GO-2024-2669: API token secret ID leak to Sentinel in github.com/hashicorp/nomad

GO-2024-2670: ACL security vulnerability in github.com/hashicorp/nomad

GO-2024-2671: CSI plugin names disclosure in github.com/hashicorp/nomad

acl

package

v1.4.3 Latest Latest Go to latest Published: Nov 21, 2022 License: MPL-2.0 Imports: 7 Imported by: 141

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/hashicorp/nomad

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func NamespaceValidator(ops ...string) func(*ACL, string) bool
type ACL
- func NewACL(management bool, policies []*Policy) (*ACL, error)
type AgentPolicy
type HostVolumePolicy
type NamespacePolicy
type NodePolicy
type OperatorPolicy
type PluginPolicy
type Policy
- func Parse(rules string) (*Policy, error)
- func (p *Policy) IsEmpty() bool
type QuotaPolicy
type VariablesPathPolicy
type VariablesPolicy

Constants ¶

View Source

const (
	// The following levels are the only valid values for the `policy = "read"` stanza.
	// When policies are merged together, the most privilege is granted, except for deny
	// which always takes precedence and supersedes.
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyList  = "list"
	PolicyWrite = "write"
	PolicyScale = "scale"
)

View Source

const (
	NamespaceCapabilityDeny                 = "deny"
	NamespaceCapabilityListJobs             = "list-jobs"
	NamespaceCapabilityParseJob             = "parse-job"
	NamespaceCapabilityReadJob              = "read-job"
	NamespaceCapabilitySubmitJob            = "submit-job"
	NamespaceCapabilityDispatchJob          = "dispatch-job"
	NamespaceCapabilityReadLogs             = "read-logs"
	NamespaceCapabilityReadFS               = "read-fs"
	NamespaceCapabilityAllocExec            = "alloc-exec"
	NamespaceCapabilityAllocNodeExec        = "alloc-node-exec"
	NamespaceCapabilityAllocLifecycle       = "alloc-lifecycle"
	NamespaceCapabilitySentinelOverride     = "sentinel-override"
	NamespaceCapabilityCSIRegisterPlugin    = "csi-register-plugin"
	NamespaceCapabilityCSIWriteVolume       = "csi-write-volume"
	NamespaceCapabilityCSIReadVolume        = "csi-read-volume"
	NamespaceCapabilityCSIListVolume        = "csi-list-volume"
	NamespaceCapabilityCSIMountVolume       = "csi-mount-volume"
	NamespaceCapabilityListScalingPolicies  = "list-scaling-policies"
	NamespaceCapabilityReadScalingPolicy    = "read-scaling-policy"
	NamespaceCapabilityReadJobScaling       = "read-job-scaling"
	NamespaceCapabilityScaleJob             = "scale-job"
	NamespaceCapabilitySubmitRecommendation = "submit-recommendation"
)

View Source

const (
	HostVolumeCapabilityDeny           = "deny"
	HostVolumeCapabilityMountReadOnly  = "mount-readonly"
	HostVolumeCapabilityMountReadWrite = "mount-readwrite"
)

View Source

const (
	// The following are the fine-grained capabilities that can be
	// granted for a variables path. When capabilities are
	// combined we take the union of all capabilities.
	VariablesCapabilityList    = "list"
	VariablesCapabilityRead    = "read"
	VariablesCapabilityWrite   = "write"
	VariablesCapabilityDestroy = "destroy"
	VariablesCapabilityDeny    = "deny"
)

View Source

const AllNamespacesSentinel = "*"

Redefine this value from structs to avoid circular dependency.

Variables ¶

This section is empty.

Functions ¶

func NamespaceValidator ¶ added in v0.9.6

func NamespaceValidator(ops ...string) func(*ACL, string) bool

NamespaceValidator returns a func that wraps ACL.AllowNamespaceOperation in a list of operations. Returns true (allowed) if acls are disabled or if *any* capabilities match.

Types ¶

type ACL ¶

type ACL struct {
	// contains filtered or unexported fields
}

ACL object is used to convert a set of policies into a structure that can be efficiently evaluated to determine if an action is allowed.

var ManagementACL *ACL

ManagementACL is a singleton used for management tokens

func NewACL ¶

func NewACL(management bool, policies []*Policy) (*ACL, error)

NewACL compiles a set of policies into an ACL object

func (*ACL) AllowAgentRead ¶

func (a *ACL) AllowAgentRead() bool

AllowAgentRead checks if read operations are allowed for an agent

func (*ACL) AllowAgentWrite ¶

func (a *ACL) AllowAgentWrite() bool

AllowAgentWrite checks if write operations are allowed for an agent

func (*ACL) AllowHostVolume ¶ added in v0.10.0

func (a *ACL) AllowHostVolume(ns string) bool

AllowHostVolume checks if any operations are allowed for a HostVolume

func (*ACL) AllowHostVolumeOperation ¶ added in v0.10.0

func (a *ACL) AllowHostVolumeOperation(hv string, op string) bool

AllowHostVolumeOperation checks if a given operation is allowed for a host volume

func (*ACL) AllowNamespace ¶

func (a *ACL) AllowNamespace(ns string) bool

AllowNamespace checks if any operations are allowed for a namespace

func (*ACL) AllowNamespaceOperation ¶

func (a *ACL) AllowNamespaceOperation(ns string, op string) bool

AllowNamespaceOperation checks if a given operation is allowed for a namespace.

func (*ACL) AllowNodeRead ¶

func (a *ACL) AllowNodeRead() bool

AllowNodeRead checks if read operations are allowed for a node

func (*ACL) AllowNodeWrite ¶

func (a *ACL) AllowNodeWrite() bool

AllowNodeWrite checks if write operations are allowed for a node

func (*ACL) AllowNsOp ¶

func (a *ACL) AllowNsOp(ns string, op string) bool

AllowNsOp is shorthand for AllowNamespaceOperation

func (*ACL) AllowNsOpFunc ¶ added in v1.1.15

func (a *ACL) AllowNsOpFunc(ops ...string) func(string) bool

AllowNsOpFunc is a helper that returns a function that can be used to check namespace permissions.

func (*ACL) AllowOperatorRead ¶

func (a *ACL) AllowOperatorRead() bool

AllowOperatorRead checks if read operations are allowed for a operator

func (*ACL) AllowOperatorWrite ¶

func (a *ACL) AllowOperatorWrite() bool

AllowOperatorWrite checks if write operations are allowed for a operator

func (*ACL) AllowPluginList ¶ added in v0.11.0

func (a *ACL) AllowPluginList() bool

AllowPluginList checks if list operations are allowed for all plugins

func (*ACL) AllowPluginRead ¶ added in v0.11.0

func (a *ACL) AllowPluginRead() bool

AllowPluginRead checks if read operations are allowed for all plugins

func (*ACL) AllowQuotaRead ¶

func (a *ACL) AllowQuotaRead() bool

AllowQuotaRead checks if read operations are allowed for all quotas

func (*ACL) AllowQuotaWrite ¶

func (a *ACL) AllowQuotaWrite() bool

AllowQuotaWrite checks if write operations are allowed for quotas

func (*ACL) AllowVariableOperation ¶ added in v1.4.0

func (a *ACL) AllowVariableOperation(ns, path, op string) bool

func (*ACL) AllowVariableSearch ¶ added in v1.4.0

func (a *ACL) AllowVariableSearch(ns string) bool

AllowVariableSearch is a very loose check that the token has *any* access to a variables path for the namespace, with an expectation that the actual search result will be filtered by specific paths

func (*ACL) IsManagement ¶

func (a *ACL) IsManagement() bool

IsManagement checks if this represents a management token

type AgentPolicy ¶

type AgentPolicy struct {
	Policy string
}

type HostVolumePolicy ¶ added in v0.10.0

type HostVolumePolicy struct {
	Name         string `hcl:",key"`
	Policy       string
	Capabilities []string
}

HostVolumePolicy is the policy for a specific named host volume

type NamespacePolicy ¶

type NamespacePolicy struct {
	Name         string `hcl:",key"`
	Policy       string
	Capabilities []string
	Variables    *VariablesPolicy `hcl:"variables"`
}

NamespacePolicy is the policy for a specific namespace

type NodePolicy ¶

type NodePolicy struct {
	Policy string
}

type OperatorPolicy ¶

type OperatorPolicy struct {
	Policy string
}

type PluginPolicy ¶ added in v0.11.0

type PluginPolicy struct {
	Policy string
}

type Policy ¶

type Policy struct {
	Namespaces  []*NamespacePolicy  `hcl:"namespace,expand"`
	HostVolumes []*HostVolumePolicy `hcl:"host_volume,expand"`
	Agent       *AgentPolicy        `hcl:"agent"`
	Node        *NodePolicy         `hcl:"node"`
	Operator    *OperatorPolicy     `hcl:"operator"`
	Quota       *QuotaPolicy        `hcl:"quota"`
	Plugin      *PluginPolicy       `hcl:"plugin"`
	Raw         string              `hcl:"-"`
}

Policy represents a parsed HCL or JSON policy.

func Parse ¶

func Parse(rules string) (*Policy, error)

Parse is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL

func (*Policy) IsEmpty ¶

func (p *Policy) IsEmpty() bool

IsEmpty checks to make sure that at least one policy has been set and is not comprised of only a raw policy.

type QuotaPolicy ¶

type QuotaPolicy struct {
	Policy string
}

type VariablesPathPolicy ¶ added in v1.4.0

type VariablesPathPolicy struct {
	PathSpec     string `hcl:",key"`
	Capabilities []string
}

type VariablesPolicy ¶ added in v1.4.0

type VariablesPolicy struct {
	Paths []*VariablesPathPolicy `hcl:"path"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL