package
1.21.0-rc1
Repository: https://github.com/hashicorp/consul.git
Documentation: pkg.go.dev

# Functions

AliasIfAnonymousToken returns the string "anonymous token" if accessorID is acl.AnonymousTokenID.
AllowAll returns an Authorizer that allows all operations.
DenyAll returns an Authorizer that denies all operations.
IsErrDisabled checks if the given error message is comparable to ErrDisabled.
IsErrNotFound checks if the given error message is comparable to ErrNotFound.
IsErrPermissionDenied checks if the given error message is comparable to ErrPermissionDenied.
IsErrRootDenied checks if the given error message is comparable to ErrRootDenied.
IsValidRoleName returns true if the provided name can be used as an ACLAuthMethod Name.
IsValidNodeIdentityName returns true if the provided name can be used as an ACLNodeIdentity NodeName.
IsValidRoleName returns true if the provided name can be used as an ACLRole Name.
IsValidServiceIdentityName returns true if the provided name can be used as an ACLServiceIdentity ServiceName.
ManageAll returns an Authorizer that can manage all resources.
NewAuthorizerFromRules is a convenience function to invoke NewPolicyFromSource followed by NewPolicyAuthorizer with the parsed policy.
NewChainedAuthorizer creates a ChainedAuthorizer with the provided chain of Authorizers.
NewPolicyAuthorizer merges the policies and returns an Authorizer that will enforce them.
NewPolicyAuthorizerWithDefaults will actually create a ChainedAuthorizer with the policies compiled into one Authorizer and the backup policy of the defaultAuthz.
NewPolicyFromSource is used to parse the specified ACL rules into an intermediary set of policies, before being compiled into the ACL.
TODO Extract information from Authorizer.
RootAuthorizer returns a possible Authorizer if the ID matches a root policy.
ValidatePolicyName returns nil if the provided name can be used as an ACLPolicy Name; otherwise a useful error is returned.

# Constants

Allow returned from an Authorizer enforcement method indicates that a corresponding rule was found and that access should be allowed.
AnonymousTokenID is the AccessorID of the anonymous token.
Default returned from an Authorizer enforcement method indicates that a corresponding rule was not found and that whether access should be granted or denied should be deferred to the default access level.
DefaultNamespaceName is used to mimic the behavior in consul/structs/intention.go, where we define IntentionDefaultNamespace as 'default' and so we use the same here.
Deny returned from an Authorizer enforcement method indicates that a corresponding rule was found and that access should be denied.
EmptyNamespaceName is the name of the default partition that is an empty string.
NonEmptyDefaultPartitionName is the name of the default partition that is not empty.

# Variables

ErrDisabled is returned when ACL changes are not permitted since they are disabled.
ErrInvalidParent is returned when a remotely resolved ACL token claims to have a non-root parent.
ErrNotFound indicates there is no matching ACL.
ErrPermissionDenied is returned when an ACL based rejection happens.
ErrRootDenied is returned when attempting to resolve a root ACL.

# Structs

AgentRule represents a rule for working with agent endpoints on nodes with specific name prefixes.
AllowAuthorizer is a wrapper to expose the *Allowed methods.
AuthorizerContext contains extra information that can be used in the determination of an ACL enforcement decision.
ChainedAuthorizer can combine multiple Authorizers into one.
Config encapsulates all of the generic configuration parameters used for policy parsing and enforcement.
EnterpriseMeta stub.
EnterprisePolicyMeta stub.
EnterprisePolicyRules stub.
EnterpriseRule stub.
EventRule represents a user event rule.
IdentityRule represents a policy for a workload identity. Deprecated: exists just to track the former field for decoding.
KeyRule represents a rule for a key.
NodeRule represents a rule for a node.
Arguably this should be some sort of union type.
Policy is used to represent the policy specified by an ACL configuration.
PreparedQueryRule represents a prepared query rule.
In some sense we really want this to contain an EnterpriseMeta, but this turns out to be a convenient place to hang helper functions off of.
ServiceRule represents a policy for a service.
SessionRule represents a rule for making sessions tied to specific node name prefixes.

# Interfaces

Authorizer is the interface for policy enforcement.
