
// +build !consulent
package structs
import (
"fmt"
"github.com/hashicorp/consul/acl"
)
const (
	// EnterpriseACLPolicyGlobalManagement holds the enterprise-only rules that
	// are appended to the builtin global-management policy. This file is
	// excluded under the consulent build tag and the OSS build has no such
	// rules, so the value is empty here (the enterprise build presumably
	// defines its own).
	EnterpriseACLPolicyGlobalManagement = ""

	// aclPolicyTemplateServiceIdentity is the template used for synthesizing
	// policies for service identities. %[1]s is the service name and is
	// substituted twice: once for the service itself and once for its
	// "<name>-sidecar-proxy" registration, both with write access.
	//
	// Note the scope this grants beyond the named service: service_prefix ""
	// and node_prefix "" are catalog-wide read, so any token carrying a
	// service identity can enumerate every service and node it can see.
	//
	// NOTE(review): the name is interpolated into HCL unescaped, inside the
	// quotes of `service "%[1]s"`. A name containing a double quote or a
	// newline would alter the rule structure, so this relies on service
	// identity names having been validated before they are stored -- confirm
	// against the caller that performs that validation.
	aclPolicyTemplateServiceIdentity = `
service "%[1]s" {
policy = "write"
}
service "%[1]s-sidecar-proxy" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}`

	// aclPolicyTemplateNodeIdentity is the template used for synthesizing
	// policies for node identities. %[1]s is the node name.
	//
	// A typical Consul node requires two permissions for itself.
	// node:write
	//   - register itself in the catalog
	//   - update its network coordinates
	//   - potentially used to delete services during anti-entropy
	// service:read
	//   - used during anti-entropy to discover all services that
	//     are registered to the node. That way the node can diff
	//     its local state against an accurate depiction of the
	//     remote state.
	//
	// As with the service template, service_prefix "" is a catalog-wide
	// service read, not one scoped to the node, and the node name is
	// interpolated unescaped (same validation caveat as above).
	aclPolicyTemplateNodeIdentity = `
node "%[1]s" {
policy = "write"
}
service_prefix "" {
policy = "read"
}`
)
// ACLAuthMethodEnterpriseFields holds the enterprise-only configuration of an
// auth method. The OSS build has none, so the type carries no fields.
type ACLAuthMethodEnterpriseFields struct{}
// ACLAuthMethodEnterpriseMeta holds the enterprise-only metadata (namespace /
// partition scoping) of an auth method. The OSS build has none, so the type
// carries no fields; its methods below return the default meta.
type ACLAuthMethodEnterpriseMeta struct{}
// FillWithEnterpriseMeta is a no-op in the OSS build: the receiver has no
// fields to populate, so the supplied EnterpriseMeta is ignored entirely.
func (_ *ACLAuthMethodEnterpriseMeta) FillWithEnterpriseMeta(_ *EnterpriseMeta) {
	// do nothing
}
// ToEnterpriseMeta returns the EnterpriseMeta an OSS auth method belongs to.
// With no enterprise fields on the receiver there is nothing to derive it
// from, so the result is always the default meta in the default partition.
func (_ *ACLAuthMethodEnterpriseMeta) ToEnterpriseMeta() *EnterpriseMeta {
	defaultMeta := DefaultEnterpriseMetaInDefaultPartition()
	return defaultMeta
}
// aclServiceIdentityRules synthesizes the HCL policy rules for a service
// identity named svc (write on svc and svc-sidecar-proxy, read on all
// services and nodes). The EnterpriseMeta argument is ignored in the OSS
// build, which has no namespaces or partitions to scope the rules to.
//
// NOTE(review): svc is substituted into the template unescaped, inside HCL
// string quotes. A name containing a double quote or newline would change
// the structure of the generated rules, so this relies on the name having
// been validated before the identity was stored -- confirm at the caller.
func aclServiceIdentityRules(svc string, _ *EnterpriseMeta) string {
	rules := fmt.Sprintf(aclPolicyTemplateServiceIdentity, svc)
	return rules
}
// aclNodeIdentityRules synthesizes the HCL policy rules for a node identity
// named node (write on that node, read on all services). The EnterpriseMeta
// argument is ignored in the OSS build, which has no partitions to scope the
// rules to.
//
// NOTE(review): node is substituted into the template unescaped, inside HCL
// string quotes; a name containing a double quote or newline would change
// the structure of the generated rules. This relies on node identity names
// having been validated before they are stored -- confirm at the caller.
func aclNodeIdentityRules(node string, _ *EnterpriseMeta) string {
	rules := fmt.Sprintf(aclPolicyTemplateNodeIdentity, node)
	return rules
}
// EnterprisePolicyMeta returns the enterprise-only metadata attached to the
// policy. OSS policies have none, so this is always nil; callers must
// tolerate a nil result.
func (p *ACLPolicy) EnterprisePolicyMeta() *acl.EnterprisePolicyMeta {
	return nil
}
// TargetEnterpriseMeta returns the EnterpriseMeta the auth method targets
// (presumably where tokens issued through it are placed). The OSS build has
// no cross-namespace or cross-partition targeting, so the requested meta is
// ignored and the auth method's own EnterpriseMeta is returned.
//
// The result points into m itself, not a copy: mutating it mutates the auth
// method.
func (m *ACLAuthMethod) TargetEnterpriseMeta(_ *EnterpriseMeta) *EnterpriseMeta {
	return &m.EnterpriseMeta
}
// NodeIdentityList returns a copy (via Clone) of each of the token's node
// identities, so callers may modify the result without mutating the token.
// A token with no node identities yields nil rather than an empty slice.
//
// NOTE(review): a nil entry in t.NodeIdentities is passed to Clone()
// untouched; whether that is safe depends on Clone handling a nil receiver.
func (t *ACLToken) NodeIdentityList() []*ACLNodeIdentity {
	count := len(t.NodeIdentities)
	if count == 0 {
		return nil
	}
	copies := make([]*ACLNodeIdentity, count)
	for i, identity := range t.NodeIdentities {
		copies[i] = identity.Clone()
	}
	return copies
}
// NodeIdentityList returns a copy (via Clone) of each of the role's node
// identities, so callers may modify the result without mutating the role.
// A role with no node identities yields nil rather than an empty slice.
//
// NOTE(review): a nil entry in r.NodeIdentities is passed to Clone()
// untouched; whether that is safe depends on Clone handling a nil receiver.
func (r *ACLRole) NodeIdentityList() []*ACLNodeIdentity {
	count := len(r.NodeIdentities)
	if count == 0 {
		return nil
	}
	copies := make([]*ACLNodeIdentity, count)
	for i, identity := range r.NodeIdentities {
		copies[i] = identity.Clone()
	}
	return copies
}