Documentation ¶
Index ¶
- Constants
- Variables
- func IsErrDisabled(err error) bool
- func IsErrNotFound(err error) bool
- func IsErrPermissionDenied(err error) bool
- func IsErrRootDenied(err error) bool
- func RuleID(rules string) string
- type ACL
- type AgentPolicy
- type Cache
- type EventPolicy
- type FaultFunc
- type KeyPolicy
- type NodePolicy
- type PermissionDeniedError
- type Policy
- type PolicyACL
- func (p *PolicyACL) ACLList() bool
- func (p *PolicyACL) ACLModify() bool
- func (p *PolicyACL) AgentRead(node string) bool
- func (p *PolicyACL) AgentWrite(node string) bool
- func (p *PolicyACL) EventRead(name string) bool
- func (p *PolicyACL) EventWrite(name string) bool
- func (p *PolicyACL) KeyList(key string) bool
- func (p *PolicyACL) KeyRead(key string) bool
- func (p *PolicyACL) KeyWrite(key string, scope sentinel.ScopeFn) bool
- func (p *PolicyACL) KeyWritePrefix(prefix string) bool
- func (p *PolicyACL) KeyringRead() bool
- func (p *PolicyACL) KeyringWrite() bool
- func (p *PolicyACL) NodeRead(name string) bool
- func (p *PolicyACL) NodeWrite(name string, scope sentinel.ScopeFn) bool
- func (p *PolicyACL) OperatorRead() bool
- func (p *PolicyACL) OperatorWrite() bool
- func (p *PolicyACL) PreparedQueryRead(prefix string) bool
- func (p *PolicyACL) PreparedQueryWrite(prefix string) bool
- func (p *PolicyACL) ServiceRead(name string) bool
- func (p *PolicyACL) ServiceWrite(name string, scope sentinel.ScopeFn) bool
- func (p *PolicyACL) SessionRead(node string) bool
- func (p *PolicyACL) SessionWrite(node string) bool
- func (p *PolicyACL) Snapshot() bool
- type PolicyRule
- type PreparedQueryPolicy
- type Sentinel
- type ServicePolicy
- type SessionPolicy
- type StaticACL
- func (s *StaticACL) ACLList() bool
- func (s *StaticACL) ACLModify() bool
- func (s *StaticACL) AgentRead(string) bool
- func (s *StaticACL) AgentWrite(string) bool
- func (s *StaticACL) EventRead(string) bool
- func (s *StaticACL) EventWrite(string) bool
- func (s *StaticACL) KeyList(string) bool
- func (s *StaticACL) KeyRead(string) bool
- func (s *StaticACL) KeyWrite(string, sentinel.ScopeFn) bool
- func (s *StaticACL) KeyWritePrefix(string) bool
- func (s *StaticACL) KeyringRead() bool
- func (s *StaticACL) KeyringWrite() bool
- func (s *StaticACL) NodeRead(string) bool
- func (s *StaticACL) NodeWrite(string, sentinel.ScopeFn) bool
- func (s *StaticACL) OperatorRead() bool
- func (s *StaticACL) OperatorWrite() bool
- func (s *StaticACL) PreparedQueryRead(string) bool
- func (s *StaticACL) PreparedQueryWrite(string) bool
- func (s *StaticACL) ServiceRead(string) bool
- func (s *StaticACL) ServiceWrite(string, sentinel.ScopeFn) bool
- func (s *StaticACL) SessionRead(string) bool
- func (s *StaticACL) SessionWrite(string) bool
- func (s *StaticACL) Snapshot() bool
Constants ¶
// Policy levels as written in ACL rule definitions and carried in the
// parsed Policy. They are plain strings and are matched as such, so a
// misspelt level is not one of these values. PolicyDeny is the most
// restrictive level; PolicyList presumably maps to the ACL.KeyList check
// (confirm against the enforcement code, which is not on this page).
const (
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyWrite = "write"
	PolicyList  = "list"
)
// DefaultPolicyEnforcementLevel will be used if the user leaves the level
// blank when configuring an ACL.
//
// NOTE(review): the set of valid levels is not enumerated on this page;
// "hard-mandatory" reads as the strictest one (a failing check blocks the
// request), which is the safe default — confirm against the Sentinel docs.
const DefaultPolicyEnforcementLevel = "hard-mandatory"
DefaultPolicyEnforcementLevel will be used if the user leaves the level blank when configuring an ACL.
Variables ¶
var (
	// ErrNotFound indicates there is no matching ACL.
	ErrNotFound = errors.New(errNotFound)

	// ErrRootDenied is returned when attempting to resolve a root ACL.
	ErrRootDenied = errors.New(errRootDenied)

	// ErrDisabled is returned when ACL changes are not permitted since
	// they are disabled.
	ErrDisabled = errors.New(errDisabled)

	// ErrPermissionDenied is returned when an ACL based rejection
	// happens. Unlike the sentinels above it is a struct value
	// (PermissionDeniedError with an empty Cause); a PermissionDeniedError
	// carrying a Cause would not compare equal to it, so callers should
	// test with IsErrPermissionDenied rather than `err == ErrPermissionDenied`.
	ErrPermissionDenied = PermissionDeniedError{}
)
Functions ¶
func IsErrDisabled ¶ added in v0.9.3
IsErrDisabled reports whether err matches ErrDisabled. The match is made on the error message rather than by identity, so it also holds for an error that was re-created from that message instead of being the ErrDisabled value itself.
func IsErrNotFound ¶ added in v0.9.3
IsErrNotFound reports whether err matches ErrNotFound. The match is made on the error message rather than by identity, so it also holds for an error that was re-created from that message instead of being the ErrNotFound value itself.
func IsErrPermissionDenied ¶ added in v0.9.3
IsErrPermissionDenied reports whether err matches ErrPermissionDenied. The match is made on the error message rather than by identity; this is the check to use, since ErrPermissionDenied is a struct value and a PermissionDeniedError carrying a Cause would not compare equal to it.
func IsErrRootDenied ¶ added in v0.9.3
IsErrRootDenied reports whether err matches ErrRootDenied. The match is made on the error message rather than by identity, so it also holds for an error that was re-created from that message instead of being the ErrRootDenied value itself.
Types ¶
type ACL ¶
// ACL is the interface for policy enforcement. Each method answers one
// authorization question and returns true only when the operation is
// permitted; false is a denial. Callers must consult the relevant method
// before performing the operation — nothing here enforces anything by itself.
type ACL interface {
	// ACLList checks for permission to list all the ACLs
	ACLList() bool

	// ACLModify checks for permission to manipulate ACLs. This is the
	// management permission: a holder can create or change any other ACL.
	ACLModify() bool

	// AgentRead checks for permission to read from agent endpoints for a
	// given node.
	AgentRead(string) bool

	// AgentWrite checks for permission to make changes via agent endpoints
	// for a given node.
	AgentWrite(string) bool

	// EventRead determines if a specific event can be queried.
	EventRead(string) bool

	// EventWrite determines if a specific event may be fired.
	EventWrite(string) bool

	// KeyList checks for permission to list keys under a prefix
	KeyList(string) bool

	// KeyRead checks for permission to read a given key
	KeyRead(string) bool

	// KeyWrite checks for permission to write a given key. The ScopeFn
	// presumably supplies the scope evaluated by any Sentinel code attached
	// to the matching rule (see PolicyRule) — confirm.
	KeyWrite(string, sentinel.ScopeFn) bool

	// KeyWritePrefix checks for permission to write to an
	// entire key prefix. This means there must be no sub-policies
	// that deny a write. It is therefore stricter than KeyWrite on the
	// prefix itself and is the check to use before a bulk or recursive write.
	KeyWritePrefix(string) bool

	// KeyringRead determines if the encryption keyring used in
	// the gossip layer can be read. This exposes the gossip encryption
	// keys themselves, so treat it as a highly privileged permission.
	KeyringRead() bool

	// KeyringWrite determines if the keyring can be manipulated
	KeyringWrite() bool

	// NodeRead checks for permission to read (discover) a given node.
	NodeRead(string) bool

	// NodeWrite checks for permission to create or update (register) a
	// given node.
	NodeWrite(string, sentinel.ScopeFn) bool

	// OperatorRead determines if the read-only Consul operator functions
	// can be used.
	OperatorRead() bool

	// OperatorWrite determines if the state-changing Consul operator
	// functions can be used.
	OperatorWrite() bool

	// PreparedQueryRead determines if a specific prepared query can be read
	// to show its contents (this is not used for execution).
	PreparedQueryRead(string) bool

	// PreparedQueryWrite determines if a specific prepared query can be
	// created, modified, or deleted.
	PreparedQueryWrite(string) bool

	// ServiceRead checks for permission to read a given service
	ServiceRead(string) bool

	// ServiceWrite checks for permission to create or update a given
	// service
	ServiceWrite(string, sentinel.ScopeFn) bool

	// SessionRead checks for permission to read sessions for a given node.
	SessionRead(string) bool

	// SessionWrite checks for permission to create sessions for a given
	// node.
	SessionWrite(string) bool

	// Snapshot checks for permission to take and restore snapshots.
	// NOTE(review): a snapshot presumably carries the full server state,
	// which would make this a superset of every read permission above and,
	// via restore, of every write — confirm before granting it broadly.
	Snapshot() bool
}
ACL is the interface for policy enforcement: each method answers one authorization question and returns true only when the operation is permitted, so callers must consult it before acting.
type AgentPolicy ¶ added in v0.7.2
AgentPolicy represents a policy for working with agent endpoints on nodes with specific name prefixes.
func (*AgentPolicy) GoString ¶ added in v0.7.2
func (a *AgentPolicy) GoString() string
type Cache ¶
// Cache is used to implement policy and ACL caching. Entries are produced
// on a miss by GetACL and GetACLPolicy and then retained for later lookups.
//
// NOTE(review): nothing on this page describes invalidation or a TTL, so a
// cached ACL may keep enforcing a superseded policy for some time after the
// policy changes — confirm the eviction behaviour before relying on prompt
// revocation.
type Cache struct {
	// contains filtered or unexported fields
}
Cache is used to implement policy and ACL caching
func (*Cache) GetACL ¶
GetACL returns the ACL for a set of rules, serving it from the cache when present; otherwise it is generated and then cached. Because the entry is reused, a later change to the underlying policy is not necessarily reflected until the entry is evicted.
func (*Cache) GetACLPolicy ¶
GetACLPolicy is the policy-level counterpart of GetACL: it returns the parsed policy, from the cache when present, otherwise generating and caching it.
type EventPolicy ¶ added in v0.6.0
EventPolicy represents a user event policy.
func (*EventPolicy) GoString ¶ added in v0.6.0
func (e *EventPolicy) GoString() string
type NodePolicy ¶ added in v0.7.2
NodePolicy represents a policy for a node
func (*NodePolicy) GoString ¶ added in v0.7.2
func (n *NodePolicy) GoString() string
type PermissionDeniedError ¶ added in v0.9.3
// PermissionDeniedError is the error type behind ErrPermissionDenied: it is
// returned when a request is rejected by ACL enforcement.
type PermissionDeniedError struct {
	// Cause optionally describes why the request was denied. If Error()
	// includes it (not shown on this page), the text reaches whoever receives
	// the error, so it should name the missing permission rather than echo
	// rule text or other sensitive detail.
	Cause string
}
func (PermissionDeniedError) Error ¶ added in v0.9.3
func (e PermissionDeniedError) Error() string
type Policy ¶
// Policy is used to represent the policy specified by an ACL configuration.
// It is the parsed form of the rule text; the hcl tags name the rule block
// each field is populated from.
type Policy struct {
	// ID is not read from the configuration (tag "-"); it is presumably set
	// by the caller, e.g. from RuleID over the rule text — confirm.
	ID string `hcl:"-"`

	// Per-resource rule lists. A configuration may contain several blocks of
	// the same kind, each scoped to a name or name prefix (see the
	// individual *Policy types), so these are slices rather than single
	// values.
	Agents          []*AgentPolicy         `hcl:"agent,expand"`
	Keys            []*KeyPolicy           `hcl:"key,expand"`
	Nodes           []*NodePolicy          `hcl:"node,expand"`
	Services        []*ServicePolicy       `hcl:"service,expand"`
	Sessions        []*SessionPolicy       `hcl:"session,expand"`
	Events          []*EventPolicy         `hcl:"event,expand"`
	PreparedQueries []*PreparedQueryPolicy `hcl:"query,expand"`

	// Keyring and Operator are a single level for the whole resource — there
	// is no per-name scoping. The expected values are presumably the Policy*
	// constants — confirm.
	Keyring  string `hcl:"keyring"`
	Operator string `hcl:"operator"`
}
Policy is used to represent the policy specified by an ACL configuration.
type PolicyACL ¶
// PolicyACL is used to wrap a set of ACL policies to provide the ACL
// interface. Construct it with New; any request that no policy covers is
// answered by the parent ACL supplied there, so the parent decides whether
// the default is deny or allow.
type PolicyACL struct {
	// contains filtered or unexported fields
}
PolicyACL is used to wrap a set of ACL policies to provide the ACL interface.
func New ¶
New constructs a policy-based ACL from a set of policies and a parent ACL. Any request not covered by the policies is resolved by the parent, so the parent sets the default: a deny-all parent (see StaticACL) gives default-deny, an allow-all parent gives default-allow.
func (*PolicyACL) AgentRead ¶ added in v0.7.2
AgentRead checks for permission to read from agent endpoints for a given node.
func (*PolicyACL) AgentWrite ¶ added in v0.7.2
AgentWrite checks for permission to make changes via agent endpoints for a given node.
func (*PolicyACL) EventRead ¶ added in v0.6.0
EventRead is used to determine if the policy allows for a specific user event to be read.
func (*PolicyACL) EventWrite ¶ added in v0.6.0
EventWrite is used to determine if new events can be created (fired) by the policy.
func (*PolicyACL) KeyWritePrefix ¶
KeyWritePrefix reports whether writes are allowed to every key under the prefix. Per the ACL interface contract this is stricter than KeyWrite on the prefix itself: it must be false if any more specific sub-policy denies a write within the prefix.
func (*PolicyACL) KeyringRead ¶ added in v0.6.0
KeyringRead is used to determine if the gossip-layer encryption keyring can be read by the current ACL token.
func (*PolicyACL) KeyringWrite ¶ added in v0.6.0
KeyringWrite determines if the keyring can be manipulated.
func (*PolicyACL) NodeRead ¶ added in v0.7.2
NodeRead checks if reading (discovery) of a node is allowed
func (*PolicyACL) NodeWrite ¶ added in v0.7.2
NodeWrite checks if writing (registering) a node is allowed
func (*PolicyACL) OperatorRead ¶ added in v0.7.0
OperatorRead determines if the read-only operator functions are allowed.
func (*PolicyACL) OperatorWrite ¶ added in v0.7.0
OperatorWrite determines if the state-changing operator functions are allowed.
func (*PolicyACL) PreparedQueryRead ¶ added in v0.6.4
PreparedQueryRead checks if reading (listing) of a prepared query is allowed - this isn't execution, just listing its contents.
func (*PolicyACL) PreparedQueryWrite ¶ added in v0.6.4
PreparedQueryWrite checks if writing (creating, updating, or deleting) of a prepared query is allowed.
func (*PolicyACL) ServiceRead ¶ added in v0.5.0
ServiceRead checks if reading (discovery) of a service is allowed
func (*PolicyACL) ServiceWrite ¶ added in v0.5.0
ServiceWrite checks if writing (registering) a service is allowed
func (*PolicyACL) SessionRead ¶ added in v0.7.2
SessionRead checks for permission to read sessions for a given node.
func (*PolicyACL) SessionWrite ¶ added in v0.7.2
SessionWrite checks for permission to create sessions for a given node.
type PolicyRule ¶ added in v1.0.0
// PolicyRule binds a regular ACL policy along with an optional piece of
// code to execute — a Sentinel snippet (see Sentinel) that is evaluated in
// addition to the plain allow/deny level.
type PolicyRule struct {
	// contains filtered or unexported fields
}
PolicyRule binds a regular ACL policy together with an optional piece of code to execute: a Sentinel snippet (see Sentinel) evaluated in addition to the plain allow/deny level.
type PreparedQueryPolicy ¶ added in v0.6.4
PreparedQueryPolicy represents a prepared query policy.
func (*PreparedQueryPolicy) GoString ¶ added in v0.6.4
func (p *PreparedQueryPolicy) GoString() string
type Sentinel ¶ added in v1.0.0
Sentinel defines a snippet of Sentinel code that can be attached to a policy.
type ServicePolicy ¶ added in v0.5.0
ServicePolicy represents a policy for a service
func (*ServicePolicy) GoString ¶ added in v0.5.0
func (s *ServicePolicy) GoString() string
type SessionPolicy ¶ added in v0.7.2
SessionPolicy represents a policy for making sessions tied to specific node name prefixes.
func (*SessionPolicy) GoString ¶ added in v0.7.2
func (s *SessionPolicy) GoString() string
type StaticACL ¶
// StaticACL is used to implement a base ACL policy. It either allows or
// denies all requests. This can be used as a parent ACL (see New) to act in
// deny-all (allowlist) or allow-all (denylist) mode: only requests that no
// explicit rule covers fall through to it. The deny-all form gives
// default-deny, which is the safer choice for a parent.
type StaticACL struct {
	// contains filtered or unexported fields
}
StaticACL is used to implement a base ACL policy. It either allows or denies all requests. Used as the parent passed to New, it answers only the requests that no explicit rule covers, giving either deny-all (allowlist) or allow-all (denylist) behaviour; the deny-all form is the default-deny, safer choice.