2019-10-15 20:58:50 +00:00
|
|
|
// +build !consulent
|
|
|
|
|
|
|
|
package structs
|
|
|
|
|
2019-10-24 18:38:09 +00:00
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
"github.com/hashicorp/consul/acl"
|
|
|
|
)
|
|
|
|
|
2019-10-15 20:58:50 +00:00
|
|
|
const (
|
|
|
|
EnterpriseACLPolicyGlobalManagement = ""
|
2019-10-24 18:38:09 +00:00
|
|
|
|
|
|
|
// aclPolicyTemplateServiceIdentity is the template used for synthesizing
|
|
|
|
// policies for service identities.
|
|
|
|
aclPolicyTemplateServiceIdentity = `
|
|
|
|
service "%[1]s" {
|
|
|
|
policy = "write"
|
|
|
|
}
|
|
|
|
service "%[1]s-sidecar-proxy" {
|
|
|
|
policy = "write"
|
|
|
|
}
|
|
|
|
service_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
node_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}`
|
2020-06-16 16:54:27 +00:00
|
|
|
|
|
|
|
// A typical Consul node requires two permissions for itself.
|
|
|
|
// node:write
|
|
|
|
// - register itself in the catalog
|
|
|
|
// - update its network coordinates
|
|
|
|
// - potentially used to delete services during anti-entropy
|
|
|
|
// service:read
|
|
|
|
// - used during anti-entropy to discover all services that
|
|
|
|
// are registered to the node. That way the node can diff
|
|
|
|
// its local state against an accurate depiction of the
|
|
|
|
// remote state.
|
|
|
|
aclPolicyTemplateNodeIdentity = `
|
|
|
|
node "%[1]s" {
|
|
|
|
policy = "write"
|
|
|
|
}
|
|
|
|
service_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}`
|
2019-10-15 20:58:50 +00:00
|
|
|
)
|
2019-10-24 18:38:09 +00:00
|
|
|
|
2020-05-06 18:48:04 +00:00
|
|
|
type ACLAuthMethodEnterpriseFields struct{}
|
|
|
|
|
2020-01-14 15:09:29 +00:00
|
|
|
type ACLAuthMethodEnterpriseMeta struct{}
|
|
|
|
|
|
|
|
func (_ *ACLAuthMethodEnterpriseMeta) FillWithEnterpriseMeta(_ *EnterpriseMeta) {
|
|
|
|
// do nothing
|
|
|
|
}
|
|
|
|
|
|
|
|
func (_ *ACLAuthMethodEnterpriseMeta) ToEnterpriseMeta() *EnterpriseMeta {
|
2021-07-22 18:20:45 +00:00
|
|
|
return DefaultEnterpriseMetaInDefaultPartition()
|
2020-01-14 15:09:29 +00:00
|
|
|
}
|
|
|
|
|
2019-10-24 18:38:09 +00:00
|
|
|
func aclServiceIdentityRules(svc string, _ *EnterpriseMeta) string {
|
|
|
|
return fmt.Sprintf(aclPolicyTemplateServiceIdentity, svc)
|
|
|
|
}
|
|
|
|
|
2021-09-16 14:17:02 +00:00
|
|
|
func aclNodeIdentityRules(node string, _ *EnterpriseMeta) string {
|
|
|
|
return fmt.Sprintf(aclPolicyTemplateNodeIdentity, node)
|
|
|
|
}
|
|
|
|
|
2019-10-24 18:38:09 +00:00
|
|
|
func (p *ACLPolicy) EnterprisePolicyMeta() *acl.EnterprisePolicyMeta {
|
|
|
|
return nil
|
|
|
|
}
|
2020-01-14 15:09:29 +00:00
|
|
|
|
|
|
|
func (m *ACLAuthMethod) TargetEnterpriseMeta(_ *EnterpriseMeta) *EnterpriseMeta {
|
|
|
|
return &m.EnterpriseMeta
|
|
|
|
}
|
2020-06-16 16:54:27 +00:00
|
|
|
|
|
|
|
func (t *ACLToken) NodeIdentityList() []*ACLNodeIdentity {
|
|
|
|
if len(t.NodeIdentities) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
out := make([]*ACLNodeIdentity, 0, len(t.NodeIdentities))
|
|
|
|
for _, n := range t.NodeIdentities {
|
|
|
|
out = append(out, n.Clone())
|
|
|
|
}
|
|
|
|
return out
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *ACLRole) NodeIdentityList() []*ACLNodeIdentity {
|
|
|
|
if len(r.NodeIdentities) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
out := make([]*ACLNodeIdentity, 0, len(r.NodeIdentities))
|
|
|
|
for _, n := range r.NodeIdentities {
|
|
|
|
out = append(out, n.Clone())
|
|
|
|
}
|
|
|
|
return out
|
|
|
|
}
|