Documentation ¶
Index ¶
- Constants
- Variables
- func IsErrDisabled(err error) bool
- func IsErrNotFound(err error) bool
- func IsErrPermissionDenied(err error) bool
- func IsErrRootDenied(err error) bool
- func TranslateLegacyRules(policyBytes []byte) ([]byte, error)
- type AgentPolicy
- type Authorizer
- type EventPolicy
- type KeyPolicy
- type NodePolicy
- type PermissionDeniedError
- type Policy
- type PolicyAuthorizer
- func (p *PolicyAuthorizer) ACLRead() bool
- func (p *PolicyAuthorizer) ACLWrite() bool
- func (p *PolicyAuthorizer) AgentRead(node string) bool
- func (p *PolicyAuthorizer) AgentWrite(node string) bool
- func (p *PolicyAuthorizer) EventRead(name string) bool
- func (p *PolicyAuthorizer) EventWrite(name string) bool
- func (p *PolicyAuthorizer) IntentionDefaultAllow() bool
- func (p *PolicyAuthorizer) IntentionRead(prefix string) bool
- func (p *PolicyAuthorizer) IntentionWrite(prefix string) bool
- func (p *PolicyAuthorizer) KeyList(key string) bool
- func (p *PolicyAuthorizer) KeyRead(key string) bool
- func (p *PolicyAuthorizer) KeyWrite(key string, scope sentinel.ScopeFn) bool
- func (p *PolicyAuthorizer) KeyWritePrefix(prefix string) bool
- func (p *PolicyAuthorizer) KeyringRead() bool
- func (p *PolicyAuthorizer) KeyringWrite() bool
- func (p *PolicyAuthorizer) NodeRead(name string) bool
- func (p *PolicyAuthorizer) NodeWrite(name string, scope sentinel.ScopeFn) bool
- func (p *PolicyAuthorizer) OperatorRead() bool
- func (p *PolicyAuthorizer) OperatorWrite() bool
- func (p *PolicyAuthorizer) PreparedQueryRead(prefix string) bool
- func (p *PolicyAuthorizer) PreparedQueryWrite(prefix string) bool
- func (p *PolicyAuthorizer) ServiceRead(name string) bool
- func (p *PolicyAuthorizer) ServiceWrite(name string, scope sentinel.ScopeFn) bool
- func (p *PolicyAuthorizer) SessionRead(node string) bool
- func (p *PolicyAuthorizer) SessionWrite(node string) bool
- func (p *PolicyAuthorizer) Snapshot() bool
- type PreparedQueryPolicy
- type RulePolicy
- type Sentinel
- type ServicePolicy
- type SessionPolicy
- type StaticAuthorizer
- func (s *StaticAuthorizer) ACLRead() bool
- func (s *StaticAuthorizer) ACLWrite() bool
- func (s *StaticAuthorizer) AgentRead(string) bool
- func (s *StaticAuthorizer) AgentWrite(string) bool
- func (s *StaticAuthorizer) EventRead(string) bool
- func (s *StaticAuthorizer) EventWrite(string) bool
- func (s *StaticAuthorizer) IntentionDefaultAllow() bool
- func (s *StaticAuthorizer) IntentionRead(string) bool
- func (s *StaticAuthorizer) IntentionWrite(string) bool
- func (s *StaticAuthorizer) KeyList(string) bool
- func (s *StaticAuthorizer) KeyRead(string) bool
- func (s *StaticAuthorizer) KeyWrite(string, sentinel.ScopeFn) bool
- func (s *StaticAuthorizer) KeyWritePrefix(string) bool
- func (s *StaticAuthorizer) KeyringRead() bool
- func (s *StaticAuthorizer) KeyringWrite() bool
- func (s *StaticAuthorizer) NodeRead(string) bool
- func (s *StaticAuthorizer) NodeWrite(string, sentinel.ScopeFn) bool
- func (s *StaticAuthorizer) OperatorRead() bool
- func (s *StaticAuthorizer) OperatorWrite() bool
- func (s *StaticAuthorizer) PreparedQueryRead(string) bool
- func (s *StaticAuthorizer) PreparedQueryWrite(string) bool
- func (s *StaticAuthorizer) ServiceRead(string) bool
- func (s *StaticAuthorizer) ServiceWrite(string, sentinel.ScopeFn) bool
- func (s *StaticAuthorizer) SessionRead(string) bool
- func (s *StaticAuthorizer) SessionWrite(string) bool
- func (s *StaticAuthorizer) Snapshot() bool
- type SyntaxVersion
Constants ¶
const ( PolicyDeny = "deny" PolicyRead = "read" PolicyWrite = "write" PolicyList = "list" )
const DefaultPolicyEnforcementLevel = "hard-mandatory"
DefaultPolicyEnforcementLevel will be used if the user leaves the level blank when configuring an ACL.
Variables ¶
var ( // ErrNotFound indicates there is no matching ACL. ErrNotFound = errors.New(errNotFound) // ErrRootDenied is returned when attempting to resolve a root ACL. ErrRootDenied = errors.New(errRootDenied) // ErrDisabled is returned when ACL changes are not permitted since // they are disabled. ErrDisabled = errors.New(errDisabled) // ErrPermissionDenied is returned when an ACL based rejection // happens. ErrPermissionDenied = PermissionDeniedError{} // ErrInvalidParent is returned when a remotely resolve ACL // token claims to have a non-root parent ErrInvalidParent = errors.New(errInvalidParent) )
Functions ¶
func IsErrDisabled ¶ added in v0.9.3
IsErrDisabled checks if the given error message is comparable to ErrDisabled.
func IsErrNotFound ¶ added in v0.9.3
IsErrNotFound checks if the given error message is comparable to ErrNotFound.
func IsErrPermissionDenied ¶ added in v0.9.3
IsErrPermissionDenied checks if the given error message is comparable to ErrPermissionDenied.
func IsErrRootDenied ¶ added in v0.9.3
IsErrRootDenied checks if the given error message is comparable to ErrRootDenied.
func TranslateLegacyRules ¶ added in v1.4.5
Types ¶
type AgentPolicy ¶ added in v0.7.3
AgentPolicy represents a policy for working with agent endpoints on nodes with specific name prefixes.
func (*AgentPolicy) GoString ¶ added in v0.7.3
func (a *AgentPolicy) GoString() string
type Authorizer ¶ added in v1.4.5
type Authorizer interface { // ACLRead checks for permission to list all the ACLs ACLRead() bool // ACLWrite checks for permission to manipulate ACLs ACLWrite() bool // AgentRead checks for permission to read from agent endpoints for a // given node. AgentRead(string) bool // AgentWrite checks for permission to make changes via agent endpoints // for a given node. AgentWrite(string) bool // EventRead determines if a specific event can be queried. EventRead(string) bool // EventWrite determines if a specific event may be fired. EventWrite(string) bool // IntentionDefaultAllow determines the default authorized behavior // when no intentions match a Connect request. IntentionDefaultAllow() bool // IntentionRead determines if a specific intention can be read. IntentionRead(string) bool // IntentionWrite determines if a specific intention can be // created, modified, or deleted. IntentionWrite(string) bool // KeyList checks for permission to list keys under a prefix KeyList(string) bool // KeyRead checks for permission to read a given key KeyRead(string) bool // KeyWrite checks for permission to write a given key KeyWrite(string, sentinel.ScopeFn) bool // KeyWritePrefix checks for permission to write to an // entire key prefix. This means there must be no sub-policies // that deny a write. KeyWritePrefix(string) bool // KeyringRead determines if the encryption keyring used in // the gossip layer can be read. KeyringRead() bool // KeyringWrite determines if the keyring can be manipulated KeyringWrite() bool // NodeRead checks for permission to read (discover) a given node. NodeRead(string) bool // NodeWrite checks for permission to create or update (register) a // given node. NodeWrite(string, sentinel.ScopeFn) bool // OperatorRead determines if the read-only Consul operator functions // can be used. OperatorRead() bool // OperatorWrite determines if the state-changing Consul operator // functions can be used. OperatorWrite() bool // PreparedQueryRead determines if a specific prepared query can be read // to show its contents (this is not used for execution). PreparedQueryRead(string) bool // PreparedQueryWrite determines if a specific prepared query can be // created, modified, or deleted. PreparedQueryWrite(string) bool // ServiceRead checks for permission to read a given service ServiceRead(string) bool // ServiceWrite checks for permission to create or update a given // service ServiceWrite(string, sentinel.ScopeFn) bool // SessionRead checks for permission to read sessions for a given node. SessionRead(string) bool // SessionWrite checks for permission to create sessions for a given // node. SessionWrite(string) bool // Snapshot checks for permission to take and restore snapshots. Snapshot() bool }
Authorizer is the interface for policy enforcement.
func AllowAll ¶
func AllowAll() Authorizer
AllowAll returns an Authorizer that allows all operations
func ManageAll ¶
func ManageAll() Authorizer
ManageAll returns an Authorizer that can manage all resources
func RootAuthorizer ¶ added in v1.4.5
func RootAuthorizer(id string) Authorizer
RootAuthorizer returns a possible Authorizer if the ID matches a root policy
type EventPolicy ¶
EventPolicy represents a user event policy.
func (*EventPolicy) GoString ¶
func (e *EventPolicy) GoString() string
type NodePolicy ¶ added in v0.7.3
NodePolicy represents a policy for a node
func (*NodePolicy) GoString ¶ added in v0.7.3
func (n *NodePolicy) GoString() string
type PermissionDeniedError ¶ added in v0.9.3
type PermissionDeniedError struct {
Cause string
}
func (PermissionDeniedError) Error ¶ added in v0.9.3
func (e PermissionDeniedError) Error() string
type Policy ¶
type Policy struct { ID string `hcl:"id"` Revision uint64 `hcl:"revision"` ACL string `hcl:"acl,expand"` Agents []*AgentPolicy `hcl:"agent,expand"` AgentPrefixes []*AgentPolicy `hcl:"agent_prefix,expand"` Keys []*KeyPolicy `hcl:"key,expand"` KeyPrefixes []*KeyPolicy `hcl:"key_prefix,expand"` Nodes []*NodePolicy `hcl:"node,expand"` NodePrefixes []*NodePolicy `hcl:"node_prefix,expand"` Services []*ServicePolicy `hcl:"service,expand"` ServicePrefixes []*ServicePolicy `hcl:"service_prefix,expand"` Sessions []*SessionPolicy `hcl:"session,expand"` SessionPrefixes []*SessionPolicy `hcl:"session_prefix,expand"` Events []*EventPolicy `hcl:"event,expand"` EventPrefixes []*EventPolicy `hcl:"event_prefix,expand"` PreparedQueries []*PreparedQueryPolicy `hcl:"query,expand"` PreparedQueryPrefixes []*PreparedQueryPolicy `hcl:"query_prefix,expand"` Keyring string `hcl:"keyring"` Operator string `hcl:"operator"` }
Policy is used to represent the policy specified by an ACL configuration.
func MergePolicies ¶ added in v1.4.5
MergePolicies merges multiple ACL policies into one policy This function will not set either the ID or the Scope fields of the resulting policy as its up to the caller to determine what the merged value is.
func NewPolicyFromSource ¶ added in v1.4.5
func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, sentinel sentinel.Evaluator) (*Policy, error)
NewPolicyFromSource is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL
func (*Policy) ConvertFromLegacy ¶ added in v1.4.5
func (*Policy) ConvertToLegacy ¶ added in v1.4.5
type PolicyAuthorizer ¶ added in v1.4.5
type PolicyAuthorizer struct {
// contains filtered or unexported fields
}
PolicyAuthorizer is used to wrap a set of ACL policies to provide the Authorizer interface.
func NewPolicyAuthorizer ¶ added in v1.4.5
func NewPolicyAuthorizer(parent Authorizer, policies []*Policy, sentinel sentinel.Evaluator) (*PolicyAuthorizer, error)
NewPolicyAuthorizer is used to construct a policy based ACL from a set of policies and a parent policy to resolve missing cases.
func (*PolicyAuthorizer) ACLRead ¶ added in v1.4.5
func (p *PolicyAuthorizer) ACLRead() bool
ACLRead checks if listing of ACLs is allowed
func (*PolicyAuthorizer) ACLWrite ¶ added in v1.4.5
func (p *PolicyAuthorizer) ACLWrite() bool
ACLWrite checks if modification of ACLs is allowed
func (*PolicyAuthorizer) AgentRead ¶ added in v1.4.5
func (p *PolicyAuthorizer) AgentRead(node string) bool
AgentRead checks for permission to read from agent endpoints for a given node.
func (*PolicyAuthorizer) AgentWrite ¶ added in v1.4.5
func (p *PolicyAuthorizer) AgentWrite(node string) bool
AgentWrite checks for permission to make changes via agent endpoints for a given node.
func (*PolicyAuthorizer) EventRead ¶ added in v1.4.5
func (p *PolicyAuthorizer) EventRead(name string) bool
EventRead is used to determine if the policy allows for a specific user event to be read.
func (*PolicyAuthorizer) EventWrite ¶ added in v1.4.5
func (p *PolicyAuthorizer) EventWrite(name string) bool
EventWrite is used to determine if new events can be created (fired) by the policy.
func (*PolicyAuthorizer) IntentionDefaultAllow ¶ added in v1.4.5
func (p *PolicyAuthorizer) IntentionDefaultAllow() bool
IntentionDefaultAllow returns whether the default behavior when there are no matching intentions is to allow or deny.
func (*PolicyAuthorizer) IntentionRead ¶ added in v1.4.5
func (p *PolicyAuthorizer) IntentionRead(prefix string) bool
IntentionRead checks if writing (creating, updating, or deleting) of an intention is allowed.
func (*PolicyAuthorizer) IntentionWrite ¶ added in v1.4.5
func (p *PolicyAuthorizer) IntentionWrite(prefix string) bool
IntentionWrite checks if writing (creating, updating, or deleting) of an intention is allowed.
func (*PolicyAuthorizer) KeyList ¶ added in v1.4.5
func (p *PolicyAuthorizer) KeyList(key string) bool
KeyList returns if a key is allowed to be listed
func (*PolicyAuthorizer) KeyRead ¶ added in v1.4.5
func (p *PolicyAuthorizer) KeyRead(key string) bool
KeyRead returns if a key is allowed to be read
func (*PolicyAuthorizer) KeyWrite ¶ added in v1.4.5
func (p *PolicyAuthorizer) KeyWrite(key string, scope sentinel.ScopeFn) bool
KeyWrite returns if a key is allowed to be written
func (*PolicyAuthorizer) KeyWritePrefix ¶ added in v1.4.5
func (p *PolicyAuthorizer) KeyWritePrefix(prefix string) bool
KeyWritePrefix returns if a prefix is allowed to be written
This is mainly used to detect whether a whole tree within the KV can be removed. For that reason we must be able to delete everything under the prefix. First we must have "write" on the prefix itself
func (*PolicyAuthorizer) KeyringRead ¶ added in v1.4.5
func (p *PolicyAuthorizer) KeyringRead() bool
KeyringRead is used to determine if the keyring can be read by the current ACL token.
func (*PolicyAuthorizer) KeyringWrite ¶ added in v1.4.5
func (p *PolicyAuthorizer) KeyringWrite() bool
KeyringWrite determines if the keyring can be manipulated.
func (*PolicyAuthorizer) NodeRead ¶ added in v1.4.5
func (p *PolicyAuthorizer) NodeRead(name string) bool
NodeRead checks if reading (discovery) of a node is allowed
func (*PolicyAuthorizer) NodeWrite ¶ added in v1.4.5
func (p *PolicyAuthorizer) NodeWrite(name string, scope sentinel.ScopeFn) bool
NodeWrite checks if writing (registering) a node is allowed
func (*PolicyAuthorizer) OperatorRead ¶ added in v1.4.5
func (p *PolicyAuthorizer) OperatorRead() bool
OperatorRead determines if the read-only operator functions are allowed.
func (*PolicyAuthorizer) OperatorWrite ¶ added in v1.4.5
func (p *PolicyAuthorizer) OperatorWrite() bool
OperatorWrite determines if the state-changing operator functions are allowed.
func (*PolicyAuthorizer) PreparedQueryRead ¶ added in v1.4.5
func (p *PolicyAuthorizer) PreparedQueryRead(prefix string) bool
PreparedQueryRead checks if reading (listing) of a prepared query is allowed - this isn't execution, just listing its contents.
func (*PolicyAuthorizer) PreparedQueryWrite ¶ added in v1.4.5
func (p *PolicyAuthorizer) PreparedQueryWrite(prefix string) bool
PreparedQueryWrite checks if writing (creating, updating, or deleting) of a prepared query is allowed.
func (*PolicyAuthorizer) ServiceRead ¶ added in v1.4.5
func (p *PolicyAuthorizer) ServiceRead(name string) bool
ServiceRead checks if reading (discovery) of a service is allowed
func (*PolicyAuthorizer) ServiceWrite ¶ added in v1.4.5
func (p *PolicyAuthorizer) ServiceWrite(name string, scope sentinel.ScopeFn) bool
ServiceWrite checks if writing (registering) a service is allowed
func (*PolicyAuthorizer) SessionRead ¶ added in v1.4.5
func (p *PolicyAuthorizer) SessionRead(node string) bool
SessionRead checks for permission to read sessions for a given node.
func (*PolicyAuthorizer) SessionWrite ¶ added in v1.4.5
func (p *PolicyAuthorizer) SessionWrite(node string) bool
SessionWrite checks for permission to create sessions for a given node.
func (*PolicyAuthorizer) Snapshot ¶ added in v1.4.5
func (p *PolicyAuthorizer) Snapshot() bool
Snapshot checks if taking and restoring snapshots is allowed.
type PreparedQueryPolicy ¶
PreparedQueryPolicy represents a prepared query policy.
func (*PreparedQueryPolicy) GoString ¶
func (p *PreparedQueryPolicy) GoString() string
type RulePolicy ¶ added in v1.4.5
type RulePolicy struct {
// contains filtered or unexported fields
}
RulePolicy binds a regular ACL policy along with an optional piece of code to execute.
type Sentinel ¶ added in v1.0.2
Sentinel defines a snippet of Sentinel code that can be attached to a policy.
type ServicePolicy ¶
type ServicePolicy struct { Name string `hcl:",key"` Policy string Sentinel Sentinel // Intentions is the policy for intentions where this service is the // destination. This may be empty, in which case the Policy determines // the intentions policy. Intentions string }
ServicePolicy represents a policy for a service
func (*ServicePolicy) GoString ¶
func (s *ServicePolicy) GoString() string
type SessionPolicy ¶ added in v0.7.3
SessionPolicy represents a policy for making sessions tied to specific node name prefixes.
func (*SessionPolicy) GoString ¶ added in v0.7.3
func (s *SessionPolicy) GoString() string
type StaticAuthorizer ¶ added in v1.4.5
type StaticAuthorizer struct {
// contains filtered or unexported fields
}
StaticAuthorizer is used to implement a base ACL policy. It either allows or denies all requests. This can be used as a parent ACL to act in a blacklist or whitelist mode.
func (*StaticAuthorizer) ACLRead ¶ added in v1.4.5
func (s *StaticAuthorizer) ACLRead() bool
func (*StaticAuthorizer) ACLWrite ¶ added in v1.4.5
func (s *StaticAuthorizer) ACLWrite() bool
func (*StaticAuthorizer) AgentRead ¶ added in v1.4.5
func (s *StaticAuthorizer) AgentRead(string) bool
func (*StaticAuthorizer) AgentWrite ¶ added in v1.4.5
func (s *StaticAuthorizer) AgentWrite(string) bool
func (*StaticAuthorizer) EventRead ¶ added in v1.4.5
func (s *StaticAuthorizer) EventRead(string) bool
func (*StaticAuthorizer) EventWrite ¶ added in v1.4.5
func (s *StaticAuthorizer) EventWrite(string) bool
func (*StaticAuthorizer) IntentionDefaultAllow ¶ added in v1.4.5
func (s *StaticAuthorizer) IntentionDefaultAllow() bool
func (*StaticAuthorizer) IntentionRead ¶ added in v1.4.5
func (s *StaticAuthorizer) IntentionRead(string) bool
func (*StaticAuthorizer) IntentionWrite ¶ added in v1.4.5
func (s *StaticAuthorizer) IntentionWrite(string) bool
func (*StaticAuthorizer) KeyList ¶ added in v1.4.5
func (s *StaticAuthorizer) KeyList(string) bool
func (*StaticAuthorizer) KeyRead ¶ added in v1.4.5
func (s *StaticAuthorizer) KeyRead(string) bool
func (*StaticAuthorizer) KeyWrite ¶ added in v1.4.5
func (s *StaticAuthorizer) KeyWrite(string, sentinel.ScopeFn) bool
func (*StaticAuthorizer) KeyWritePrefix ¶ added in v1.4.5
func (s *StaticAuthorizer) KeyWritePrefix(string) bool
func (*StaticAuthorizer) KeyringRead ¶ added in v1.4.5
func (s *StaticAuthorizer) KeyringRead() bool
func (*StaticAuthorizer) KeyringWrite ¶ added in v1.4.5
func (s *StaticAuthorizer) KeyringWrite() bool
func (*StaticAuthorizer) NodeRead ¶ added in v1.4.5
func (s *StaticAuthorizer) NodeRead(string) bool
func (*StaticAuthorizer) NodeWrite ¶ added in v1.4.5
func (s *StaticAuthorizer) NodeWrite(string, sentinel.ScopeFn) bool
func (*StaticAuthorizer) OperatorRead ¶ added in v1.4.5
func (s *StaticAuthorizer) OperatorRead() bool
func (*StaticAuthorizer) OperatorWrite ¶ added in v1.4.5
func (s *StaticAuthorizer) OperatorWrite() bool
func (*StaticAuthorizer) PreparedQueryRead ¶ added in v1.4.5
func (s *StaticAuthorizer) PreparedQueryRead(string) bool
func (*StaticAuthorizer) PreparedQueryWrite ¶ added in v1.4.5
func (s *StaticAuthorizer) PreparedQueryWrite(string) bool
func (*StaticAuthorizer) ServiceRead ¶ added in v1.4.5
func (s *StaticAuthorizer) ServiceRead(string) bool
func (*StaticAuthorizer) ServiceWrite ¶ added in v1.4.5
func (s *StaticAuthorizer) ServiceWrite(string, sentinel.ScopeFn) bool
func (*StaticAuthorizer) SessionRead ¶ added in v1.4.5
func (s *StaticAuthorizer) SessionRead(string) bool
func (*StaticAuthorizer) SessionWrite ¶ added in v1.4.5
func (s *StaticAuthorizer) SessionWrite(string) bool
func (*StaticAuthorizer) Snapshot ¶ added in v1.4.5
func (s *StaticAuthorizer) Snapshot() bool
type SyntaxVersion ¶ added in v1.4.5
type SyntaxVersion int
const ( SyntaxCurrent SyntaxVersion = iota SyntaxLegacy )