2014-08-08 22:32:43 +00:00
|
|
|
package consul
|
|
|
|
|
|
|
|
import (
|
2014-08-08 22:52:52 +00:00
|
|
|
"errors"
|
|
|
|
"strings"
|
2014-08-08 22:32:43 +00:00
|
|
|
"time"
|
|
|
|
|
2014-08-11 22:01:38 +00:00
|
|
|
"github.com/armon/go-metrics"
|
2014-08-08 22:32:43 +00:00
|
|
|
"github.com/hashicorp/consul/acl"
|
2014-08-08 22:52:52 +00:00
|
|
|
"github.com/hashicorp/consul/consul/structs"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// aclNotFound indicates there is no matching ACL
|
|
|
|
aclNotFound = "ACL not found"
|
2014-08-11 21:54:18 +00:00
|
|
|
|
2014-08-12 17:58:02 +00:00
|
|
|
// rootDenied is returned when attempting to resolve a root ACL
|
|
|
|
rootDenied = "Cannot resolve root ACL"
|
|
|
|
|
2014-08-12 22:32:44 +00:00
|
|
|
// permissionDenied is returned when an ACL based rejection happens
|
|
|
|
permissionDenied = "Permission denied"
|
|
|
|
|
|
|
|
// aclDisabled is returned when ACL changes are not permitted
|
|
|
|
// since they are disabled.
|
|
|
|
aclDisabled = "ACL support disabled"
|
|
|
|
|
2014-08-11 21:54:18 +00:00
|
|
|
// anonymousToken is the token ID we re-write to if there
|
|
|
|
// is no token ID provided
|
|
|
|
anonymousToken = "anonymous"
|
2014-08-08 22:32:43 +00:00
|
|
|
)
|
|
|
|
|
2014-08-12 22:32:44 +00:00
|
|
|
var (
|
|
|
|
permissionDeniedErr = errors.New(permissionDenied)
|
|
|
|
)
|
|
|
|
|
2014-08-08 22:32:43 +00:00
|
|
|
// aclCacheEntry is used to cache non-authoritative ACL's
|
|
|
|
// If non-authoritative, then we must respect a TTL
|
|
|
|
type aclCacheEntry struct {
|
|
|
|
ACL acl.ACL
|
|
|
|
Expires time.Time
|
2014-08-09 00:38:39 +00:00
|
|
|
ETag string
|
2014-08-08 22:32:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// aclFault is used to fault in the rules for an ACL if we take a miss
|
2014-08-12 17:38:57 +00:00
|
|
|
func (s *Server) aclFault(id string) (string, string, error) {
|
2014-08-11 22:01:38 +00:00
|
|
|
defer metrics.MeasureSince([]string{"consul", "acl", "fault"}, time.Now())
|
2014-08-08 22:32:43 +00:00
|
|
|
state := s.fsm.State()
|
|
|
|
_, acl, err := state.ACLGet(id)
|
|
|
|
if err != nil {
|
2014-08-12 17:38:57 +00:00
|
|
|
return "", "", err
|
2014-08-08 22:32:43 +00:00
|
|
|
}
|
|
|
|
if acl == nil {
|
2014-08-12 17:38:57 +00:00
|
|
|
return "", "", errors.New(aclNotFound)
|
2014-08-08 22:32:43 +00:00
|
|
|
}
|
2014-08-12 17:38:57 +00:00
|
|
|
|
2014-08-12 22:32:44 +00:00
|
|
|
// Management tokens have no policy and inherit from the
|
|
|
|
// 'manage' root policy
|
2014-08-12 17:38:57 +00:00
|
|
|
if acl.Type == structs.ACLTypeManagement {
|
2014-08-12 22:32:44 +00:00
|
|
|
return "manage", "", nil
|
2014-08-12 17:38:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Otherwise use the base policy
|
|
|
|
return s.config.ACLDefaultPolicy, acl.Rules, nil
|
2014-08-08 22:32:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// resolveToken is used to resolve an ACL is any is appropriate
|
|
|
|
func (s *Server) resolveToken(id string) (acl.ACL, error) {
|
|
|
|
// Check if there is no ACL datacenter (ACL's disabled)
|
|
|
|
authDC := s.config.ACLDatacenter
|
2014-08-11 21:54:18 +00:00
|
|
|
if len(authDC) == 0 {
|
2014-08-08 22:32:43 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
2014-08-11 22:01:38 +00:00
|
|
|
defer metrics.MeasureSince([]string{"consul", "acl", "resolveToken"}, time.Now())
|
2014-08-08 22:32:43 +00:00
|
|
|
|
2014-08-11 21:54:18 +00:00
|
|
|
// Handle the anonymous token
|
|
|
|
if len(id) == 0 {
|
|
|
|
id = anonymousToken
|
2014-08-12 17:58:02 +00:00
|
|
|
} else if acl.RootACL(id) != nil {
|
|
|
|
return nil, errors.New(rootDenied)
|
2014-08-11 21:54:18 +00:00
|
|
|
}
|
|
|
|
|
2014-08-08 22:32:43 +00:00
|
|
|
// Check if we are the ACL datacenter and the leader, use the
|
|
|
|
// authoritative cache
|
|
|
|
if s.config.Datacenter == authDC && s.IsLeader() {
|
|
|
|
return s.aclAuthCache.GetACL(id)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Use our non-authoritative cache
|
2014-08-08 22:52:52 +00:00
|
|
|
return s.lookupACL(id, authDC)
|
2014-08-08 22:32:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// lookupACL is used when we are non-authoritative, and need
|
|
|
|
// to resolve an ACL
|
2014-08-08 22:52:52 +00:00
|
|
|
func (s *Server) lookupACL(id, authDC string) (acl.ACL, error) {
|
2014-08-08 22:32:43 +00:00
|
|
|
// Check the cache for the ACL
|
|
|
|
var cached *aclCacheEntry
|
|
|
|
raw, ok := s.aclCache.Get(id)
|
|
|
|
if ok {
|
|
|
|
cached = raw.(*aclCacheEntry)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check for live cache
|
|
|
|
if cached != nil && time.Now().Before(cached.Expires) {
|
2014-08-11 22:01:38 +00:00
|
|
|
metrics.IncrCounter([]string{"consul", "acl", "cache_hit"}, 1)
|
2014-08-08 22:32:43 +00:00
|
|
|
return cached.ACL, nil
|
2014-08-11 22:01:38 +00:00
|
|
|
} else {
|
|
|
|
metrics.IncrCounter([]string{"consul", "acl", "cache_miss"}, 1)
|
2014-08-08 22:32:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Attempt to refresh the policy
|
2014-08-08 23:55:47 +00:00
|
|
|
args := structs.ACLPolicyRequest{
|
2014-08-08 22:52:52 +00:00
|
|
|
Datacenter: authDC,
|
|
|
|
ACL: id,
|
|
|
|
}
|
2014-08-18 22:20:21 +00:00
|
|
|
if cached != nil {
|
|
|
|
args.ETag = cached.ETag
|
|
|
|
}
|
2014-08-08 22:52:52 +00:00
|
|
|
var out structs.ACLPolicy
|
|
|
|
err := s.RPC("ACL.GetPolicy", &args, &out)
|
|
|
|
|
|
|
|
// Handle the happy path
|
|
|
|
if err == nil {
|
2014-08-12 17:54:56 +00:00
|
|
|
return s.useACLPolicy(id, authDC, cached, &out)
|
2014-08-08 22:52:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Check for not-found
|
|
|
|
if strings.Contains(err.Error(), aclNotFound) {
|
|
|
|
return nil, errors.New(aclNotFound)
|
|
|
|
} else {
|
|
|
|
s.logger.Printf("[ERR] consul.acl: Failed to get policy for '%s': %v", id, err)
|
|
|
|
}
|
2014-08-08 22:32:43 +00:00
|
|
|
|
|
|
|
// Unable to refresh, apply the down policy
|
|
|
|
switch s.config.ACLDownPolicy {
|
|
|
|
case "allow":
|
|
|
|
return acl.AllowAll(), nil
|
|
|
|
case "extend-cache":
|
|
|
|
if cached != nil {
|
|
|
|
return cached.ACL, nil
|
|
|
|
}
|
|
|
|
fallthrough
|
|
|
|
default:
|
|
|
|
return acl.DenyAll(), nil
|
|
|
|
}
|
|
|
|
}
|
2014-08-09 00:38:39 +00:00
|
|
|
|
|
|
|
// useACLPolicy handles an ACLPolicy response
|
2014-08-12 17:54:56 +00:00
|
|
|
func (s *Server) useACLPolicy(id, authDC string, cached *aclCacheEntry, p *structs.ACLPolicy) (acl.ACL, error) {
|
2014-08-09 00:38:39 +00:00
|
|
|
// Check if we can used the cached policy
|
|
|
|
if cached != nil && cached.ETag == p.ETag {
|
|
|
|
if p.TTL > 0 {
|
|
|
|
cached.Expires = time.Now().Add(p.TTL)
|
|
|
|
}
|
|
|
|
return cached.ACL, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check for a cached compiled policy
|
|
|
|
var compiled acl.ACL
|
2014-08-11 21:01:45 +00:00
|
|
|
raw, ok := s.aclPolicyCache.Get(p.ETag)
|
2014-08-09 00:38:39 +00:00
|
|
|
if ok {
|
|
|
|
compiled = raw.(acl.ACL)
|
|
|
|
} else {
|
2014-08-12 17:54:56 +00:00
|
|
|
// Resolve the parent policy
|
|
|
|
parent := acl.RootACL(p.Parent)
|
|
|
|
if parent == nil {
|
|
|
|
var err error
|
|
|
|
parent, err = s.lookupACL(p.Parent, authDC)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2014-08-09 00:38:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Compile the ACL
|
2014-08-12 17:54:56 +00:00
|
|
|
acl, err := acl.New(parent, p.Policy)
|
2014-08-09 00:38:39 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Cache the policy
|
|
|
|
s.aclPolicyCache.Add(p.ETag, acl)
|
|
|
|
compiled = acl
|
|
|
|
}
|
|
|
|
|
|
|
|
// Cache the ACL
|
|
|
|
cached = &aclCacheEntry{
|
|
|
|
ACL: compiled,
|
|
|
|
ETag: p.ETag,
|
|
|
|
}
|
|
|
|
if p.TTL > 0 {
|
|
|
|
cached.Expires = time.Now().Add(p.TTL)
|
|
|
|
}
|
|
|
|
s.aclCache.Add(id, cached)
|
2014-08-11 21:01:45 +00:00
|
|
|
return compiled, nil
|
2014-08-09 00:38:39 +00:00
|
|
|
}
|
2015-06-09 19:36:25 +00:00
|
|
|
|
|
|
|
// discoveryFilter is used to determine if we should return a given node
|
|
|
|
// or service based on the ACL passed in.
|
|
|
|
func (s *Server) discoveryFilter(node, service string, acl acl.ACL) bool {
|
|
|
|
if acl == nil {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Filter service discovery ACLs
|
|
|
|
if service != "" && service != ConsulServiceID && !acl.ServiceRead(service) {
|
|
|
|
s.logger.Printf("[DEBUG] consul: reading service '%s' denied due to ACLs", service)
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// Filtering passed
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// applyDiscoveryACLs is used to filter results from our service catalog based
|
|
|
|
// on the configured rules for the request ACL. Nodes or services which do
|
|
|
|
// not match the ACL rules will be dropped from the result.
|
|
|
|
func (s *Server) applyDiscoveryACLs(token string, subj interface{}) error {
|
|
|
|
// Get the ACL from the token
|
|
|
|
acl, err := s.resolveToken(token)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Fast path if ACLs are not enabled
|
|
|
|
if acl == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
filt := func(service string) bool {
|
|
|
|
// Don't filter the "consul" service or empty service names
|
|
|
|
if service == "" || service == ConsulServiceID {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check the ACL
|
|
|
|
if !acl.ServiceRead(service) {
|
|
|
|
s.logger.Printf("[DEBUG] consul: reading service '%s' denied due to ACLs", service)
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
switch v := subj.(type) {
|
|
|
|
// Filter health checks
|
|
|
|
case *structs.IndexedHealthChecks:
|
|
|
|
for i := 0; i < len(v.HealthChecks); i++ {
|
|
|
|
hc := v.HealthChecks[i]
|
|
|
|
if filt(hc.ServiceName) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
v.HealthChecks = append(v.HealthChecks[:i], v.HealthChecks[i+1:]...)
|
|
|
|
i--
|
|
|
|
}
|
|
|
|
|
|
|
|
// Filter services
|
|
|
|
case *structs.IndexedServices:
|
|
|
|
for svc, _ := range v.Services {
|
|
|
|
if filt(svc) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
delete(v.Services, svc)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Filter service nodes
|
|
|
|
case *structs.IndexedServiceNodes:
|
|
|
|
for i := 0; i < len(v.ServiceNodes); i++ {
|
|
|
|
node := v.ServiceNodes[i]
|
|
|
|
if filt(node.ServiceName) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
v.ServiceNodes = append(v.ServiceNodes[:i], v.ServiceNodes[i+1:]...)
|
|
|
|
i--
|
|
|
|
}
|
|
|
|
|
|
|
|
// Filter node services
|
|
|
|
case *structs.IndexedNodeServices:
|
|
|
|
for svc, _ := range v.NodeServices.Services {
|
|
|
|
if filt(svc) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
delete(v.NodeServices.Services, svc)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Filter check service nodes
|
|
|
|
case *structs.IndexedCheckServiceNodes:
|
|
|
|
for i := 0; i < len(v.Nodes); i++ {
|
|
|
|
cs := v.Nodes[i]
|
|
|
|
if filt(cs.Service.Service) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
v.Nodes = append(v.Nodes[:i], v.Nodes[i+1:]...)
|
|
|
|
i--
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|