
Package acl


Published: May 22, 2019 | License: MPL-2.0 | Module: github.com/tencentyun/consul

Index

Constants

// Policy dispositions. These are the string values that appear in the Policy
// fields of the rule structs in this package (AgentPolicy, KeyPolicy, ...);
// presumably they are the only values those fields accept — confirm against
// NewPolicyFromSource.
const (
	PolicyDeny  = "deny"
	PolicyRead  = "read"
	PolicyWrite = "write"
	PolicyList  = "list"
)
const DefaultPolicyEnforcementLevel = "hard-mandatory"

DefaultPolicyEnforcementLevel will be used if the user leaves the level blank when configuring an ACL.

Variables

var (
	// ErrNotFound indicates there is no matching ACL.
	ErrNotFound = errors.New(errNotFound)

	// ErrRootDenied is returned when attempting to resolve a root ACL.
	ErrRootDenied = errors.New(errRootDenied)

	// ErrDisabled is returned when ACL changes are not permitted since
	// they are disabled.
	ErrDisabled = errors.New(errDisabled)

	// ErrPermissionDenied is returned when an ACL based rejection
	// happens. Unlike the other sentinels it is a PermissionDeniedError
	// value, so callers should use IsErrPermissionDenied rather than a
	// direct == comparison.
	ErrPermissionDenied = PermissionDeniedError{}

	// ErrInvalidParent is returned when a remotely resolved ACL
	// token claims to have a non-root parent.
	ErrInvalidParent = errors.New(errInvalidParent)
)

func IsErrDisabled

func IsErrDisabled(err error) bool

IsErrDisabled reports whether the given error's message matches that of ErrDisabled.

func IsErrNotFound

func IsErrNotFound(err error) bool

IsErrNotFound reports whether the given error's message matches that of ErrNotFound.

func IsErrPermissionDenied

func IsErrPermissionDenied(err error) bool

IsErrPermissionDenied reports whether the given error's message matches that of ErrPermissionDenied.

func IsErrRootDenied

func IsErrRootDenied(err error) bool

IsErrRootDenied reports whether the given error's message matches that of ErrRootDenied.

func TranslateLegacyRules

func TranslateLegacyRules(policyBytes []byte) ([]byte, error)

type AgentPolicy

// AgentPolicy represents a policy for working with agent endpoints on nodes
// with specific name prefixes.
type AgentPolicy struct {
	// Node receives the block key of the "agent"/"agent_prefix" rule, i.e.
	// the node name (or prefix) the rule applies to.
	Node   string `hcl:",key"`
	// Policy is the disposition for matching nodes (see PolicyDeny et al.).
	Policy string
}

AgentPolicy represents a policy for working with agent endpoints on nodes with specific name prefixes.

func (*AgentPolicy) GoString

func (a *AgentPolicy) GoString() string

type Authorizer

// Authorizer is the interface for policy enforcement. Every method reports
// whether the named operation is permitted; a false result is a denial.
type Authorizer interface {
	// ACLRead checks for permission to list all the ACLs
	ACLRead() bool

	// ACLWrite checks for permission to manipulate ACLs
	ACLWrite() bool

	// AgentRead checks for permission to read from agent endpoints for a
	// given node.
	AgentRead(string) bool

	// AgentWrite checks for permission to make changes via agent endpoints
	// for a given node.
	AgentWrite(string) bool

	// EventRead determines if a specific event can be queried.
	EventRead(string) bool

	// EventWrite determines if a specific event may be fired.
	EventWrite(string) bool

	// IntentionDefaultAllow determines the default authorized behavior
	// when no intentions match a Connect request.
	IntentionDefaultAllow() bool

	// IntentionRead determines if a specific intention can be read.
	IntentionRead(string) bool

	// IntentionWrite determines if a specific intention can be
	// created, modified, or deleted.
	IntentionWrite(string) bool

	// KeyList checks for permission to list keys under a prefix
	KeyList(string) bool

	// KeyRead checks for permission to read a given key
	KeyRead(string) bool

	// KeyWrite checks for permission to write a given key. The
	// sentinel.ScopeFn presumably supplies the scope that any Sentinel
	// code attached to the matching KeyPolicy is evaluated against —
	// confirm against the implementations.
	KeyWrite(string, sentinel.ScopeFn) bool

	// KeyWritePrefix checks for permission to write to an
	// entire key prefix. This means there must be no sub-policies
	// that deny a write.
	KeyWritePrefix(string) bool

	// KeyringRead determines if the encryption keyring used in
	// the gossip layer can be read.
	KeyringRead() bool

	// KeyringWrite determines if the keyring can be manipulated
	KeyringWrite() bool

	// NodeRead checks for permission to read (discover) a given node.
	NodeRead(string) bool

	// NodeWrite checks for permission to create or update (register) a
	// given node. The sentinel.ScopeFn argument plays the same role as in
	// KeyWrite.
	NodeWrite(string, sentinel.ScopeFn) bool

	// OperatorRead determines if the read-only Consul operator functions
	// can be used.
	OperatorRead() bool

	// OperatorWrite determines if the state-changing Consul operator
	// functions can be used.
	OperatorWrite() bool

	// PreparedQueryRead determines if a specific prepared query can be read
	// to show its contents (this is not used for execution).
	PreparedQueryRead(string) bool

	// PreparedQueryWrite determines if a specific prepared query can be
	// created, modified, or deleted.
	PreparedQueryWrite(string) bool

	// ServiceRead checks for permission to read a given service
	ServiceRead(string) bool

	// ServiceWrite checks for permission to create or update a given
	// service. The sentinel.ScopeFn argument plays the same role as in
	// KeyWrite.
	ServiceWrite(string, sentinel.ScopeFn) bool

	// SessionRead checks for permission to read sessions for a given node.
	SessionRead(string) bool

	// SessionWrite checks for permission to create sessions for a given
	// node.
	SessionWrite(string) bool

	// Snapshot checks for permission to take and restore snapshots.
	Snapshot() bool
}

Authorizer is the interface for policy enforcement.

func AllowAll

func AllowAll() Authorizer

AllowAll returns an Authorizer that allows all operations

func DenyAll

func DenyAll() Authorizer

DenyAll returns an Authorizer that denies all operations

func ManageAll

func ManageAll() Authorizer

ManageAll returns an Authorizer that can manage all resources

func RootAuthorizer

func RootAuthorizer(id string) Authorizer

RootAuthorizer returns an Authorizer if the given ID matches a root policy; it is the caller's responsibility to handle the case where no root policy matches.

type EventPolicy

// EventPolicy represents a user event policy.
type EventPolicy struct {
	// Event receives the block key of the "event"/"event_prefix" rule, i.e.
	// the event name (or prefix) the rule applies to.
	Event  string `hcl:",key"`
	// Policy is the disposition for matching events (see PolicyDeny et al.).
	Policy string
}

EventPolicy represents a user event policy.

func (*EventPolicy) GoString

func (e *EventPolicy) GoString() string

type KeyPolicy

// KeyPolicy represents a policy for a key.
type KeyPolicy struct {
	// Prefix receives the block key of the "key"/"key_prefix" rule, i.e.
	// the key (or key prefix) the rule applies to.
	Prefix   string `hcl:",key"`
	// Policy is the disposition for matching keys (see PolicyDeny et al.).
	Policy   string
	// Sentinel optionally attaches Sentinel code to the rule.
	Sentinel Sentinel
}

KeyPolicy represents a policy for a key

func (*KeyPolicy) GoString

func (k *KeyPolicy) GoString() string

type NodePolicy

// NodePolicy represents a policy for a node.
type NodePolicy struct {
	// Name receives the block key of the "node"/"node_prefix" rule, i.e.
	// the node name (or prefix) the rule applies to.
	Name     string `hcl:",key"`
	// Policy is the disposition for matching nodes (see PolicyDeny et al.).
	Policy   string
	// Sentinel optionally attaches Sentinel code to the rule.
	Sentinel Sentinel
}

NodePolicy represents a policy for a node

func (*NodePolicy) GoString

func (n *NodePolicy) GoString() string

type PermissionDeniedError

// PermissionDeniedError is the error type behind ErrPermissionDenied; it
// implements error via its Error method.
type PermissionDeniedError struct {
	// Cause presumably describes why the request was rejected and is
	// surfaced by Error() — confirm against the implementation.
	Cause string
}

func (PermissionDeniedError) Error

func (e PermissionDeniedError) Error() string

type Policy

// Policy is used to represent the policy specified by an ACL configuration.
// Each slice field below is populated from the HCL block named in its tag;
// the *Prefixes fields come from the "<name>_prefix" blocks and hold
// prefix-matched rules, the others from the exact-name blocks.
type Policy struct {
	// ID and Revision identify this policy; MergePolicies does not set ID.
	ID                    string                 `hcl:"id"`
	Revision              uint64                 `hcl:"revision"`
	// ACL is the disposition for ACL management itself.
	ACL                   string                 `hcl:"acl,expand"`
	Agents                []*AgentPolicy         `hcl:"agent,expand"`
	AgentPrefixes         []*AgentPolicy         `hcl:"agent_prefix,expand"`
	Keys                  []*KeyPolicy           `hcl:"key,expand"`
	KeyPrefixes           []*KeyPolicy           `hcl:"key_prefix,expand"`
	Nodes                 []*NodePolicy          `hcl:"node,expand"`
	NodePrefixes          []*NodePolicy          `hcl:"node_prefix,expand"`
	Services              []*ServicePolicy       `hcl:"service,expand"`
	ServicePrefixes       []*ServicePolicy       `hcl:"service_prefix,expand"`
	Sessions              []*SessionPolicy       `hcl:"session,expand"`
	SessionPrefixes       []*SessionPolicy       `hcl:"session_prefix,expand"`
	Events                []*EventPolicy         `hcl:"event,expand"`
	EventPrefixes         []*EventPolicy         `hcl:"event_prefix,expand"`
	PreparedQueries       []*PreparedQueryPolicy `hcl:"query,expand"`
	PreparedQueryPrefixes []*PreparedQueryPolicy `hcl:"query_prefix,expand"`
	// Keyring and Operator are single dispositions for the gossip keyring
	// and the operator endpoints respectively.
	Keyring               string                 `hcl:"keyring"`
	Operator              string                 `hcl:"operator"`
}

Policy is used to represent the policy specified by an ACL configuration.

func MergePolicies

func MergePolicies(policies []*Policy) *Policy

MergePolicies merges multiple ACL policies into one policy. This function will not set either the ID or the Scope fields of the resulting policy, as it is up to the caller to determine what the merged value is.

func NewPolicyFromSource

func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, sentinel sentinel.Evaluator) (*Policy, error)

NewPolicyFromSource is used to parse the specified ACL rules into an intermediate set of policies, before they are compiled into the ACL.

func (*Policy) ConvertFromLegacy

func (policy *Policy) ConvertFromLegacy() *Policy

func (*Policy) ConvertToLegacy

func (policy *Policy) ConvertToLegacy() *Policy

type PolicyAuthorizer

type PolicyAuthorizer struct {
	// contains filtered or unexported fields
}

PolicyAuthorizer is used to wrap a set of ACL policies to provide the Authorizer interface.

func NewPolicyAuthorizer

func NewPolicyAuthorizer(parent Authorizer, policies []*Policy, sentinel sentinel.Evaluator) (*PolicyAuthorizer, error)

NewPolicyAuthorizer is used to construct a policy based ACL from a set of policies and a parent policy to resolve missing cases.

func (*PolicyAuthorizer) ACLRead

func (p *PolicyAuthorizer) ACLRead() bool

ACLRead checks if listing of ACLs is allowed

func (*PolicyAuthorizer) ACLWrite

func (p *PolicyAuthorizer) ACLWrite() bool

ACLWrite checks if modification of ACLs is allowed

func (*PolicyAuthorizer) AgentRead

func (p *PolicyAuthorizer) AgentRead(node string) bool

AgentRead checks for permission to read from agent endpoints for a given node.

func (*PolicyAuthorizer) AgentWrite

func (p *PolicyAuthorizer) AgentWrite(node string) bool

AgentWrite checks for permission to make changes via agent endpoints for a given node.

func (*PolicyAuthorizer) EventRead

func (p *PolicyAuthorizer) EventRead(name string) bool

EventRead is used to determine if the policy allows for a specific user event to be read.

func (*PolicyAuthorizer) EventWrite

func (p *PolicyAuthorizer) EventWrite(name string) bool

EventWrite is used to determine if new events can be created (fired) by the policy.

func (*PolicyAuthorizer) IntentionDefaultAllow

func (p *PolicyAuthorizer) IntentionDefaultAllow() bool

IntentionDefaultAllow returns whether the default behavior when there are no matching intentions is to allow or deny.

func (*PolicyAuthorizer) IntentionRead

func (p *PolicyAuthorizer) IntentionRead(prefix string) bool

IntentionRead checks if reading of an intention is allowed.

func (*PolicyAuthorizer) IntentionWrite

func (p *PolicyAuthorizer) IntentionWrite(prefix string) bool

IntentionWrite checks if writing (creating, updating, or deleting) of an intention is allowed.

func (*PolicyAuthorizer) KeyList

func (p *PolicyAuthorizer) KeyList(key string) bool

KeyList reports whether the keys under the given key are allowed to be listed.

func (*PolicyAuthorizer) KeyRead

func (p *PolicyAuthorizer) KeyRead(key string) bool

KeyRead reports whether the given key is allowed to be read.

func (*PolicyAuthorizer) KeyWrite

func (p *PolicyAuthorizer) KeyWrite(key string, scope sentinel.ScopeFn) bool

KeyWrite reports whether the given key is allowed to be written.

func (*PolicyAuthorizer) KeyWritePrefix

func (p *PolicyAuthorizer) KeyWritePrefix(prefix string) bool

KeyWritePrefix reports whether the given prefix is allowed to be written.

This is mainly used to detect whether a whole tree within the KV can be removed. For that reason we must be able to delete everything under the prefix: first we must have "write" on the prefix itself, and no sub-policy beneath the prefix may deny a write.

func (*PolicyAuthorizer) KeyringRead

func (p *PolicyAuthorizer) KeyringRead() bool

KeyringRead is used to determine if the keyring can be read by the current ACL token.

func (*PolicyAuthorizer) KeyringWrite

func (p *PolicyAuthorizer) KeyringWrite() bool

KeyringWrite determines if the keyring can be manipulated.

func (*PolicyAuthorizer) NodeRead

func (p *PolicyAuthorizer) NodeRead(name string) bool

NodeRead checks if reading (discovery) of a node is allowed

func (*PolicyAuthorizer) NodeWrite

func (p *PolicyAuthorizer) NodeWrite(name string, scope sentinel.ScopeFn) bool

NodeWrite checks if writing (registering) a node is allowed

func (*PolicyAuthorizer) OperatorRead

func (p *PolicyAuthorizer) OperatorRead() bool

OperatorRead determines if the read-only operator functions are allowed.

func (*PolicyAuthorizer) OperatorWrite

func (p *PolicyAuthorizer) OperatorWrite() bool

OperatorWrite determines if the state-changing operator functions are allowed.

func (*PolicyAuthorizer) PreparedQueryRead

func (p *PolicyAuthorizer) PreparedQueryRead(prefix string) bool

PreparedQueryRead checks if reading (listing) of a prepared query is allowed - this isn't execution, just listing its contents.

func (*PolicyAuthorizer) PreparedQueryWrite

func (p *PolicyAuthorizer) PreparedQueryWrite(prefix string) bool

PreparedQueryWrite checks if writing (creating, updating, or deleting) of a prepared query is allowed.

func (*PolicyAuthorizer) ServiceRead

func (p *PolicyAuthorizer) ServiceRead(name string) bool

ServiceRead checks if reading (discovery) of a service is allowed

func (*PolicyAuthorizer) ServiceWrite

func (p *PolicyAuthorizer) ServiceWrite(name string, scope sentinel.ScopeFn) bool

ServiceWrite checks if writing (registering) a service is allowed

func (*PolicyAuthorizer) SessionRead

func (p *PolicyAuthorizer) SessionRead(node string) bool

SessionRead checks for permission to read sessions for a given node.

func (*PolicyAuthorizer) SessionWrite

func (p *PolicyAuthorizer) SessionWrite(node string) bool

SessionWrite checks for permission to create sessions for a given node.

func (*PolicyAuthorizer) Snapshot

func (p *PolicyAuthorizer) Snapshot() bool

Snapshot checks if taking and restoring snapshots is allowed.

type PreparedQueryPolicy

// PreparedQueryPolicy represents a prepared query policy.
type PreparedQueryPolicy struct {
	// Prefix receives the block key of the "query"/"query_prefix" rule, i.e.
	// the prepared query name (or prefix) the rule applies to.
	Prefix string `hcl:",key"`
	// Policy is the disposition for matching queries (see PolicyDeny et al.).
	Policy string
}

PreparedQueryPolicy represents a prepared query policy.

func (*PreparedQueryPolicy) GoString

func (p *PreparedQueryPolicy) GoString() string

type RulePolicy

type RulePolicy struct {
	// contains filtered or unexported fields
}

RulePolicy binds a regular ACL policy along with an optional piece of code to execute.

type Sentinel

// Sentinel defines a snippet of Sentinel code that can be attached to a policy.
type Sentinel struct {
	// Code is the Sentinel source to evaluate.
	Code             string
	// EnforcementLevel controls how a failing evaluation is treated;
	// DefaultPolicyEnforcementLevel is used when this is left blank.
	EnforcementLevel string
}

Sentinel defines a snippet of Sentinel code that can be attached to a policy.

type ServicePolicy

// ServicePolicy represents a policy for a service.
type ServicePolicy struct {
	// Name receives the block key of the "service"/"service_prefix" rule,
	// i.e. the service name (or prefix) the rule applies to.
	Name     string `hcl:",key"`
	// Policy is the disposition for matching services (see PolicyDeny et al.).
	Policy   string
	// Sentinel optionally attaches Sentinel code to the rule.
	Sentinel Sentinel

	// Intentions is the policy for intentions where this service is the
	// destination. This may be empty, in which case the Policy determines
	// the intentions policy.
	Intentions string
}

ServicePolicy represents a policy for a service

func (*ServicePolicy) GoString

func (s *ServicePolicy) GoString() string

type SessionPolicy

// SessionPolicy represents a policy for making sessions tied to specific
// node name prefixes.
type SessionPolicy struct {
	// Node receives the block key of the "session"/"session_prefix" rule,
	// i.e. the node name (or prefix) the rule applies to.
	Node   string `hcl:",key"`
	// Policy is the disposition for sessions on matching nodes (see
	// PolicyDeny et al.).
	Policy string
}

SessionPolicy represents a policy for making sessions tied to specific node name prefixes.

func (*SessionPolicy) GoString

func (s *SessionPolicy) GoString() string

type StaticAuthorizer

type StaticAuthorizer struct {
	// contains filtered or unexported fields
}

StaticAuthorizer is used to implement a base ACL policy. It either allows or denies all requests. This can be used as a parent ACL to act in deny-list (blacklist) or allow-list (whitelist) mode.

func (*StaticAuthorizer) ACLRead

func (s *StaticAuthorizer) ACLRead() bool

func (*StaticAuthorizer) ACLWrite

func (s *StaticAuthorizer) ACLWrite() bool

func (*StaticAuthorizer) AgentRead

func (s *StaticAuthorizer) AgentRead(string) bool

func (*StaticAuthorizer) AgentWrite

func (s *StaticAuthorizer) AgentWrite(string) bool

func (*StaticAuthorizer) EventRead

func (s *StaticAuthorizer) EventRead(string) bool

func (*StaticAuthorizer) EventWrite

func (s *StaticAuthorizer) EventWrite(string) bool

func (*StaticAuthorizer) IntentionDefaultAllow

func (s *StaticAuthorizer) IntentionDefaultAllow() bool

func (*StaticAuthorizer) IntentionRead

func (s *StaticAuthorizer) IntentionRead(string) bool

func (*StaticAuthorizer) IntentionWrite

func (s *StaticAuthorizer) IntentionWrite(string) bool

func (*StaticAuthorizer) KeyList

func (s *StaticAuthorizer) KeyList(string) bool

func (*StaticAuthorizer) KeyRead

func (s *StaticAuthorizer) KeyRead(string) bool

func (*StaticAuthorizer) KeyWrite

func (s *StaticAuthorizer) KeyWrite(string, sentinel.ScopeFn) bool

func (*StaticAuthorizer) KeyWritePrefix

func (s *StaticAuthorizer) KeyWritePrefix(string) bool

func (*StaticAuthorizer) KeyringRead

func (s *StaticAuthorizer) KeyringRead() bool

func (*StaticAuthorizer) KeyringWrite

func (s *StaticAuthorizer) KeyringWrite() bool

func (*StaticAuthorizer) NodeRead

func (s *StaticAuthorizer) NodeRead(string) bool

func (*StaticAuthorizer) NodeWrite

func (s *StaticAuthorizer) NodeWrite(string, sentinel.ScopeFn) bool

func (*StaticAuthorizer) OperatorRead

func (s *StaticAuthorizer) OperatorRead() bool

func (*StaticAuthorizer) OperatorWrite

func (s *StaticAuthorizer) OperatorWrite() bool

func (*StaticAuthorizer) PreparedQueryRead

func (s *StaticAuthorizer) PreparedQueryRead(string) bool

func (*StaticAuthorizer) PreparedQueryWrite

func (s *StaticAuthorizer) PreparedQueryWrite(string) bool

func (*StaticAuthorizer) ServiceRead

func (s *StaticAuthorizer) ServiceRead(string) bool

func (*StaticAuthorizer) ServiceWrite

func (s *StaticAuthorizer) ServiceWrite(string, sentinel.ScopeFn) bool

func (*StaticAuthorizer) SessionRead

func (s *StaticAuthorizer) SessionRead(string) bool

func (*StaticAuthorizer) SessionWrite

func (s *StaticAuthorizer) SessionWrite(string) bool

func (*StaticAuthorizer) Snapshot

func (s *StaticAuthorizer) Snapshot() bool

type SyntaxVersion

// SyntaxVersion selects which ACL rule syntax NewPolicyFromSource parses.
type SyntaxVersion int

const (
	// SyntaxCurrent is the current rule syntax.
	SyntaxCurrent SyntaxVersion = iota
	// SyntaxLegacy is the older rule syntax; TranslateLegacyRules converts
	// rules written in it.
	SyntaxLegacy
)
