[NET-6249] Add templated policies description

pull/19735/head
Ronald Ekambi 2023-11-26 09:02:56 -05:00
parent c1dbf00a85
commit 5cf44bea20
20 changed files with 52 additions and 7 deletions

3
.changelog/19735.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:improvement
acl: add templated policy descriptions
```

View File

@ -1166,6 +1166,7 @@ func (s *HTTPHandlers) ACLTemplatedPoliciesList(resp http.ResponseWriter, req *h
TemplateName: tmpBase.TemplateName,
Schema: tmpBase.Schema,
Template: tmpBase.Template,
Description: tmpBase.Description,
}
}
@ -1211,6 +1212,7 @@ func (s *HTTPHandlers) ACLTemplatedPolicyRead(resp http.ResponseWriter, req *htt
TemplateName: baseTemplate.TemplateName,
Schema: baseTemplate.Schema,
Template: baseTemplate.Template,
Description: baseTemplate.Description,
}, nil
}

View File

@ -1413,6 +1413,7 @@ func TestACL_HTTP(t *testing.T) {
TemplateName: api.ACLTemplatedPolicyServiceName,
Schema: structs.ACLTemplatedPolicyServiceSchema,
Template: structs.ACLTemplatedPolicyService,
Description: structs.ACLTemplatedPolicyServiceDescription,
}, list[api.ACLTemplatedPolicyServiceName])
})
t.Run("Read", func(t *testing.T) {
@ -1435,6 +1436,7 @@ func TestACL_HTTP(t *testing.T) {
var templatedPolicy api.ACLTemplatedPolicyResponse
require.NoError(t, json.NewDecoder(resp.Body).Decode(&templatedPolicy))
require.Equal(t, structs.ACLTemplatedPolicyNoRequiredVariablesSchema, templatedPolicy.Schema)
require.Equal(t, structs.ACLTemplatedPolicyDNSDescription, templatedPolicy.Description)
require.Equal(t, api.ACLTemplatedPolicyDNSName, templatedPolicy.TemplateName)
require.Equal(t, structs.ACLTemplatedPolicyDNS, templatedPolicy.Template)
})

View File

@ -42,6 +42,13 @@ const (
ACLTemplatedPolicyWorkloadIdentityID = "00000000-0000-0000-0000-000000000007"
ACLTemplatedPolicyAPIGatewayID = "00000000-0000-0000-0000-000000000008"
ACLTemplatedPolicyServiceDescription = "Gives the token or role permissions to register a service and discover services in the Consul catalog. It also gives the specified service's sidecar proxy the permission to discover and route traffic to other services."
ACLTemplatedPolicyNodeDescription = "Gives the token or role permissions for a register an agent/node into the catalog. A node is typically a consul agent but can also be a physical server, cloud instance or a container."
ACLTemplatedPolicyDNSDescription = "Gives the token or role permissions for the Consul DNS to query services in the network."
ACLTemplatedPolicyNomadServerDescription = "Gives the token or role permissions required for integration with a nomad server."
ACLTemplatedPolicyWorkloadIdentityDescription = "Gives the token or role permissions for a specific workload identity."
ACLTemplatedPolicyAPIGatewayDescription = "Gives the token or role permissions for a Consul api gateway"
ACLTemplatedPolicyNoRequiredVariablesSchema = "" // catch-all schema for all templated policy that don't require a schema
)
@ -52,6 +59,7 @@ type ACLTemplatedPolicyBase struct {
TemplateID string
Schema string
Template string
Description string
}
var (
@ -63,36 +71,42 @@ var (
TemplateName: api.ACLTemplatedPolicyServiceName,
Schema: ACLTemplatedPolicyServiceSchema,
Template: ACLTemplatedPolicyService,
Description: ACLTemplatedPolicyServiceDescription,
},
api.ACLTemplatedPolicyNodeName: {
TemplateID: ACLTemplatedPolicyNodeID,
TemplateName: api.ACLTemplatedPolicyNodeName,
Schema: ACLTemplatedPolicyNodeSchema,
Template: ACLTemplatedPolicyNode,
Description: ACLTemplatedPolicyNodeDescription,
},
api.ACLTemplatedPolicyDNSName: {
TemplateID: ACLTemplatedPolicyDNSID,
TemplateName: api.ACLTemplatedPolicyDNSName,
Schema: ACLTemplatedPolicyNoRequiredVariablesSchema,
Template: ACLTemplatedPolicyDNS,
Description: ACLTemplatedPolicyDNSDescription,
},
api.ACLTemplatedPolicyNomadServerName: {
TemplateID: ACLTemplatedPolicyNomadServerID,
TemplateName: api.ACLTemplatedPolicyNomadServerName,
Schema: ACLTemplatedPolicyNoRequiredVariablesSchema,
Template: ACLTemplatedPolicyNomadServer,
Description: ACLTemplatedPolicyNomadServerDescription,
},
api.ACLTemplatedPolicyWorkloadIdentityName: {
TemplateID: ACLTemplatedPolicyWorkloadIdentityID,
TemplateName: api.ACLTemplatedPolicyWorkloadIdentityName,
Schema: ACLTemplatedPolicyWorkloadIdentitySchema,
Template: ACLTemplatedPolicyWorkloadIdentity,
Description: ACLTemplatedPolicyWorkloadIdentityDescription,
},
api.ACLTemplatedPolicyAPIGatewayName: {
TemplateID: ACLTemplatedPolicyAPIGatewayID,
TemplateName: api.ACLTemplatedPolicyAPIGatewayName,
Schema: ACLTemplatedPolicyAPIGatewaySchema,
Template: ACLTemplatedPolicyAPIGateway,
Description: ACLTemplatedPolicyAPIGatewayDescription,
},
}
)

View File

@ -173,6 +173,7 @@ type ACLTemplatedPolicyResponse struct {
TemplateName string
Schema string
Template string
Description string
}
type ACLTemplatedPolicyVariables struct {

View File

@ -65,6 +65,7 @@ func (f *prettyFormatter) FormatTemplatedPolicy(templatedPolicy api.ACLTemplated
var buffer bytes.Buffer
buffer.WriteString(fmt.Sprintf("Name: %s\n", templatedPolicy.TemplateName))
buffer.WriteString(fmt.Sprintf("Description: %s\n", templatedPolicy.Description))
buffer.WriteString("Input variables:")
switch templatedPolicy.TemplateName {

View File

@ -37,6 +37,7 @@ func testFormatTemplatedPolicy(t *testing.T, dirPath string) {
TemplateName: api.ACLTemplatedPolicyNodeName,
Schema: structs.ACLTemplatedPolicyNodeSchema,
Template: structs.ACLTemplatedPolicyNode,
Description: structs.ACLTemplatedPolicyNodeDescription,
},
},
"dns-templated-policy": {
@ -44,6 +45,7 @@ func testFormatTemplatedPolicy(t *testing.T, dirPath string) {
TemplateName: api.ACLTemplatedPolicyDNSName,
Schema: structs.ACLTemplatedPolicyNoRequiredVariablesSchema,
Template: structs.ACLTemplatedPolicyDNS,
Description: structs.ACLTemplatedPolicyDNSDescription,
},
},
"service-templated-policy": {
@ -51,6 +53,7 @@ func testFormatTemplatedPolicy(t *testing.T, dirPath string) {
TemplateName: api.ACLTemplatedPolicyServiceName,
Schema: structs.ACLTemplatedPolicyServiceSchema,
Template: structs.ACLTemplatedPolicyService,
Description: structs.ACLTemplatedPolicyServiceDescription,
},
},
"nomad-server-templated-policy": {
@ -58,6 +61,7 @@ func testFormatTemplatedPolicy(t *testing.T, dirPath string) {
TemplateName: api.ACLTemplatedPolicyNomadServerName,
Schema: structs.ACLTemplatedPolicyNoRequiredVariablesSchema,
Template: structs.ACLTemplatedPolicyNomadServer,
Description: structs.ACLTemplatedPolicyNomadServerDescription,
},
},
}
@ -98,16 +102,19 @@ func testFormatTemplatedPolicyList(t *testing.T, dirPath string) {
TemplateName: api.ACLTemplatedPolicyNodeName,
Schema: structs.ACLTemplatedPolicyNodeSchema,
Template: structs.ACLTemplatedPolicyNode,
Description: structs.ACLTemplatedPolicyNodeDescription,
},
"builtin/dns": {
TemplateName: api.ACLTemplatedPolicyDNSName,
Schema: structs.ACLTemplatedPolicyNoRequiredVariablesSchema,
Template: structs.ACLTemplatedPolicyDNS,
Description: structs.ACLTemplatedPolicyDNSDescription,
},
"builtin/service": {
TemplateName: api.ACLTemplatedPolicyServiceName,
Schema: structs.ACLTemplatedPolicyServiceSchema,
Template: structs.ACLTemplatedPolicyService,
Description: structs.ACLTemplatedPolicyServiceDescription,
},
}

View File

@ -1,5 +1,6 @@
{
"TemplateName": "builtin/dns",
"Schema": "",
"Template": "\nnode_prefix \"\" {\n\tpolicy = \"read\"\n}\nservice_prefix \"\" {\n\tpolicy = \"read\"\n}\nquery_prefix \"\" {\n\tpolicy = \"read\"\n}"
"Template": "\nnode_prefix \"\" {\n\tpolicy = \"read\"\n}\nservice_prefix \"\" {\n\tpolicy = \"read\"\n}\nquery_prefix \"\" {\n\tpolicy = \"read\"\n}",
"Description": "Gives the token or role permissions for the Consul DNS to query services in the network."
}

View File

@ -1,4 +1,5 @@
Name: builtin/dns
Description: Gives the token or role permissions for the Consul DNS to query services in the network.
Input variables: None
Example usage:
consul acl token create -templated-policy builtin/dns

View File

@ -1,4 +1,5 @@
Name: builtin/dns
Description: Gives the token or role permissions for the Consul DNS to query services in the network.
Input variables: None
Example usage:
consul acl token create -templated-policy builtin/dns

View File

@ -1,5 +1,6 @@
{
"TemplateName": "builtin/node",
"Schema": "{\n\t\"type\": \"object\",\n\t\"properties\": {\n\t\t\"name\": { \"type\": \"string\", \"$ref\": \"#/definitions/min-length-one\" }\n\t},\n\t\"required\": [\"name\"],\n\t\"definitions\": {\n\t\t\"min-length-one\": {\n\t\t\t\t\"type\": \"string\",\n\t\t\t\t\"minLength\": 1\n\t\t}\n\t}\n}",
"Template": "\nnode \"{{.Name}}\" {\n\tpolicy = \"write\"\n}\nservice_prefix \"\" {\n\tpolicy = \"read\"\n}"
"Template": "\nnode \"{{.Name}}\" {\n\tpolicy = \"write\"\n}\nservice_prefix \"\" {\n\tpolicy = \"read\"\n}",
"Description": "Gives the token or role permissions for a register an agent/node into the catalog. A node is typically a consul agent but can also be a physical server, cloud instance or a container."
}

View File

@ -1,4 +1,5 @@
Name: builtin/node
Description: Gives the token or role permissions for a register an agent/node into the catalog. A node is typically a consul agent but can also be a physical server, cloud instance or a container.
Input variables:
Name: String - Required - The node name.
Example usage:

View File

@ -1,4 +1,5 @@
Name: builtin/node
Description: Gives the token or role permissions for a register an agent/node into the catalog. A node is typically a consul agent but can also be a physical server, cloud instance or a container.
Input variables:
Name: String - Required - The node name.
Example usage:

View File

@ -1,5 +1,6 @@
{
"TemplateName": "builtin/nomad-server",
"Schema": "",
"Template": "\nacl = \"write\"\nagent_prefix \"\" {\n policy = \"read\"\n}\nnode_prefix \"\" {\n policy = \"read\"\n}\nservice_prefix \"\" {\n policy = \"write\"\n}"
"Template": "\nacl = \"write\"\nagent_prefix \"\" {\n policy = \"read\"\n}\nnode_prefix \"\" {\n policy = \"read\"\n}\nservice_prefix \"\" {\n policy = \"write\"\n}",
"Description": "Gives the token or role permissions required for integration with a nomad server."
}

View File

@ -1,4 +1,5 @@
Name: builtin/nomad-server
Description: Gives the token or role permissions required for integration with a nomad server.
Input variables: None
Example usage:
consul acl token create -templated-policy builtin/nomad-server

View File

@ -1,4 +1,5 @@
Name: builtin/nomad-server
Description: Gives the token or role permissions required for integration with a nomad server.
Input variables: None
Example usage:
consul acl token create -templated-policy builtin/nomad-server

View File

@ -1,5 +1,6 @@
{
"TemplateName": "builtin/service",
"Schema": "{\n\t\"type\": \"object\",\n\t\"properties\": {\n\t\t\"name\": { \"type\": \"string\", \"$ref\": \"#/definitions/min-length-one\" }\n\t},\n\t\"required\": [\"name\"],\n\t\"definitions\": {\n\t\t\"min-length-one\": {\n\t\t\t\t\"type\": \"string\",\n\t\t\t\t\"minLength\": 1\n\t\t}\n\t}\n}",
"Template": "\nservice \"{{.Name}}\" {\n\tpolicy = \"write\"\n}\nservice \"{{.Name}}-sidecar-proxy\" {\n\tpolicy = \"write\"\n}\nservice_prefix \"\" {\n\tpolicy = \"read\"\n}\nnode_prefix \"\" {\n\tpolicy = \"read\"\n}"
"Template": "\nservice \"{{.Name}}\" {\n\tpolicy = \"write\"\n}\nservice \"{{.Name}}-sidecar-proxy\" {\n\tpolicy = \"write\"\n}\nservice_prefix \"\" {\n\tpolicy = \"read\"\n}\nnode_prefix \"\" {\n\tpolicy = \"read\"\n}",
"Description": "Gives the token or role permissions to register a service and discover services in the Consul catalog. It also gives the specified service's sidecar proxy the permission to discover and route traffic to other services."
}

View File

@ -1,4 +1,5 @@
Name: builtin/service
Description: Gives the token or role permissions to register a service and discover services in the Consul catalog. It also gives the specified service's sidecar proxy the permission to discover and route traffic to other services.
Input variables:
Name: String - Required - The name of the service.
Example usage:

View File

@ -1,4 +1,5 @@
Name: builtin/service
Description: Gives the token or role permissions to register a service and discover services in the Consul catalog. It also gives the specified service's sidecar proxy the permission to discover and route traffic to other services.
Input variables:
Name: String - Required - The name of the service.
Example usage:

View File

@ -2,16 +2,19 @@
"builtin/dns": {
"TemplateName": "builtin/dns",
"Schema": "",
"Template": "\nnode_prefix \"\" {\n\tpolicy = \"read\"\n}\nservice_prefix \"\" {\n\tpolicy = \"read\"\n}\nquery_prefix \"\" {\n\tpolicy = \"read\"\n}"
"Template": "\nnode_prefix \"\" {\n\tpolicy = \"read\"\n}\nservice_prefix \"\" {\n\tpolicy = \"read\"\n}\nquery_prefix \"\" {\n\tpolicy = \"read\"\n}",
"Description": "Gives the token or role permissions for the Consul DNS to query services in the network."
},
"builtin/node": {
"TemplateName": "builtin/node",
"Schema": "{\n\t\"type\": \"object\",\n\t\"properties\": {\n\t\t\"name\": { \"type\": \"string\", \"$ref\": \"#/definitions/min-length-one\" }\n\t},\n\t\"required\": [\"name\"],\n\t\"definitions\": {\n\t\t\"min-length-one\": {\n\t\t\t\t\"type\": \"string\",\n\t\t\t\t\"minLength\": 1\n\t\t}\n\t}\n}",
"Template": "\nnode \"{{.Name}}\" {\n\tpolicy = \"write\"\n}\nservice_prefix \"\" {\n\tpolicy = \"read\"\n}"
"Template": "\nnode \"{{.Name}}\" {\n\tpolicy = \"write\"\n}\nservice_prefix \"\" {\n\tpolicy = \"read\"\n}",
"Description": "Gives the token or role permissions for a register an agent/node into the catalog. A node is typically a consul agent but can also be a physical server, cloud instance or a container."
},
"builtin/service": {
"TemplateName": "builtin/service",
"Schema": "{\n\t\"type\": \"object\",\n\t\"properties\": {\n\t\t\"name\": { \"type\": \"string\", \"$ref\": \"#/definitions/min-length-one\" }\n\t},\n\t\"required\": [\"name\"],\n\t\"definitions\": {\n\t\t\"min-length-one\": {\n\t\t\t\t\"type\": \"string\",\n\t\t\t\t\"minLength\": 1\n\t\t}\n\t}\n}",
"Template": "\nservice \"{{.Name}}\" {\n\tpolicy = \"write\"\n}\nservice \"{{.Name}}-sidecar-proxy\" {\n\tpolicy = \"write\"\n}\nservice_prefix \"\" {\n\tpolicy = \"read\"\n}\nnode_prefix \"\" {\n\tpolicy = \"read\"\n}"
"Template": "\nservice \"{{.Name}}\" {\n\tpolicy = \"write\"\n}\nservice \"{{.Name}}-sidecar-proxy\" {\n\tpolicy = \"write\"\n}\nservice_prefix \"\" {\n\tpolicy = \"read\"\n}\nnode_prefix \"\" {\n\tpolicy = \"read\"\n}",
"Description": "Gives the token or role permissions to register a service and discover services in the Consul catalog. It also gives the specified service's sidecar proxy the permission to discover and route traffic to other services."
}
}