acl

package
v0.20.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 3, 2024 License: Apache-2.0 Imports: 6 Imported by: 19

Documentation

Overview

Package acl contains functions to enforce access control lists. It allows you to register multiple security policies for enforcing ACLs for users or HTTP requests. The specific policy to use must be specified from a command line argument and cannot be changed on-the-fly.

For actual authentication and authorization, you would need to implement your own policy as a package that calls RegisterPolicy(), and compile it into all Vitess binaries that you use.

By default (when no security_policy is specified), everyone is allowed to do anything.

For convenience, there are two other built-in policies that also do NOT do any authentication, but allow you to globally disable some roles entirely:

  • `deny-all` disallows all roles for everyone. Note that access is still allowed to endpoints that are considered "public" (no ACL check at all).
  • `read-only` allows anyone to act as DEBUGGING or MONITORING, but no one is allowed to act as ADMIN. It also disallows any other custom roles that are requested.

Index

Constants

View Source
const (
	ADMIN      = "admin"
	DEBUGGING  = "debugging"
	MONITORING = "monitoring"
)

This is a list of predefined roles. Applications are free to invent more roles, as long as the acl policies they use can understand what they mean.

Variables

This section is empty.

Functions

func CheckAccessActor

func CheckAccessActor(actor, role string) error

CheckAccessActor uses the current security policy to verify if an actor has access to the role.

func CheckAccessHTTP

func CheckAccessHTTP(req *http.Request, role string) error

CheckAccessHTTP uses the current security policy to verify if an actor in an http request has access to the role.

func RegisterFlags added in v0.15.0

func RegisterFlags(fs *pflag.FlagSet)

func RegisterPolicy

func RegisterPolicy(name string, policy Policy)

RegisterPolicy registers a security policy. This function must be called before the first call to CheckAccess happens, preferably through an init. This will ensure that the requested policy can be found by other acl functions when needed.

func SendError

func SendError(w http.ResponseWriter, err error)

SendError is a convenience function that sends an ACL error as an HTTP response.

Types

type Policy

type Policy interface {
	// CheckAccessActor can be called to verify if an actor
	// has access to the role.
	CheckAccessActor(actor, role string) error
	// CheckAccessHTTP can be called to verify if an actor in
	// the http request has access to the role.
	CheckAccessHTTP(req *http.Request, role string) error
}

Policy defines the interface that needs to be satisfied by ACL policy implementors.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL