lang

package
v0.1.15 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 25, 2018 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package lang provides core constructs for describing Aptomi policy, as well as core structures for processing policy.

Let's start with policy objects. Cluster - individual cluster where containers get deployed (e.g. k8s cluster). Service - service for a bundle (e.g. database). Context - a set of contexts, defining how service can be fulfilled (e.g. MariaDB, MySQL, SQLite). Bundle - specific bundle implementation (set of containers to run, and dependencies on other services). Claim - triggers instantiation of a service. Rule - rules which constitute policy, allowing to change labels and perform actions during policy resolution. ACLRule - rules which define user roles for accessing Aptomi namespaces.

Now, core structures: LabelSet - set of labels that get processed and transformed LabelOperations - how to transform labels Criteria - bool-based lists of expressions for defining complex criteria

Index

Constants

View Source
const LabelTarget = "target"

LabelTarget is a special label name where cluster should be stored. It's required by the engine during policy processing

View Source
const Reject = "reject"

Reject is a special constant that is used in rule actions for rejecting claims, ingress traffic, etc

Variables

View Source
var ACLRolesMap = map[string]*ACLRole{
	DomainAdmin.ID:     DomainAdmin,
	NamespaceAdmin.ID:  NamespaceAdmin,
	ServiceConsumer.ID: ServiceConsumer,
	nobody.ID:          nobody,
}

ACLRolesMap represents the map of ACL roles (Role ID -> Role)

View Source
var ACLRolesOrderedList = []*ACLRole{
	DomainAdmin,
	NamespaceAdmin,
	ServiceConsumer,
	nobody,
}

ACLRolesOrderedList represents the ordered list of ACL roles (from most "powerful" to least "powerful")

View Source
var ACLRuleObject = &runtime.Info{
	Kind:        "aclrule",
	Storable:    true,
	Versioned:   true,
	Deletable:   true,
	Constructor: func() runtime.Object { return &ACLRule{} },
}

ACLRuleObject is an informational data structure with Kind and Constructor for ACLRule

View Source
var BundleObject = &runtime.Info{
	Kind:        "bundle",
	Storable:    true,
	Versioned:   true,
	Deletable:   true,
	Constructor: func() runtime.Object { return &Bundle{} },
}

BundleObject is an informational data structure with Kind and Constructor for Bundle

View Source
var ClaimObject = &runtime.Info{
	Kind:        "claim",
	Storable:    true,
	Versioned:   true,
	Deletable:   true,
	Constructor: func() runtime.Object { return &Claim{} },
}

ClaimObject is an informational data structure with Kind and Constructor for Claim

View Source
var ClusterObject = &runtime.Info{
	Kind:        "cluster",
	Storable:    true,
	Versioned:   true,
	Deletable:   true,
	Constructor: func() runtime.Object { return &Cluster{} },
}

ClusterObject is an informational data structure with Kind and Constructor for Cluster

View Source
var DomainAdmin = &ACLRole{
	ID:   "domain-admin",
	Name: "Domain Admin",
	Privileges: &Privileges{
		AllNamespaces: true,
		NamespaceObjects: map[string]*Privilege{
			BundleObject.Kind:  fullAccess,
			ServiceObject.Kind: fullAccess,
			ClaimObject.Kind:   fullAccess,
			RuleObject.Kind:    fullAccess,
		},
		GlobalObjects: map[string]*Privilege{
			ClusterObject.Kind: fullAccess,
			RuleObject.Kind:    fullAccess,
			ACLRuleObject.Kind: fullAccess,
		},
	},
}

DomainAdmin is a built-in domain admin role

View Source
var NamespaceAdmin = &ACLRole{
	ID:   "namespace-admin",
	Name: "Namespace Admin",
	Privileges: &Privileges{
		NamespaceObjects: map[string]*Privilege{
			BundleObject.Kind:  fullAccess,
			ServiceObject.Kind: fullAccess,
			ClaimObject.Kind:   fullAccess,
			RuleObject.Kind:    fullAccess,
		},
		GlobalObjects: map[string]*Privilege{
			ClusterObject.Kind: viewAccess,
			RuleObject.Kind:    viewAccess,
			ACLRuleObject.Kind: viewAccess,
		},
	},
}

NamespaceAdmin is a built-in admin role

View Source
var (
	// PolicyObjects is the list of informational data for all policy objects
	PolicyObjects = []*runtime.Info{
		BundleObject,
		ServiceObject,
		ClaimObject,
		ClusterObject,
		RuleObject,
		ACLRuleObject,
	}
)
View Source
var RuleObject = &runtime.Info{
	Kind:        "rule",
	Storable:    true,
	Versioned:   true,
	Deletable:   true,
	Constructor: func() runtime.Object { return &Rule{} },
}

RuleObject is an informational data structure with Kind and Constructor for Rule

View Source
var ServiceConsumer = &ACLRole{
	ID:   "service-consumer",
	Name: "Service Consumer",
	Privileges: &Privileges{
		NamespaceObjects: map[string]*Privilege{
			BundleObject.Kind:  viewAccess,
			ServiceObject.Kind: viewAccess,
			ClaimObject.Kind:   fullAccess,
			RuleObject.Kind:    viewAccess,
		},
		GlobalObjects: map[string]*Privilege{
			ClusterObject.Kind: viewAccess,
			RuleObject.Kind:    viewAccess,
			ACLRuleObject.Kind: viewAccess,
		},
	},
}

ServiceConsumer is a built-in service consumer role

View Source
var ServiceObject = &runtime.Info{
	Kind:        "service",
	Storable:    true,
	Versioned:   true,
	Deletable:   true,
	Constructor: func() runtime.Object { return &Service{} },
}

ServiceObject is an informational data structure with Kind and Constructor for Service

Functions

func IsPolicyObject

func IsPolicyObject(obj runtime.Object) bool

IsPolicyObject returns true if provided object is part of the policy objects list

Types

type ACLResolver

type ACLResolver struct {
	// contains filtered or unexported fields
}

ACLResolver is a struct which allows to perform ACL resolution, allowing to retrieve user privileges for the objects they access

func NewACLResolver

func NewACLResolver(aclRules map[string]*ACLRule) *ACLResolver

NewACLResolver creates a new ACLResolver

func (*ACLResolver) GetUserPrivileges

func (resolver *ACLResolver) GetUserPrivileges(user *User, obj Base) (*Privilege, error)

GetUserPrivileges is a main method which determines privileges that a given user has for a given object

func (*ACLResolver) GetUserRoleMap

func (resolver *ACLResolver) GetUserRoleMap(user *User) (map[string]map[string]bool, error)

GetUserRoleMap returns the map role ID -> to which namespaces this role applies, for a given user. Note that user may have multiple roles at the same time. E.g. - domain admin (i.e. for all namespaces within Aptomi domain) - namespace admin for a set of given namespaces - service consumer for a set of given namespaces

type ACLRole

type ACLRole struct {
	ID         string
	Name       string
	Privileges *Privileges
}

ACLRole is a struct for defining user roles and their privileges. Aptomi has 4 built-in user roles: domain admin, namespace admin, service consumer, and nobody. Domain admin has full access rights to all namespaces. It can manage global objects in 'system' namespace (clusters, rules, and ACL rules). Namespace admin has full access right to a given set of namespaces, but it cannot global objects in 'system' namespace (clusters, rules, and ACL rules). Service consumer can only consume services within a given set of namespaces. Service consumption is treated as capability to instantiate services in a given namespace. Nobody cannot do anything except viewing the policy.

type ACLRule

type ACLRule struct {
	runtime.TypeKind `yaml:",inline"`
	Metadata         `validate:"required"`

	// Weight defined for the rule. All rules are sorted in the order of increasing weight and applied in that order
	Weight int `validate:"min=0"`

	// Criteria - if it gets evaluated to true during policy resolution, then rules's actions will be executed.
	// It's an optional field, so if it's nil then it is considered to be evaluated to true automatically
	Criteria *Criteria `yaml:",omitempty" validate:"omitempty"`

	// Actions define the set of actions that will be executed if Criteria gets evaluated to true
	Actions *ACLRuleActions `validate:"required"`
}

ACLRule defines which users have which roles in Aptomi. They should be configured by Aptomi domain admins in the policy. ACLRules allow to pick groups of users and assign ACL roles to them (e.g. give access to a particular namespace)

func GetACLRulesSortedByWeight added in v0.1.15

func GetACLRulesSortedByWeight(rules map[string]*ACLRule) []*ACLRule

GetACLRulesSortedByWeight returns all rules sorted by their weight

func (*ACLRule) ApplyActions added in v0.1.15

func (rule *ACLRule) ApplyActions(roleMap map[string]map[string]bool)

ApplyActions applies rule actions and updates result

func (*ACLRule) Matches added in v0.1.15

func (aclRule *ACLRule) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)

Matches returns true if a rule matches

type ACLRuleActions added in v0.1.15

type ACLRuleActions struct {
	// AddRole is a map with role ID as key, while value is a set of comma-separated namespaces to which this role applies
	AddRole map[string]string `yaml:"add-role,omitempty" validate:"omitempty,addRoleNS"`
}

ACLRuleActions is a set of actions that can be performed by a ACL rule, assigning permissions to access namespaces

type APIPolicy

type APIPolicy struct {
	Namespace map[string]*APIPolicyNamespace
}

APIPolicy is a Policy representation for API filtered for specific user

type APIPolicyNamespace

type APIPolicyNamespace struct {
	Bundles  map[string]*Bundle
	Services map[string]*Service
	Clusters map[string]*Cluster
	Rules    map[string]*Rule
	ACLRules map[string]*Rule
	Claims   map[string]*Claim
}

APIPolicyNamespace is a PolicyNamespace representation for API filtered for specific user

type Allocation

type Allocation struct {
	// Bundle defined which bundle to allocated. It can be in form of 'bundleName', referring to bundle within
	// current namespace. Or it can be in form of 'namespace/bundleName', referring to bundle in a different
	// namespace
	Bundle string `validate:"required"`

	// Keys define a set of unique keys that define this allocation. If keys are not defined, then allocation will
	// always correspond to a single instance. If keys are defined, it will allow to create different bundle instances
	// based on labels. Different keys values resolved during policy processing will result in different bundle
	// instances created by Aptomi. For example, if key is set to {{.User.Labels.team}}, it will get dynamically
	// resolved into a user's team name. And, since users from different teams will have different keys, every team
	// will get their own bundle instance from Aptomi
	Keys []string `yaml:"keys,omitempty" validate:"dive,template"`
}

Allocation determines which bundle should be allocated for by the given context and which additional keys should be added to component instance key

type Base

type Base interface {
	runtime.Deletable
}

Base interface represents unified base object that could be part of the policy

type Bundle added in v0.1.15

type Bundle struct {
	runtime.TypeKind `yaml:",inline"`
	Metadata         `validate:"required"`

	// Labels is a set of labels attached to the bundle
	Labels map[string]string `yaml:"labels,omitempty" validate:"omitempty,labels"`

	// Components is the list of components bundle consists of
	Components []*BundleComponent `validate:"dive"`
	// contains filtered or unexported fields
}

Bundle defines individual bundle in Aptomi. The idea is that bundles get defined by different teams. Those teams define bundle-specific consumption rules of how others can consume their bundles.

Bundle typically consists of one or more components. Each component can either be pointer to the code (e.g. docker container image with metadata that needs to be started/managed) or it can be dependency on another service (which will get fulfilled by Aptomi)

func (*Bundle) GetComponentsMap added in v0.1.15

func (bundle *Bundle) GetComponentsMap() map[string]*BundleComponent

GetComponentsMap lazily initializes and returns a map of name -> component, while being thread-safe

func (*Bundle) GetComponentsSortedTopologically added in v0.1.15

func (bundle *Bundle) GetComponentsSortedTopologically() ([]*BundleComponent, error)

GetComponentsSortedTopologically returns all components sorted in a topological order This should be thread safe

type BundleComponent added in v0.1.15

type BundleComponent struct {
	// Name is a user-defined component name
	Name string `validate:"identifier"`

	// Criteria - if it gets evaluated to true during policy resolution, then component will be included
	// into the bundle. It's an optional field, so if it's nil then it is considered to be true automatically
	Criteria *Criteria `yaml:",omitempty" validate:"omitempty"`

	// Service, if not empty, denoted that the component points to another service. Meaning that
	// a bundle needs to have another service instantiated and running (e.g. 'wordpress' bundle needs a 'database'
	// service). This will be fulfilled at policy resolution time.
	Service string `yaml:"service,omitempty" validate:"omitempty"`

	// Code, if not empty, means that component is a code that can be instantiated with certain parameters (e.g. docker
	// container image)
	Code *Code `yaml:"code,omitempty" validate:"omitempty"`

	// Discovery is a map of discovery parameters that this component exposes to other bundles
	Discovery util.NestedParameterMap `yaml:"discovery,omitempty" validate:"omitempty,templateNestedMap"`

	// Dependencies represent cross-component dependencies within a given bundle. Component may need other components
	// within that bundle to exist, before it gets instantiated
	Dependencies []string `yaml:"dependencies,omitempty" validate:"dive,identifier"`
}

BundleComponent defines component within a bundle

func (*BundleComponent) Matches added in v0.1.15

func (component *BundleComponent) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)

Matches checks if component criteria is satisfied

type Claim added in v0.1.15

type Claim struct {
	runtime.TypeKind `yaml:",inline"`
	Metadata         `validate:"required"`

	// User is a user name for a user, who requested this claim.
	User string `validate:"required"`

	// Service that is being requested. It can be in form of 'serviceName', referring to service within
	// current namespace. Or it can be in form of 'namespace/serviceName', referring to service in a different
	// namespace.
	Service string `validate:"required"`

	// Labels which are provided by the user.
	Labels map[string]string `yaml:"labels,omitempty" validate:"omitempty,labels"`
}

Claim is a declaration of use, defined in a form <User> needs an instance of <Service> with specified set of <Labels>. It allows users to request services, which will translate into instantiation of complete service instances in the cloud

type ClaimAction added in v0.1.15

type ClaimAction string

ClaimAction is a rule action to allow or disallow claim to be resolved

type Cluster

type Cluster struct {
	runtime.TypeKind `yaml:",inline"`
	Metadata         `validate:"required"`

	// Type is a cluster type. Based on its type, the appropriate deployment plugin will be called to deploy containers.
	Type string `validate:"clustertype"`

	// Labels is a set of labels attached to the cluster
	Labels map[string]string `yaml:"labels,omitempty" validate:"omitempty,labels"`

	// Config for a given cluster type
	Config interface{} `validate:"required"`
}

Cluster defines an individual cluster where containers get deployed. Various cloud providers are supported via setting a cluster type (k8s, Amazon ECS, GKE, etc).

func (*Cluster) MakeCopy

func (cluster *Cluster) MakeCopy() *Cluster

MakeCopy makes a shallow copy of the Cluster struct

func (*Cluster) ParseConfigInto

func (cluster *Cluster) ParseConfigInto(obj interface{}) error

ParseConfigInto parses cluster config into provided object

type Code

type Code struct {
	// Type represents code type (e.g. "helm"). It determines the plugin that will get executed for
	// for this code component
	Type string `validate:"required,codetype"`

	// Params define parameters that will be passed down to the deployment plugin. Params follow text template syntax
	// and can refer to arbitrary labels, as well as discovery parameters exposed by other components (within the
	// current bundle) and discovery parameters exposed by bundles the current bundle depends on
	Params util.NestedParameterMap `validate:"omitempty,templateNestedMap"`
}

Code with type and parameters, used to instantiate/update/delete component instances

type Context

type Context struct {
	// Name defines context name in the policy
	Name string `validate:"identifier"`

	// Criteria - if it gets evaluated to true during policy resolution, then service
	// will get fulfilled by allocating this context. It's an optional field, so if it's nil then
	// it is considered to be evaluated to true automatically
	Criteria *Criteria `yaml:",omitempty" validate:"omitempty"`

	// ChangeLabels defines how current set of labels will get changed/transformed in case
	// the context gets matched
	ChangeLabels LabelOperations `yaml:"change-labels,omitempty" validate:"labelOperations"`

	// Allocation defines how the context will get allocated (which bundle to allocate and which unique key to use)
	Allocation *Allocation `validate:"required"`
}

Context represents a single context within a service. It's essentially a bundle instance for a given of class of use cases, a given set of consumers, etc.

func (*Context) Matches

func (context *Context) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)

Matches checks if context criteria is satisfied

func (*Context) ResolveKeys

func (context *Context) ResolveKeys(params *template.Parameters, cache *template.Cache) ([]string, error)

ResolveKeys resolves dynamic allocation keys, which later get added to component instance key

type Criteria

type Criteria struct {
	// RequireAll follows 'AND' logic
	RequireAll []string `yaml:"require-all,omitempty" validate:"dive,expression"`

	// RequireAny follows 'OR' logic
	RequireAny []string `yaml:"require-any,omitempty" validate:"dive,expression"`

	// RequireNone follows 'AND NOT'
	RequireNone []string `yaml:"require-none,omitempty" validate:"dive,expression"`
}

Criteria is a structure which allows users to define complex matching expressions in the policy. Criteria expressions can refer to labels through variables. It supports require-all, require-any and require-none clauses, with a list of expressions under each clause.

Criteria gets evaluated to true only when (1) All RequireAll expression evaluate to true, (2) At least one of RequireAny expressions evaluates to true, (3) None of RequireNone expressions evaluate to true.

If any of RequireAll, RequireAny, RequireNone are absent, the corresponding clause will be skipped. So it's perfectly fine to have a criteria with fewer than 3 clauses (e.g. just RequireAll), or with no sections at all. Empty criteria without any clauses always evaluates to true

type GlobalUsers

type GlobalUsers struct {
	// Users is a map[name] -> *User
	Users map[string]*User
}

GlobalUsers contains the map of users by their name

type IngressAction

type IngressAction string

IngressAction is a rule action to to allow or disallow ingres traffic for a component

type LabelOperations

type LabelOperations map[string]map[string]string

LabelOperations defines label transform operations. It supports two types of operations - 'set' and 'remove', those strings are used as keys in the main map.

When 'set' is used, the inner name->value map defines which labels should be added/overwritten. When 'remove' is used, the inner name->value map defines which labels should be deleted. In this case value doesn't matter and name can even point to an empty string as value

The typical usage of this struct is to take LabelSet and transform it using LabelOperations.

func NewLabelOperations

func NewLabelOperations(setMap map[string]string, removeMap map[string]string) LabelOperations

NewLabelOperations creates a new LabelOperations object, given "set" and "remove" parameters

func NewLabelOperationsSetSingleLabel

func NewLabelOperationsSetSingleLabel(k string, v string) LabelOperations

NewLabelOperationsSetSingleLabel creates a new LabelOperations object to set a single "k"="v" label

type LabelSet

type LabelSet struct {
	Labels map[string]string
}

LabelSet defines the set of labels that will be manipulated throughout policy execution. All labels are stored in a 'key' -> 'value' map

func NewLabelSet

func NewLabelSet(labels map[string]string) *LabelSet

NewLabelSet creates a new LabelSet from a given map of text labels

func (*LabelSet) AddLabels

func (src *LabelSet) AddLabels(addMap map[string]string)

AddLabels adds new labels to the current set of labels

func (*LabelSet) ApplyTransform

func (src *LabelSet) ApplyTransform(ops LabelOperations) bool

ApplyTransform applies a given set of label transformations to the current set of labels. The method teturns true if changes have been made to the current set

func (*LabelSet) Equal

func (src *LabelSet) Equal(dst *LabelSet) bool

Equal compares two labels sets. If one is nil and another one is empty, it will return true as well

type Metadata

type Metadata struct {
	Namespace  string             `yaml:",omitempty" validate:"identifier"`
	Name       string             `yaml:",omitempty" validate:"identifier"`
	Generation runtime.Generation `yaml:",omitempty"`
	Deleted    bool               `yaml:",omitempty"`
}

Metadata is an object metadata implementation (Namespace, Kind, Name, Generation) which works for all standard objects. Namespace defines in which namespace the object is defined. An object always gets placed in only one namespace. Kind describes type of the object (e.g. Bundle, Service, Cluster, etc) Name is a user-provided string identifier of an object. Names are usually human readable and must be unique across objects within the same namespace and the same object kind.

func (*Metadata) GetGeneration

func (meta *Metadata) GetGeneration() runtime.Generation

GetGeneration returns object generation

func (*Metadata) GetName

func (meta *Metadata) GetName() string

GetName returns object name

func (*Metadata) GetNamespace

func (meta *Metadata) GetNamespace() string

GetNamespace returns object namespace

func (*Metadata) IsDeleted added in v0.1.10

func (meta *Metadata) IsDeleted() bool

IsDeleted returns if object deleted or not

func (*Metadata) SetDeleted added in v0.1.10

func (meta *Metadata) SetDeleted(deleted bool)

SetDeleted sets object deleted flag

func (*Metadata) SetGeneration

func (meta *Metadata) SetGeneration(generation runtime.Generation)

SetGeneration sets object generation

type Policy

type Policy struct {
	// Namespace is a map from namespace name into a PolicyNamespace
	Namespace map[string]*PolicyNamespace `validate:"dive"`
	// contains filtered or unexported fields
}

Policy describes the entire Aptomi policy.

At the highest level, policy consists of namespaces. Namespaces provide isolation for policy objects and access to namespaces can be controlled via ACL rules. Thus, different users can have different access rights to different parts of Aptomi policy. Namespaces are useful in environments with many users, multiple teams and projects.

Objects get stored in their corresponding namespaces. Names of objects must be unique within a namespace and a given object kind.

Once policy is defined, it can be passed to the engine for policy resolution. Policy resolution translates a given policy (intent) into actual state (what services/components need to created/updated/deleted, how and where) and the corresponding set of actions.

func NewPolicy

func NewPolicy() *Policy

NewPolicy creates a new Policy

func (*Policy) APIPolicy

func (policy *Policy) APIPolicy() *APIPolicy

APIPolicy returns Policy representation for API filtered for specific user

func (*Policy) AddObject

func (policy *Policy) AddObject(obj Base) error

AddObject adds a given object into the policy. When you add objects to the policy, they get added to the corresponding Namespace. If error occurs (e.g. object has an unknown kind) then the error will be returned

func (*Policy) GetObject

func (policy *Policy) GetObject(kind string, locator string, currentNs string) (runtime.Object, error)

GetObject looks up and returns an object from the policy, given its kind, locator ([namespace/]name), and current namespace relative to which the call is being made. It may return nil and no error, if an object hasn't been found in the policy. TODO: we may want to fix semantics of this method, so that it either returns a non-nil object or an error (i.e. doesn't return nil, nil)

func (*Policy) GetObjectsByKind

func (policy *Policy) GetObjectsByKind(kind string) []Base

GetObjectsByKind returns all objects in a policy with a given kind, across all namespaces

func (*Policy) RemoveObject

func (policy *Policy) RemoveObject(obj Base) bool

RemoveObject removes a given object from the policy. Returns true if removed and false if nothing got removed.

func (*Policy) Validate

func (policy *Policy) Validate() error

Validate performs validation of the entire policy, making sure that all of its objects are well-formed. It also checks that all cross-object references are valid. If policy is malformed, then a list of errors is returned. Otherwise, if policy is correctly formed, then nil is returned. The resulting error can be caster to (validator.ValidationErrors) and iterated over, to get the full list of errors.

func (*Policy) View

func (policy *Policy) View(user *User) *PolicyView

View returns a policy view object, which allows to make all policy operations on behalf of a certain user Policy view object will enforce all ACLs, allowing the user to only perform actions which he is allowed to perform All ACL rules should be loaded and added to the policy before this method gets called

type PolicyNamespace

type PolicyNamespace struct {
	Name     string              `validate:"identifier"`
	Bundles  map[string]*Bundle  `validate:"dive"`
	Services map[string]*Service `validate:"dive"`
	Clusters map[string]*Cluster `validate:"dive"`
	Rules    map[string]*Rule    `validate:"dive"`
	ACLRules map[string]*ACLRule `validate:"dive"`
	Claims   map[string]*Claim   `validate:"dive"`
}

PolicyNamespace describes a specific namespace within Aptomi policy. All policy objects get placed in the appropriate maps and structs within PolicyNamespace.

func NewPolicyNamespace

func NewPolicyNamespace(name string) *PolicyNamespace

NewPolicyNamespace creates a new PolicyNamespace

type PolicyValidator

type PolicyValidator struct {
	// contains filtered or unexported fields
}

PolicyValidator is a custom validator for the policy

func NewPolicyValidator

func NewPolicyValidator(policy *Policy) *PolicyValidator

NewPolicyValidator creates a new PolicyValidator

func (*PolicyValidator) Validate

func (v *PolicyValidator) Validate() error

Validate validates the entire policy for errors and returns an error (it can be casted to policyValidationError, containing a list of errors inside). When error is printed as string, it will automatically contains the full list of validation errors.

type PolicyView

type PolicyView struct {
	// Policy which gets viewed
	Policy *Policy

	// User who is viewing policy
	User *User

	// Resolver is access control rules (who can access which objects in which policy namespaces)
	Resolver *ACLResolver
}

PolicyView allows to view/manage policy objects on behalf on a certain user It will enforce all ACLs, allowing the user to only perform actions which he is entitled to perform.

func NewPolicyView

func NewPolicyView(policy *Policy, user *User, resolver *ACLResolver) *PolicyView

NewPolicyView creates a new PolicyView

func (*PolicyView) APIPolicy

func (view *PolicyView) APIPolicy() *APIPolicy

APIPolicy returns Policy representation for API filtered for specific user

func (*PolicyView) AddObject

func (view *PolicyView) AddObject(obj Base) error

AddObject adds an object into the policy. When you add objects to the policy, they get added to the corresponding Namespace. If error occurs (e.g. object has an unknown kind, etc) then the error will be returned

func (*PolicyView) CanConsume

func (view *PolicyView) CanConsume(service *Service) (bool, error)

CanConsume returns if user has permissions to consume a given service. If a user can declare a claim in a given namespace, then he can essentially can consume the service

func (*PolicyView) ManageObject

func (view *PolicyView) ManageObject(obj Base) error

ManageObject checks if user has permissions to manage a given object. If user has no permissions, then ACL error will be returned

func (*PolicyView) ViewObject

func (view *PolicyView) ViewObject(obj Base) error

ViewObject checks if user has permissions to view a given object. If user has no permissions, then ACL error will be returned

type Privilege

type Privilege struct {
	// View indicates whether or not a user can view an object (R)
	View bool

	// Manage indicates whether or not a user can manage an object, i.e. perform operations (CUD)
	Manage bool
}

Privilege is a unit of privilege for any single given object

type Privileges

type Privileges struct {
	// AllNamespaces, when set to true, indicated that user privileges apply to all namespaces. Otherwise it applies
	// to a set of given namespaces
	AllNamespaces bool

	// NamespaceObjects specifies whether or not this role can view/manage a certain object kind within a non-system namespace
	NamespaceObjects map[string]*Privilege

	// GlobalObjects specifies whether or not this role can view/manage a certain object kind within a system namespace
	GlobalObjects map[string]*Privilege
}

Privileges defines a set of privileges for a particular role in Aptomi

type Rule

type Rule struct {
	runtime.TypeKind `yaml:",inline"`
	Metadata         `validate:"required"`

	// Weight defined for the rule. All rules are sorted in the order of increasing weight and applied in that order
	Weight int `validate:"min=0"`

	// Criteria - if it gets evaluated to true during policy resolution, then rules's actions will be executed.
	// It's an optional field, so if it's nil then it is considered to be evaluated to true automatically
	Criteria *Criteria `yaml:",omitempty" validate:"omitempty"`

	// Actions define the set of actions that will be executed if Criteria gets evaluated to true
	Actions *RuleActions `validate:"required"`
}

Rule is a generic mechanism for defining rules in Aptomi.

Rules can be used to set certain labels on certain conditions as well as perform certain actions (such as rejecting claims, rejecting ingress traffic, etc)

func GetRulesSortedByWeight added in v0.1.14

func GetRulesSortedByWeight(rules map[string]*Rule) []*Rule

GetRulesSortedByWeight returns all rules sorted by their weight

func (*Rule) ApplyActions

func (rule *Rule) ApplyActions(result *RuleActionResult)

ApplyActions applies rule actions and updates result

func (*Rule) Matches

func (rule *Rule) Matches(params *expression.Parameters, cache *expression.Cache) (bool, error)

Matches returns true if a rule matches

type RuleActionResult

type RuleActionResult struct {
	RejectClaim   bool
	RejectIngress bool

	ChangedLabelsOnLastApply bool
	Labels                   *LabelSet
}

RuleActionResult is a result of processing multiple rules on a given component

func NewRuleActionResult

func NewRuleActionResult(labels *LabelSet) *RuleActionResult

NewRuleActionResult creates a new RuleActionResult

type RuleActions

type RuleActions struct {
	// ChangeLabels defines how labels should be transformed
	ChangeLabels LabelOperations `yaml:"change-labels,omitempty" validate:"omitempty,labelOperations"`

	// Claim defines whether claim should be rejected
	Claim ClaimAction `yaml:"claim,omitempty" validate:"omitempty,allowReject"`

	// Ingress defines whether ingress traffic should be rejected
	Ingress IngressAction `yaml:"ingress,omitempty" validate:"omitempty,allowReject"`
}

RuleActions is a set of actions that can be performed by a rule. All fields in this structure are optional. If a field is defined, then the corresponding action will be processed

type Service

type Service struct {
	runtime.TypeKind `yaml:",inline"`
	Metadata         `validate:"required"`

	// ChangeLabels defines how current set of labels will get changed/transformed in case
	// the service gets matched
	ChangeLabels LabelOperations `yaml:"change-labels,omitempty" validate:"labelOperations"`

	// Contexts contains an ordered list of contexts within a service. When allocating an instance, Aptomi will pick
	// and instantiate the first context which matches the criteria
	Contexts []*Context `validate:"dive"`
}

Service is an object, which allows you to define a service for a bundle, as well as a set of specific implementations. For example, service can be a 'database', with specific bundle contexts implemented by 'MySQL', 'MariaDB', 'SQLite'.

When claims get declared, they always get declared on a service (not on a specific bundle).

type Target added in v0.1.15

type Target struct {
	// ClusterNamespace is a namespace in Aptomi, to which the cluster belongs
	ClusterNamespace string

	// ClusterName is a cluster name in Aptomi
	ClusterName string

	// Suffix is an additional specifier (e.g. k8s namespace in case of Helm and k8s plugins)
	Suffix string
}

Target represents a deployment target in Aptomi

func NewTarget added in v0.1.15

func NewTarget(target string) *Target

NewTarget creates a new deployment target, given a string in form [aptomi_namespace/]cluster[.suffix] (where suffix is typically a k8s namespace)

func (*Target) GetCluster added in v0.1.15

func (target *Target) GetCluster(policy *Policy, currentNs string) (*Cluster, error)

GetCluster allows to look up a cluster, given a deployment target

type User

type User struct {
	// Name is a unique name of a user
	Name string

	// Password hash is a hashed and salted user password
	PasswordHash string

	// Labels is a set of 'name'->'value' string labels, attached to the user
	Labels map[string]string

	// DomainAdmin is a special bool flag, which allows to mark certain users as domain admins. It's useful for Aptomi
	// bootstrap process, when someone needs to upload ACL rules into Aptomi (but his role is not defined in ACL,
	// because ACL list is empty when Aptomi is first installed)
	DomainAdmin bool
}

User represents a user in Aptomi. It has a unique Name and a set of Labels, Users can be retrieved from multiple sources (e.g. file, LDAP, AD, etc)

Directories

Path Synopsis
Package builder provides simple and easy-to-use way to construct Aptomi Policy in the source code, primarily for unit tests.
Package builder provides simple and easy-to-use way to construct Aptomi Policy in the source code, primarily for unit tests.
Package expression provides support for evaluating expressions in Aptomi, with support for caching compiled expressions.
Package expression provides support for evaluating expressions in Aptomi, with support for caching compiled expressions.
Package template provides support for evaluating text templates in Aptomi, with support for caching compiled templates.
Package template provides support for evaluating text templates in Aptomi, with support for caching compiled templates.
Package yaml provides support for marshalling YAML objects and loading/unmarshalling them from YAML files.
Package yaml provides support for marshalling YAML objects and loading/unmarshalling them from YAML files.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL