mirror of
https://github.com/status-im/consul.git
synced 2025-01-12 23:05:28 +00:00
6424ef6a56
* [CC-5719] Add support for builtin global-read-only policy * Add changelog * Add read-only to docs * Fix some minor issues. * Change from ReplaceAll to Sprintf * Change IsValidPolicy name to return an error instead of bool * Fix PolicyList test * Fix other tests * Apply suggestions from code review Co-authored-by: Paul Glass <pglass@hashicorp.com> * Fix state store test for policy list. * Fix naming issues * Update acl/validation.go Co-authored-by: Chris Thain <32781396+cthain@users.noreply.github.com> * Update agent/consul/acl_endpoint.go --------- Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: Chris Thain <32781396+cthain@users.noreply.github.com>
105 lines
2.4 KiB
Go
105 lines
2.4 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
//go:build !consulent
|
|
// +build !consulent
|
|
|
|
package structs
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/hashicorp/consul/acl"
|
|
)
|
|
|
|
const (
|
|
EnterpriseACLPolicyGlobalManagement = ""
|
|
EnterpriseACLPolicyGlobalReadOnly = ""
|
|
|
|
// aclPolicyTemplateServiceIdentity is the template used for synthesizing
|
|
// policies for service identities.
|
|
aclPolicyTemplateServiceIdentity = `
|
|
service "%[1]s" {
|
|
policy = "write"
|
|
}
|
|
service "%[1]s-sidecar-proxy" {
|
|
policy = "write"
|
|
}
|
|
service_prefix "" {
|
|
policy = "read"
|
|
}
|
|
node_prefix "" {
|
|
policy = "read"
|
|
}`
|
|
|
|
// A typical Consul node requires two permissions for itself.
|
|
// node:write
|
|
// - register itself in the catalog
|
|
// - update its network coordinates
|
|
// - potentially used to delete services during anti-entropy
|
|
// service:read
|
|
// - used during anti-entropy to discover all services that
|
|
// are registered to the node. That way the node can diff
|
|
// its local state against an accurate depiction of the
|
|
// remote state.
|
|
aclPolicyTemplateNodeIdentity = `
|
|
node "%[1]s" {
|
|
policy = "write"
|
|
}
|
|
service_prefix "" {
|
|
policy = "read"
|
|
}`
|
|
)
|
|
|
|
type ACLAuthMethodEnterpriseFields struct{}
|
|
|
|
type ACLAuthMethodEnterpriseMeta struct{}
|
|
|
|
func (_ *ACLAuthMethodEnterpriseMeta) FillWithEnterpriseMeta(_ *acl.EnterpriseMeta) {
|
|
// do nothing
|
|
}
|
|
|
|
func (_ *ACLAuthMethodEnterpriseMeta) ToEnterpriseMeta() *acl.EnterpriseMeta {
|
|
return DefaultEnterpriseMetaInDefaultPartition()
|
|
}
|
|
|
|
func aclServiceIdentityRules(svc string, _ *acl.EnterpriseMeta) string {
|
|
return fmt.Sprintf(aclPolicyTemplateServiceIdentity, svc)
|
|
}
|
|
|
|
func aclNodeIdentityRules(node string, _ *acl.EnterpriseMeta) string {
|
|
return fmt.Sprintf(aclPolicyTemplateNodeIdentity, node)
|
|
}
|
|
|
|
func (p *ACLPolicy) EnterprisePolicyMeta() *acl.EnterprisePolicyMeta {
|
|
return nil
|
|
}
|
|
|
|
func (t *ACLToken) NodeIdentityList() []*ACLNodeIdentity {
|
|
if len(t.NodeIdentities) == 0 {
|
|
return nil
|
|
}
|
|
|
|
out := make([]*ACLNodeIdentity, 0, len(t.NodeIdentities))
|
|
for _, n := range t.NodeIdentities {
|
|
out = append(out, n.Clone())
|
|
}
|
|
return out
|
|
}
|
|
|
|
func (r *ACLRole) NodeIdentityList() []*ACLNodeIdentity {
|
|
if len(r.NodeIdentities) == 0 {
|
|
return nil
|
|
}
|
|
|
|
out := make([]*ACLNodeIdentity, 0, len(r.NodeIdentities))
|
|
for _, n := range r.NodeIdentities {
|
|
out = append(out, n.Clone())
|
|
}
|
|
return out
|
|
}
|
|
|
|
func IsValidPartitionAndDatacenter(meta acl.EnterpriseMeta, datacenters []string, primaryDatacenter string) bool {
|
|
return true
|
|
}
|