashed?   oc-aaa-types:crypt-password-type
     |              |     +--ro source-address?      oc-inet:ip-address
     |              +--rw radius
     |                 +--rw config
     |                 |  +--rw auth-port?             oc-inet:port-number
     |                 |  +--rw acct-port?             oc-inet:port-number
     |                 |  +--rw secret-key?            oc-types:routing-password
     |                 |  +--rw secret-key-hashed?     oc-aaa-types:crypt-password-type
     |                 |  +--rw source-address?        oc-inet:ip-address
     |                 |  +--rw retransmit-attempts?   uint8
     |                 +--ro state
     |                    +--ro auth-port?             oc-inet:port-number
     |                    +--ro acct-port?             oc-inet:port-number
     |                    +--ro secret-key?            oc-types:routing-password
     |                    +--ro secret-key-hashed?     oc-aaa-types:crypt-password-type
     |                    +--ro source-address?        oc-inet:ip-address
     |                    +--ro retransmit-attempts?   uint8
     |                    +--ro counters
     |                       +--ro retried-access-requests?   oc-yang:counter64
     |                       +--ro access-accepts?            oc-yang:counter64
     |                       +--ro access-rejects?            oc-yang:counter64
     |                       +--ro timeout-access-requests?   oc-yang:counter64
     +--rw memory
     |  +--rw config
     |  +--ro state
     |     +--ro physical?   uint64
     |     +--ro reserved?   uint64
     +--ro cpus
     |  +--ro cpu* [index]
     |     +--ro index    -> ../state/index
     |     +--ro state
     |        +--ro index?                union
     |        +--ro total
     |        |  +--ro instant?    oc-types:percentage
     |        |  +--ro avg?        oc-types:percentage
     |        |  +--ro min?        oc-types:percentage
     |        |  +--ro max?        oc-types:percentage
     |        |  +--ro interval?   oc-types:stat-interval
     |        |  +--ro min-time?   oc-types:timeticks64
     |        |  +--ro max-time?   oc-types:timeticks64
     |        +--ro user
     |        |  +--ro instant?    oc-types:percentage
     |        |  +--ro avg?        oc-types:percentage
     |        |  +--ro min?        oc-types:percentage
     |        |  +--ro max?        oc-types:percentage
     |        |  +--ro interval?   oc-types:stat-interval
     |        |  +--ro min-time?   oc-types:timeticks64
     |        |  +--ro max-time?   oc-types:timeticks64
     |        +--ro kernel
     |        |  +--ro instant?    oc-types:percentage
     |        |  +--ro avg?        oc-types:percentage
     |        |  +--ro min?        oc-types:percentage
     |        |  +--ro max?        oc-types:percentage
     |        |  +--ro interval?   oc-types:stat-interval
     |        |  +--ro min-time?   oc-types:timeticks64
     |        |  +--ro max-time?   oc-types:timeticks64
     |        +--ro nice
     |        |  +--ro instant?    oc-types:percentage
     |        |  +--ro avg?        oc-types:percentage
     |        |  +--ro min?        oc-types:percentage
     |        |  +--ro max?        oc-types:percentage
     |        |  +--ro interval?   oc-types:stat-interval
     |        |  +--ro min-time?   oc-types:timeticks64
     |        |  +--ro max-time?   oc-types:timeticks64
     |        +--ro idle
     |        |  +--ro instant?    oc-types:percentage
     |        |  +--ro avg?        oc-types:percentage
     |        |  +--ro min?        oc-types:percentage
     |        |  +--ro max?        oc-types:percentage
     |        |  +--ro interval?   oc-types:stat-interval
     |        |  +--ro min-time?   oc-types:timeticks64
     |        |  +--ro max-time?   oc-types:timeticks64
     |        +--ro wait
     |        |  +--ro instant?    oc-types:percentage
     |        |  +--ro avg?        oc-types:percentage
     |        |  +--ro min?        oc-types:percentage
     |        |  +--ro max?        oc-types:percentage
     |        |  +--ro interval?   oc-types:stat-interval
     |        |  +--ro min-time?   oc-types:timeticks64
     |        |  +--ro max-time?   oc-types:timeticks64
     |        +--ro hardware-interrupt
     |        |  +--ro instant?    oc-types:percentage
     |        |  +--ro avg?        oc-types:percentage
     |        |  +--ro min?        oc-types:percentage
     |        |  +--ro max?        oc-types:percentage
     |        |  +--ro interval?   oc-types:stat-interval
     |        |  +--ro min-time?   oc-types:timeticks64
     |        |  +--ro max-time?   oc-types:timeticks64
     |        +--ro software-interrupt
     |           +--ro instant?    oc-types:percentage
     |           +--ro avg?        oc-types:percentage
     |           +--ro min?        oc-types:percentage
     |           +--ro max?        oc-types:percentage
     |           +--ro interval?   oc-types:stat-interval
     |           +--ro min-time?   oc-types:timeticks64
     |           +--ro max-time?   oc-types:timeticks64
     +--rw processes
     |  +--ro process* [pid]
     |     +--ro pid      -> ../state/pid
     |     +--ro state
     |        +--ro pid?                  uint64
     |        +--ro name?                 string
     |        +--ro args*                 string
     |        +--ro start-time?           oc-types:timeticks64
     |        +--ro cpu-usage-user?       oc-yang:counter64
     |        +--ro cpu-usage-system?     oc-yang:counter64
     |        +--ro cpu-utilization?      oc-types:percentage
     |        +--ro memory-usage?         uint64
     |        +--ro memory-utilization?   oc-types:percentage
     +--ro alarms
     |  +--ro alarm* [id]
     |     +--ro id        -> ../state/id
     |     +--ro config
     |     +--ro state
     |        +--ro id?             string
     |        +--ro resource?       string
     |        +--ro text?           string
     |        +--ro time-created?   oc-types:timeticks64
     |        +--ro severity?       identityref
     |        +--ro type-id?        union
     +--rw messages
     |  +--rw config
     |  |  +--rw severity?   oc-log:syslog-severity
     |  +--ro state
     |  |  +--ro severity?   oc-log:syslog-severity
     |  |  +--ro message
     |  |     +--ro msg?        string
     |  |     +--ro priority?   uint8
     |  |     +--ro app-name?   string
     |  |     +--ro procid?     string
     |  |     +--ro msgid?      string
     |  +--rw debug-entries
     |     +--rw debug-service* [service]
     |        +--rw service    -> ../config/service
     |        +--rw config
     |        |  +--rw service?   identityref
     |        |  +--rw enabled?   boolean
     |        +--ro state
     |           +--ro service?   identityref
     |           +--ro enabled?   boolean
     +--rw license
     |  +--rw licenses
     |     +--rw license* [license-id]
     |        +--rw license-id    -> ../config/license-id
     |        +--rw config
     |        |  +--rw license-id?     string
     |        |  +--rw license-data?   union
     |        |  +--rw active?         boolean
     |        +--ro state
     |           +--ro license-id?        string
     |           +--ro license-data?      union
     |           +--ro active?            boolean
     |           +--ro description?       string
     |           +--ro issue-date?        uint64
     |           +--ro expiration-date?   uint64
     |           +--ro in-use?            boolean
     |           +--ro expired?           boolean
     |           +--ro valid?             boolean
     +--rw oc-sys-grpc:grpc-servers
        +--rw oc-sys-grpc:grpc-server* [name]
           +--rw oc-sys-grpc:name                    -> ../config/name
           +--rw oc-sys-grpc:config
           |  +--rw oc-sys-grpc:name?                      string
           |  +--rw oc-sys-grpc:services*                  identityref
           |  +--rw oc-sys-grpc:enable?                    boolean
           |  +--rw oc-sys-grpc:port?                      oc-inet:port-number
           |  +--rw oc-sys-grpc:transport-security?        boolean
           |  +--rw oc-sys-grpc:certificate-id?            string
           |  +--rw oc-sys-grpc:metadata-authentication?   boolean
           |  +--rw oc-sys-grpc:listen-addresses*          union
           |  +--rw oc-sys-grpc:network-instance?          oc-ni:network-instance-ref
           +--ro oc-sys-grpc:state
           |  +--ro oc-sys-grpc:name?                      string
           |  +--ro oc-sys-grpc:services*                  identityref
           |  +--ro oc-sys-grpc:enable?                    boolean
           |  +--ro oc-sys-grpc:port?                      oc-inet:port-number
           |  +--ro oc-sys-grpc:transport-security?        boolean
           |  +--ro oc-sys-grpc:certificate-id?            string
           |  +--ro oc-sys-grpc:metadata-authentication?   boolean
           |  +--ro oc-sys-grpc:listen-addresses*          union
           |  +--ro oc-sys-grpc:network-instance?          oc-ni:network-instance-ref
           +--ro gnsi-authz:authz-policy-counters
              +--ro gnsi-authz:rpcs
                 +--ro gnsi-authz:rpc* [name]
                    +--ro gnsi-authz:name     -> ../state/name
                    +--ro gnsi-authz:state
                       +--ro gnsi-authz:name?                 string
                       +--ro gnsi-authz:access-rejects?       oc-yang:counter64
                       +--ro gnsi-authz:last-access-reject?   oc-types:timeticks64
                       +--ro gnsi-authz:access-accepts?       oc-yang:counter64
                       +--ro gnsi-authz:last-access-accept?   oc-types:timeticks64

For an interactive version, click here.

Documentation

Index

Constants

This section is empty.

Variables

// ProbeResponse_Action_name and ProbeResponse_Action_value are the enum
// value maps for ProbeResponse_Action. They translate between the wire
// number and the symbolic name in both directions and must stay mutually
// consistent: 0 is the unspecified value, 1 denies, 2 permits.
var (
	ProbeResponse_Action_name = map[int32]string{
		0: "ACTION_UNSPECIFIED",
		1: "ACTION_DENY",
		2: "ACTION_PERMIT",
	}
	ProbeResponse_Action_value = map[string]int32{
		"ACTION_UNSPECIFIED": 0,
		"ACTION_DENY":        1,
		"ACTION_PERMIT":      2,
	}
)

Enum value maps for ProbeResponse_Action.

// Authz_ServiceDesc is the grpc.ServiceDesc for the Authz service.
// It is only intended for direct use with grpc.RegisterService and must
// not be introspected or modified (even as a copy).
var Authz_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "gnsi.authz.v1.Authz",
	HandlerType: (*AuthzServer)(nil),
	// Probe and Get are unary RPCs.
	Methods: []grpc.MethodDesc{
		{
			MethodName: "Probe",
			Handler:    _Authz_Probe_Handler,
		},
		{
			MethodName: "Get",
			Handler:    _Authz_Get_Handler,
		},
	},
	// Rotate is a bidirectional stream: both ServerStreams and
	// ClientStreams are set.
	Streams: []grpc.StreamDesc{
		{
			StreamName:    "Rotate",
			Handler:       _Authz_Rotate_Handler,
			ServerStreams: true,
			ClientStreams: true,
		},
	},
	// Metadata holds the path of the .proto file this descriptor was
	// generated from.
	Metadata: "github.com/openconfig/gnsi/authz/authz.proto",
}

Authz_ServiceDesc is the grpc.ServiceDesc for the Authz service. It is only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).

// File_github_com_openconfig_gnsi_authz_authz_proto is the protoreflect
// file descriptor for authz.proto. It is declared uninitialized here;
// presumably the package's generated init code populates it — confirm.
var File_github_com_openconfig_gnsi_authz_authz_proto protoreflect.FileDescriptor

Functions

func RegisterAuthzServer

func RegisterAuthzServer(s grpc.ServiceRegistrar, srv AuthzServer)

Types

type AuthzClient

// AuthzClient is the client API for the Authz service.
//
// For semantics around ctx use and closing/ending streaming RPCs, refer to
// https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
type AuthzClient interface {
	// Rotate opens the bidirectional stream over which RotateAuthzRequest
	// messages (an UploadRequest or a FinalizeRotation) are sent and
	// RotateAuthzResponse messages are received.
	Rotate(ctx context.Context, opts ...grpc.CallOption) (Authz_RotateClient, error)
	// Probe submits a ProbeRequest naming a user and an RPC; the
	// ProbeResponse reports an Action (deny/permit/unspecified) and a Version.
	Probe(ctx context.Context, in *ProbeRequest, opts ...grpc.CallOption) (*ProbeResponse, error)
	// Get returns a GetResponse carrying the installed policy's Version,
	// CreatedOn and Policy fields.
	Get(ctx context.Context, in *GetRequest, opts ...grpc.CallOption) (*GetResponse, error)
}

AuthzClient is the client API for Authz service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

func NewAuthzClient

func NewAuthzClient(cc grpc.ClientConnInterface) AuthzClient

type AuthzServer

// AuthzServer is the server API for the Authz service. All implementations
// must embed UnimplementedAuthzServer for forward compatibility.
type AuthzServer interface {
	// Rotate serves the bidirectional policy-rotation stream: it receives
	// RotateAuthzRequest messages and sends RotateAuthzResponse messages.
	Rotate(Authz_RotateServer) error
	// Probe evaluates a ProbeRequest (user + RPC name) and answers with a
	// ProbeResponse whose Action is deny, permit or unspecified.
	Probe(context.Context, *ProbeRequest) (*ProbeResponse, error)
	// Get returns the installed policy and its metadata in a GetResponse.
	Get(context.Context, *GetRequest) (*GetResponse, error)
	// contains filtered or unexported methods
}

AuthzServer is the server API for the Authz service. All implementations must embed UnimplementedAuthzServer for forward compatibility.

type Authz_RotateClient

// Authz_RotateClient is the client side of the bidirectional Rotate stream:
// it sends RotateAuthzRequest messages and receives RotateAuthzResponse
// messages, on top of the generic grpc.ClientStream.
type Authz_RotateClient interface {
	Send(*RotateAuthzRequest) error
	Recv() (*RotateAuthzResponse, error)
	grpc.ClientStream
}

type Authz_RotateServer

// Authz_RotateServer is the server side of the bidirectional Rotate stream:
// it sends RotateAuthzResponse messages and receives RotateAuthzRequest
// messages, on top of the generic grpc.ServerStream.
type Authz_RotateServer interface {
	Send(*RotateAuthzResponse) error
	Recv() (*RotateAuthzRequest, error)
	grpc.ServerStream
}

type FinalizeRequest

// FinalizeRequest is the payload of the FinalizeRotation case of
// RotateAuthzRequest. It carries no exported fields; presumably its
// presence alone signals the end of a rotation — confirm against authz.proto.
type FinalizeRequest struct {
	// contains filtered or unexported fields
}

func (*FinalizeRequest) Descriptor deprecated

func (*FinalizeRequest) Descriptor() ([]byte, []int)

Deprecated: Use FinalizeRequest.ProtoReflect.Descriptor instead.

func (*FinalizeRequest) ProtoMessage

func (*FinalizeRequest) ProtoMessage()

func (*FinalizeRequest) ProtoReflect

func (x *FinalizeRequest) ProtoReflect() protoreflect.Message

func (*FinalizeRequest) Reset

func (x *FinalizeRequest) Reset()

func (*FinalizeRequest) String

func (x *FinalizeRequest) String() string

type GetRequest

// GetRequest is the (field-less) request message for the Get RPC.
type GetRequest struct {
	// contains filtered or unexported fields
}

func (*GetRequest) Descriptor deprecated

func (*GetRequest) Descriptor() ([]byte, []int)

Deprecated: Use GetRequest.ProtoReflect.Descriptor instead.

func (*GetRequest) ProtoMessage

func (*GetRequest) ProtoMessage()

func (*GetRequest) ProtoReflect

func (x *GetRequest) ProtoReflect() protoreflect.Message

func (*GetRequest) Reset

func (x *GetRequest) Reset()

func (*GetRequest) String

func (x *GetRequest) String() string

type GetResponse

// GetResponse is the reply to the Get RPC. It carries the same three fields
// as UploadRequest, so a Get can be used to read back what was installed.
type GetResponse struct {
	// Version identifies the installed policy (proto field 1).
	Version   string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
	// CreatedOn is a creation time for the policy (proto field 2). The time
	// unit and epoch are not stated on this page — confirm against authz.proto.
	CreatedOn uint64 `protobuf:"varint,2,opt,name=created_on,json=createdOn,proto3" json:"created_on,omitempty"`
	// Policy is the gRPC-level authorization policy as a JSON string
	// (proto field 3); its schema depends on the RPC server, and for a
	// gRPC-based server follows grpc.auth.v1.
	Policy    string `protobuf:"bytes,3,opt,name=policy,proto3" json:"policy,omitempty"`
	// contains filtered or unexported fields
}

func (*GetResponse) Descriptor deprecated

func (*GetResponse) Descriptor() ([]byte, []int)

Deprecated: Use GetResponse.ProtoReflect.Descriptor instead.

func (*GetResponse) GetCreatedOn

func (x *GetResponse) GetCreatedOn() uint64

func (*GetResponse) GetPolicy

func (x *GetResponse) GetPolicy() string

func (*GetResponse) GetVersion

func (x *GetResponse) GetVersion() string

func (*GetResponse) ProtoMessage

func (*GetResponse) ProtoMessage()

func (*GetResponse) ProtoReflect

func (x *GetResponse) ProtoReflect() protoreflect.Message

func (*GetResponse) Reset

func (x *GetResponse) Reset()

func (*GetResponse) String

func (x *GetResponse) String() string

type ProbeRequest

// ProbeRequest is the request message for the Probe RPC: it names a user
// and an RPC so the server can report what the installed policy decides
// for that pair.
type ProbeRequest struct {
	// User is the identity to evaluate (proto field 1). How it is matched
	// against policy principals is defined by the policy, not by this type.
	User string `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
	// Rpc is the RPC to evaluate (proto field 2). The expected name format
	// is not shown on this page — presumably the full gRPC method path; confirm.
	Rpc  string `protobuf:"bytes,2,opt,name=rpc,proto3" json:"rpc,omitempty"`
	// contains filtered or unexported fields
}

func (*ProbeRequest) Descriptor deprecated

func (*ProbeRequest) Descriptor() ([]byte, []int)

Deprecated: Use ProbeRequest.ProtoReflect.Descriptor instead.

func (*ProbeRequest) GetRpc

func (x *ProbeRequest) GetRpc() string

func (*ProbeRequest) GetUser

func (x *ProbeRequest) GetUser() string

func (*ProbeRequest) ProtoMessage

func (*ProbeRequest) ProtoMessage()

func (*ProbeRequest) ProtoReflect

func (x *ProbeRequest) ProtoReflect() protoreflect.Message

func (*ProbeRequest) Reset

func (x *ProbeRequest) Reset()

func (*ProbeRequest) String

func (x *ProbeRequest) String() string

type ProbeResponse

// ProbeResponse is the reply to the Probe RPC.
type ProbeResponse struct {
	// Action is the policy decision (proto field 1). Its zero value is
	// ACTION_UNSPECIFIED, so an unset field reads as "unspecified" rather
	// than as a permit; callers should only treat ACTION_PERMIT as allowed.
	Action  ProbeResponse_Action `protobuf:"varint,1,opt,name=action,proto3,enum=gnsi.authz.v1.ProbeResponse_Action" json:"action,omitempty"`
	// Version (proto field 2) is presumably the version of the policy that
	// produced the decision — confirm against authz.proto.
	Version string               `protobuf:"bytes,2,opt,name=version,proto3" json:"version,omitempty"`
	// contains filtered or unexported fields
}

func (*ProbeResponse) Descriptor deprecated

func (*ProbeResponse) Descriptor() ([]byte, []int)

Deprecated: Use ProbeResponse.ProtoReflect.Descriptor instead.

func (*ProbeResponse) GetAction

func (x *ProbeResponse) GetAction() ProbeResponse_Action

func (*ProbeResponse) GetVersion

func (x *ProbeResponse) GetVersion() string

func (*ProbeResponse) ProtoMessage

func (*ProbeResponse) ProtoMessage()

func (*ProbeResponse) ProtoReflect

func (x *ProbeResponse) ProtoReflect() protoreflect.Message

func (*ProbeResponse) Reset

func (x *ProbeResponse) Reset()

func (*ProbeResponse) String

func (x *ProbeResponse) String() string

type ProbeResponse_Action

// ProbeResponse_Action is the decision reported by a Probe.
type ProbeResponse_Action int32

// Enum values for ProbeResponse_Action. ACTION_UNSPECIFIED is the zero
// value and therefore what an unset field decodes to; it is neither a
// deny nor a permit, so code that gates access on this enum should check
// for ACTION_PERMIT explicitly rather than for "not ACTION_DENY".
const (
	ProbeResponse_ACTION_UNSPECIFIED ProbeResponse_Action = 0
	ProbeResponse_ACTION_DENY        ProbeResponse_Action = 1
	ProbeResponse_ACTION_PERMIT      ProbeResponse_Action = 2
)

func (ProbeResponse_Action) Descriptor

func (ProbeResponse_Action) Enum

func (ProbeResponse_Action) EnumDescriptor deprecated

func (ProbeResponse_Action) EnumDescriptor() ([]byte, []int)

Deprecated: Use ProbeResponse_Action.Descriptor instead.

func (ProbeResponse_Action) Number

func (ProbeResponse_Action) String

func (x ProbeResponse_Action) String() string

func (ProbeResponse_Action) Type

type RotateAuthzRequest

// RotateAuthzRequest is a message sent by the client on the Rotate stream.
// It carries exactly one of an UploadRequest (the new policy) or a
// FinalizeRequest, plus the ForceOverwrite flag.
type RotateAuthzRequest struct {

	// Types that are assignable to RotateRequest:
	//	*RotateAuthzRequest_UploadRequest
	//	*RotateAuthzRequest_FinalizeRotation
	RotateRequest  isRotateAuthzRequest_RotateRequest `protobuf_oneof:"rotate_request"`
	// ForceOverwrite (proto field 3) is a bool whose exact effect is not
	// documented on this page; given the name it presumably lets the
	// request replace existing state instead of being rejected — confirm
	// against authz.proto before relying on it.
	ForceOverwrite bool                               `protobuf:"varint,3,opt,name=force_overwrite,json=forceOverwrite,proto3" json:"force_overwrite,omitempty"`
	// contains filtered or unexported fields
}

func (*RotateAuthzRequest) Descriptor deprecated

func (*RotateAuthzRequest) Descriptor() ([]byte, []int)

Deprecated: Use RotateAuthzRequest.ProtoReflect.Descriptor instead.

func (*RotateAuthzRequest) GetFinalizeRotation

func (x *RotateAuthzRequest) GetFinalizeRotation() *FinalizeRequest

func (*RotateAuthzRequest) GetForceOverwrite

func (x *RotateAuthzRequest) GetForceOverwrite() bool

func (*RotateAuthzRequest) GetRotateRequest

func (m *RotateAuthzRequest) GetRotateRequest() isRotateAuthzRequest_RotateRequest

func (*RotateAuthzRequest) GetUploadRequest

func (x *RotateAuthzRequest) GetUploadRequest() *UploadRequest

func (*RotateAuthzRequest) ProtoMessage

func (*RotateAuthzRequest) ProtoMessage()

func (*RotateAuthzRequest) ProtoReflect

func (x *RotateAuthzRequest) ProtoReflect() protoreflect.Message

func (*RotateAuthzRequest) Reset

func (x *RotateAuthzRequest) Reset()

func (*RotateAuthzRequest) String

func (x *RotateAuthzRequest) String() string

type RotateAuthzRequest_FinalizeRotation

// RotateAuthzRequest_FinalizeRotation is the oneof wrapper selecting the
// finalize_rotation case (proto field 2) of RotateAuthzRequest.
type RotateAuthzRequest_FinalizeRotation struct {
	FinalizeRotation *FinalizeRequest `protobuf:"bytes,2,opt,name=finalize_rotation,json=finalizeRotation,proto3,oneof"`
}

type RotateAuthzRequest_UploadRequest

// RotateAuthzRequest_UploadRequest is the oneof wrapper selecting the
// upload_request case (proto field 1) of RotateAuthzRequest.
type RotateAuthzRequest_UploadRequest struct {
	UploadRequest *UploadRequest `protobuf:"bytes,1,opt,name=upload_request,json=uploadRequest,proto3,oneof"`
}

type RotateAuthzResponse

// RotateAuthzResponse is a message sent by the server on the Rotate stream.
// Its oneof currently has a single case, UploadResponse.
type RotateAuthzResponse struct {

	// Types that are assignable to RotateResponse:
	//	*RotateAuthzResponse_UploadResponse
	RotateResponse isRotateAuthzResponse_RotateResponse `protobuf_oneof:"rotate_response"`
	// contains filtered or unexported fields
}

func (*RotateAuthzResponse) Descriptor deprecated

func (*RotateAuthzResponse) Descriptor() ([]byte, []int)

Deprecated: Use RotateAuthzResponse.ProtoReflect.Descriptor instead.

func (*RotateAuthzResponse) GetRotateResponse

func (m *RotateAuthzResponse) GetRotateResponse() isRotateAuthzResponse_RotateResponse

func (*RotateAuthzResponse) GetUploadResponse

func (x *RotateAuthzResponse) GetUploadResponse() *UploadResponse

func (*RotateAuthzResponse) ProtoMessage

func (*RotateAuthzResponse) ProtoMessage()

func (*RotateAuthzResponse) ProtoReflect

func (x *RotateAuthzResponse) ProtoReflect() protoreflect.Message

func (*RotateAuthzResponse) Reset

func (x *RotateAuthzResponse) Reset()

func (*RotateAuthzResponse) String

func (x *RotateAuthzResponse) String() string

type RotateAuthzResponse_UploadResponse

// RotateAuthzResponse_UploadResponse is the oneof wrapper selecting the
// upload_response case (proto field 1) of RotateAuthzResponse.
type RotateAuthzResponse_UploadResponse struct {
	UploadResponse *UploadResponse `protobuf:"bytes,1,opt,name=upload_response,json=uploadResponse,proto3,oneof"`
}

type UnimplementedAuthzServer

// UnimplementedAuthzServer must be embedded by AuthzServer implementations
// to keep them forward compatible when methods are added to the service.
type UnimplementedAuthzServer struct {
}

UnimplementedAuthzServer must be embedded to have forward-compatible implementations.

func (UnimplementedAuthzServer) Get

func (UnimplementedAuthzServer) Probe

func (UnimplementedAuthzServer) Rotate

type UnsafeAuthzServer

// UnsafeAuthzServer may be embedded to opt out of forward compatibility for
// this service. Its use is not recommended: methods later added to
// AuthzServer will then cause compilation errors.
type UnsafeAuthzServer interface {
	// contains filtered or unexported methods
}

UnsafeAuthzServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as methods added to AuthzServer will result in compilation errors.

type UploadRequest

// UploadRequest carries a new authorization policy to install; it is sent
// inside RotateAuthzRequest on the Rotate stream. Its fields mirror
// GetResponse.
type UploadRequest struct {
	// Version identifies the uploaded policy (proto field 1).
	Version   string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
	// CreatedOn is a creation time for the policy (proto field 2). The time
	// unit and epoch are not stated on this page — confirm against authz.proto.
	CreatedOn uint64 `protobuf:"varint,2,opt,name=created_on,json=createdOn,proto3" json:"created_on,omitempty"`
	// Policy is the gRPC-level authorization policy as a JSON string
	// (proto field 3). Its schema depends on the RPC server (grpc.auth.v1 for
	// a gRPC-based server). This page does not show where the string is
	// validated; a server implementation should check it parses against the
	// expected schema before it is installed, since it governs RPC access.
	Policy    string `protobuf:"bytes,3,opt,name=policy,proto3" json:"policy,omitempty"`
	// contains filtered or unexported fields
}

func (*UploadRequest) Descriptor deprecated

func (*UploadRequest) Descriptor() ([]byte, []int)

Deprecated: Use UploadRequest.ProtoReflect.Descriptor instead.

func (*UploadRequest) GetCreatedOn

func (x *UploadRequest) GetCreatedOn() uint64

func (*UploadRequest) GetPolicy

func (x *UploadRequest) GetPolicy() string

func (*UploadRequest) GetVersion

func (x *UploadRequest) GetVersion() string

func (*UploadRequest) ProtoMessage

func (*UploadRequest) ProtoMessage()

func (*UploadRequest) ProtoReflect

func (x *UploadRequest) ProtoReflect() protoreflect.Message

func (*UploadRequest) Reset

func (x *UploadRequest) Reset()

func (*UploadRequest) String

func (x *UploadRequest) String() string

type UploadResponse

// UploadResponse is the (field-less) server reply to an UploadRequest,
// delivered inside RotateAuthzResponse on the Rotate stream.
type UploadResponse struct {
	// contains filtered or unexported fields
}

func (*UploadResponse) Descriptor deprecated

func (*UploadResponse) Descriptor() ([]byte, []int)

Deprecated: Use UploadResponse.ProtoReflect.Descriptor instead.

func (*UploadResponse) ProtoMessage

func (*UploadResponse) ProtoMessage()

func (*UploadResponse) ProtoReflect

func (x *UploadResponse) ProtoReflect() protoreflect.Message

func (*UploadResponse) Reset

func (x *UploadResponse) Reset()

func (*UploadResponse) String

func (x *UploadResponse) String() string
