consul/agent/structs/acl_ce.go
2023-10-10 10:58:06 -04:00

104 lines
2.4 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
//go:build !consulent
package structs
import (
"fmt"
"github.com/hashicorp/consul/acl"
)
const (
EnterpriseACLPolicyGlobalManagement = ""
EnterpriseACLPolicyGlobalReadOnly = ""
// aclPolicyTemplateServiceIdentity is the template used for synthesizing
// policies for service identities.
aclPolicyTemplateServiceIdentity = `
service "%[1]s" {
policy = "write"
}
service "%[1]s-sidecar-proxy" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}`
// A typical Consul node requires two permissions for itself.
// node:write
// - register itself in the catalog
// - update its network coordinates
// - potentially used to delete services during anti-entropy
// service:read
// - used during anti-entropy to discover all services that
// are registered to the node. That way the node can diff
// its local state against an accurate depiction of the
// remote state.
aclPolicyTemplateNodeIdentity = `
node "%[1]s" {
policy = "write"
}
service_prefix "" {
policy = "read"
}`
)
type ACLAuthMethodEnterpriseFields struct{}
type ACLAuthMethodEnterpriseMeta struct{}
func (_ *ACLAuthMethodEnterpriseMeta) FillWithEnterpriseMeta(_ *acl.EnterpriseMeta) {
// do nothing
}
func (_ *ACLAuthMethodEnterpriseMeta) ToEnterpriseMeta() *acl.EnterpriseMeta {
return DefaultEnterpriseMetaInDefaultPartition()
}
func aclServiceIdentityRules(svc string, _ *acl.EnterpriseMeta) string {
return fmt.Sprintf(aclPolicyTemplateServiceIdentity, svc)
}
func aclNodeIdentityRules(node string, _ *acl.EnterpriseMeta) string {
return fmt.Sprintf(aclPolicyTemplateNodeIdentity, node)
}
func (p *ACLPolicy) EnterprisePolicyMeta() *acl.EnterprisePolicyMeta {
return nil
}
func (t *ACLToken) NodeIdentityList() []*ACLNodeIdentity {
if len(t.NodeIdentities) == 0 {
return nil
}
out := make([]*ACLNodeIdentity, 0, len(t.NodeIdentities))
for _, n := range t.NodeIdentities {
out = append(out, n.Clone())
}
return out
}
func (r *ACLRole) NodeIdentityList() []*ACLNodeIdentity {
if len(r.NodeIdentities) == 0 {
return nil
}
out := make([]*ACLNodeIdentity, 0, len(r.NodeIdentities))
for _, n := range r.NodeIdentities {
out = append(out, n.Clone())
}
return out
}
func IsValidPartitionAndDatacenter(meta acl.EnterpriseMeta, datacenters []string, primaryDatacenter string) bool {
return true
}