Package acl
Constants
const (
	// PolicyDeny denies access to the resource the policy is attached to.
	PolicyDeny = "deny"
	// PolicyRead permits read-only access.
	PolicyRead = "read"
	// PolicyWrite permits write access.
	// NOTE(review): these appear to be the accepted values of the Policy
	// field on the per-resource policy types below — confirm against Parse.
	PolicyWrite = "write"
)
func RuleID ¶
func RuleID(rules string) string
RuleID is used to generate an ID for a rule
type ACL ¶
ACL is the interface for policy enforcement.
type ACL interface {
	// ACLList checks for permission to list all the ACLs.
	ACLList() bool
	// ACLModify checks for permission to manipulate ACLs.
	ACLModify() bool
	// AgentRead checks for permission to read from agent endpoints for a
	// given node.
	AgentRead(string) bool
	// AgentWrite checks for permission to make changes via agent endpoints
	// for a given node.
	AgentWrite(string) bool
	// EventRead determines if a specific event can be queried.
	EventRead(string) bool
	// EventWrite determines if a specific event may be fired.
	EventWrite(string) bool
	// KeyRead checks for permission to read a given key.
	KeyRead(string) bool
	// KeyWrite checks for permission to write a given key.
	KeyWrite(string) bool
	// KeyWritePrefix checks for permission to write to an
	// entire key prefix. This means there must be no sub-policies
	// that deny a write anywhere under the prefix; a single deny
	// beneath it makes the whole prefix unwritable.
	KeyWritePrefix(string) bool
	// KeyringRead determines if the encryption keyring used in
	// the gossip layer can be read.
	KeyringRead() bool
	// KeyringWrite determines if the keyring can be manipulated.
	KeyringWrite() bool
	// NodeRead checks for permission to read (discover) a given node.
	NodeRead(string) bool
	// NodeWrite checks for permission to create or update (register) a
	// given node.
	NodeWrite(string) bool
	// OperatorRead determines if the read-only Consul operator functions
	// can be used.
	OperatorRead() bool
	// OperatorWrite determines if the state-changing Consul operator
	// functions can be used.
	OperatorWrite() bool
	// PreparedQueryRead determines if a specific prepared query can be read
	// to show its contents (this is not used for execution).
	PreparedQueryRead(string) bool
	// PreparedQueryWrite determines if a specific prepared query can be
	// created, modified, or deleted.
	PreparedQueryWrite(string) bool
	// ServiceRead checks for permission to read a given service.
	ServiceRead(string) bool
	// ServiceWrite checks for permission to create or update a given
	// service.
	ServiceWrite(string) bool
	// SessionRead checks for permission to read sessions for a given node.
	SessionRead(string) bool
	// SessionWrite checks for permission to create sessions for a given
	// node.
	SessionWrite(string) bool
	// Snapshot checks for permission to take and restore snapshots.
	Snapshot() bool
}
func AllowAll ¶
func AllowAll() ACL
AllowAll returns an ACL rule that allows all operations
func DenyAll ¶
func DenyAll() ACL
DenyAll returns an ACL rule that denies all operations
func ManageAll ¶
func ManageAll() ACL
ManageAll returns an ACL rule that can manage all resources
func RootACL ¶
func RootACL(id string) ACL
RootACL returns a built-in ACL if the ID matches a root policy.
type AgentPolicy ¶
AgentPolicy represents a policy for working with agent endpoints on nodes with specific name prefixes.
type AgentPolicy struct {
	// Node is the node-name prefix this policy applies to; it is the
	// HCL block key.
	Node string `hcl:",key"`
	// Policy is the access level for the prefix (presumably one of the
	// Policy* constants — confirm against Parse).
	Policy string
}
func (*AgentPolicy) GoString ¶
func (a *AgentPolicy) GoString() string
type Cache ¶
Cache is used to implement policy and ACL caching
type Cache struct {
// contains filtered or unexported fields
}
func NewCache ¶
func NewCache(size int, faultfn FaultFunc) (*Cache, error)
NewCache constructs a new policy and ACL cache of a given size
func (*Cache) ClearACL ¶
func (c *Cache) ClearACL(id string)
ClearACL is used to clear the ACL cache if any
func (*Cache) GetACL ¶
func (c *Cache) GetACL(id string) (ACL, error)
GetACL is used to get a potentially cached ACL policy. If not cached, it will be generated and then cached.
func (*Cache) GetACLPolicy ¶
func (c *Cache) GetACLPolicy(id string) (string, *Policy, error)
GetACLPolicy is used to get the potentially cached ACL policy. If not cached, it will be generated and then cached.
func (*Cache) GetPolicy ¶
func (c *Cache) GetPolicy(rules string) (*Policy, error)
GetPolicy is used to get a potentially cached policy set. If not cached, it will be parsed, and then cached.
func (*Cache) Purge ¶
func (c *Cache) Purge()
Purge is used to clear all the ACL caches. The rule and policy caches are not purged, since they are content-hashed anyway.
type EventPolicy ¶
EventPolicy represents a user event policy.
type EventPolicy struct {
	// Event is the user event this policy applies to; it is the HCL
	// block key. NOTE(review): likely a name prefix as with the other
	// policy types — confirm.
	Event string `hcl:",key"`
	// Policy is the access level for the event (presumably one of the
	// Policy* constants — confirm against Parse).
	Policy string
}
func (*EventPolicy) GoString ¶
func (e *EventPolicy) GoString() string
type FaultFunc ¶
FaultFunc is a function used to fault in the parent and the rules for an ACL, given its ID.
type FaultFunc func(id string) (string, string, error)
type KeyPolicy ¶
KeyPolicy represents a policy for a key
type KeyPolicy struct {
	// Prefix is the key prefix this policy applies to; it is the HCL
	// block key.
	Prefix string `hcl:",key"`
	// Policy is the access level for the prefix (presumably one of the
	// Policy* constants — confirm against Parse).
	Policy string
}
func (*KeyPolicy) GoString ¶
func (k *KeyPolicy) GoString() string
type NodePolicy ¶
NodePolicy represents a policy for a node
type NodePolicy struct {
	// Name is the node name this policy applies to; it is the HCL block
	// key. NOTE(review): likely a name prefix as with the other policy
	// types — confirm.
	Name string `hcl:",key"`
	// Policy is the access level for the node (presumably one of the
	// Policy* constants — confirm against Parse).
	Policy string
}
func (*NodePolicy) GoString ¶
func (n *NodePolicy) GoString() string
type Policy ¶
Policy is used to represent the policy specified by an ACL configuration.
type Policy struct {
	// ID is not decoded from the HCL document (tag "-").
	ID string `hcl:"-"`
	// Agents holds the decoded "agent" blocks.
	Agents []*AgentPolicy `hcl:"agent,expand"`
	// Keys holds the decoded "key" blocks.
	Keys []*KeyPolicy `hcl:"key,expand"`
	// Nodes holds the decoded "node" blocks.
	Nodes []*NodePolicy `hcl:"node,expand"`
	// Services holds the decoded "service" blocks.
	Services []*ServicePolicy `hcl:"service,expand"`
	// Sessions holds the decoded "session" blocks.
	Sessions []*SessionPolicy `hcl:"session,expand"`
	// Events holds the decoded "event" blocks.
	Events []*EventPolicy `hcl:"event,expand"`
	// PreparedQueries holds the decoded "query" blocks.
	PreparedQueries []*PreparedQueryPolicy `hcl:"query,expand"`
	// Keyring is the policy for the gossip encryption keyring
	// (see ACL.KeyringRead / ACL.KeyringWrite).
	Keyring string `hcl:"keyring"`
	// Operator is the policy for the Consul operator functions
	// (see ACL.OperatorRead / ACL.OperatorWrite).
	Operator string `hcl:"operator"`
}
func Parse ¶
func Parse(rules string) (*Policy, error)
Parse is used to parse the specified ACL rules into an intermediate set of policies, before they are compiled into an ACL.
type PolicyACL ¶
PolicyACL is used to wrap a set of ACL policies to provide the ACL interface.
type PolicyACL struct {
// contains filtered or unexported fields
}
func New ¶
func New(parent ACL, policy *Policy) (*PolicyACL, error)
New is used to construct a policy-based ACL from a set of policies and a parent ACL that is consulted for cases the policies do not cover.
func (*PolicyACL) ACLList ¶
func (p *PolicyACL) ACLList() bool
ACLList checks if listing of ACLs is allowed
func (*PolicyACL) ACLModify ¶
func (p *PolicyACL) ACLModify() bool
ACLModify checks if modification of ACLs is allowed
func (*PolicyACL) AgentRead ¶
func (p *PolicyACL) AgentRead(node string) bool
AgentRead checks for permission to read from agent endpoints for a given node.
func (*PolicyACL) AgentWrite ¶
func (p *PolicyACL) AgentWrite(node string) bool
AgentWrite checks for permission to make changes via agent endpoints for a given node.
func (*PolicyACL) EventRead ¶
func (p *PolicyACL) EventRead(name string) bool
EventRead is used to determine if the policy allows for a specific user event to be read.
func (*PolicyACL) EventWrite ¶
func (p *PolicyACL) EventWrite(name string) bool
EventWrite is used to determine if new events can be created (fired) by the policy.
func (*PolicyACL) KeyRead ¶
func (p *PolicyACL) KeyRead(key string) bool
KeyRead returns if a key is allowed to be read
func (*PolicyACL) KeyWrite ¶
func (p *PolicyACL) KeyWrite(key string) bool
KeyWrite returns if a key is allowed to be written
func (*PolicyACL) KeyWritePrefix ¶
func (p *PolicyACL) KeyWritePrefix(prefix string) bool
KeyWritePrefix reports whether the entire prefix is allowed to be written, i.e. no sub-policy under the prefix denies a write.
func (*PolicyACL) KeyringRead ¶
func (p *PolicyACL) KeyringRead() bool
KeyringRead is used to determine if the keyring can be read by the current ACL token.
func (*PolicyACL) KeyringWrite ¶
func (p *PolicyACL) KeyringWrite() bool
KeyringWrite determines if the keyring can be manipulated.
func (*PolicyACL) NodeRead ¶
func (p *PolicyACL) NodeRead(name string) bool
NodeRead checks if reading (discovery) of a node is allowed
func (*PolicyACL) NodeWrite ¶
func (p *PolicyACL) NodeWrite(name string) bool
NodeWrite checks if writing (registering) a node is allowed
func (*PolicyACL) OperatorRead ¶
func (p *PolicyACL) OperatorRead() bool
OperatorRead determines if the read-only operator functions are allowed.
func (*PolicyACL) OperatorWrite ¶
func (p *PolicyACL) OperatorWrite() bool
OperatorWrite determines if the state-changing operator functions are allowed.
func (*PolicyACL) PreparedQueryRead ¶
func (p *PolicyACL) PreparedQueryRead(prefix string) bool
PreparedQueryRead checks if reading (listing) of a prepared query is allowed - this isn't execution, just listing its contents.
func (*PolicyACL) PreparedQueryWrite ¶
func (p *PolicyACL) PreparedQueryWrite(prefix string) bool
PreparedQueryWrite checks if writing (creating, updating, or deleting) of a prepared query is allowed.
func (*PolicyACL) ServiceRead ¶
func (p *PolicyACL) ServiceRead(name string) bool
ServiceRead checks if reading (discovery) of a service is allowed
func (*PolicyACL) ServiceWrite ¶
func (p *PolicyACL) ServiceWrite(name string) bool
ServiceWrite checks if writing (registering) a service is allowed
func (*PolicyACL) SessionRead ¶
func (p *PolicyACL) SessionRead(node string) bool
SessionRead checks for permission to read sessions for a given node.
func (*PolicyACL) SessionWrite ¶
func (p *PolicyACL) SessionWrite(node string) bool
SessionWrite checks for permission to create sessions for a given node.
func (*PolicyACL) Snapshot ¶
func (p *PolicyACL) Snapshot() bool
Snapshot checks if taking and restoring snapshots is allowed.
type PreparedQueryPolicy ¶
PreparedQueryPolicy represents a prepared query policy.
type PreparedQueryPolicy struct {
	// Prefix is the prepared-query name prefix this policy applies to; it
	// is the HCL block key.
	Prefix string `hcl:",key"`
	// Policy is the access level for the prefix (presumably one of the
	// Policy* constants — confirm against Parse).
	Policy string
}
func (*PreparedQueryPolicy) GoString ¶
func (p *PreparedQueryPolicy) GoString() string
type ServicePolicy ¶
ServicePolicy represents a policy for a service
type ServicePolicy struct {
	// Name is the service name this policy applies to; it is the HCL
	// block key. NOTE(review): likely a name prefix as with the other
	// policy types — confirm.
	Name string `hcl:",key"`
	// Policy is the access level for the service (presumably one of the
	// Policy* constants — confirm against Parse).
	Policy string
}
func (*ServicePolicy) GoString ¶
func (s *ServicePolicy) GoString() string
type SessionPolicy ¶
SessionPolicy represents a policy for making sessions tied to specific node name prefixes.
type SessionPolicy struct {
	// Node is the node-name prefix whose sessions this policy governs; it
	// is the HCL block key.
	Node string `hcl:",key"`
	// Policy is the access level for the prefix (presumably one of the
	// Policy* constants — confirm against Parse).
	Policy string
}
func (*SessionPolicy) GoString ¶
func (s *SessionPolicy) GoString() string
type StaticACL ¶
StaticACL is used to implement a base ACL policy. It either allows or denies all requests. This can be used as a parent ACL to act in a deny-list (default-allow) or allow-list (default-deny) mode.
type StaticACL struct {
// contains filtered or unexported fields
}
func (*StaticACL) ACLList ¶
func (s *StaticACL) ACLList() bool
func (*StaticACL) ACLModify ¶
func (s *StaticACL) ACLModify() bool
func (*StaticACL) AgentRead ¶
func (s *StaticACL) AgentRead(string) bool
func (*StaticACL) AgentWrite ¶
func (s *StaticACL) AgentWrite(string) bool
func (*StaticACL) EventRead ¶
func (s *StaticACL) EventRead(string) bool
func (*StaticACL) EventWrite ¶
func (s *StaticACL) EventWrite(string) bool
func (*StaticACL) KeyRead ¶
func (s *StaticACL) KeyRead(string) bool
func (*StaticACL) KeyWrite ¶
func (s *StaticACL) KeyWrite(string) bool
func (*StaticACL) KeyWritePrefix ¶
func (s *StaticACL) KeyWritePrefix(string) bool
func (*StaticACL) KeyringRead ¶
func (s *StaticACL) KeyringRead() bool
func (*StaticACL) KeyringWrite ¶
func (s *StaticACL) KeyringWrite() bool
func (*StaticACL) NodeRead ¶
func (s *StaticACL) NodeRead(string) bool
func (*StaticACL) NodeWrite ¶
func (s *StaticACL) NodeWrite(string) bool
func (*StaticACL) OperatorRead ¶
func (s *StaticACL) OperatorRead() bool
func (*StaticACL) OperatorWrite ¶
func (s *StaticACL) OperatorWrite() bool
func (*StaticACL) PreparedQueryRead ¶
func (s *StaticACL) PreparedQueryRead(string) bool
func (*StaticACL) PreparedQueryWrite ¶
func (s *StaticACL) PreparedQueryWrite(string) bool
func (*StaticACL) ServiceRead ¶
func (s *StaticACL) ServiceRead(string) bool
func (*StaticACL) ServiceWrite ¶
func (s *StaticACL) ServiceWrite(string) bool
func (*StaticACL) SessionRead ¶
func (s *StaticACL) SessionRead(string) bool
func (*StaticACL) SessionWrite ¶
func (s *StaticACL) SessionWrite(string) bool
func (*StaticACL) Snapshot ¶
func (s *StaticACL) Snapshot() bool