Documentation
¶
Overview ¶
Package lang provides core constructs for describing Aptomi policy, as well as core structures for processing policy.
Let's start with policy objects. Cluster - individual cluster where containers get deployed (e.g. k8s cluster). Service - service for a bundle (e.g. database). Context - a set of contexts, defining how service can be fulfilled (e.g. MariaDB, MySQL, SQLite). Bundle - specific bundle implementation (set of containers to run, and dependencies on other services). Claim - triggers instantiation of a service. Rule - rules which constitute policy, allowing to change labels and perform actions during policy resolution. ACLRule - rules which define user roles for accessing Aptomi namespaces.
Now, core structures: LabelSet - set of labels that get processed and transformed LabelOperations - how to transform labels Criteria - bool-based lists of expressions for defining complex criteria
Index ¶
- Constants
- Variables
- func IsPolicyObject(obj runtime.Object) bool
- type ACLResolver
- type ACLRole
- type ACLRule
- type ACLRuleActions
- type APIPolicy
- type APIPolicyNamespace
- type Allocation
- type Base
- type Bundle
- type BundleComponent
- type Claim
- type ClaimAction
- type Cluster
- type Code
- type Context
- type Criteria
- type GlobalUsers
- type IngressAction
- type LabelOperations
- type LabelSet
- type Metadata
- type Policy
- func (policy *Policy) APIPolicy() *APIPolicy
- func (policy *Policy) AddObject(obj Base) error
- func (policy *Policy) GetObject(kind string, locator string, currentNs string) (runtime.Object, error)
- func (policy *Policy) GetObjectsByKind(kind string) []Base
- func (policy *Policy) RemoveObject(obj Base) bool
- func (policy *Policy) Validate() error
- func (policy *Policy) View(user *User) *PolicyView
- type PolicyNamespace
- type PolicyValidator
- type PolicyView
- type Privilege
- type Privileges
- type Rule
- type RuleActionResult
- type RuleActions
- type Service
- type Target
- type User
Constants ¶
const LabelTarget = "target"
LabelTarget is a special label name where cluster should be stored. It's required by the engine during policy processing
const Reject = "reject"
Reject is a special constant that is used in rule actions for rejecting claims, ingress traffic, etc
Variables ¶
var ACLRolesMap = map[string]*ACLRole{ DomainAdmin.ID: DomainAdmin, NamespaceAdmin.ID: NamespaceAdmin, ServiceConsumer.ID: ServiceConsumer, nobody.ID: nobody, }
ACLRolesMap represents the map of ACL roles (Role ID -> Role)
var ACLRolesOrderedList = []*ACLRole{ DomainAdmin, NamespaceAdmin, ServiceConsumer, nobody, }
ACLRolesOrderedList represents the ordered list of ACL roles (from most "powerful" to least "powerful")
var ACLRuleObject = &runtime.Info{ Kind: "aclrule", Storable: true, Versioned: true, Deletable: true, Constructor: func() runtime.Object { return &ACLRule{} }, }
ACLRuleObject is an informational data structure with Kind and Constructor for ACLRule
var BundleObject = &runtime.Info{ Kind: "bundle", Storable: true, Versioned: true, Deletable: true, Constructor: func() runtime.Object { return &Bundle{} }, }
BundleObject is an informational data structure with Kind and Constructor for Bundle
var ClaimObject = &runtime.Info{ Kind: "claim", Storable: true, Versioned: true, Deletable: true, Constructor: func() runtime.Object { return &Claim{} }, }
ClaimObject is an informational data structure with Kind and Constructor for Claim
var ClusterObject = &runtime.Info{ Kind: "cluster", Storable: true, Versioned: true, Deletable: true, Constructor: func() runtime.Object { return &Cluster{} }, }
ClusterObject is an informational data structure with Kind and Constructor for Cluster
var DomainAdmin = &ACLRole{ ID: "domain-admin", Name: "Domain Admin", Privileges: &Privileges{ AllNamespaces: true, NamespaceObjects: map[string]*Privilege{ BundleObject.Kind: fullAccess, ServiceObject.Kind: fullAccess, ClaimObject.Kind: fullAccess, RuleObject.Kind: fullAccess, }, GlobalObjects: map[string]*Privilege{ ClusterObject.Kind: fullAccess, RuleObject.Kind: fullAccess, ACLRuleObject.Kind: fullAccess, }, }, }
DomainAdmin is a built-in domain admin role
var NamespaceAdmin = &ACLRole{ ID: "namespace-admin", Name: "Namespace Admin", Privileges: &Privileges{ NamespaceObjects: map[string]*Privilege{ BundleObject.Kind: fullAccess, ServiceObject.Kind: fullAccess, ClaimObject.Kind: fullAccess, RuleObject.Kind: fullAccess, }, GlobalObjects: map[string]*Privilege{ ClusterObject.Kind: viewAccess, RuleObject.Kind: viewAccess, ACLRuleObject.Kind: viewAccess, }, }, }
NamespaceAdmin is a built-in admin role
var ( // PolicyObjects is the list of informational data for all policy objects PolicyObjects = []*runtime.Info{ BundleObject, ServiceObject, ClaimObject, ClusterObject, RuleObject, ACLRuleObject, } )
var RuleObject = &runtime.Info{ Kind: "rule", Storable: true, Versioned: true, Deletable: true, Constructor: func() runtime.Object { return &Rule{} }, }
RuleObject is an informational data structure with Kind and Constructor for Rule
var ServiceConsumer = &ACLRole{ ID: "service-consumer", Name: "Service Consumer", Privileges: &Privileges{ NamespaceObjects: map[string]*Privilege{ BundleObject.Kind: viewAccess, ServiceObject.Kind: viewAccess, ClaimObject.Kind: fullAccess, RuleObject.Kind: viewAccess, }, GlobalObjects: map[string]*Privilege{ ClusterObject.Kind: viewAccess, RuleObject.Kind: viewAccess, ACLRuleObject.Kind: viewAccess, }, }, }
ServiceConsumer is a built-in service consumer role
var ServiceObject = &runtime.Info{ Kind: "service", Storable: true, Versioned: true, Deletable: true, Constructor: func() runtime.Object { return &Service{} }, }
ServiceObject is an informational data structure with Kind and Constructor for Service
Functions ¶
func IsPolicyObject ¶
IsPolicyObject returns true if provided object is part of the policy objects list
Types ¶
type ACLResolver ¶
type ACLResolver struct {
// contains filtered or unexported fields
}
ACLResolver is a struct which allows to perform ACL resolution, allowing to retrieve user privileges for the objects they access
func NewACLResolver ¶
func NewACLResolver(aclRules map[string]*ACLRule) *ACLResolver
NewACLResolver creates a new ACLResolver
func (*ACLResolver) GetUserPrivileges ¶
func (resolver *ACLResolver) GetUserPrivileges(user *User, obj Base) (*Privilege, error)
GetUserPrivileges is a main method which determines privileges that a given user has for a given object
func (*ACLResolver) GetUserRoleMap ¶
GetUserRoleMap returns the map role ID -> to which namespaces this role applies, for a given user. Note that user may have multiple roles at the same time. E.g. - domain admin (i.e. for all namespaces within Aptomi domain) - namespace admin for a set of given namespaces - service consumer for a set of given namespaces
type ACLRole ¶
type ACLRole struct {
ID string
Name string
Privileges *Privileges
}
ACLRole is a struct for defining user roles and their privileges. Aptomi has 4 built-in user roles: domain admin, namespace admin, service consumer, and nobody. Domain admin has full access rights to all namespaces. It can manage global objects in 'system' namespace (clusters, rules, and ACL rules). Namespace admin has full access right to a given set of namespaces, but it cannot global objects in 'system' namespace (clusters, rules, and ACL rules). Service consumer can only consume services within a given set of namespaces. Service consumption is treated as capability to instantiate services in a given namespace. Nobody cannot do anything except viewing the policy.
type ACLRule ¶
type ACLRule struct {
runtime.TypeKind `yaml:",inline"`
Metadata `validate:"required"`
// Weight defined for the rule. All rules are sorted in the order of increasing weight and applied in that order
Weight int `validate:"min=0"`
// Criteria - if it gets evaluated to true during policy resolution, then rules's actions will be executed.
// It's an optional field, so if it's nil then it is considered to be evaluated to true automatically
Criteria *Criteria `yaml:",omitempty" validate:"omitempty"`
// Actions define the set of actions that will be executed if Criteria gets evaluated to true
Actions *ACLRuleActions `validate:"required"`
}
ACLRule defines which users have which roles in Aptomi. They should be configured by Aptomi domain admins in the policy. ACLRules allow to pick groups of users and assign ACL roles to them (e.g. give access to a particular namespace)
func GetACLRulesSortedByWeight ¶ added in v0.1.15
GetACLRulesSortedByWeight returns all rules sorted by their weight
func (*ACLRule) ApplyActions ¶ added in v0.1.15
ApplyActions applies rule actions and updates result
func (*ACLRule) Matches ¶ added in v0.1.15
func (aclRule *ACLRule) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)
Matches returns true if a rule matches
type ACLRuleActions ¶ added in v0.1.15
type ACLRuleActions struct {
// AddRole is a map with role ID as key, while value is a set of comma-separated namespaces to which this role applies
AddRole map[string]string `yaml:"add-role,omitempty" validate:"omitempty,addRoleNS"`
}
ACLRuleActions is a set of actions that can be performed by a ACL rule, assigning permissions to access namespaces
type APIPolicy ¶
type APIPolicy struct {
Namespace map[string]*APIPolicyNamespace
}
APIPolicy is a Policy representation for API filtered for specific user
type APIPolicyNamespace ¶
type APIPolicyNamespace struct {
Bundles map[string]*Bundle
Services map[string]*Service
Clusters map[string]*Cluster
Rules map[string]*Rule
ACLRules map[string]*Rule
Claims map[string]*Claim
}
APIPolicyNamespace is a PolicyNamespace representation for API filtered for specific user
type Allocation ¶
type Allocation struct {
// Bundle defined which bundle to allocated. It can be in form of 'bundleName', referring to bundle within
// current namespace. Or it can be in form of 'namespace/bundleName', referring to bundle in a different
// namespace
Bundle string `validate:"required"`
// Keys define a set of unique keys that define this allocation. If keys are not defined, then allocation will
// always correspond to a single instance. If keys are defined, it will allow to create different bundle instances
// based on labels. Different keys values resolved during policy processing will result in different bundle
// instances created by Aptomi. For example, if key is set to {{.User.Labels.team}}, it will get dynamically
// resolved into a user's team name. And, since users from different teams will have different keys, every team
// will get their own bundle instance from Aptomi
Keys []string `yaml:"keys,omitempty" validate:"dive,template"`
}
Allocation determines which bundle should be allocated for by the given context and which additional keys should be added to component instance key
type Bundle ¶ added in v0.1.15
type Bundle struct {
runtime.TypeKind `yaml:",inline"`
Metadata `validate:"required"`
// Labels is a set of labels attached to the bundle
Labels map[string]string `yaml:"labels,omitempty" validate:"omitempty,labels"`
// Components is the list of components bundle consists of
Components []*BundleComponent `validate:"dive"`
// contains filtered or unexported fields
}
Bundle defines individual bundle in Aptomi. The idea is that bundles get defined by different teams. Those teams define bundle-specific consumption rules of how others can consume their bundles.
Bundle typically consists of one or more components. Each component can either be pointer to the code (e.g. docker container image with metadata that needs to be started/managed) or it can be dependency on another service (which will get fulfilled by Aptomi)
func (*Bundle) GetComponentsMap ¶ added in v0.1.15
func (bundle *Bundle) GetComponentsMap() map[string]*BundleComponent
GetComponentsMap lazily initializes and returns a map of name -> component, while being thread-safe
func (*Bundle) GetComponentsSortedTopologically ¶ added in v0.1.15
func (bundle *Bundle) GetComponentsSortedTopologically() ([]*BundleComponent, error)
GetComponentsSortedTopologically returns all components sorted in a topological order This should be thread safe
type BundleComponent ¶ added in v0.1.15
type BundleComponent struct {
// Name is a user-defined component name
Name string `validate:"identifier"`
// Criteria - if it gets evaluated to true during policy resolution, then component will be included
// into the bundle. It's an optional field, so if it's nil then it is considered to be true automatically
Criteria *Criteria `yaml:",omitempty" validate:"omitempty"`
// Service, if not empty, denoted that the component points to another service. Meaning that
// a bundle needs to have another service instantiated and running (e.g. 'wordpress' bundle needs a 'database'
// service). This will be fulfilled at policy resolution time.
Service string `yaml:"service,omitempty" validate:"omitempty"`
// Code, if not empty, means that component is a code that can be instantiated with certain parameters (e.g. docker
// container image)
Code *Code `yaml:"code,omitempty" validate:"omitempty"`
// Discovery is a map of discovery parameters that this component exposes to other bundles
Discovery util.NestedParameterMap `yaml:"discovery,omitempty" validate:"omitempty,templateNestedMap"`
// Dependencies represent cross-component dependencies within a given bundle. Component may need other components
// within that bundle to exist, before it gets instantiated
Dependencies []string `yaml:"dependencies,omitempty" validate:"dive,identifier"`
}
BundleComponent defines component within a bundle
func (*BundleComponent) Matches ¶ added in v0.1.15
func (component *BundleComponent) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)
Matches checks if component criteria is satisfied
type Claim ¶ added in v0.1.15
type Claim struct {
runtime.TypeKind `yaml:",inline"`
Metadata `validate:"required"`
// User is a user name for a user, who requested this claim.
User string `validate:"required"`
// Service that is being requested. It can be in form of 'serviceName', referring to service within
// current namespace. Or it can be in form of 'namespace/serviceName', referring to service in a different
// namespace.
Service string `validate:"required"`
// Labels which are provided by the user.
Labels map[string]string `yaml:"labels,omitempty" validate:"omitempty,labels"`
}
Claim is a declaration of use, defined in a form <User> needs an instance of <Service> with specified set of <Labels>. It allows users to request services, which will translate into instantiation of complete service instances in the cloud
type ClaimAction ¶ added in v0.1.15
type ClaimAction string
ClaimAction is a rule action to allow or disallow claim to be resolved
type Cluster ¶
type Cluster struct {
runtime.TypeKind `yaml:",inline"`
Metadata `validate:"required"`
// Type is a cluster type. Based on its type, the appropriate deployment plugin will be called to deploy containers.
Type string `validate:"clustertype"`
// Labels is a set of labels attached to the cluster
Labels map[string]string `yaml:"labels,omitempty" validate:"omitempty,labels"`
// Config for a given cluster type
Config interface{} `validate:"required"`
}
Cluster defines an individual cluster where containers get deployed. Various cloud providers are supported via setting a cluster type (k8s, Amazon ECS, GKE, etc).
func (*Cluster) ParseConfigInto ¶
ParseConfigInto parses cluster config into provided object
type Code ¶
type Code struct {
// Type represents code type (e.g. "helm"). It determines the plugin that will get executed for
// for this code component
Type string `validate:"required,codetype"`
// Params define parameters that will be passed down to the deployment plugin. Params follow text template syntax
// and can refer to arbitrary labels, as well as discovery parameters exposed by other components (within the
// current bundle) and discovery parameters exposed by bundles the current bundle depends on
Params util.NestedParameterMap `validate:"omitempty,templateNestedMap"`
}
Code with type and parameters, used to instantiate/update/delete component instances
type Context ¶
type Context struct {
// Name defines context name in the policy
Name string `validate:"identifier"`
// Criteria - if it gets evaluated to true during policy resolution, then service
// will get fulfilled by allocating this context. It's an optional field, so if it's nil then
// it is considered to be evaluated to true automatically
Criteria *Criteria `yaml:",omitempty" validate:"omitempty"`
// ChangeLabels defines how current set of labels will get changed/transformed in case
// the context gets matched
ChangeLabels LabelOperations `yaml:"change-labels,omitempty" validate:"labelOperations"`
// Allocation defines how the context will get allocated (which bundle to allocate and which unique key to use)
Allocation *Allocation `validate:"required"`
}
Context represents a single context within a service. It's essentially a bundle instance for a given of class of use cases, a given set of consumers, etc.
func (*Context) Matches ¶
func (context *Context) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)
Matches checks if context criteria is satisfied
func (*Context) ResolveKeys ¶
func (context *Context) ResolveKeys(params *template.Parameters, cache *template.Cache) ([]string, error)
ResolveKeys resolves dynamic allocation keys, which later get added to component instance key
type Criteria ¶
type Criteria struct {
// RequireAll follows 'AND' logic
RequireAll []string `yaml:"require-all,omitempty" validate:"dive,expression"`
// RequireAny follows 'OR' logic
RequireAny []string `yaml:"require-any,omitempty" validate:"dive,expression"`
// RequireNone follows 'AND NOT'
RequireNone []string `yaml:"require-none,omitempty" validate:"dive,expression"`
}
Criteria is a structure which allows users to define complex matching expressions in the policy. Criteria expressions can refer to labels through variables. It supports require-all, require-any and require-none clauses, with a list of expressions under each clause.
Criteria gets evaluated to true only when (1) All RequireAll expression evaluate to true, (2) At least one of RequireAny expressions evaluates to true, (3) None of RequireNone expressions evaluate to true.
If any of RequireAll, RequireAny, RequireNone are absent, the corresponding clause will be skipped. So it's perfectly fine to have a criteria with fewer than 3 clauses (e.g. just RequireAll), or with no sections at all. Empty criteria without any clauses always evaluates to true
type GlobalUsers ¶
GlobalUsers contains the map of users by their name
type IngressAction ¶
type IngressAction string
IngressAction is a rule action to to allow or disallow ingres traffic for a component
type LabelOperations ¶
LabelOperations defines label transform operations. It supports two types of operations - 'set' and 'remove', those strings are used as keys in the main map.
When 'set' is used, the inner name->value map defines which labels should be added/overwritten. When 'remove' is used, the inner name->value map defines which labels should be deleted. In this case value doesn't matter and name can even point to an empty string as value
The typical usage of this struct is to take LabelSet and transform it using LabelOperations.
func NewLabelOperations ¶
func NewLabelOperations(setMap map[string]string, removeMap map[string]string) LabelOperations
NewLabelOperations creates a new LabelOperations object, given "set" and "remove" parameters
func NewLabelOperationsSetSingleLabel ¶
func NewLabelOperationsSetSingleLabel(k string, v string) LabelOperations
NewLabelOperationsSetSingleLabel creates a new LabelOperations object to set a single "k"="v" label
type LabelSet ¶
LabelSet defines the set of labels that will be manipulated throughout policy execution. All labels are stored in a 'key' -> 'value' map
func NewLabelSet ¶
NewLabelSet creates a new LabelSet from a given map of text labels
func (*LabelSet) ApplyTransform ¶
func (src *LabelSet) ApplyTransform(ops LabelOperations) bool
ApplyTransform applies a given set of label transformations to the current set of labels. The method teturns true if changes have been made to the current set
type Metadata ¶
type Metadata struct {
Namespace string `yaml:",omitempty" validate:"identifier"`
Name string `yaml:",omitempty" validate:"identifier"`
Generation runtime.Generation `yaml:",omitempty"`
Deleted bool `yaml:",omitempty"`
}
Metadata is an object metadata implementation (Namespace, Kind, Name, Generation) which works for all standard objects. Namespace defines in which namespace the object is defined. An object always gets placed in only one namespace. Kind describes type of the object (e.g. Bundle, Service, Cluster, etc) Name is a user-provided string identifier of an object. Names are usually human readable and must be unique across objects within the same namespace and the same object kind.
func (*Metadata) GetGeneration ¶
func (meta *Metadata) GetGeneration() runtime.Generation
GetGeneration returns object generation
func (*Metadata) GetNamespace ¶
GetNamespace returns object namespace
func (*Metadata) SetDeleted ¶ added in v0.1.10
SetDeleted sets object deleted flag
func (*Metadata) SetGeneration ¶
func (meta *Metadata) SetGeneration(generation runtime.Generation)
SetGeneration sets object generation
type Policy ¶
type Policy struct {
// Namespace is a map from namespace name into a PolicyNamespace
Namespace map[string]*PolicyNamespace `validate:"dive"`
// contains filtered or unexported fields
}
Policy describes the entire Aptomi policy.
At the highest level, policy consists of namespaces. Namespaces provide isolation for policy objects and access to namespaces can be controlled via ACL rules. Thus, different users can have different access rights to different parts of Aptomi policy. Namespaces are useful in environments with many users, multiple teams and projects.
Objects get stored in their corresponding namespaces. Names of objects must be unique within a namespace and a given object kind.
Once policy is defined, it can be passed to the engine for policy resolution. Policy resolution translates a given policy (intent) into actual state (what services/components need to created/updated/deleted, how and where) and the corresponding set of actions.
func (*Policy) APIPolicy ¶
APIPolicy returns Policy representation for API filtered for specific user
func (*Policy) AddObject ¶
AddObject adds a given object into the policy. When you add objects to the policy, they get added to the corresponding Namespace. If error occurs (e.g. object has an unknown kind) then the error will be returned
func (*Policy) GetObject ¶
func (policy *Policy) GetObject(kind string, locator string, currentNs string) (runtime.Object, error)
GetObject looks up and returns an object from the policy, given its kind, locator ([namespace/]name), and current namespace relative to which the call is being made. It may return nil and no error, if an object hasn't been found in the policy. TODO: we may want to fix semantics of this method, so that it either returns a non-nil object or an error (i.e. doesn't return nil, nil)
func (*Policy) GetObjectsByKind ¶
GetObjectsByKind returns all objects in a policy with a given kind, across all namespaces
func (*Policy) RemoveObject ¶
RemoveObject removes a given object from the policy. Returns true if removed and false if nothing got removed.
func (*Policy) Validate ¶
Validate performs validation of the entire policy, making sure that all of its objects are well-formed. It also checks that all cross-object references are valid. If policy is malformed, then a list of errors is returned. Otherwise, if policy is correctly formed, then nil is returned. The resulting error can be caster to (validator.ValidationErrors) and iterated over, to get the full list of errors.
func (*Policy) View ¶
func (policy *Policy) View(user *User) *PolicyView
View returns a policy view object, which allows to make all policy operations on behalf of a certain user Policy view object will enforce all ACLs, allowing the user to only perform actions which he is allowed to perform All ACL rules should be loaded and added to the policy before this method gets called
type PolicyNamespace ¶
type PolicyNamespace struct {
Name string `validate:"identifier"`
Bundles map[string]*Bundle `validate:"dive"`
Services map[string]*Service `validate:"dive"`
Clusters map[string]*Cluster `validate:"dive"`
Rules map[string]*Rule `validate:"dive"`
ACLRules map[string]*ACLRule `validate:"dive"`
Claims map[string]*Claim `validate:"dive"`
}
PolicyNamespace describes a specific namespace within Aptomi policy. All policy objects get placed in the appropriate maps and structs within PolicyNamespace.
func NewPolicyNamespace ¶
func NewPolicyNamespace(name string) *PolicyNamespace
NewPolicyNamespace creates a new PolicyNamespace
type PolicyValidator ¶
type PolicyValidator struct {
// contains filtered or unexported fields
}
PolicyValidator is a custom validator for the policy
func NewPolicyValidator ¶
func NewPolicyValidator(policy *Policy) *PolicyValidator
NewPolicyValidator creates a new PolicyValidator
func (*PolicyValidator) Validate ¶
func (v *PolicyValidator) Validate() error
Validate validates the entire policy for errors and returns an error (it can be casted to policyValidationError, containing a list of errors inside). When error is printed as string, it will automatically contains the full list of validation errors.
type PolicyView ¶
type PolicyView struct {
// Policy which gets viewed
Policy *Policy
// User who is viewing policy
User *User
// Resolver is access control rules (who can access which objects in which policy namespaces)
Resolver *ACLResolver
}
PolicyView allows to view/manage policy objects on behalf on a certain user It will enforce all ACLs, allowing the user to only perform actions which he is entitled to perform.
func NewPolicyView ¶
func NewPolicyView(policy *Policy, user *User, resolver *ACLResolver) *PolicyView
NewPolicyView creates a new PolicyView
func (*PolicyView) APIPolicy ¶
func (view *PolicyView) APIPolicy() *APIPolicy
APIPolicy returns Policy representation for API filtered for specific user
func (*PolicyView) AddObject ¶
func (view *PolicyView) AddObject(obj Base) error
AddObject adds an object into the policy. When you add objects to the policy, they get added to the corresponding Namespace. If error occurs (e.g. object has an unknown kind, etc) then the error will be returned
func (*PolicyView) CanConsume ¶
func (view *PolicyView) CanConsume(service *Service) (bool, error)
CanConsume returns if user has permissions to consume a given service. If a user can declare a claim in a given namespace, then he can essentially can consume the service
func (*PolicyView) ManageObject ¶
func (view *PolicyView) ManageObject(obj Base) error
ManageObject checks if user has permissions to manage a given object. If user has no permissions, then ACL error will be returned
func (*PolicyView) ViewObject ¶
func (view *PolicyView) ViewObject(obj Base) error
ViewObject checks if user has permissions to view a given object. If user has no permissions, then ACL error will be returned
type Privilege ¶
type Privilege struct {
// View indicates whether or not a user can view an object (R)
View bool
// Manage indicates whether or not a user can manage an object, i.e. perform operations (CUD)
Manage bool
}
Privilege is a unit of privilege for any single given object
type Privileges ¶
type Privileges struct {
// AllNamespaces, when set to true, indicated that user privileges apply to all namespaces. Otherwise it applies
// to a set of given namespaces
AllNamespaces bool
// NamespaceObjects specifies whether or not this role can view/manage a certain object kind within a non-system namespace
NamespaceObjects map[string]*Privilege
// GlobalObjects specifies whether or not this role can view/manage a certain object kind within a system namespace
GlobalObjects map[string]*Privilege
}
Privileges defines a set of privileges for a particular role in Aptomi
type Rule ¶
type Rule struct {
runtime.TypeKind `yaml:",inline"`
Metadata `validate:"required"`
// Weight defined for the rule. All rules are sorted in the order of increasing weight and applied in that order
Weight int `validate:"min=0"`
// Criteria - if it gets evaluated to true during policy resolution, then rules's actions will be executed.
// It's an optional field, so if it's nil then it is considered to be evaluated to true automatically
Criteria *Criteria `yaml:",omitempty" validate:"omitempty"`
// Actions define the set of actions that will be executed if Criteria gets evaluated to true
Actions *RuleActions `validate:"required"`
}
Rule is a generic mechanism for defining rules in Aptomi.
Rules can be used to set certain labels on certain conditions as well as perform certain actions (such as rejecting claims, rejecting ingress traffic, etc)
func GetRulesSortedByWeight ¶ added in v0.1.14
GetRulesSortedByWeight returns all rules sorted by their weight
func (*Rule) ApplyActions ¶
func (rule *Rule) ApplyActions(result *RuleActionResult)
ApplyActions applies rule actions and updates result
func (*Rule) Matches ¶
func (rule *Rule) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)
Matches returns true if a rule matches
type RuleActionResult ¶
type RuleActionResult struct {
RejectClaim bool
RejectIngress bool
ChangedLabelsOnLastApply bool
Labels *LabelSet
}
RuleActionResult is a result of processing multiple rules on a given component
func NewRuleActionResult ¶
func NewRuleActionResult(labels *LabelSet) *RuleActionResult
NewRuleActionResult creates a new RuleActionResult
type RuleActions ¶
type RuleActions struct {
// ChangeLabels defines how labels should be transformed
ChangeLabels LabelOperations `yaml:"change-labels,omitempty" validate:"omitempty,labelOperations"`
// Claim defines whether claim should be rejected
Claim ClaimAction `yaml:"claim,omitempty" validate:"omitempty,allowReject"`
// Ingress defines whether ingress traffic should be rejected
Ingress IngressAction `yaml:"ingress,omitempty" validate:"omitempty,allowReject"`
}
RuleActions is a set of actions that can be performed by a rule. All fields in this structure are optional. If a field is defined, then the corresponding action will be processed
type Service ¶
type Service struct {
runtime.TypeKind `yaml:",inline"`
Metadata `validate:"required"`
// ChangeLabels defines how current set of labels will get changed/transformed in case
// the service gets matched
ChangeLabels LabelOperations `yaml:"change-labels,omitempty" validate:"labelOperations"`
// Contexts contains an ordered list of contexts within a service. When allocating an instance, Aptomi will pick
// and instantiate the first context which matches the criteria
Contexts []*Context `validate:"dive"`
}
Service is an object, which allows you to define a service for a bundle, as well as a set of specific implementations. For example, service can be a 'database', with specific bundle contexts implemented by 'MySQL', 'MariaDB', 'SQLite'.
When claims get declared, they always get declared on a service (not on a specific bundle).
type Target ¶ added in v0.1.15
type Target struct {
// ClusterNamespace is a namespace in Aptomi, to which the cluster belongs
ClusterNamespace string
// ClusterName is a cluster name in Aptomi
ClusterName string
// Suffix is an additional specifier (e.g. k8s namespace in case of Helm and k8s plugins)
Suffix string
}
Target represents a deployment target in Aptomi
type User ¶
type User struct {
// Name is a unique name of a user
Name string
// Password hash is a hashed and salted user password
PasswordHash string
// Labels is a set of 'name'->'value' string labels, attached to the user
Labels map[string]string
// DomainAdmin is a special bool flag, which allows to mark certain users as domain admins. It's useful for Aptomi
// bootstrap process, when someone needs to upload ACL rules into Aptomi (but his role is not defined in ACL,
// because ACL list is empty when Aptomi is first installed)
DomainAdmin bool
}
User represents a user in Aptomi. It has a unique Name and a set of Labels, Users can be retrieved from multiple sources (e.g. file, LDAP, AD, etc)
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
Package builder provides simple and easy-to-use way to construct Aptomi Policy in the source code, primarily for unit tests.
|
Package builder provides simple and easy-to-use way to construct Aptomi Policy in the source code, primarily for unit tests. |
|
Package expression provides support for evaluating expressions in Aptomi, with support for caching compiled expressions.
|
Package expression provides support for evaluating expressions in Aptomi, with support for caching compiled expressions. |
|
Package template provides support for evaluating text templates in Aptomi, with support for caching compiled templates.
|
Package template provides support for evaluating text templates in Aptomi, with support for caching compiled templates. |
|
Package yaml provides support for marshalling YAML objects and loading/unmarshalling them from YAML files.
|
Package yaml provides support for marshalling YAML objects and loading/unmarshalling them from YAML files. |