acl

package
v1.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 11, 2018 License: MPL-2.0 Imports: 8 Imported by: 0

Documentation

Index

Constants

View Source
const (
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyWrite = "write"
	PolicyList  = "list"
)
View Source
const DefaultPolicyEnforcementLevel = "hard-mandatory"

DefaultPolicyEnforcementLevel will be used if the user leaves the level blank when configuring an ACL.

Variables

View Source
var (
	// ErrNotFound indicates there is no matching ACL.
	ErrNotFound = errors.New(errNotFound)

	// ErrRootDenied is returned when attempting to resolve a root ACL.
	ErrRootDenied = errors.New(errRootDenied)

	// ErrDisabled is returned when ACL changes are not permitted since
	// they are disabled.
	ErrDisabled = errors.New(errDisabled)

	// ErrPermissionDenied is returned when an ACL based rejection
	// happens.
	ErrPermissionDenied = PermissionDeniedError{}
)

Functions

func IsErrDisabled added in v0.9.3

func IsErrDisabled(err error) bool

IsErrDisabled checks if the given error message is comparable to ErrDisabled.

func IsErrNotFound added in v0.9.3

func IsErrNotFound(err error) bool

IsErrNotFound checks if the given error message is comparable to ErrNotFound.

func IsErrPermissionDenied added in v0.9.3

func IsErrPermissionDenied(err error) bool

IsErrPermissionDenied checks if the given error message is comparable to ErrPermissionDenied.

func IsErrRootDenied added in v0.9.3

func IsErrRootDenied(err error) bool

IsErrRootDenied checks if the given error message is comparable to ErrRootDenied.

func RuleID added in v0.7.0

func RuleID(rules string) string

RuleID is used to generate an ID for a rule

Types

type ACL

type ACL interface {
	// ACLList checks for permission to list all the ACLs
	ACLList() bool

	// ACLModify checks for permission to manipulate ACLs
	ACLModify() bool

	// AgentRead checks for permission to read from agent endpoints for a
	// given node.
	AgentRead(string) bool

	// AgentWrite checks for permission to make changes via agent endpoints
	// for a given node.
	AgentWrite(string) bool

	// EventRead determines if a specific event can be queried.
	EventRead(string) bool

	// EventWrite determines if a specific event may be fired.
	EventWrite(string) bool

	// IntentionDefaultAllow determines the default authorized behavior
	// when no intentions match a Connect request.
	IntentionDefaultAllow() bool

	// IntentionRead determines if a specific intention can be read.
	IntentionRead(string) bool

	// IntentionWrite determines if a specific intention can be
	// created, modified, or deleted.
	IntentionWrite(string) bool

	// KeyList checks for permission to list keys under a prefix
	KeyList(string) bool

	// KeyRead checks for permission to read a given key
	KeyRead(string) bool

	// KeyWrite checks for permission to write a given key
	KeyWrite(string, sentinel.ScopeFn) bool

	// KeyWritePrefix checks for permission to write to an
	// entire key prefix. This means there must be no sub-policies
	// that deny a write.
	KeyWritePrefix(string) bool

	// KeyringRead determines if the encryption keyring used in
	// the gossip layer can be read.
	KeyringRead() bool

	// KeyringWrite determines if the keyring can be manipulated
	KeyringWrite() bool

	// NodeRead checks for permission to read (discover) a given node.
	NodeRead(string) bool

	// NodeWrite checks for permission to create or update (register) a
	// given node.
	NodeWrite(string, sentinel.ScopeFn) bool

	// OperatorRead determines if the read-only Consul operator functions
	// can be used.
	OperatorRead() bool

	// OperatorWrite determines if the state-changing Consul operator
	// functions can be used.
	OperatorWrite() bool

	// PreparedQueryRead determines if a specific prepared query can be read
	// to show its contents (this is not used for execution).
	PreparedQueryRead(string) bool

	// PreparedQueryWrite determines if a specific prepared query can be
	// created, modified, or deleted.
	PreparedQueryWrite(string) bool

	// ServiceRead checks for permission to read a given service
	ServiceRead(string) bool

	// ServiceWrite checks for permission to create or update a given
	// service
	ServiceWrite(string, sentinel.ScopeFn) bool

	// SessionRead checks for permission to read sessions for a given node.
	SessionRead(string) bool

	// SessionWrite checks for permission to create sessions for a given
	// node.
	SessionWrite(string) bool

	// Snapshot checks for permission to take and restore snapshots.
	Snapshot() bool
}

ACL is the interface for policy enforcement.

func AllowAll

func AllowAll() ACL

AllowAll returns an ACL rule that allows all operations

func DenyAll

func DenyAll() ACL

DenyAll returns an ACL rule that denies all operations

func ManageAll

func ManageAll() ACL

ManageAll returns an ACL rule that can manage all resources

func RootACL

func RootACL(id string) ACL

RootACL returns a possible ACL if the ID matches a root policy

type AgentPolicy added in v0.7.2

type AgentPolicy struct {
	Node   string `hcl:",key"`
	Policy string
}

AgentPolicy represents a policy for working with agent endpoints on nodes with specific name prefixes.

func (*AgentPolicy) GoString added in v0.7.2

func (a *AgentPolicy) GoString() string

type Cache

type Cache struct {
	// contains filtered or unexported fields
}

Cache is used to implement policy and ACL caching

func NewCache

func NewCache(size int, faultfn FaultFunc, sentinel sentinel.Evaluator) (*Cache, error)

NewCache constructs a new policy and ACL cache of a given size

func (*Cache) ClearACL

func (c *Cache) ClearACL(id string)

ClearACL is used to clear the ACL cache if any

func (*Cache) GetACL

func (c *Cache) GetACL(id string) (ACL, error)

GetACL is used to get a potentially cached ACL policy. If not cached, it will be generated and then cached.

func (*Cache) GetACLPolicy

func (c *Cache) GetACLPolicy(id string) (string, *Policy, error)

GetACLPolicy is used to get the potentially cached ACL policy. If not cached, it will be generated and then cached.

func (*Cache) GetPolicy

func (c *Cache) GetPolicy(rules string) (*Policy, error)

GetPolicy is used to get a potentially cached policy set. If not cached, it will be parsed, and then cached.

func (*Cache) Purge

func (c *Cache) Purge()

Purge is used to clear all the ACL caches. The rule and policy caches are not purged, since they are content-hashed anyways.

type EventPolicy added in v0.6.0

type EventPolicy struct {
	Event  string `hcl:",key"`
	Policy string
}

EventPolicy represents a user event policy.

func (*EventPolicy) GoString added in v0.6.0

func (e *EventPolicy) GoString() string

type FaultFunc

type FaultFunc func(id string) (string, string, error)

FaultFunc is a function used to fault in the parent, rules for an ACL given its ID

type KeyPolicy

type KeyPolicy struct {
	Prefix   string `hcl:",key"`
	Policy   string
	Sentinel Sentinel
}

KeyPolicy represents a policy for a key

func (*KeyPolicy) GoString

func (k *KeyPolicy) GoString() string

type NodePolicy added in v0.7.2

type NodePolicy struct {
	Name     string `hcl:",key"`
	Policy   string
	Sentinel Sentinel
}

NodePolicy represents a policy for a node

func (*NodePolicy) GoString added in v0.7.2

func (n *NodePolicy) GoString() string

type PermissionDeniedError added in v0.9.3

type PermissionDeniedError struct {
	Cause string
}

func (PermissionDeniedError) Error added in v0.9.3

func (e PermissionDeniedError) Error() string

type Policy

type Policy struct {
	ID              string                 `hcl:"-"`
	Agents          []*AgentPolicy         `hcl:"agent,expand"`
	Keys            []*KeyPolicy           `hcl:"key,expand"`
	Nodes           []*NodePolicy          `hcl:"node,expand"`
	Services        []*ServicePolicy       `hcl:"service,expand"`
	Sessions        []*SessionPolicy       `hcl:"session,expand"`
	Events          []*EventPolicy         `hcl:"event,expand"`
	PreparedQueries []*PreparedQueryPolicy `hcl:"query,expand"`
	Keyring         string                 `hcl:"keyring"`
	Operator        string                 `hcl:"operator"`
}

Policy is used to represent the policy specified by an ACL configuration.

func Parse

func Parse(rules string, sentinel sentinel.Evaluator) (*Policy, error)

Parse is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL

type PolicyACL

type PolicyACL struct {
	// contains filtered or unexported fields
}

PolicyACL is used to wrap a set of ACL policies to provide the ACL interface.

func New

func New(parent ACL, policy *Policy, sentinel sentinel.Evaluator) (*PolicyACL, error)

New is used to construct a policy based ACL from a set of policies and a parent policy to resolve missing cases.

func (*PolicyACL) ACLList

func (p *PolicyACL) ACLList() bool

ACLList checks if listing of ACLs is allowed

func (*PolicyACL) ACLModify

func (p *PolicyACL) ACLModify() bool

ACLModify checks if modification of ACLs is allowed

func (*PolicyACL) AgentRead added in v0.7.2

func (p *PolicyACL) AgentRead(node string) bool

AgentRead checks for permission to read from agent endpoints for a given node.

func (*PolicyACL) AgentWrite added in v0.7.2

func (p *PolicyACL) AgentWrite(node string) bool

AgentWrite checks for permission to make changes via agent endpoints for a given node.

func (*PolicyACL) EventRead added in v0.6.0

func (p *PolicyACL) EventRead(name string) bool

EventRead is used to determine if the policy allows for a specific user event to be read.

func (*PolicyACL) EventWrite added in v0.6.0

func (p *PolicyACL) EventWrite(name string) bool

EventWrite is used to determine if new events can be created (fired) by the policy.

func (*PolicyACL) IntentionDefaultAllow added in v1.2.0

func (p *PolicyACL) IntentionDefaultAllow() bool

IntentionDefaultAllow returns whether the default behavior when there are no matching intentions is to allow or deny.

func (*PolicyACL) IntentionRead added in v1.2.0

func (p *PolicyACL) IntentionRead(prefix string) bool

IntentionRead checks if writing (creating, updating, or deleting) of an intention is allowed.

func (*PolicyACL) IntentionWrite added in v1.2.0

func (p *PolicyACL) IntentionWrite(prefix string) bool

IntentionWrite checks if writing (creating, updating, or deleting) of an intention is allowed.

func (*PolicyACL) KeyList added in v1.0.0

func (p *PolicyACL) KeyList(key string) bool

KeyList returns if a key is allowed to be listed

func (*PolicyACL) KeyRead

func (p *PolicyACL) KeyRead(key string) bool

KeyRead returns if a key is allowed to be read

func (*PolicyACL) KeyWrite

func (p *PolicyACL) KeyWrite(key string, scope sentinel.ScopeFn) bool

KeyWrite returns if a key is allowed to be written

func (*PolicyACL) KeyWritePrefix

func (p *PolicyACL) KeyWritePrefix(prefix string) bool

KeyWritePrefix returns if a prefix is allowed to be written

func (*PolicyACL) KeyringRead added in v0.6.0

func (p *PolicyACL) KeyringRead() bool

KeyringRead is used to determine if the keyring can be read by the current ACL token.

func (*PolicyACL) KeyringWrite added in v0.6.0

func (p *PolicyACL) KeyringWrite() bool

KeyringWrite determines if the keyring can be manipulated.

func (*PolicyACL) NodeRead added in v0.7.2

func (p *PolicyACL) NodeRead(name string) bool

NodeRead checks if reading (discovery) of a node is allowed

func (*PolicyACL) NodeWrite added in v0.7.2

func (p *PolicyACL) NodeWrite(name string, scope sentinel.ScopeFn) bool

NodeWrite checks if writing (registering) a node is allowed

func (*PolicyACL) OperatorRead added in v0.7.0

func (p *PolicyACL) OperatorRead() bool

OperatorRead determines if the read-only operator functions are allowed.

func (*PolicyACL) OperatorWrite added in v0.7.0

func (p *PolicyACL) OperatorWrite() bool

OperatorWrite determines if the state-changing operator functions are allowed.

func (*PolicyACL) PreparedQueryRead added in v0.6.4

func (p *PolicyACL) PreparedQueryRead(prefix string) bool

PreparedQueryRead checks if reading (listing) of a prepared query is allowed - this isn't execution, just listing its contents.

func (*PolicyACL) PreparedQueryWrite added in v0.6.4

func (p *PolicyACL) PreparedQueryWrite(prefix string) bool

PreparedQueryWrite checks if writing (creating, updating, or deleting) of a prepared query is allowed.

func (*PolicyACL) ServiceRead added in v0.5.0

func (p *PolicyACL) ServiceRead(name string) bool

ServiceRead checks if reading (discovery) of a service is allowed

func (*PolicyACL) ServiceWrite added in v0.5.0

func (p *PolicyACL) ServiceWrite(name string, scope sentinel.ScopeFn) bool

ServiceWrite checks if writing (registering) a service is allowed

func (*PolicyACL) SessionRead added in v0.7.2

func (p *PolicyACL) SessionRead(node string) bool

SessionRead checks for permission to read sessions for a given node.

func (*PolicyACL) SessionWrite added in v0.7.2

func (p *PolicyACL) SessionWrite(node string) bool

SessionWrite checks for permission to create sessions for a given node.

func (*PolicyACL) Snapshot added in v0.7.1

func (p *PolicyACL) Snapshot() bool

Snapshot checks if taking and restoring snapshots is allowed.

type PolicyRule added in v1.0.0

type PolicyRule struct {
	// contains filtered or unexported fields
}

PolicyRule binds a regular ACL policy along with an optional piece of code to execute.

type PreparedQueryPolicy added in v0.6.4

type PreparedQueryPolicy struct {
	Prefix string `hcl:",key"`
	Policy string
}

PreparedQueryPolicy represents a prepared query policy.

func (*PreparedQueryPolicy) GoString added in v0.6.4

func (p *PreparedQueryPolicy) GoString() string

type Sentinel added in v1.0.0

type Sentinel struct {
	Code             string
	EnforcementLevel string
}

Sentinel defines a snippet of Sentinel code that can be attached to a policy.

type ServicePolicy added in v0.5.0

type ServicePolicy struct {
	Name     string `hcl:",key"`
	Policy   string
	Sentinel Sentinel

	// Intentions is the policy for intentions where this service is the
	// destination. This may be empty, in which case the Policy determines
	// the intentions policy.
	Intentions string
}

ServicePolicy represents a policy for a service

func (*ServicePolicy) GoString added in v0.5.0

func (s *ServicePolicy) GoString() string

type SessionPolicy added in v0.7.2

type SessionPolicy struct {
	Node   string `hcl:",key"`
	Policy string
}

SessionPolicy represents a policy for making sessions tied to specific node name prefixes.

func (*SessionPolicy) GoString added in v0.7.2

func (s *SessionPolicy) GoString() string

type StaticACL

type StaticACL struct {
	// contains filtered or unexported fields
}

StaticACL is used to implement a base ACL policy. It either allows or denies all requests. This can be used as a parent ACL to act in a blacklist or whitelist mode.

func (*StaticACL) ACLList

func (s *StaticACL) ACLList() bool

func (*StaticACL) ACLModify

func (s *StaticACL) ACLModify() bool

func (*StaticACL) AgentRead added in v0.7.2

func (s *StaticACL) AgentRead(string) bool

func (*StaticACL) AgentWrite added in v0.7.2

func (s *StaticACL) AgentWrite(string) bool

func (*StaticACL) EventRead added in v0.6.0

func (s *StaticACL) EventRead(string) bool

func (*StaticACL) EventWrite added in v0.6.0

func (s *StaticACL) EventWrite(string) bool

func (*StaticACL) IntentionDefaultAllow added in v1.2.0

func (s *StaticACL) IntentionDefaultAllow() bool

func (*StaticACL) IntentionRead added in v1.2.0

func (s *StaticACL) IntentionRead(string) bool

func (*StaticACL) IntentionWrite added in v1.2.0

func (s *StaticACL) IntentionWrite(string) bool

func (*StaticACL) KeyList added in v1.0.0

func (s *StaticACL) KeyList(string) bool

func (*StaticACL) KeyRead

func (s *StaticACL) KeyRead(string) bool

func (*StaticACL) KeyWrite

func (s *StaticACL) KeyWrite(string, sentinel.ScopeFn) bool

func (*StaticACL) KeyWritePrefix

func (s *StaticACL) KeyWritePrefix(string) bool

func (*StaticACL) KeyringRead added in v0.6.0

func (s *StaticACL) KeyringRead() bool

func (*StaticACL) KeyringWrite added in v0.6.0

func (s *StaticACL) KeyringWrite() bool

func (*StaticACL) NodeRead added in v0.7.2

func (s *StaticACL) NodeRead(string) bool

func (*StaticACL) NodeWrite added in v0.7.2

func (s *StaticACL) NodeWrite(string, sentinel.ScopeFn) bool

func (*StaticACL) OperatorRead added in v0.7.0

func (s *StaticACL) OperatorRead() bool

func (*StaticACL) OperatorWrite added in v0.7.0

func (s *StaticACL) OperatorWrite() bool

func (*StaticACL) PreparedQueryRead added in v0.6.4

func (s *StaticACL) PreparedQueryRead(string) bool

func (*StaticACL) PreparedQueryWrite added in v0.6.4

func (s *StaticACL) PreparedQueryWrite(string) bool

func (*StaticACL) ServiceRead added in v0.5.0

func (s *StaticACL) ServiceRead(string) bool

func (*StaticACL) ServiceWrite added in v0.5.0

func (s *StaticACL) ServiceWrite(string, sentinel.ScopeFn) bool

func (*StaticACL) SessionRead added in v0.7.2

func (s *StaticACL) SessionRead(string) bool

func (*StaticACL) SessionWrite added in v0.7.2

func (s *StaticACL) SessionWrite(string) bool

func (*StaticACL) Snapshot added in v0.7.1

func (s *StaticACL) Snapshot() bool

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL