Documentation ¶
Overview ¶
Package acl contains functions to enforce access control lists. It allows you to register multiple security policies for enforcing ACLs for users or HTTP requests. The specific policy to use must be specified from a command line argument and cannot be changed on-the-fly.
For actual authentication and authorization, you would need to implement your own policy as a package that calls RegisterPolicy(), and compile it into all Vitess binaries that you use.
By default (when no security_policy is specified), everyone is allowed to do anything.
For convenience, there are two other built-in policies that also do NOT do any authentication, but allow you to globally disable some roles entirely:
- `deny-all` disallows all roles for everyone. Note that access is still allowed to endpoints that are considered "public" (no ACL check at all).
- `read-only` allows anyone to act as DEBUGGING or MONITORING, but no one is allowed to act as ADMIN. It also disallows any other custom roles that are requested.
Index ¶
Constants ¶
const ( ADMIN = "admin" DEBUGGING = "debugging" MONITORING = "monitoring" )
This is a list of predefined roles. Applications are free to invent more roles, as long as the acl policies they use can understand what they mean.
Variables ¶
This section is empty.
Functions ¶
func CheckAccessActor ¶
CheckAccessActor uses the current security policy to verify if an actor has access to the role.
func CheckAccessHTTP ¶
CheckAccessHTTP uses the current security policy to verify if an actor in an http request has access to the role.
func RegisterFlags ¶ added in v0.15.0
func RegisterPolicy ¶
RegisterPolicy registers a security policy. This function must be called before the first call to CheckAccess happens, preferably through an init. This will ensure that the requested policy can be found by other acl functions when needed.
func SendError ¶
func SendError(w http.ResponseWriter, err error)
SendError is a convenience function that sends an ACL error as an HTTP response.
Types ¶
type Policy ¶
type Policy interface { // CheckAccessActor can be called to verify if an actor // has access to the role. CheckAccessActor(actor, role string) error // CheckAccessHTTP can be called to verify if an actor in // the http request has access to the role. CheckAccessHTTP(req *http.Request, role string) error }
Policy defines the interface that needs to be satisfied by ACL policy implementors.