acl

package

v0.20.0-rc1 Latest Latest Go to latest Published: Jun 13, 2024 License: Apache-2.0 Imports: 6 Imported by: 9

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

Documentation ¶

Overview ¶

Package acl contains functions to enforce access control lists. It allows you to register multiple security policies for enforcing ACLs for users or HTTP requests. The specific policy to use must be specified from a command line argument and cannot be changed on-the-fly.

For actual authentication and authorization, you would need to implement your own policy as a package that calls RegisterPolicy(), and compile it into all Vitess binaries that you use.

By default (when no security_policy is specified), everyone is allowed to do anything.

For convenience, there are two other built-in policies that also do NOT do any authentication, but allow you to globally disable some roles entirely:

`deny-all` disallows all roles for everyone. Note that access is still allowed to endpoints that are considered "public" (no ACL check at all).
`read-only` allows anyone to act as DEBUGGING or MONITORING, but no one is allowed to act as ADMIN. It also disallows any other custom roles that are requested.

Index ¶

Constants
func CheckAccessActor(actor, role string) error
func CheckAccessHTTP(req *http.Request, role string) error
func RegisterFlags(fs *pflag.FlagSet)
func RegisterPolicy(name string, policy Policy)
func SendError(w http.ResponseWriter, err error)
type Policy

Constants ¶

View Source

const (
	ADMIN      = "admin"
	DEBUGGING  = "debugging"
	MONITORING = "monitoring"
)

This is a list of predefined roles. Applications are free to invent more roles, as long as the acl policies they use can understand what they mean.

Variables ¶

This section is empty.

Functions ¶

func CheckAccessActor ¶

func CheckAccessActor(actor, role string) error

CheckAccessActor uses the current security policy to verify if an actor has access to the role.

func CheckAccessHTTP ¶

func CheckAccessHTTP(req *http.Request, role string) error

CheckAccessHTTP uses the current security policy to verify if an actor in an http request has access to the role.

func RegisterFlags ¶ added in v0.15.0

func RegisterFlags(fs *pflag.FlagSet)

func RegisterPolicy ¶

func RegisterPolicy(name string, policy Policy)

RegisterPolicy registers a security policy. This function must be called before the first call to CheckAccess happens, preferably through an init. This will ensure that the requested policy can be found by other acl functions when needed.

func SendError ¶

func SendError(w http.ResponseWriter, err error)

SendError is a convenience function that sends an ACL error as an HTTP response.

Types ¶

type Policy ¶

type Policy interface {
	// CheckAccessActor can be called to verify if an actor
	// has access to the role.
	CheckAccessActor(actor, role string) error
	// CheckAccessHTTP can be called to verify if an actor in
	// the http request has access to the role.
	CheckAccessHTTP(req *http.Request, role string) error
}

Policy defines the interface that needs to be satisfied by ACL policy implementors.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL