Documentation ¶
Overview ¶
Package policy provides advanced policy features to fine tune end-user permissions.
Index ¶
- Variables
- func InitDefaults(ctx context.Context) error
- func NewDAO(o dao.DAO) dao.DAO
- func Upgrade101(ctx context.Context) error
- func Upgrade103(ctx context.Context) error
- func Upgrade120(ctx context.Context) error
- func Upgrade122(ctx context.Context) error
- func Upgrade142(ctx context.Context) error
- func Upgrade202(ctx context.Context) error
- func Upgrade210(ctx context.Context) error
- func Upgrade220(ctx context.Context) error
- func Upgrade227(ctx context.Context) error
- func Upgrade399(ctx context.Context) error
- type DAO
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // DefaultPolicyGroups provides some sample policies to Admin Users. // Note that Name and Description fields are generally i18nized // that is why we rather declare here the corresponding message IDs. DefaultPolicyGroups = []*idm.PolicyGroup{ { Uuid: "public-access", Name: "PolicyGroup.PublicAccess.Title", Description: "PolicyGroup.PublicAccess.Description", ResourceGroup: idm.PolicyResourceGroup_rest, Policies: []*idm.Policy{ converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "discovery-policy", Description: "PolicyGroup.PublicAccess.Rule1", Subjects: []string{"profile:anon"}, Resources: []string{"rest:/config/discovery<.*>"}, Actions: []string{"GET"}, Effect: ladon.AllowAccess, }), converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "reset-password-policy", Description: "PolicyGroup.PublicAccess.Rule2", Subjects: []string{"profile:anon"}, Resources: []string{"rest:/auth/reset-password<.*>"}, Actions: []string{"PUT", "POST"}, Effect: ladon.AllowAccess, }), converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "frontend-state", Description: "PolicyGroup.PublicAccess.Rule3", Subjects: []string{"profile:anon"}, Resources: []string{ "rest:/frontend/binaries/GLOBAL/<.*>", "rest:/frontend/bootconf", "rest:/frontend/messages/<.*>", "rest:/frontend/plugins/<.*>", "rest:/frontend/state", "rest:/frontend/auth/state", "rest:/frontend/login/connectors", }, Actions: []string{"GET"}, Effect: ladon.AllowAccess, }), converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "frontend-auth", Description: "PolicyGroup.PublicAccess.Rule4", Subjects: []string{"profile:anon"}, Resources: []string{"rest:/frontend/session"}, Actions: []string{"POST"}, Effect: ladon.AllowAccess, }), }, }, { Uuid: "public-access-install", Name: "PolicyGroup.PublicInstall.Title", Description: "PolicyGroup.PublicInstall.Description", ResourceGroup: idm.PolicyResourceGroup_rest, Policies: []*idm.Policy{ converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "install-policy", Description: "PolicyGroup.PublicInstall.Rule1", Subjects: []string{"profile:anon"}, Resources: []string{"rest:/install"}, Actions: []string{"GET", "POST"}, Effect: ladon.AllowAccess, }), }, }, { Uuid: "rest-apis-default-accesses", Name: "PolicyGroup.LoggedUsers.Title", Description: "PolicyGroup.LoggedUsers.Description", ResourceGroup: idm.PolicyResourceGroup_rest, Policies: []*idm.Policy{ converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "admin-default-policy", Description: "PolicyGroup.LoggedUsers.Rule1", Subjects: []string{"profile:admin"}, Resources: []string{"rest:<.+>"}, Actions: []string{"GET", "POST", "DELETE", "PUT", "PATCH"}, Effect: ladon.AllowAccess, }), converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "user-default-policy", Description: "PolicyGroup.LoggedUsers.Rule2", Subjects: []string{"profile:standard", "profile:shared"}, Resources: []string{ "rest:/user", "rest:/user/<.+>", "rest:/workspace", "rest:/role", "rest:/role/<.+>", "rest:/graph<.+>", "rest:/jobs/user", "rest:/jobs/user<.+>", "rest:/meta<.+>", "rest:/mailer/send", "rest:/search/nodes", "rest:/share<.+>", "rest:/activity<.+>", "rest:/changes", "rest:/changes<.+>", "rest:/tree/create", "rest:/tree/delete", "rest:/tree/restore", "rest:/tree/selection", "rest:/tree/stat/<.+>", "rest:/tree/stats", "rest:/templates", "rest:/templates<.+>", "rest:/auth/token/document", }, Actions: []string{"GET", "POST", "DELETE", "PUT", "PATCH"}, Effect: ladon.AllowAccess, }), converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "user-meta-read", Description: "PolicyGroup.LoggedUsers.Rule3", Subjects: []string{"profile:standard", "profile:shared"}, Resources: []string{ "rest:/user-meta/bookmarks", "rest:/user-meta/namespace", "rest:/user-meta/search", "rest:/user-meta/tags/<.+>", }, Actions: []string{"GET", "POST"}, Effect: ladon.AllowAccess, }), converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "user-meta-put", Description: "PolicyGroup.LoggedUsers.Rule4", Subjects: []string{"profile:standard", "profile:shared"}, Resources: []string{ "rest:/user-meta/update", }, Actions: []string{"PUT"}, Effect: ladon.AllowAccess, }), converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "frontend-read", Description: "PolicyGroup.LoggedUsers.Rule5", Subjects: []string{"profile:standard", "profile:shared"}, Resources: []string{ "rest:/frontend/<.*>", }, Actions: []string{"GET"}, Effect: ladon.AllowAccess, }), converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "frontend-post", Description: "PolicyGroup.LoggedUsers.Rule6", Subjects: []string{"profile:standard", "profile:shared"}, Resources: []string{ "rest:/frontend/binaries/USER/<.+>", "rest:/frontend/enroll", "rest:/frontend/session", }, Actions: []string{"POST"}, Effect: ladon.AllowAccess, }), }, }, { Uuid: "oidc-actions-policies", Name: "PolicyGroup.OIDC.Title", Description: "PolicyGroup.OIDC.Description", ResourceGroup: idm.PolicyResourceGroup_oidc, Policies: []*idm.Policy{ converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "all-users-login", Description: "PolicyGroup.OIDC.Rule1", Subjects: []string{"user:<.+>", "profile:<.+>", "role:<.+>"}, Resources: []string{"oidc"}, Actions: []string{"login"}, Effect: ladon.AllowAccess, }), }, }, { Uuid: "sample-acl-policy", Name: "PolicyGroup.ACLSample1.Title", Description: "PolicyGroup.ACLSample1.Description", ResourceGroup: idm.PolicyResourceGroup_acl, Policies: []*idm.Policy{ converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-complex-rule1", Description: "PolicyGroup.ACLSample1.Rule1", Subjects: []string{"policy:sample-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read", "write"}, Effect: ladon.AllowAccess, }), converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-complex-rule2", Description: "PolicyGroup.ACLSample1.Rule2", Subjects: []string{"policy:sample-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"write"}, Effect: ladon.DenyAccess, Conditions: ladon.Conditions{ servicecontext.HttpMetaRemoteAddress: &conditions.StringNotMatchCondition{ Matches: "localhost|127.0.0.1|::1", }, permissions.PolicyNodeMetaName: &ladon.StringMatchCondition{ Matches: "target", }, }, }), converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-complex-rule3", Description: "PolicyGroup.ACLSample1.Rule3", Subjects: []string{"policy:sample-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read"}, Effect: ladon.DenyAccess, Conditions: ladon.Conditions{ servicecontext.HttpMetaRemoteAddress: &conditions.StringNotMatchCondition{ Matches: "localhost|127.0.0.1|::1", }, permissions.PolicyNodeMetaName: &ladon.StringMatchCondition{ Matches: "(.+)\\.png", }, }, }), }, }, { Uuid: "limited-period-access-acl-policy2", Name: "PolicyGroup.ACLSamplePeriod.Title", Description: "PolicyGroup.ACLSamplePeriod.Description", ResourceGroup: idm.PolicyResourceGroup_acl, Policies: []*idm.Policy{ converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-temporary-access2", Description: "PolicyGroup.ACLSamplePeriod.Rule1", Subjects: []string{"policy:limited-period-access-acl-policy2"}, Resources: []string{"acl"}, Actions: []string{"write", "read"}, Effect: ladon.AllowAccess, Conditions: ladon.Conditions{ servicecontext.ClientTime: &conditions.WithinPeriodCondition{ Matches: "2018-02-01T00:00+0100/2018-04-01T00:00+0100", }, }, }), }, }, { Uuid: "no-access-after-acl-policy", Name: "PolicyGroup.ACLSampleDateDisable.Title", Description: "PolicyGroup.ACLSampleDateDisable.Description", ResourceGroup: idm.PolicyResourceGroup_acl, Policies: []*idm.Policy{ converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-date-rule1", Description: "PolicyGroup.ACLSampleDateDisable.Rule1", Subjects: []string{"policy:no-access-after-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read", "write"}, Effect: ladon.AllowAccess, }), converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-date-rule2", Description: "PolicyGroup.ACLSampleDateDisable.Rule2", Subjects: []string{"policy:no-access-after-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read", "write"}, Effect: ladon.DenyAccess, Conditions: ladon.Conditions{ servicecontext.ServerTime: &conditions.DateAfterCondition{ Matches: "2018-02-28T23:59+0100", }, }, }), }, }, { Uuid: "office-hours-access-acl-policy", Name: "PolicyGroup.ACLSampleBusinessHours.Title", Description: "PolicyGroup.ACLSampleBusinessHours.Description", ResourceGroup: idm.PolicyResourceGroup_acl, Policies: []*idm.Policy{ converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-office-hours-rule", Description: "PolicyGroup.ACLSampleBusinessHours.Rule1", Subjects: []string{"policy:office-hours-access-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read", "write"}, Effect: ladon.AllowAccess, Conditions: ladon.Conditions{ servicecontext.ClientTime: &conditions.OfficeHoursCondition{ Matches: "Monday-Friday/09:00/18:30", }, }, }), }, }, { Uuid: "no-external-access-acl-policy", Name: "PolicyGroup.ACLSampleExternalIP.Title", Description: "PolicyGroup.ACLSampleExternalIP.Description", ResourceGroup: idm.PolicyResourceGroup_acl, Policies: []*idm.Policy{ converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-complex-rule4", Description: "PolicyGroup.ACLSampleExternalIP.Rule1", Subjects: []string{"policy:no-external-access-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read", "write"}, Effect: ladon.AllowAccess, }), converter.LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-complex-rule5", Description: "PolicyGroup.ACLSampleExternalIP.Rule2", Subjects: []string{"policy:no-external-access-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read", "write"}, Effect: ladon.DenyAccess, Conditions: ladon.Conditions{ servicecontext.HttpMetaRemoteAddress: &conditions.StringNotMatchCondition{ Matches: "localhost|127.0.0.1|::1", }, }, }), }, }, } )
Functions ¶
func InitDefaults ¶
InitDefaults is called once at first launch to create default policy groups.
func Upgrade101 ¶
Upgrade101 adapts policy dbs. It is called once at service launch when Cells version become >= 1.0.1.
func Upgrade103 ¶
Upgrade103 adapts policy dbs. It is called once at service launch when Cells version become >= 1.0.3 .
func Upgrade120 ¶
Upgrade120 performs upgrade on policies starting at v1.2.0
func Upgrade122 ¶
Upgrade122 adapts policy dbs. It is called once at service launch when Cells version become >= 1.2.2.
func Upgrade142 ¶
Upgrade142 performs upgrade on policies starting at v1.4.2
func Upgrade202 ¶
func Upgrade210 ¶
func Upgrade220 ¶
func Upgrade227 ¶
func Upgrade399 ¶ added in v4.0.1
Types ¶
Directories ¶
Path | Synopsis |
---|---|
Package conditions provides implementation of basic condition rules to enable building elaborated policies.
|
Package conditions provides implementation of basic condition rules to enable building elaborated policies. |
Package grpc is the policy engine service
|
Package grpc is the policy engine service |
Package lang provides policy-related i18n strings
|
Package lang provides policy-related i18n strings |
Package rest is a gateway to the underlying grpc service
|
Package rest is a gateway to the underlying grpc service |
Click to show internal directories.
Click to hide internal directories.