package structs
import (
"errors"
"time"
"github.com/hashicorp/consul/acl"
)
// ACLOp names an ACL operation as it is encoded in an RPC. It is a plain
// string type, so any string converts to it; this declaration does not
// restrict a value to the ACL* operation constants.
type ACLOp string
const (
	// ACLBootstrapInit scans for existing tokens to decide whether
	// bootstrapping is allowed for a cluster. The leader initiates it when it
	// steps up, if necessary.
	ACLBootstrapInit = "bootstrap-init"

	// ACLBootstrapNow performs the one-time ACL bootstrap that hands a
	// cluster its first management token.
	ACLBootstrapNow = "bootstrap-now"

	// ACLSet creates or updates a token. It is the only constant in this
	// group declared with the ACLOp type; the others are untyped string
	// constants that convert to ACLOp (or string) where they are used.
	ACLSet ACLOp = "set"

	// ACLForceSet is kept only so older callers keep working.
	//
	// Deprecated: left in place for backwards compatibility.
	ACLForceSet = "force-set"

	// ACLDelete deletes a token.
	ACLDelete = "delete"
)
// ACLBootstrapNotInitializedErr is returned when a bootstrap is attempted
// before ACL bootstrap has been initialized. Its text tells operators how to
// proceed: force a leader election and make sure every Consul server supports
// the feature.
var ACLBootstrapNotInitializedErr = errors.New(
	"ACL bootstrap not initialized, need to force a leader election and ensure all Consul servers support this feature",
)
// ACLBootstrapNotAllowedErr is returned once bootstrapping is known to be
// closed for good: either the cluster was already bootstrapped or a
// management token was created manually.
var ACLBootstrapNotAllowedErr = errors.New(
	"ACL bootstrap no longer allowed",
)
// Token types. Both are untyped string constants.
const (
	// ACLTypeClient marks a token whose access is decided by its rules.
	ACLTypeClient = "client"

	// ACLTypeManagement marks a token with an always-allow policy: it can
	// create other tokens and reach every resource, which makes it the most
	// privileged kind of token declared here.
	ACLTypeManagement = "management"
)
// ACL represents a single token together with the rules attached to it.
type ACL struct {
	// ID identifies the token; ACLSpecificRequest describes looking an ACL
	// up by ID.
	// NOTE(review): if ID is also the value a client presents as its
	// credential, keep whole ACL values out of logs and error text - confirm.
	ID string

	// Name is a label for the token.
	Name string

	// Type is presumably ACLTypeClient or ACLTypeManagement. The field is a
	// plain string and nothing in this type validates it.
	Type string

	// Rules holds the token's rules as text; the format is not defined in
	// this file.
	Rules string

	// RaftIndex is declared elsewhere in the package. It is the Raft
	// information that IsSame leaves out of its comparison.
	RaftIndex
}
// ACLs is a slice of ACL pointers, so elements are shared with whoever else
// holds them rather than copied.
type ACLs []*ACL
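// IsSame reports whether a and other agree on every functional field: ID,
// Name, Type and Rules. The embedded Raft information is deliberately ignored
// (hence IsSame rather than IsEqual), which makes the method suitable for
// deciding whether an update would be idempotent.
//
// Two nil ACLs are the same; a nil ACL is never the same as a non-nil one.
//
// The fields are compared with ordinary string equality, which is not
// constant-time. That fits the idempotency check described above; it is not a
// way to verify a credential presented by a caller.
func (a *ACL) IsSame(other *ACL) bool {
	// Without this guard a nil receiver or argument is dereferenced below and
	// the call panics.
	if a == nil || other == nil {
		return a == other
	}

	return a.ID == other.ID &&
		a.Name == other.Name &&
		a.Type == other.Type &&
		a.Rules == other.Rules
}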
// ACLBootstrap records whether bootstrapping ACLs is still allowed for a
// cluster.
type ACLBootstrap struct {
	// AllowBootstrap is true only when no existing management tokens have
	// been found. Its zero value is false, so an unset ACLBootstrap reads as
	// "not allowed".
	AllowBootstrap bool

	// RaftIndex is declared elsewhere in the package.
	RaftIndex
}
// ACLRequest asks for an ACL to be created, updated or deleted.
type ACLRequest struct {
	// Datacenter is the value RequestDatacenter returns.
	Datacenter string

	// Op selects the operation. It is an ACLOp, i.e. an arbitrary string;
	// rejecting unknown values is left to whatever handles the request.
	Op ACLOp

	// ACL is the token the operation applies to, carried by value.
	ACL ACL

	// WriteRequest is declared elsewhere in the package.
	WriteRequest
}
// RequestDatacenter returns the request's Datacenter field unchanged.
func (r *ACLRequest) RequestDatacenter() string {
	return r.Datacenter
}
// ACLRequests is a list of ACL change requests, held as pointers.
type ACLRequests []*ACLRequest
// ACLSpecificRequest asks for one ACL, selected by ID.
type ACLSpecificRequest struct {
	// Datacenter is the value RequestDatacenter returns.
	Datacenter string

	// ACL is the ID of the ACL being requested.
	ACL string

	// QueryOptions is declared elsewhere in the package.
	QueryOptions
}
// RequestDatacenter names the datacenter this request is addressed to; it
// returns the Datacenter field unchanged.
func (r *ACLSpecificRequest) RequestDatacenter() string {
	return r.Datacenter
}
// ACLPolicyRequest asks for an ACL by ID, with the reply conditionally
// filtered on an ID.
type ACLPolicyRequest struct {
	// Datacenter is the value RequestDatacenter returns.
	Datacenter string

	// ACL is the ID of the ACL being requested.
	ACL string

	// NOTE(review): ETag is presumably the value the conditional filtering
	// keys on - confirm against the endpoint that serves this request.
	ETag string

	// QueryOptions is declared elsewhere in the package.
	QueryOptions
}
// RequestDatacenter names the datacenter this request is addressed to; it
// returns the Datacenter field unchanged.
func (r *ACLPolicyRequest) RequestDatacenter() string {
	return r.Datacenter
}
// IndexedACLs pairs a set of tokens with the Raft metadata about them.
type IndexedACLs struct {
	// ACLs holds the tokens. Each element is a full ACL value, ID included,
	// so a reply of this type carries everything ACL carries.
	ACLs ACLs

	// QueryMeta is declared elsewhere in the package.
	QueryMeta
}
// ACLPolicy is a policy that can be associated with a token.
type ACLPolicy struct {
	// NOTE(review): ETag presumably identifies this version of the policy,
	// matching ACLPolicyRequest.ETag - confirm.
	ETag string

	// NOTE(review): Parent presumably names the policy this one inherits
	// from - confirm.
	Parent string

	// Policy points at the acl.Policy value; it may be nil, since nothing
	// here requires it to be set.
	Policy *acl.Policy

	// NOTE(review): TTL presumably bounds how long a holder may keep using
	// this policy before asking again - confirm.
	TTL time.Duration

	// QueryMeta is declared elsewhere in the package.
	QueryMeta
}
// ACLReplicationStatus describes the health of the ACL replication system.
// The per-field notes below are read off the field names and types only.
type ACLReplicationStatus struct {
	// Enabled and Running are separate flags; this file does not define how
	// they relate.
	Enabled bool
	Running bool

	// SourceDatacenter presumably names the datacenter ACLs are replicated
	// from.
	SourceDatacenter string

	// ReplicatedIndex presumably is the last index replicated.
	ReplicatedIndex uint64

	// LastSuccess and LastError are timestamps; the zero time.Time means
	// the field was never set.
	LastSuccess time.Time
	LastError   time.Time
}