
Package acl

import "github.com/hashicorp/consul/acl"

Constants
func RuleID(rules string) string
type ACL
    func AllowAll() ACL
    func DenyAll() ACL
    func ManageAll() ACL
    func RootACL(id string) ACL
type AgentPolicy
    func (a *AgentPolicy) GoString() string
type Cache
    func NewCache(size int, faultfn FaultFunc) (*Cache, error)
    func (c *Cache) ClearACL(id string)
    func (c *Cache) GetACL(id string) (ACL, error)
    func (c *Cache) GetACLPolicy(id string) (string, *Policy, error)
    func (c *Cache) GetPolicy(rules string) (*Policy, error)
    func (c *Cache) Purge()
type EventPolicy
    func (e *EventPolicy) GoString() string
type FaultFunc
type KeyPolicy
    func (k *KeyPolicy) GoString() string
type NodePolicy
    func (n *NodePolicy) GoString() string
type Policy
    func Parse(rules string) (*Policy, error)
type PolicyACL
    func New(parent ACL, policy *Policy) (*PolicyACL, error)
    func (p *PolicyACL) ACLList() bool
    func (p *PolicyACL) ACLModify() bool
    func (p *PolicyACL) AgentRead(node string) bool
    func (p *PolicyACL) AgentWrite(node string) bool
    func (p *PolicyACL) EventRead(name string) bool
    func (p *PolicyACL) EventWrite(name string) bool
    func (p *PolicyACL) KeyRead(key string) bool
    func (p *PolicyACL) KeyWrite(key string) bool
    func (p *PolicyACL) KeyWritePrefix(prefix string) bool
    func (p *PolicyACL) KeyringRead() bool
    func (p *PolicyACL) KeyringWrite() bool
    func (p *PolicyACL) NodeRead(name string) bool
    func (p *PolicyACL) NodeWrite(name string) bool
    func (p *PolicyACL) OperatorRead() bool
    func (p *PolicyACL) OperatorWrite() bool
    func (p *PolicyACL) PreparedQueryRead(prefix string) bool
    func (p *PolicyACL) PreparedQueryWrite(prefix string) bool
    func (p *PolicyACL) ServiceRead(name string) bool
    func (p *PolicyACL) ServiceWrite(name string) bool
    func (p *PolicyACL) SessionRead(node string) bool
    func (p *PolicyACL) SessionWrite(node string) bool
    func (p *PolicyACL) Snapshot() bool
type PreparedQueryPolicy
    func (p *PreparedQueryPolicy) GoString() string
type ServicePolicy
    func (s *ServicePolicy) GoString() string
type SessionPolicy
    func (s *SessionPolicy) GoString() string
type StaticACL
    func (s *StaticACL) ACLList() bool
    func (s *StaticACL) ACLModify() bool
    func (s *StaticACL) AgentRead(string) bool
    func (s *StaticACL) AgentWrite(string) bool
    func (s *StaticACL) EventRead(string) bool
    func (s *StaticACL) EventWrite(string) bool
    func (s *StaticACL) KeyRead(string) bool
    func (s *StaticACL) KeyWrite(string) bool
    func (s *StaticACL) KeyWritePrefix(string) bool
    func (s *StaticACL) KeyringRead() bool
    func (s *StaticACL) KeyringWrite() bool
    func (s *StaticACL) NodeRead(string) bool
    func (s *StaticACL) NodeWrite(string) bool
    func (s *StaticACL) OperatorRead() bool
    func (s *StaticACL) OperatorWrite() bool
    func (s *StaticACL) PreparedQueryRead(string) bool
    func (s *StaticACL) PreparedQueryWrite(string) bool
    func (s *StaticACL) ServiceRead(string) bool
    func (s *StaticACL) ServiceWrite(string) bool
    func (s *StaticACL) SessionRead(string) bool
    func (s *StaticACL) SessionWrite(string) bool
    func (s *StaticACL) Snapshot() bool

Package files

acl.go cache.go policy.go

Constants

// Policy values used in the Policy field of the per-resource policy structs
// (AgentPolicy, KeyPolicy, NodePolicy, ServicePolicy, SessionPolicy,
// EventPolicy, PreparedQueryPolicy) and in Policy.Keyring / Policy.Operator.
// Any other string is not a recognised policy; whether Parse rejects it is
// not visible from this page — confirm in policy.go before relying on it.
const (
    PolicyDeny  = "deny"
    PolicyRead  = "read"
    PolicyWrite = "write"
)

func RuleID

func RuleID(rules string) string

RuleID generates an ID for a rule set from its content (the rule and policy caches are keyed on it; see Purge), so identical rule text always yields the same ID.

type ACL

ACL is the interface for policy enforcement.

// ACL is the interface for policy enforcement. Every method answers a single
// authorization question and returns true only when the operation is
// permitted; callers must treat false as a hard deny. Implementations are
// PolicyACL (rule-driven, with a parent ACL deciding anything the rules do
// not cover — see New) and StaticACL (allow-all or deny-all).
type ACL interface {
    // ACLList checks for permission to list all the ACLs
    ACLList() bool

    // ACLModify checks for permission to manipulate ACLs
    ACLModify() bool

    // AgentRead checks for permission to read from agent endpoints for a
    // given node.
    AgentRead(string) bool

    // AgentWrite checks for permission to make changes via agent endpoints
    // for a given node.
    AgentWrite(string) bool

    // EventRead determines if a specific event can be queried.
    EventRead(string) bool

    // EventWrite determines if a specific event may be fired.
    EventWrite(string) bool

    // KeyRead checks for permission to read a given key
    KeyRead(string) bool

    // KeyWrite checks for permission to write a given key
    KeyWrite(string) bool

    // KeyWritePrefix checks for permission to write to an
    // entire key prefix. This means there must be no sub-policies
    // that deny a write. It is therefore stricter than KeyWrite on the
    // prefix itself: a more specific rule beneath the prefix can make it
    // return false even when KeyWrite(prefix) is true.
    KeyWritePrefix(string) bool

    // KeyringRead determines if the encryption keyring used in
    // the gossip layer can be read.
    KeyringRead() bool

    // KeyringWrite determines if the keyring can be manipulated
    KeyringWrite() bool

    // NodeRead checks for permission to read (discover) a given node.
    NodeRead(string) bool

    // NodeWrite checks for permission to create or update (register) a
    // given node.
    NodeWrite(string) bool

    // OperatorRead determines if the read-only Consul operator functions
    // can be used.
    OperatorRead() bool

    // OperatorWrite determines if the state-changing Consul operator
    // functions can be used.
    OperatorWrite() bool

    // PreparedQueryRead determines if a specific prepared query can be read
    // to show its contents (this is not used for execution).
    PreparedQueryRead(string) bool

    // PreparedQueryWrite determines if a specific prepared query can be
    // created, modified, or deleted.
    PreparedQueryWrite(string) bool

    // ServiceRead checks for permission to read a given service
    ServiceRead(string) bool

    // ServiceWrite checks for permission to create or update a given
    // service
    ServiceWrite(string) bool

    // SessionRead checks for permission to read sessions for a given node.
    SessionRead(string) bool

    // SessionWrite checks for permission to create sessions for a given
    // node.
    SessionWrite(string) bool

    // Snapshot checks for permission to take and restore snapshots.
    Snapshot() bool
}

func AllowAll

func AllowAll() ACL

AllowAll returns an ACL that allows all operations. Note that ManageAll is listed separately as the ACL that can manage all resources; whether AllowAll also grants ACLList/ACLModify is not stated on this page — confirm in acl.go before using it where ACL management must be excluded.

func DenyAll

func DenyAll() ACL

DenyAll returns an ACL rule that denies all operations

func ManageAll

func ManageAll() ACL

ManageAll returns an ACL rule that can manage all resources

func RootACL

func RootACL(id string) ACL

RootACL returns the built-in ACL for a reserved root policy ID (such as the allow-all, deny-all or manage-all policies above) when id matches one; for any other ID it returns no ACL, and callers must check the result before use.

type AgentPolicy

AgentPolicy represents a policy for working with agent endpoints on nodes with specific name prefixes.

// AgentPolicy is one `agent "<node prefix>" { policy = "..." }` block of an
// ACL rule set.
type AgentPolicy struct {
    // Node is the HCL block key: the node-name prefix the rule applies to.
    Node   string `hcl:",key"`
    // Policy is one of PolicyDeny, PolicyRead or PolicyWrite.
    Policy string
}

func (*AgentPolicy) GoString

func (a *AgentPolicy) GoString() string

type Cache

Cache is used to implement policy and ACL caching

type Cache struct {
    // contains filtered or unexported fields
}

func NewCache

func NewCache(size int, faultfn FaultFunc) (*Cache, error)

NewCache constructs a new policy and ACL cache of a given size

func (*Cache) ClearACL

func (c *Cache) ClearACL(id string)

ClearACL removes the cached ACL for the given id, if one is present, so the next GetACL for that id is regenerated via the FaultFunc.

func (*Cache) GetACL

func (c *Cache) GetACL(id string) (ACL, error)

GetACL is used to get a potentially cached ACL policy. If not cached, it will be generated and then cached.

func (*Cache) GetACLPolicy

func (c *Cache) GetACLPolicy(id string) (string, *Policy, error)

GetACLPolicy is used to get the potentially cached ACL policy. If not cached, it will be generated and then cached.

func (*Cache) GetPolicy

func (c *Cache) GetPolicy(rules string) (*Policy, error)

GetPolicy is used to get a potentially cached policy set. If not cached, it will be parsed, and then cached.

func (*Cache) Purge

func (c *Cache) Purge()

Purge is used to clear all the ACL caches. The rule and policy caches are not purged, since they are keyed by a content hash of the rule text (see RuleID); an entry for a given hash can only ever describe that exact rule text, so it cannot become stale.

type EventPolicy

EventPolicy represents a user event policy.

// EventPolicy is one `event "<name>" { policy = "..." }` block of an ACL
// rule set.
type EventPolicy struct {
    // Event is the HCL block key naming the user event the rule applies to.
    Event  string `hcl:",key"`
    // Policy is one of PolicyDeny, PolicyRead or PolicyWrite.
    Policy string
}

func (*EventPolicy) GoString

func (e *EventPolicy) GoString() string

type FaultFunc

FaultFunc is a function used to fault in the parent ID and the rules for an ACL, given its ID. It is called by Cache on a miss; if it returns an error the ACL is not cached and the error is returned to the caller of GetACL.

type FaultFunc func(id string) (string, string, error)

type KeyPolicy

KeyPolicy represents a policy for all keys under a given prefix (the block key is a prefix, not an exact key name).

// KeyPolicy is one `key "<prefix>" { policy = "..." }` block of an ACL rule
// set.
type KeyPolicy struct {
    // Prefix is the HCL block key: the key prefix the rule applies to.
    // An empty prefix matches every key.
    Prefix string `hcl:",key"`
    // Policy is one of PolicyDeny, PolicyRead or PolicyWrite.
    Policy string
}

func (*KeyPolicy) GoString

func (k *KeyPolicy) GoString() string

type NodePolicy

NodePolicy represents a policy for a node

// NodePolicy is one `node "<name>" { policy = "..." }` block of an ACL rule
// set.
type NodePolicy struct {
    // Name is the HCL block key identifying the node(s) the rule applies to.
    Name   string `hcl:",key"`
    // Policy is one of PolicyDeny, PolicyRead or PolicyWrite.
    Policy string
}

func (*NodePolicy) GoString

func (n *NodePolicy) GoString() string

type Policy

Policy is used to represent the policy specified by an ACL configuration.

// Policy is the parsed form of one ACL rule set. The hcl tags give the block
// names used in the rule text; the "expand" option collects repeated blocks
// into the slices below.
type Policy struct {
    // ID is never read from the rule text (hcl:"-"); it is filled in by the
    // caller, presumably with RuleID(rules) — confirm in policy.go.
    ID              string                 `hcl:"-"`
    // Per-resource rule blocks, one entry per block in the rule text.
    Agents          []*AgentPolicy         `hcl:"agent,expand"`
    Keys            []*KeyPolicy           `hcl:"key,expand"`
    Nodes           []*NodePolicy          `hcl:"node,expand"`
    Services        []*ServicePolicy       `hcl:"service,expand"`
    Sessions        []*SessionPolicy       `hcl:"session,expand"`
    Events          []*EventPolicy         `hcl:"event,expand"`
    PreparedQueries []*PreparedQueryPolicy `hcl:"query,expand"`
    // Keyring and Operator are single policy values (PolicyDeny, PolicyRead
    // or PolicyWrite) rather than per-resource blocks; empty means the rule
    // set says nothing about them and the parent ACL decides.
    Keyring         string                 `hcl:"keyring"`
    Operator        string                 `hcl:"operator"`
}

func Parse

func Parse(rules string) (*Policy, error)

Parse is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into an ACL with New. A non-nil error means the rules must not be used; treat the rule text as untrusted input and reject the token rather than falling back to a more permissive ACL.

type PolicyACL

PolicyACL is used to wrap a set of ACL policies to provide the ACL interface.

type PolicyACL struct {
    // contains filtered or unexported fields
}

func New

func New(parent ACL, policy *Policy) (*PolicyACL, error)

New is used to construct a policy based ACL from a set of policies and a parent ACL. The parent decides every request that no rule in policy covers, so it sets the default posture: a DenyAll parent gives deny-by-default (allow-list) semantics, an AllowAll parent gives allow-by-default (deny-list) semantics.

func (*PolicyACL) ACLList

func (p *PolicyACL) ACLList() bool

ACLList checks if listing of ACLs is allowed

func (*PolicyACL) ACLModify

func (p *PolicyACL) ACLModify() bool

ACLModify checks if modification of ACLs is allowed

func (*PolicyACL) AgentRead

func (p *PolicyACL) AgentRead(node string) bool

AgentRead checks for permission to read from agent endpoints for a given node.

func (*PolicyACL) AgentWrite

func (p *PolicyACL) AgentWrite(node string) bool

AgentWrite checks for permission to make changes via agent endpoints for a given node.

func (*PolicyACL) EventRead

func (p *PolicyACL) EventRead(name string) bool

EventRead is used to determine if the policy allows for a specific user event to be read.

func (*PolicyACL) EventWrite

func (p *PolicyACL) EventWrite(name string) bool

EventWrite is used to determine if new events can be created (fired) by the policy.

func (*PolicyACL) KeyRead

func (p *PolicyACL) KeyRead(key string) bool

KeyRead returns if a key is allowed to be read

func (*PolicyACL) KeyWrite

func (p *PolicyACL) KeyWrite(key string) bool

KeyWrite returns if a key is allowed to be written

func (*PolicyACL) KeyWritePrefix

func (p *PolicyACL) KeyWritePrefix(prefix string) bool

KeyWritePrefix returns whether every key under the prefix may be written, i.e. whether no more specific rule beneath the prefix denies writes; it is stricter than KeyWrite on the prefix alone.

func (*PolicyACL) KeyringRead

func (p *PolicyACL) KeyringRead() bool

KeyringRead is used to determine if the keyring can be read by the current ACL token.

func (*PolicyACL) KeyringWrite

func (p *PolicyACL) KeyringWrite() bool

KeyringWrite determines if the keyring can be manipulated.

func (*PolicyACL) NodeRead

func (p *PolicyACL) NodeRead(name string) bool

NodeRead checks if reading (discovery) of a node is allowed

func (*PolicyACL) NodeWrite

func (p *PolicyACL) NodeWrite(name string) bool

NodeWrite checks if writing (registering) a node is allowed

func (*PolicyACL) OperatorRead

func (p *PolicyACL) OperatorRead() bool

OperatorRead determines if the read-only operator functions are allowed.

func (*PolicyACL) OperatorWrite

func (p *PolicyACL) OperatorWrite() bool

OperatorWrite determines if the state-changing operator functions are allowed.

func (*PolicyACL) PreparedQueryRead

func (p *PolicyACL) PreparedQueryRead(prefix string) bool

PreparedQueryRead checks if reading (listing) of a prepared query is allowed - this isn't execution, just listing its contents.

func (*PolicyACL) PreparedQueryWrite

func (p *PolicyACL) PreparedQueryWrite(prefix string) bool

PreparedQueryWrite checks if writing (creating, updating, or deleting) of a prepared query is allowed.

func (*PolicyACL) ServiceRead

func (p *PolicyACL) ServiceRead(name string) bool

ServiceRead checks if reading (discovery) of a service is allowed

func (*PolicyACL) ServiceWrite

func (p *PolicyACL) ServiceWrite(name string) bool

ServiceWrite checks if writing (registering) a service is allowed

func (*PolicyACL) SessionRead

func (p *PolicyACL) SessionRead(node string) bool

SessionRead checks for permission to read sessions for a given node.

func (*PolicyACL) SessionWrite

func (p *PolicyACL) SessionWrite(node string) bool

SessionWrite checks for permission to create sessions for a given node.

func (*PolicyACL) Snapshot

func (p *PolicyACL) Snapshot() bool

Snapshot checks if taking and restoring snapshots is allowed.

type PreparedQueryPolicy

PreparedQueryPolicy represents a prepared query policy.

// PreparedQueryPolicy is one `query "<prefix>" { policy = "..." }` block of
// an ACL rule set.
type PreparedQueryPolicy struct {
    // Prefix is the HCL block key: the prepared-query name prefix the rule
    // applies to.
    Prefix string `hcl:",key"`
    // Policy is one of PolicyDeny, PolicyRead or PolicyWrite.
    Policy string
}

func (*PreparedQueryPolicy) GoString

func (p *PreparedQueryPolicy) GoString() string

type ServicePolicy

ServicePolicy represents a policy for a service

// ServicePolicy is one `service "<name>" { policy = "..." }` block of an ACL
// rule set.
type ServicePolicy struct {
    // Name is the HCL block key identifying the service(s) the rule applies
    // to.
    Name   string `hcl:",key"`
    // Policy is one of PolicyDeny, PolicyRead or PolicyWrite.
    Policy string
}

func (*ServicePolicy) GoString

func (s *ServicePolicy) GoString() string

type SessionPolicy

SessionPolicy represents a policy for making sessions tied to specific node name prefixes.

// SessionPolicy is one `session "<node prefix>" { policy = "..." }` block of
// an ACL rule set.
type SessionPolicy struct {
    // Node is the HCL block key: the node-name prefix whose sessions the
    // rule applies to.
    Node   string `hcl:",key"`
    // Policy is one of PolicyDeny, PolicyRead or PolicyWrite.
    Policy string
}

func (*SessionPolicy) GoString

func (s *SessionPolicy) GoString() string

type StaticACL

StaticACL is used to implement a base ACL policy. It either allows or denies every request unconditionally. It is intended as the parent ACL passed to New: a deny-all StaticACL makes the resulting ACL deny-by-default (allow-list mode), an allow-all StaticACL makes it allow-by-default (deny-list mode). Deny-by-default is the safer choice unless the rule set is known to enumerate every sensitive resource.

type StaticACL struct {
    // contains filtered or unexported fields
}

func (*StaticACL) ACLList

func (s *StaticACL) ACLList() bool

func (*StaticACL) ACLModify

func (s *StaticACL) ACLModify() bool

func (*StaticACL) AgentRead

func (s *StaticACL) AgentRead(string) bool

func (*StaticACL) AgentWrite

func (s *StaticACL) AgentWrite(string) bool

func (*StaticACL) EventRead

func (s *StaticACL) EventRead(string) bool

func (*StaticACL) EventWrite

func (s *StaticACL) EventWrite(string) bool

func (*StaticACL) KeyRead

func (s *StaticACL) KeyRead(string) bool

func (*StaticACL) KeyWrite

func (s *StaticACL) KeyWrite(string) bool

func (*StaticACL) KeyWritePrefix

func (s *StaticACL) KeyWritePrefix(string) bool

func (*StaticACL) KeyringRead

func (s *StaticACL) KeyringRead() bool

func (*StaticACL) KeyringWrite

func (s *StaticACL) KeyringWrite() bool

func (*StaticACL) NodeRead

func (s *StaticACL) NodeRead(string) bool

func (*StaticACL) NodeWrite

func (s *StaticACL) NodeWrite(string) bool

func (*StaticACL) OperatorRead

func (s *StaticACL) OperatorRead() bool

func (*StaticACL) OperatorWrite

func (s *StaticACL) OperatorWrite() bool

func (*StaticACL) PreparedQueryRead

func (s *StaticACL) PreparedQueryRead(string) bool

func (*StaticACL) PreparedQueryWrite

func (s *StaticACL) PreparedQueryWrite(string) bool

func (*StaticACL) ServiceRead

func (s *StaticACL) ServiceRead(string) bool

func (*StaticACL) ServiceWrite

func (s *StaticACL) ServiceWrite(string) bool

func (*StaticACL) SessionRead

func (s *StaticACL) SessionRead(string) bool

func (*StaticACL) SessionWrite

func (s *StaticACL) SessionWrite(string) bool

func (*StaticACL) Snapshot

func (s *StaticACL) Snapshot() bool