2014-08-08 22:32:43 +00:00
|
|
|
package consul
|
|
|
|
|
|
|
|
import (
|
2015-06-11 23:46:15 +00:00
|
|
|
"fmt"
|
2019-04-08 18:19:09 +00:00
|
|
|
"sort"
|
2018-06-28 07:06:14 +00:00
|
|
|
"sync"
|
2014-08-08 22:32:43 +00:00
|
|
|
"time"
|
|
|
|
|
2020-11-13 02:12:12 +00:00
|
|
|
"github.com/armon/go-metrics"
|
|
|
|
"github.com/armon/go-metrics/prometheus"
|
2020-01-28 23:50:41 +00:00
|
|
|
"github.com/hashicorp/go-hclog"
|
2019-03-14 14:35:34 +00:00
|
|
|
"golang.org/x/sync/singleflight"
|
2018-10-19 16:04:07 +00:00
|
|
|
"golang.org/x/time/rate"
|
2020-11-17 22:10:21 +00:00
|
|
|
|
|
|
|
"github.com/hashicorp/consul/acl"
|
2022-06-17 09:24:43 +00:00
|
|
|
"github.com/hashicorp/consul/acl/resolver"
|
2020-11-17 22:10:21 +00:00
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
2021-04-14 16:39:35 +00:00
|
|
|
"github.com/hashicorp/consul/agent/token"
|
2020-11-17 22:10:21 +00:00
|
|
|
"github.com/hashicorp/consul/logging"
|
2014-08-08 22:52:52 +00:00
|
|
|
)
|
|
|
|
|
2020-11-13 02:12:12 +00:00
|
|
|
var ACLCounters = []prometheus.CounterDefinition{
|
|
|
|
{
|
2020-11-13 21:18:04 +00:00
|
|
|
Name: []string{"acl", "token", "cache_hit"},
|
2020-11-19 21:29:44 +00:00
|
|
|
Help: "Increments if Consul is able to resolve a token's identity, or a legacy token, from the cache.",
|
2020-11-13 02:12:12 +00:00
|
|
|
},
|
|
|
|
{
|
2020-11-13 21:18:04 +00:00
|
|
|
Name: []string{"acl", "token", "cache_miss"},
|
2020-11-19 21:29:44 +00:00
|
|
|
Help: "Increments if Consul cannot resolve a token's identity, or a legacy token, from the cache.",
|
2020-11-13 02:12:12 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
var ACLSummaries = []prometheus.SummaryDefinition{
|
|
|
|
{
|
2020-11-13 21:18:04 +00:00
|
|
|
Name: []string{"acl", "ResolveToken"},
|
2020-11-19 21:06:28 +00:00
|
|
|
Help: "This measures the time it takes to resolve an ACL token.",
|
2020-11-13 02:12:12 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2016-12-14 07:21:14 +00:00
|
|
|
// These must be kept in sync with the constants in command/agent/acl.go.
|
2014-08-08 22:52:52 +00:00
|
|
|
const (
|
2016-12-14 07:21:14 +00:00
|
|
|
// anonymousToken is the token ID we re-write to if there is no token ID
|
|
|
|
// provided.
|
2014-08-11 21:54:18 +00:00
|
|
|
anonymousToken = "anonymous"
|
2015-06-18 23:18:10 +00:00
|
|
|
|
Creates new "prepared-query" ACL type and new token capture behavior.
Prior to this change, prepared queries had the following behavior for
ACLs, which will need to change to support templates:
1. A management token, or a token with read access to the service being
queried needed to be provided in order to create a prepared query.
2. The token used to create the prepared query was stored with the query
in the state store and used to execute the query.
3. A management token, or the token used to create the query needed to be
supplied to perform and CRUD operations on an existing prepared query.
This was pretty subtle and complicated behavior, and won't work for
templates since the service name is computed at execution time. To solve
this, we introduce a new "prepared-query" ACL type, where the prefix
applies to the query name for static prepared query types and to the
prefix for template prepared query types.
With this change, the new behavior is:
1. A management token, or a token with "prepared-query" write access to
the query name or (soon) the given template prefix is required to do
any CRUD operations on a prepared query, or to list prepared queries
(the list is filtered by this ACL).
2. You will no longer need a management token to list prepared queries,
but you will only be able to see prepared queries that you have access
to (you get an empty list instead of permission denied).
3. When listing or getting a query, because it was easy to capture
management tokens given the past behavior, this will always blank out
the "Token" field (replacing the contents as <hidden>) for all tokens
unless a management token is supplied. Going forward, we should
discourage people from binding tokens for execution unless strictly
necessary.
4. No token will be captured by default when a prepared query is created.
If the user wishes to supply an execution token then can pass it in via
the "Token" field in the prepared query definition. Otherwise, this
field will default to empty.
5. At execution time, we will use the captured token if it exists with the
prepared query definition, otherwise we will use the token that's passed
in with the request, just like we do for other RPCs (or you can use the
agent's configured token for DNS).
6. Prepared queries with no name (accessible only by ID) will not require
ACLs to create or modify (execution time will depend on the service ACL
configuration). Our argument here is that these are designed to be
ephemeral and the IDs are as good as an ACL. Management tokens will be
able to list all of these.
These changes enable templates, but also enable delegation of authority to
manage the prepared query namespace.
2016-02-23 08:12:58 +00:00
|
|
|
// redactedToken is shown in structures with embedded tokens when they
|
2016-12-14 07:21:14 +00:00
|
|
|
// are not allowed to be displayed.
|
Creates new "prepared-query" ACL type and new token capture behavior.
Prior to this change, prepared queries had the following behavior for
ACLs, which will need to change to support templates:
1. A management token, or a token with read access to the service being
queried needed to be provided in order to create a prepared query.
2. The token used to create the prepared query was stored with the query
in the state store and used to execute the query.
3. A management token, or the token used to create the query needed to be
supplied to perform and CRUD operations on an existing prepared query.
This was pretty subtle and complicated behavior, and won't work for
templates since the service name is computed at execution time. To solve
this, we introduce a new "prepared-query" ACL type, where the prefix
applies to the query name for static prepared query types and to the
prefix for template prepared query types.
With this change, the new behavior is:
1. A management token, or a token with "prepared-query" write access to
the query name or (soon) the given template prefix is required to do
any CRUD operations on a prepared query, or to list prepared queries
(the list is filtered by this ACL).
2. You will no longer need a management token to list prepared queries,
but you will only be able to see prepared queries that you have access
to (you get an empty list instead of permission denied).
3. When listing or getting a query, because it was easy to capture
management tokens given the past behavior, this will always blank out
the "Token" field (replacing the contents as <hidden>) for all tokens
unless a management token is supplied. Going forward, we should
discourage people from binding tokens for execution unless strictly
necessary.
4. No token will be captured by default when a prepared query is created.
If the user wishes to supply an execution token then can pass it in via
the "Token" field in the prepared query definition. Otherwise, this
field will default to empty.
5. At execution time, we will use the captured token if it exists with the
prepared query definition, otherwise we will use the token that's passed
in with the request, just like we do for other RPCs (or you can use the
agent's configured token for DNS).
6. Prepared queries with no name (accessible only by ID) will not require
ACLs to create or modify (execution time will depend on the service ACL
configuration). Our argument here is that these are designed to be
ephemeral and the IDs are as good as an ACL. Management tokens will be
able to list all of these.
These changes enable templates, but also enable delegation of authority to
manage the prepared query namespace.
2016-02-23 08:12:58 +00:00
|
|
|
redactedToken = "<hidden>"
|
2018-10-19 16:04:07 +00:00
|
|
|
|
2019-04-08 17:05:51 +00:00
|
|
|
// aclTokenReapingRateLimit is the number of batch token reaping requests per second allowed.
|
|
|
|
aclTokenReapingRateLimit rate.Limit = 1.0
|
|
|
|
|
|
|
|
// aclTokenReapingBurst is the number of batch token reaping requests per second
|
|
|
|
// that can burst after a period of idleness.
|
|
|
|
aclTokenReapingBurst = 5
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
// aclBatchDeleteSize is the number of deletions to send in a single batch operation. 4096 should produce a batch that is <150KB
|
|
|
|
// in size but should be sufficiently large to handle 1 replication round in a single batch
|
|
|
|
aclBatchDeleteSize = 4096
|
|
|
|
|
|
|
|
// aclBatchUpsertSize is the target size in bytes we want to submit for a batch upsert request. We estimate the size at runtime
|
|
|
|
// due to the data being more variable in its size.
|
|
|
|
aclBatchUpsertSize = 256 * 1024
|
|
|
|
|
2019-01-22 18:14:43 +00:00
|
|
|
// Maximum number of re-resolution requests to be made if the token is modified between
|
|
|
|
// resolving the token and resolving its policies that would remove one of its policies.
|
|
|
|
tokenPolicyResolutionMaxRetries = 5
|
2019-04-15 20:43:19 +00:00
|
|
|
|
|
|
|
// Maximum number of re-resolution requests to be made if the token is modified between
|
|
|
|
// resolving the token and resolving its roles that would remove one of its roles.
|
|
|
|
tokenRoleResolutionMaxRetries = 5
|
2014-08-08 22:32:43 +00:00
|
|
|
)
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
// missingIdentity is used to return some identity in the event that the real identity cannot be ascertained
|
|
|
|
type missingIdentity struct {
|
|
|
|
reason string
|
|
|
|
token string
|
|
|
|
}
|
|
|
|
|
|
|
|
func (id *missingIdentity) ID() string {
|
|
|
|
return id.reason
|
|
|
|
}
|
|
|
|
|
|
|
|
func (id *missingIdentity) SecretToken() string {
|
|
|
|
return id.token
|
|
|
|
}
|
|
|
|
|
|
|
|
func (id *missingIdentity) PolicyIDs() []string {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (id *missingIdentity) RoleIDs() []string {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (id *missingIdentity) ServiceIdentityList() []*structs.ACLServiceIdentity {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-06-16 16:54:27 +00:00
|
|
|
func (id *missingIdentity) NodeIdentityList() []*structs.ACLNodeIdentity {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
func (id *missingIdentity) IsExpired(asOf time.Time) bool {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2020-03-10 16:15:22 +00:00
|
|
|
func (id *missingIdentity) IsLocal() bool {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2022-04-05 21:10:06 +00:00
|
|
|
func (id *missingIdentity) EnterpriseMetadata() *acl.EnterpriseMeta {
|
2021-07-22 18:20:45 +00:00
|
|
|
return structs.DefaultEnterpriseMetaInDefaultPartition()
|
2019-12-18 18:46:53 +00:00
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
type ACLRemoteError struct {
|
|
|
|
Err error
|
|
|
|
}
|
2014-08-12 17:38:57 +00:00
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
func (e ACLRemoteError) Error() string {
|
|
|
|
return fmt.Sprintf("Error communicating with the ACL Datacenter: %v", e.Err)
|
|
|
|
}
|
2014-08-12 17:38:57 +00:00
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
func IsACLRemoteError(err error) bool {
|
|
|
|
_, ok := err.(ACLRemoteError)
|
|
|
|
return ok
|
2014-08-08 22:32:43 +00:00
|
|
|
}
|
|
|
|
|
2019-10-25 17:05:43 +00:00
|
|
|
func tokenSecretCacheID(token string) string {
|
|
|
|
return "token-secret:" + token
|
|
|
|
}
|
|
|
|
|
2021-07-30 23:20:02 +00:00
|
|
|
type ACLResolverBackend interface {
|
2021-10-04 22:54:49 +00:00
|
|
|
ACLDatacenter() string
|
2018-10-19 16:04:07 +00:00
|
|
|
ResolveIdentityFromToken(token string) (bool, structs.ACLIdentity, error)
|
|
|
|
ResolvePolicyFromID(policyID string) (bool, *structs.ACLPolicy, error)
|
2019-04-15 20:43:19 +00:00
|
|
|
ResolveRoleFromID(roleID string) (bool, *structs.ACLRole, error)
|
2021-07-30 23:20:02 +00:00
|
|
|
// TODO: separate methods for each RPC call (there are 4)
|
2018-10-19 16:04:07 +00:00
|
|
|
RPC(method string, args interface{}, reply interface{}) error
|
2019-10-25 15:06:16 +00:00
|
|
|
EnterpriseACLResolverDelegate
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
2014-08-08 22:32:43 +00:00
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
type policyOrRoleTokenError struct {
|
2019-01-22 18:14:43 +00:00
|
|
|
Err error
|
|
|
|
token string
|
|
|
|
}
|
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
func (e policyOrRoleTokenError) Error() string {
|
2019-01-22 18:14:43 +00:00
|
|
|
return e.Err.Error()
|
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
// ACLResolverConfig holds all the configuration necessary to create an ACLResolver
|
|
|
|
type ACLResolverConfig struct {
|
2021-07-30 22:56:11 +00:00
|
|
|
// TODO: rename this field?
|
|
|
|
Config ACLResolverSettings
|
2020-01-28 23:50:41 +00:00
|
|
|
Logger hclog.Logger
|
2018-10-19 16:04:07 +00:00
|
|
|
|
|
|
|
// CacheConfig is a pass through configuration for ACL cache limits
|
|
|
|
CacheConfig *structs.ACLCachesConfig
|
|
|
|
|
2021-07-30 23:20:02 +00:00
|
|
|
// Backend is used to retrieve data from the state store, or perform RPCs
|
|
|
|
// to fetch data from other Datacenters.
|
|
|
|
Backend ACLResolverBackend
|
2015-06-18 23:18:10 +00:00
|
|
|
|
2021-08-09 20:29:21 +00:00
|
|
|
// DisableDuration is the length of time to leave ACLs disabled when an RPC
|
|
|
|
// request to a server indicates that the ACL system is disabled. If set to
|
|
|
|
// 0 then ACLs will not be disabled locally. This value is always set to 0 on
|
|
|
|
// Servers.
|
|
|
|
DisableDuration time.Duration
|
2018-10-19 16:04:07 +00:00
|
|
|
|
2020-01-13 20:51:40 +00:00
|
|
|
// ACLConfig is the configuration necessary to pass through to the acl package when creating authorizers
|
|
|
|
// and when authorizing access
|
|
|
|
ACLConfig *acl.Config
|
2021-04-14 16:39:35 +00:00
|
|
|
|
|
|
|
// Tokens is the token store of locally managed tokens
|
|
|
|
Tokens *token.Store
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
2021-08-09 20:29:21 +00:00
|
|
|
const aclClientDisabledTTL = 30 * time.Second
|
2021-08-09 20:04:23 +00:00
|
|
|
|
2021-07-30 22:56:11 +00:00
|
|
|
// TODO: rename the fields to remove the ACL prefix
|
|
|
|
type ACLResolverSettings struct {
|
2021-08-25 18:43:11 +00:00
|
|
|
ACLsEnabled bool
|
|
|
|
Datacenter string
|
|
|
|
NodeName string
|
2022-04-05 21:10:06 +00:00
|
|
|
EnterpriseMeta acl.EnterpriseMeta
|
2021-08-06 22:59:05 +00:00
|
|
|
|
|
|
|
// ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has
|
|
|
|
// a major impact on performance. By default, it is set to 30 seconds.
|
|
|
|
ACLPolicyTTL time.Duration
|
|
|
|
// ACLTokenTTL is used to control the time-to-live of cached ACL tokens. This has
|
|
|
|
// a major impact on performance. By default, it is set to 30 seconds.
|
|
|
|
ACLTokenTTL time.Duration
|
|
|
|
// ACLRoleTTL is used to control the time-to-live of cached ACL roles. This has
|
|
|
|
// a major impact on performance. By default, it is set to 30 seconds.
|
|
|
|
ACLRoleTTL time.Duration
|
|
|
|
|
|
|
|
// ACLDownPolicy is used to control the ACL interaction when we cannot
|
|
|
|
// reach the PrimaryDatacenter and the token is not in the cache.
|
|
|
|
// There are the following modes:
|
|
|
|
// * allow - Allow all requests
|
|
|
|
// * deny - Deny all requests
|
|
|
|
// * extend-cache - Ignore the cache expiration, and allow cached
|
|
|
|
// ACL's to be used to service requests. This
|
|
|
|
// is the default. If the ACL is not in the cache,
|
|
|
|
// this acts like deny.
|
|
|
|
// * async-cache - Same behavior as extend-cache, but perform ACL
|
|
|
|
// Lookups asynchronously when cache TTL is expired.
|
|
|
|
ACLDownPolicy string
|
|
|
|
|
|
|
|
// ACLDefaultPolicy is used to control the ACL interaction when
|
|
|
|
// there is no defined policy. This can be "allow" which means
|
|
|
|
// ACLs are used to deny-list, or "deny" which means ACLs are
|
|
|
|
// allow-lists.
|
2021-07-30 22:56:11 +00:00
|
|
|
ACLDefaultPolicy string
|
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
// ACLResolver is the type to handle all your token and policy resolution needs.
|
|
|
|
//
|
|
|
|
// Supports:
|
2021-07-30 23:20:02 +00:00
|
|
|
// - Resolving tokens locally via the ACLResolverBackend
|
|
|
|
// - Resolving policies locally via the ACLResolverBackend
|
|
|
|
// - Resolving roles locally via the ACLResolverBackend
|
2020-01-27 19:54:32 +00:00
|
|
|
// - Resolving legacy tokens remotely via an ACL.GetPolicy RPC
|
2018-10-19 16:04:07 +00:00
|
|
|
// - Resolving tokens remotely via an ACL.TokenRead RPC
|
|
|
|
// - Resolving policies remotely via an ACL.PolicyResolve RPC
|
2019-04-15 20:43:19 +00:00
|
|
|
// - Resolving roles remotely via an ACL.RoleResolve RPC
|
2018-10-19 16:04:07 +00:00
|
|
|
//
|
|
|
|
// Remote Resolution:
|
2019-04-08 18:19:09 +00:00
|
|
|
// Remote resolution can be done synchronously or asynchronously depending
|
2018-10-19 16:04:07 +00:00
|
|
|
// on the ACLDownPolicy in the Config passed to the resolver.
|
|
|
|
//
|
|
|
|
// When the down policy is set to async-cache and we have already cached values
|
|
|
|
// then go routines will be spawned to perform the RPCs in the background
|
2019-03-14 14:35:34 +00:00
|
|
|
// and then will update the cache with either the positive or negative result.
|
2018-10-19 16:04:07 +00:00
|
|
|
//
|
2019-04-15 20:43:19 +00:00
|
|
|
// When the down policy is set to extend-cache or the token/policy/role is not already
|
2018-10-19 16:04:07 +00:00
|
|
|
// cached then the same go routines are spawned to do the RPCs in the background.
|
|
|
|
// However in this mode channels are created to receive the results of the RPC
|
|
|
|
// and are registered with the resolver. Those channels are immediately read/blocked
|
|
|
|
// upon.
|
|
|
|
//
|
|
|
|
type ACLResolver struct {
|
2021-07-30 22:56:11 +00:00
|
|
|
config ACLResolverSettings
|
2020-01-28 23:50:41 +00:00
|
|
|
logger hclog.Logger
|
2015-06-18 23:18:10 +00:00
|
|
|
|
2021-07-30 23:20:02 +00:00
|
|
|
backend ACLResolverBackend
|
|
|
|
aclConf *acl.Config
|
2017-09-14 19:31:01 +00:00
|
|
|
|
2021-04-14 16:39:35 +00:00
|
|
|
tokens *token.Store
|
|
|
|
|
2019-03-14 14:35:34 +00:00
|
|
|
cache *structs.ACLCaches
|
|
|
|
identityGroup singleflight.Group
|
|
|
|
policyGroup singleflight.Group
|
2019-04-15 20:43:19 +00:00
|
|
|
roleGroup singleflight.Group
|
2019-03-14 14:35:34 +00:00
|
|
|
legacyGroup singleflight.Group
|
2016-08-04 00:01:32 +00:00
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
down acl.Authorizer
|
2018-06-28 07:06:14 +00:00
|
|
|
|
2021-08-09 20:29:21 +00:00
|
|
|
disableDuration time.Duration
|
|
|
|
disabledUntil time.Time
|
|
|
|
// disabledLock synchronizes access to disabledUntil
|
2018-10-19 16:04:07 +00:00
|
|
|
disabledLock sync.RWMutex
|
2021-04-14 16:39:35 +00:00
|
|
|
|
2022-01-20 12:47:50 +00:00
|
|
|
agentRecoveryAuthz acl.Authorizer
|
2021-04-14 16:39:35 +00:00
|
|
|
}
|
|
|
|
|
2022-04-05 21:10:06 +00:00
|
|
|
func agentRecoveryAuthorizer(nodeName string, entMeta *acl.EnterpriseMeta, aclConf *acl.Config) (acl.Authorizer, error) {
|
2021-12-08 23:11:55 +00:00
|
|
|
var conf acl.Config
|
|
|
|
if aclConf != nil {
|
|
|
|
conf = *aclConf
|
|
|
|
}
|
|
|
|
setEnterpriseConf(entMeta, &conf)
|
2021-08-25 18:43:11 +00:00
|
|
|
|
2022-01-20 12:47:50 +00:00
|
|
|
// Build a policy for the agent recovery token.
|
2021-12-08 23:11:55 +00:00
|
|
|
//
|
2022-01-20 12:47:50 +00:00
|
|
|
// The builtin agent recovery policy allows reading any node information
|
2021-04-14 16:39:35 +00:00
|
|
|
// and allows writes to the agent with the node name of the running agent
|
|
|
|
// only. This used to allow a prefix match on agent names but that seems
|
|
|
|
// entirely unnecessary so it is now using an exact match.
|
2021-12-08 23:11:55 +00:00
|
|
|
policy, err := acl.NewPolicyFromSource(fmt.Sprintf(`
|
|
|
|
agent "%s" {
|
|
|
|
policy = "write"
|
|
|
|
}
|
|
|
|
node_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
`, nodeName), acl.SyntaxCurrent, &conf, entMeta.ToEnterprisePolicyMeta())
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2021-04-14 16:39:35 +00:00
|
|
|
}
|
2021-10-26 18:02:34 +00:00
|
|
|
|
2021-12-08 23:11:55 +00:00
|
|
|
return acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, &conf)
|
2015-06-18 23:18:10 +00:00
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
|
|
|
|
if config == nil {
|
|
|
|
return nil, fmt.Errorf("ACL Resolver must be initialized with a config")
|
2015-06-18 23:18:10 +00:00
|
|
|
}
|
2021-07-30 23:20:02 +00:00
|
|
|
if config.Backend == nil {
|
2021-12-01 18:40:41 +00:00
|
|
|
return nil, fmt.Errorf("ACL Resolver must be initialized with a valid backend")
|
2015-06-18 23:18:10 +00:00
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
if config.Logger == nil {
|
2020-01-28 23:50:41 +00:00
|
|
|
config.Logger = hclog.New(&hclog.LoggerOptions{})
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
2018-06-28 07:06:14 +00:00
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
cache, err := structs.NewACLCaches(config.CacheConfig)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2014-08-08 22:32:43 +00:00
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
var down acl.Authorizer
|
|
|
|
switch config.Config.ACLDownPolicy {
|
|
|
|
case "allow":
|
|
|
|
down = acl.AllowAll()
|
|
|
|
case "deny":
|
|
|
|
down = acl.DenyAll()
|
|
|
|
case "async-cache", "extend-cache":
|
2021-09-23 22:11:16 +00:00
|
|
|
down = acl.RootAuthorizer(config.Config.ACLDefaultPolicy)
|
2018-10-19 16:04:07 +00:00
|
|
|
default:
|
|
|
|
return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy)
|
2014-08-08 22:32:43 +00:00
|
|
|
}
|
2018-10-19 16:04:07 +00:00
|
|
|
|
2022-01-20 12:47:50 +00:00
|
|
|
authz, err := agentRecoveryAuthorizer(config.Config.NodeName, &config.Config.EnterpriseMeta, config.ACLConfig)
|
2021-04-14 16:39:35 +00:00
|
|
|
if err != nil {
|
2022-01-20 12:47:50 +00:00
|
|
|
return nil, fmt.Errorf("failed to initialize the agent recovery authorizer")
|
2021-04-14 16:39:35 +00:00
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
return &ACLResolver{
|
2022-01-20 12:47:50 +00:00
|
|
|
config: config.Config,
|
|
|
|
logger: config.Logger.Named(logging.ACL),
|
2021-07-30 23:20:02 +00:00
|
|
|
backend: config.Backend,
|
2022-01-20 12:47:50 +00:00
|
|
|
aclConf: config.ACLConfig,
|
|
|
|
cache: cache,
|
|
|
|
disableDuration: config.DisableDuration,
|
|
|
|
down: down,
|
|
|
|
tokens: config.Tokens,
|
|
|
|
agentRecoveryAuthz: authz,
|
2018-10-19 16:04:07 +00:00
|
|
|
}, nil
|
2018-06-28 07:06:14 +00:00
|
|
|
}
|
2014-08-08 22:32:43 +00:00
|
|
|
|
2019-12-06 19:01:34 +00:00
|
|
|
func (r *ACLResolver) Close() {
|
2020-01-13 20:51:40 +00:00
|
|
|
r.aclConf.Close()
|
2019-12-06 19:01:34 +00:00
|
|
|
}
|
|
|
|
|
2019-03-14 14:35:34 +00:00
|
|
|
func (r *ACLResolver) fetchAndCacheIdentityFromToken(token string, cached *structs.IdentityCacheEntry) (structs.ACLIdentity, error) {
|
2018-10-31 20:00:46 +00:00
|
|
|
req := structs.ACLTokenGetRequest{
|
2021-07-30 23:20:02 +00:00
|
|
|
Datacenter: r.backend.ACLDatacenter(),
|
2018-10-19 16:04:07 +00:00
|
|
|
TokenID: token,
|
|
|
|
TokenIDType: structs.ACLTokenSecret,
|
|
|
|
QueryOptions: structs.QueryOptions{
|
|
|
|
Token: token,
|
|
|
|
AllowStale: true,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
var resp structs.ACLTokenResponse
|
2021-07-30 23:20:02 +00:00
|
|
|
err := r.backend.RPC("ACL.TokenRead", &req, &resp)
|
2018-10-19 16:04:07 +00:00
|
|
|
if err == nil {
|
|
|
|
if resp.Token == nil {
|
2022-05-04 16:38:45 +00:00
|
|
|
r.cache.RemoveIdentityWithSecretToken(token)
|
2019-03-14 14:35:34 +00:00
|
|
|
return nil, acl.ErrNotFound
|
2020-06-09 19:13:09 +00:00
|
|
|
} else if resp.Token.Local && r.config.Datacenter != resp.SourceDatacenter {
|
2022-05-04 16:38:45 +00:00
|
|
|
r.cache.RemoveIdentityWithSecretToken(token)
|
2020-06-09 19:13:09 +00:00
|
|
|
return nil, acl.PermissionDeniedError{Cause: fmt.Sprintf("This is a local token in datacenter %q", resp.SourceDatacenter)}
|
2018-10-19 16:04:07 +00:00
|
|
|
} else {
|
2022-05-04 16:38:45 +00:00
|
|
|
r.cache.PutIdentityWithSecretToken(token, resp.Token)
|
2019-03-14 14:35:34 +00:00
|
|
|
return resp.Token, nil
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if acl.IsErrNotFound(err) {
|
|
|
|
// Make sure to remove from the cache if it was deleted
|
2022-05-04 16:38:45 +00:00
|
|
|
r.cache.RemoveIdentityWithSecretToken(token)
|
2019-03-14 14:35:34 +00:00
|
|
|
return nil, acl.ErrNotFound
|
|
|
|
|
2018-06-28 07:06:14 +00:00
|
|
|
}
|
2018-10-19 16:04:07 +00:00
|
|
|
|
|
|
|
// some other RPC error
|
|
|
|
if cached != nil && (r.config.ACLDownPolicy == "extend-cache" || r.config.ACLDownPolicy == "async-cache") {
|
|
|
|
// extend the cache
|
2022-05-04 16:38:45 +00:00
|
|
|
r.cache.PutIdentityWithSecretToken(token, cached.Identity)
|
2019-03-14 14:35:34 +00:00
|
|
|
return cached.Identity, nil
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
2022-05-04 16:38:45 +00:00
|
|
|
r.cache.RemoveIdentityWithSecretToken(token)
|
2019-03-14 14:35:34 +00:00
|
|
|
return nil, err
|
2018-06-28 07:06:14 +00:00
|
|
|
}
|
|
|
|
|
2020-01-27 19:54:32 +00:00
|
|
|
// resolveIdentityFromToken takes a token secret as a string and returns an ACLIdentity.
|
|
|
|
// We read the value from ACLResolver's cache if available, and if the read misses
|
|
|
|
// we initiate an RPC for the value.
|
2018-10-19 16:04:07 +00:00
|
|
|
func (r *ACLResolver) resolveIdentityFromToken(token string) (structs.ACLIdentity, error) {
|
|
|
|
// Attempt to resolve locally first (local results are not cached)
|
2021-07-30 23:20:02 +00:00
|
|
|
if done, identity, err := r.backend.ResolveIdentityFromToken(token); done {
|
2018-10-19 16:04:07 +00:00
|
|
|
return identity, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check the cache before making any RPC requests
|
2022-05-04 16:38:45 +00:00
|
|
|
cacheEntry := r.cache.GetIdentityWithSecretToken(token)
|
2018-10-19 16:04:07 +00:00
|
|
|
if cacheEntry != nil && cacheEntry.Age() <= r.config.ACLTokenTTL {
|
|
|
|
metrics.IncrCounter([]string{"acl", "token", "cache_hit"}, 1)
|
2022-05-04 16:38:45 +00:00
|
|
|
return cacheEntry.Identity, nil
|
2018-06-28 07:06:14 +00:00
|
|
|
}
|
2018-10-19 16:04:07 +00:00
|
|
|
|
|
|
|
metrics.IncrCounter([]string{"acl", "token", "cache_miss"}, 1)
|
|
|
|
|
|
|
|
// Background a RPC request and wait on it if we must
|
2019-03-14 14:35:34 +00:00
|
|
|
waitChan := r.identityGroup.DoChan(token, func() (interface{}, error) {
|
|
|
|
identity, err := r.fetchAndCacheIdentityFromToken(token, cacheEntry)
|
|
|
|
return identity, err
|
|
|
|
})
|
2018-10-19 16:04:07 +00:00
|
|
|
|
|
|
|
waitForResult := cacheEntry == nil || r.config.ACLDownPolicy != "async-cache"
|
|
|
|
if !waitForResult {
|
|
|
|
// waitForResult being false requires the cacheEntry to not be nil
|
2022-05-04 16:38:45 +00:00
|
|
|
return cacheEntry.Identity, nil
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// block on the read here, this is why we don't need chan buffering
|
|
|
|
res := <-waitChan
|
|
|
|
|
2019-03-14 14:35:34 +00:00
|
|
|
var identity structs.ACLIdentity
|
|
|
|
if res.Val != nil { // avoid a nil-not-nil bug
|
|
|
|
identity = res.Val.(structs.ACLIdentity)
|
2018-06-28 07:06:14 +00:00
|
|
|
}
|
2018-10-19 16:04:07 +00:00
|
|
|
|
2019-03-14 14:35:34 +00:00
|
|
|
if res.Err != nil && !acl.IsErrNotFound(res.Err) {
|
|
|
|
return identity, ACLRemoteError{Err: res.Err}
|
2014-08-08 22:32:43 +00:00
|
|
|
}
|
2019-03-14 14:35:34 +00:00
|
|
|
return identity, res.Err
|
2014-08-08 22:32:43 +00:00
|
|
|
}
|
2014-08-09 00:38:39 +00:00
|
|
|
|
2019-03-14 14:35:34 +00:00
|
|
|
func (r *ACLResolver) fetchAndCachePoliciesForIdentity(identity structs.ACLIdentity, policyIDs []string, cached map[string]*structs.PolicyCacheEntry) (map[string]*structs.ACLPolicy, error) {
|
2018-10-31 20:00:46 +00:00
|
|
|
req := structs.ACLPolicyBatchGetRequest{
|
2021-07-30 23:20:02 +00:00
|
|
|
Datacenter: r.backend.ACLDatacenter(),
|
2018-10-19 16:04:07 +00:00
|
|
|
PolicyIDs: policyIDs,
|
|
|
|
QueryOptions: structs.QueryOptions{
|
|
|
|
Token: identity.SecretToken(),
|
|
|
|
AllowStale: true,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2018-10-31 20:00:46 +00:00
|
|
|
var resp structs.ACLPolicyBatchResponse
|
2021-07-30 23:20:02 +00:00
|
|
|
err := r.backend.RPC("ACL.PolicyResolve", &req, &resp)
|
2018-10-19 16:04:07 +00:00
|
|
|
if err == nil {
|
2019-03-14 14:35:34 +00:00
|
|
|
out := make(map[string]*structs.ACLPolicy)
|
2018-10-19 16:04:07 +00:00
|
|
|
for _, policy := range resp.Policies {
|
2019-03-14 14:35:34 +00:00
|
|
|
out[policy.ID] = policy
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
for _, policyID := range policyIDs {
|
2019-03-14 14:35:34 +00:00
|
|
|
if policy, ok := out[policyID]; ok {
|
|
|
|
r.cache.PutPolicy(policyID, policy)
|
|
|
|
} else {
|
|
|
|
r.cache.PutPolicy(policyID, nil)
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
2014-08-09 00:38:39 +00:00
|
|
|
}
|
2019-03-14 14:35:34 +00:00
|
|
|
return out, nil
|
2014-08-09 00:38:39 +00:00
|
|
|
}
|
|
|
|
|
2019-04-26 17:49:28 +00:00
|
|
|
if handledErr := r.maybeHandleIdentityErrorDuringFetch(identity, err); handledErr != nil {
|
|
|
|
return nil, handledErr
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// other RPC error - use cache if available
|
|
|
|
|
|
|
|
extendCache := r.config.ACLDownPolicy == "extend-cache" || r.config.ACLDownPolicy == "async-cache"
|
2019-03-14 14:35:34 +00:00
|
|
|
|
|
|
|
out := make(map[string]*structs.ACLPolicy)
|
|
|
|
insufficientCache := false
|
2018-10-19 16:04:07 +00:00
|
|
|
for _, policyID := range policyIDs {
|
|
|
|
if entry, ok := cached[policyID]; extendCache && ok {
|
2019-03-14 14:35:34 +00:00
|
|
|
r.cache.PutPolicy(policyID, entry.Policy)
|
|
|
|
if entry.Policy != nil {
|
|
|
|
out[policyID] = entry.Policy
|
|
|
|
}
|
2018-10-19 16:04:07 +00:00
|
|
|
} else {
|
2019-03-14 14:35:34 +00:00
|
|
|
r.cache.PutPolicy(policyID, nil)
|
|
|
|
insufficientCache = true
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
}
|
2019-03-14 14:35:34 +00:00
|
|
|
if insufficientCache {
|
|
|
|
return nil, ACLRemoteError{Err: err}
|
|
|
|
}
|
|
|
|
return out, nil
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
func (r *ACLResolver) fetchAndCacheRolesForIdentity(identity structs.ACLIdentity, roleIDs []string, cached map[string]*structs.RoleCacheEntry) (map[string]*structs.ACLRole, error) {
|
|
|
|
req := structs.ACLRoleBatchGetRequest{
|
2021-07-30 23:20:02 +00:00
|
|
|
Datacenter: r.backend.ACLDatacenter(),
|
2019-04-15 20:43:19 +00:00
|
|
|
RoleIDs: roleIDs,
|
|
|
|
QueryOptions: structs.QueryOptions{
|
|
|
|
Token: identity.SecretToken(),
|
|
|
|
AllowStale: true,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
var resp structs.ACLRoleBatchResponse
|
2021-07-30 23:20:02 +00:00
|
|
|
err := r.backend.RPC("ACL.RoleResolve", &req, &resp)
|
2019-04-15 20:43:19 +00:00
|
|
|
if err == nil {
|
|
|
|
out := make(map[string]*structs.ACLRole)
|
|
|
|
for _, role := range resp.Roles {
|
|
|
|
out[role.ID] = role
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, roleID := range roleIDs {
|
|
|
|
if role, ok := out[roleID]; ok {
|
|
|
|
r.cache.PutRole(roleID, role)
|
|
|
|
} else {
|
|
|
|
r.cache.PutRole(roleID, nil)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return out, nil
|
|
|
|
}
|
|
|
|
|
2019-04-26 17:49:28 +00:00
|
|
|
if handledErr := r.maybeHandleIdentityErrorDuringFetch(identity, err); handledErr != nil {
|
|
|
|
return nil, handledErr
|
2019-04-15 20:43:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// other RPC error - use cache if available
|
|
|
|
|
|
|
|
extendCache := r.config.ACLDownPolicy == "extend-cache" || r.config.ACLDownPolicy == "async-cache"
|
|
|
|
|
|
|
|
out := make(map[string]*structs.ACLRole)
|
|
|
|
insufficientCache := false
|
|
|
|
for _, roleID := range roleIDs {
|
|
|
|
if entry, ok := cached[roleID]; extendCache && ok {
|
|
|
|
r.cache.PutRole(roleID, entry.Role)
|
|
|
|
if entry.Role != nil {
|
|
|
|
out[roleID] = entry.Role
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
r.cache.PutRole(roleID, nil)
|
|
|
|
insufficientCache = true
|
|
|
|
}
|
|
|
|
}
|
2019-04-26 17:49:28 +00:00
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
if insufficientCache {
|
|
|
|
return nil, ACLRemoteError{Err: err}
|
|
|
|
}
|
2019-04-26 17:49:28 +00:00
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
return out, nil
|
|
|
|
}
|
|
|
|
|
2019-04-26 17:49:28 +00:00
|
|
|
func (r *ACLResolver) maybeHandleIdentityErrorDuringFetch(identity structs.ACLIdentity, err error) error {
|
|
|
|
if acl.IsErrNotFound(err) {
|
|
|
|
// make sure to indicate that this identity is no longer valid within
|
|
|
|
// the cache
|
2022-05-04 16:38:45 +00:00
|
|
|
r.cache.RemoveIdentityWithSecretToken(identity.SecretToken())
|
2019-04-26 17:49:28 +00:00
|
|
|
|
|
|
|
// Do not touch the cache. Getting a top level ACL not found error
|
|
|
|
// only indicates that the secret token used in the request
|
|
|
|
// no longer exists
|
|
|
|
return &policyOrRoleTokenError{acl.ErrNotFound, identity.SecretToken()}
|
|
|
|
}
|
|
|
|
|
|
|
|
if acl.IsErrPermissionDenied(err) {
|
|
|
|
// invalidate our ID cache so that identity resolution will take place
|
|
|
|
// again in the future
|
2022-05-04 16:38:45 +00:00
|
|
|
r.cache.RemoveIdentityWithSecretToken(identity.SecretToken())
|
2019-04-26 17:49:28 +00:00
|
|
|
|
|
|
|
// Do not remove from the cache for permission denied
|
|
|
|
// what this does indicate is that our view of the token is out of date
|
|
|
|
return &policyOrRoleTokenError{acl.ErrPermissionDenied, identity.SecretToken()}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
func (r *ACLResolver) filterPoliciesByScope(policies structs.ACLPolicies) structs.ACLPolicies {
|
|
|
|
var out structs.ACLPolicies
|
|
|
|
for _, policy := range policies {
|
|
|
|
if len(policy.Datacenters) == 0 {
|
|
|
|
out = append(out, policy)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, dc := range policy.Datacenters {
|
|
|
|
if dc == r.config.Datacenter {
|
|
|
|
out = append(out, policy)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return out
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *ACLResolver) resolvePoliciesForIdentity(identity structs.ACLIdentity) (structs.ACLPolicies, error) {
|
2021-09-16 14:17:02 +00:00
|
|
|
var (
|
|
|
|
policyIDs = identity.PolicyIDs()
|
|
|
|
roleIDs = identity.RoleIDs()
|
2022-05-04 16:38:45 +00:00
|
|
|
serviceIdentities = structs.ACLServiceIdentities(identity.ServiceIdentityList())
|
|
|
|
nodeIdentities = structs.ACLNodeIdentities(identity.NodeIdentityList())
|
2021-09-16 14:17:02 +00:00
|
|
|
)
|
2019-04-08 18:19:09 +00:00
|
|
|
|
2020-06-16 16:54:27 +00:00
|
|
|
if len(policyIDs) == 0 && len(serviceIdentities) == 0 && len(roleIDs) == 0 && len(nodeIdentities) == 0 {
|
2018-10-19 16:04:07 +00:00
|
|
|
// In this case the default policy will be all that is in effect.
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
// Collect all of the roles tied to this token.
|
|
|
|
roles, err := r.collectRolesForIdentity(identity, roleIDs)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Merge the policies and service identities across Token and Role fields.
|
|
|
|
for _, role := range roles {
|
|
|
|
for _, link := range role.Policies {
|
|
|
|
policyIDs = append(policyIDs, link.ID)
|
|
|
|
}
|
|
|
|
serviceIdentities = append(serviceIdentities, role.ServiceIdentities...)
|
2020-06-16 16:54:27 +00:00
|
|
|
nodeIdentities = append(nodeIdentities, role.NodeIdentityList()...)
|
2019-04-15 20:43:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Now deduplicate any policies or service identities that occur more than once.
|
|
|
|
policyIDs = dedupeStringSlice(policyIDs)
|
2022-05-04 16:38:45 +00:00
|
|
|
serviceIdentities = serviceIdentities.Deduplicate()
|
|
|
|
nodeIdentities = nodeIdentities.Deduplicate()
|
2019-04-15 20:43:19 +00:00
|
|
|
|
|
|
|
// Generate synthetic policies for all service identities in effect.
|
2019-10-24 18:38:09 +00:00
|
|
|
syntheticPolicies := r.synthesizePoliciesForServiceIdentities(serviceIdentities, identity.EnterpriseMetadata())
|
2021-09-16 14:17:02 +00:00
|
|
|
syntheticPolicies = append(syntheticPolicies, r.synthesizePoliciesForNodeIdentities(nodeIdentities, identity.EnterpriseMetadata())...)
|
2019-04-08 18:19:09 +00:00
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
// For the new ACLs policy replication is mandatory for correct operation on servers. Therefore
|
|
|
|
// we only attempt to resolve policies locally
|
2019-04-08 18:19:09 +00:00
|
|
|
policies, err := r.collectPoliciesForIdentity(identity, policyIDs, len(syntheticPolicies))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
policies = append(policies, syntheticPolicies...)
|
|
|
|
filtered := r.filterPoliciesByScope(policies)
|
|
|
|
return filtered, nil
|
|
|
|
}
|
|
|
|
|
2022-04-05 21:10:06 +00:00
|
|
|
func (r *ACLResolver) synthesizePoliciesForServiceIdentities(serviceIdentities []*structs.ACLServiceIdentity, entMeta *acl.EnterpriseMeta) []*structs.ACLPolicy {
|
2019-04-08 18:19:09 +00:00
|
|
|
if len(serviceIdentities) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
syntheticPolicies := make([]*structs.ACLPolicy, 0, len(serviceIdentities))
|
|
|
|
for _, s := range serviceIdentities {
|
2019-10-24 18:38:09 +00:00
|
|
|
syntheticPolicies = append(syntheticPolicies, s.SyntheticPolicy(entMeta))
|
2019-04-08 18:19:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return syntheticPolicies
|
|
|
|
}
|
|
|
|
|
2022-04-05 21:10:06 +00:00
|
|
|
func (r *ACLResolver) synthesizePoliciesForNodeIdentities(nodeIdentities []*structs.ACLNodeIdentity, entMeta *acl.EnterpriseMeta) []*structs.ACLPolicy {
|
2020-06-16 16:54:27 +00:00
|
|
|
if len(nodeIdentities) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
syntheticPolicies := make([]*structs.ACLPolicy, 0, len(nodeIdentities))
|
|
|
|
for _, n := range nodeIdentities {
|
2021-09-16 14:17:02 +00:00
|
|
|
syntheticPolicies = append(syntheticPolicies, n.SyntheticPolicy(entMeta))
|
2020-06-16 16:54:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return syntheticPolicies
|
|
|
|
}
|
|
|
|
|
2019-04-08 18:19:09 +00:00
|
|
|
func mergeStringSlice(a, b []string) []string {
|
|
|
|
out := make([]string, 0, len(a)+len(b))
|
|
|
|
out = append(out, a...)
|
|
|
|
out = append(out, b...)
|
|
|
|
return dedupeStringSlice(out)
|
|
|
|
}
|
|
|
|
|
|
|
|
func dedupeStringSlice(in []string) []string {
|
|
|
|
// From: https://github.com/golang/go/wiki/SliceTricks#in-place-deduplicate-comparable
|
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
if len(in) <= 1 {
|
|
|
|
return in
|
|
|
|
}
|
|
|
|
|
2019-04-08 18:19:09 +00:00
|
|
|
sort.Strings(in)
|
|
|
|
|
|
|
|
j := 0
|
|
|
|
for i := 1; i < len(in); i++ {
|
|
|
|
if in[j] == in[i] {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
j++
|
|
|
|
in[j] = in[i]
|
|
|
|
}
|
|
|
|
|
|
|
|
return in[:j+1]
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *ACLResolver) collectPoliciesForIdentity(identity structs.ACLIdentity, policyIDs []string, extraCap int) ([]*structs.ACLPolicy, error) {
|
|
|
|
policies := make([]*structs.ACLPolicy, 0, len(policyIDs)+extraCap)
|
2018-10-19 16:04:07 +00:00
|
|
|
|
|
|
|
// Get all associated policies
|
|
|
|
var missing []string
|
|
|
|
var expired []*structs.ACLPolicy
|
|
|
|
expCacheMap := make(map[string]*structs.PolicyCacheEntry)
|
|
|
|
|
2020-01-27 19:54:32 +00:00
|
|
|
var accessorID string
|
|
|
|
if identity != nil {
|
|
|
|
accessorID = identity.ID()
|
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
for _, policyID := range policyIDs {
|
2021-07-30 23:20:02 +00:00
|
|
|
if done, policy, err := r.backend.ResolvePolicyFromID(policyID); done {
|
2018-10-19 16:04:07 +00:00
|
|
|
if err != nil && !acl.IsErrNotFound(err) {
|
2014-08-12 17:54:56 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2018-10-19 16:04:07 +00:00
|
|
|
|
|
|
|
if policy != nil {
|
|
|
|
policies = append(policies, policy)
|
|
|
|
} else {
|
2020-01-28 23:50:41 +00:00
|
|
|
r.logger.Warn("policy not found for identity",
|
|
|
|
"policy", policyID,
|
2020-01-29 17:16:08 +00:00
|
|
|
"accessorID", accessorID,
|
|
|
|
)
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// create the missing list which we can execute an RPC to get all the missing policies at once
|
|
|
|
entry := r.cache.GetPolicy(policyID)
|
|
|
|
if entry == nil {
|
|
|
|
missing = append(missing, policyID)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if entry.Policy == nil {
|
2019-04-15 20:43:19 +00:00
|
|
|
// this happens when we cache a negative response for the policy's existence
|
2018-10-19 16:04:07 +00:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if entry.Age() >= r.config.ACLPolicyTTL {
|
|
|
|
expired = append(expired, entry.Policy)
|
|
|
|
expCacheMap[policyID] = entry
|
|
|
|
} else {
|
|
|
|
policies = append(policies, entry.Policy)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Hot-path if we have no missing or expired policies
|
|
|
|
if len(missing)+len(expired) == 0 {
|
2019-04-08 18:19:09 +00:00
|
|
|
return policies, nil
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
2019-03-14 14:35:34 +00:00
|
|
|
hasMissing := len(missing) > 0
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
fetchIDs := missing
|
|
|
|
for _, policy := range expired {
|
|
|
|
fetchIDs = append(fetchIDs, policy.ID)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Background a RPC request and wait on it if we must
|
2019-03-14 14:35:34 +00:00
|
|
|
waitChan := r.policyGroup.DoChan(identity.SecretToken(), func() (interface{}, error) {
|
|
|
|
policies, err := r.fetchAndCachePoliciesForIdentity(identity, fetchIDs, expCacheMap)
|
|
|
|
return policies, err
|
|
|
|
})
|
2014-08-09 00:38:39 +00:00
|
|
|
|
2019-03-14 14:35:34 +00:00
|
|
|
waitForResult := hasMissing || r.config.ACLDownPolicy != "async-cache"
|
2018-10-19 16:04:07 +00:00
|
|
|
if !waitForResult {
|
|
|
|
// waitForResult being false requires that all the policies were cached already
|
|
|
|
policies = append(policies, expired...)
|
2019-04-08 18:19:09 +00:00
|
|
|
return policies, nil
|
2014-08-09 00:38:39 +00:00
|
|
|
}
|
|
|
|
|
2019-03-14 14:35:34 +00:00
|
|
|
res := <-waitChan
|
2018-10-19 16:04:07 +00:00
|
|
|
|
2019-03-14 14:35:34 +00:00
|
|
|
if res.Err != nil {
|
|
|
|
return nil, res.Err
|
|
|
|
}
|
2018-10-19 16:04:07 +00:00
|
|
|
|
2019-03-14 14:35:34 +00:00
|
|
|
if res.Val != nil {
|
|
|
|
foundPolicies := res.Val.(map[string]*structs.ACLPolicy)
|
2019-01-22 18:14:43 +00:00
|
|
|
|
2019-03-14 14:35:34 +00:00
|
|
|
for _, policy := range foundPolicies {
|
|
|
|
policies = append(policies, policy)
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
2014-08-09 00:38:39 +00:00
|
|
|
}
|
2018-10-19 16:04:07 +00:00
|
|
|
|
2019-04-08 18:19:09 +00:00
|
|
|
return policies, nil
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
func (r *ACLResolver) resolveRolesForIdentity(identity structs.ACLIdentity) (structs.ACLRoles, error) {
|
|
|
|
return r.collectRolesForIdentity(identity, identity.RoleIDs())
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *ACLResolver) collectRolesForIdentity(identity structs.ACLIdentity, roleIDs []string) (structs.ACLRoles, error) {
|
|
|
|
if len(roleIDs) == 0 {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// For the new ACLs policy & role replication is mandatory for correct operation
|
|
|
|
// on servers. Therefore we only attempt to resolve roles locally
|
|
|
|
roles := make([]*structs.ACLRole, 0, len(roleIDs))
|
|
|
|
|
|
|
|
var missing []string
|
|
|
|
var expired []*structs.ACLRole
|
|
|
|
expCacheMap := make(map[string]*structs.RoleCacheEntry)
|
|
|
|
|
|
|
|
for _, roleID := range roleIDs {
|
2021-07-30 23:20:02 +00:00
|
|
|
if done, role, err := r.backend.ResolveRoleFromID(roleID); done {
|
2019-04-15 20:43:19 +00:00
|
|
|
if err != nil && !acl.IsErrNotFound(err) {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if role != nil {
|
|
|
|
roles = append(roles, role)
|
|
|
|
} else {
|
2020-01-27 19:54:32 +00:00
|
|
|
var accessorID string
|
|
|
|
if identity != nil {
|
|
|
|
accessorID = identity.ID()
|
|
|
|
}
|
2020-01-28 23:50:41 +00:00
|
|
|
r.logger.Warn("role not found for identity",
|
|
|
|
"role", roleID,
|
|
|
|
"accessorID", accessorID,
|
|
|
|
)
|
2019-04-15 20:43:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// create the missing list which we can execute an RPC to get all the missing roles at once
|
|
|
|
entry := r.cache.GetRole(roleID)
|
|
|
|
if entry == nil {
|
|
|
|
missing = append(missing, roleID)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if entry.Role == nil {
|
|
|
|
// this happens when we cache a negative response for the role's existence
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if entry.Age() >= r.config.ACLRoleTTL {
|
|
|
|
expired = append(expired, entry.Role)
|
|
|
|
expCacheMap[roleID] = entry
|
|
|
|
} else {
|
|
|
|
roles = append(roles, entry.Role)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Hot-path if we have no missing or expired roles
|
|
|
|
if len(missing)+len(expired) == 0 {
|
|
|
|
return roles, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
hasMissing := len(missing) > 0
|
|
|
|
|
|
|
|
fetchIDs := missing
|
|
|
|
for _, role := range expired {
|
|
|
|
fetchIDs = append(fetchIDs, role.ID)
|
|
|
|
}
|
|
|
|
|
|
|
|
waitChan := r.roleGroup.DoChan(identity.SecretToken(), func() (interface{}, error) {
|
|
|
|
roles, err := r.fetchAndCacheRolesForIdentity(identity, fetchIDs, expCacheMap)
|
|
|
|
return roles, err
|
|
|
|
})
|
|
|
|
|
|
|
|
waitForResult := hasMissing || r.config.ACLDownPolicy != "async-cache"
|
|
|
|
if !waitForResult {
|
|
|
|
// waitForResult being false requires that all the roles were cached already
|
|
|
|
roles = append(roles, expired...)
|
|
|
|
return roles, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
res := <-waitChan
|
|
|
|
|
|
|
|
if res.Err != nil {
|
|
|
|
return nil, res.Err
|
|
|
|
}
|
|
|
|
|
|
|
|
if res.Val != nil {
|
|
|
|
foundRoles := res.Val.(map[string]*structs.ACLRole)
|
|
|
|
|
|
|
|
for _, role := range foundRoles {
|
|
|
|
roles = append(roles, role)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return roles, nil
|
|
|
|
}
|
|
|
|
|
2019-01-22 18:14:43 +00:00
|
|
|
func (r *ACLResolver) resolveTokenToIdentityAndPolicies(token string) (structs.ACLIdentity, structs.ACLPolicies, error) {
|
|
|
|
var lastErr error
|
|
|
|
var lastIdentity structs.ACLIdentity
|
|
|
|
|
|
|
|
for i := 0; i < tokenPolicyResolutionMaxRetries; i++ {
|
|
|
|
// Resolve the token to an ACLIdentity
|
|
|
|
identity, err := r.resolveIdentityFromToken(token)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
} else if identity == nil {
|
|
|
|
return nil, nil, acl.ErrNotFound
|
2019-04-08 17:05:51 +00:00
|
|
|
} else if identity.IsExpired(time.Now()) {
|
|
|
|
return nil, nil, acl.ErrNotFound
|
2019-01-22 18:14:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
lastIdentity = identity
|
|
|
|
|
|
|
|
policies, err := r.resolvePoliciesForIdentity(identity)
|
|
|
|
if err == nil {
|
|
|
|
return identity, policies, nil
|
|
|
|
}
|
|
|
|
lastErr = err
|
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
if tokenErr, ok := err.(*policyOrRoleTokenError); ok {
|
2019-01-22 18:14:43 +00:00
|
|
|
if acl.IsErrNotFound(err) && tokenErr.token == identity.SecretToken() {
|
|
|
|
// token was deleted while resolving policies
|
|
|
|
return nil, nil, acl.ErrNotFound
|
|
|
|
}
|
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
// other types of policyOrRoleTokenErrors should cause retrying the whole token
|
|
|
|
// resolution process
|
|
|
|
} else {
|
|
|
|
return identity, nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return lastIdentity, nil, lastErr
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *ACLResolver) resolveTokenToIdentityAndRoles(token string) (structs.ACLIdentity, structs.ACLRoles, error) {
|
|
|
|
var lastErr error
|
|
|
|
var lastIdentity structs.ACLIdentity
|
|
|
|
|
|
|
|
for i := 0; i < tokenRoleResolutionMaxRetries; i++ {
|
|
|
|
// Resolve the token to an ACLIdentity
|
|
|
|
identity, err := r.resolveIdentityFromToken(token)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
} else if identity == nil {
|
|
|
|
return nil, nil, acl.ErrNotFound
|
|
|
|
} else if identity.IsExpired(time.Now()) {
|
|
|
|
return nil, nil, acl.ErrNotFound
|
|
|
|
}
|
|
|
|
|
|
|
|
lastIdentity = identity
|
|
|
|
|
|
|
|
roles, err := r.resolveRolesForIdentity(identity)
|
|
|
|
if err == nil {
|
|
|
|
return identity, roles, nil
|
|
|
|
}
|
|
|
|
lastErr = err
|
|
|
|
|
|
|
|
if tokenErr, ok := err.(*policyOrRoleTokenError); ok {
|
|
|
|
if acl.IsErrNotFound(err) && tokenErr.token == identity.SecretToken() {
|
|
|
|
// token was deleted while resolving roles
|
|
|
|
return nil, nil, acl.ErrNotFound
|
|
|
|
}
|
|
|
|
|
|
|
|
// other types of policyOrRoleTokenErrors should cause retrying the whole token
|
2019-01-22 18:14:43 +00:00
|
|
|
// resolution process
|
|
|
|
} else {
|
|
|
|
return identity, nil, err
|
|
|
|
}
|
2014-08-09 00:38:39 +00:00
|
|
|
}
|
2018-10-19 16:04:07 +00:00
|
|
|
|
2019-01-22 18:14:43 +00:00
|
|
|
return lastIdentity, nil, lastErr
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
2021-08-09 20:29:21 +00:00
|
|
|
func (r *ACLResolver) handleACLDisabledError(err error) {
|
|
|
|
if r.disableDuration == 0 || err == nil || !acl.IsErrDisabled(err) {
|
|
|
|
return
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
2021-08-09 20:29:21 +00:00
|
|
|
r.logger.Debug("ACLs disabled on servers, will retry", "retry_interval", r.disableDuration)
|
2018-10-19 16:04:07 +00:00
|
|
|
r.disabledLock.Lock()
|
2021-08-09 20:29:21 +00:00
|
|
|
r.disabledUntil = time.Now().Add(r.disableDuration)
|
2018-10-19 16:04:07 +00:00
|
|
|
r.disabledLock.Unlock()
|
|
|
|
}
|
|
|
|
|
2021-04-14 16:39:35 +00:00
|
|
|
func (r *ACLResolver) resolveLocallyManagedToken(token string) (structs.ACLIdentity, acl.Authorizer, bool) {
|
|
|
|
// can only resolve local tokens if we were given a token store
|
|
|
|
if r.tokens == nil {
|
|
|
|
return nil, nil, false
|
|
|
|
}
|
|
|
|
|
2021-12-07 12:12:47 +00:00
|
|
|
if r.tokens.IsAgentRecoveryToken(token) {
|
2022-01-20 12:47:50 +00:00
|
|
|
return structs.NewAgentRecoveryTokenIdentity(r.config.NodeName, token), r.agentRecoveryAuthz, true
|
2021-04-14 16:39:35 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return r.resolveLocallyManagedEnterpriseToken(token)
|
|
|
|
}
|
|
|
|
|
2022-01-23 17:31:48 +00:00
|
|
|
// ResolveToken to an acl.Authorizer and structs.ACLIdentity. The acl.Authorizer
|
|
|
|
// can be used to check permissions granted to the token, and the ACLIdentity
|
|
|
|
// describes the token and any defaults applied to it.
|
2022-06-17 09:24:43 +00:00
|
|
|
func (r *ACLResolver) ResolveToken(token string) (resolver.Result, error) {
|
2018-10-19 16:04:07 +00:00
|
|
|
if !r.ACLsEnabled() {
|
2022-06-17 09:24:43 +00:00
|
|
|
return resolver.Result{Authorizer: acl.ManageAll()}, nil
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if acl.RootAuthorizer(token) != nil {
|
2022-06-17 09:24:43 +00:00
|
|
|
return resolver.Result{}, acl.ErrRootDenied
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// handle the anonymous token
|
|
|
|
if token == "" {
|
|
|
|
token = anonymousToken
|
|
|
|
}
|
|
|
|
|
2021-04-14 16:39:35 +00:00
|
|
|
if ident, authz, ok := r.resolveLocallyManagedToken(token); ok {
|
2022-06-17 09:24:43 +00:00
|
|
|
return resolver.Result{Authorizer: authz, ACLIdentity: ident}, nil
|
2021-04-14 16:39:35 +00:00
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
defer metrics.MeasureSince([]string{"acl", "ResolveToken"}, time.Now())
|
|
|
|
|
2019-10-25 15:06:16 +00:00
|
|
|
identity, policies, err := r.resolveTokenToIdentityAndPolicies(token)
|
2018-10-19 16:04:07 +00:00
|
|
|
if err != nil {
|
2021-08-09 20:29:21 +00:00
|
|
|
r.handleACLDisabledError(err)
|
2018-10-19 16:04:07 +00:00
|
|
|
if IsACLRemoteError(err) {
|
2020-01-28 23:50:41 +00:00
|
|
|
r.logger.Error("Error resolving token", "error", err)
|
2022-01-23 17:31:48 +00:00
|
|
|
ident := &missingIdentity{reason: "primary-dc-down", token: token}
|
2022-06-17 09:24:43 +00:00
|
|
|
return resolver.Result{Authorizer: r.down, ACLIdentity: ident}, nil
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
2022-06-17 09:24:43 +00:00
|
|
|
return resolver.Result{}, err
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Build the Authorizer
|
2019-10-25 15:06:16 +00:00
|
|
|
var chain []acl.Authorizer
|
2021-10-22 11:41:35 +00:00
|
|
|
var conf acl.Config
|
|
|
|
if r.aclConf != nil {
|
|
|
|
conf = *r.aclConf
|
|
|
|
}
|
2021-10-26 18:02:34 +00:00
|
|
|
setEnterpriseConf(identity.EnterpriseMetadata(), &conf)
|
2019-10-25 15:06:16 +00:00
|
|
|
|
2021-10-22 11:41:35 +00:00
|
|
|
authz, err := policies.Compile(r.cache, &conf)
|
2019-10-25 15:06:16 +00:00
|
|
|
if err != nil {
|
2022-06-17 09:24:43 +00:00
|
|
|
return resolver.Result{}, err
|
2019-10-25 15:06:16 +00:00
|
|
|
}
|
|
|
|
chain = append(chain, authz)
|
|
|
|
|
|
|
|
authz, err = r.resolveEnterpriseDefaultsForIdentity(identity)
|
|
|
|
if err != nil {
|
|
|
|
if IsACLRemoteError(err) {
|
2020-01-28 23:50:41 +00:00
|
|
|
r.logger.Error("Error resolving identity defaults", "error", err)
|
2022-06-17 09:24:43 +00:00
|
|
|
return resolver.Result{Authorizer: r.down, ACLIdentity: identity}, nil
|
2019-10-25 15:06:16 +00:00
|
|
|
}
|
2022-06-17 09:24:43 +00:00
|
|
|
return resolver.Result{}, err
|
2019-10-25 15:06:16 +00:00
|
|
|
} else if authz != nil {
|
|
|
|
chain = append(chain, authz)
|
|
|
|
}
|
2018-10-19 16:04:07 +00:00
|
|
|
|
2019-10-25 15:06:16 +00:00
|
|
|
chain = append(chain, acl.RootAuthorizer(r.config.ACLDefaultPolicy))
|
2022-06-17 09:24:43 +00:00
|
|
|
return resolver.Result{Authorizer: acl.NewChainedAuthorizer(chain), ACLIdentity: identity}, nil
|
2022-03-18 17:32:25 +00:00
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
func (r *ACLResolver) ACLsEnabled() bool {
|
|
|
|
// Whether we desire ACLs to be enabled according to configuration
|
2020-07-03 20:52:08 +00:00
|
|
|
if !r.config.ACLsEnabled {
|
2018-10-19 16:04:07 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2021-08-09 20:29:21 +00:00
|
|
|
if r.disableDuration != 0 {
|
2018-10-19 16:04:07 +00:00
|
|
|
// Whether ACLs are disabled according to RPCs failing with a ACLs Disabled error
|
|
|
|
r.disabledLock.RLock()
|
|
|
|
defer r.disabledLock.RUnlock()
|
2021-08-09 20:29:21 +00:00
|
|
|
return time.Now().After(r.disabledUntil)
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
peering: initial sync (#12842)
- Add endpoints related to peering: read, list, generate token, initiate peering
- Update node/service/check table indexing to account for peers
- Foundational changes for pushing service updates to a peer
- Plumb peer name through Health.ServiceNodes path
see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679,
ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663,
ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634,
ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
Co-authored-by: freddygv <freddy@hashicorp.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Evan Culver <eculver@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
2022-04-21 22:34:40 +00:00
|
|
|
// TODO(peering): fix all calls to use the new signature and rename it back
|
|
|
|
func (r *ACLResolver) ResolveTokenAndDefaultMeta(
|
|
|
|
token string,
|
|
|
|
entMeta *acl.EnterpriseMeta,
|
|
|
|
authzContext *acl.AuthorizerContext,
|
2022-06-17 09:24:43 +00:00
|
|
|
) (resolver.Result, error) {
|
peering: initial sync (#12842)
- Add endpoints related to peering: read, list, generate token, initiate peering
- Update node/service/check table indexing to account for peers
- Foundational changes for pushing service updates to a peer
- Plumb peer name through Health.ServiceNodes path
see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679,
ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663,
ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634,
ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
Co-authored-by: freddygv <freddy@hashicorp.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Evan Culver <eculver@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
2022-04-21 22:34:40 +00:00
|
|
|
return r.ResolveTokenAndDefaultMetaWithPeerName(token, entMeta, structs.DefaultPeerKeyword, authzContext)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *ACLResolver) ResolveTokenAndDefaultMetaWithPeerName(
|
|
|
|
token string,
|
|
|
|
entMeta *acl.EnterpriseMeta,
|
|
|
|
peerName string,
|
|
|
|
authzContext *acl.AuthorizerContext,
|
2022-06-17 09:24:43 +00:00
|
|
|
) (resolver.Result, error) {
|
2022-01-23 17:31:48 +00:00
|
|
|
result, err := r.ResolveToken(token)
|
2022-01-22 19:12:08 +00:00
|
|
|
if err != nil {
|
2022-06-17 09:24:43 +00:00
|
|
|
return resolver.Result{}, err
|
2022-01-22 19:12:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if entMeta == nil {
|
2022-04-05 21:10:06 +00:00
|
|
|
entMeta = &acl.EnterpriseMeta{}
|
2022-01-22 19:12:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Default the EnterpriseMeta based on the Tokens meta or actual defaults
|
|
|
|
// in the case of unknown identity
|
peering: initial sync (#12842)
- Add endpoints related to peering: read, list, generate token, initiate peering
- Update node/service/check table indexing to account for peers
- Foundational changes for pushing service updates to a peer
- Plumb peer name through Health.ServiceNodes path
see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679,
ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663,
ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634,
ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
Co-authored-by: freddygv <freddy@hashicorp.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Evan Culver <eculver@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
2022-04-21 22:34:40 +00:00
|
|
|
switch {
|
|
|
|
case peerName == "" && result.ACLIdentity != nil:
|
2022-01-23 17:31:48 +00:00
|
|
|
entMeta.Merge(result.ACLIdentity.EnterpriseMetadata())
|
peering: initial sync (#12842)
- Add endpoints related to peering: read, list, generate token, initiate peering
- Update node/service/check table indexing to account for peers
- Foundational changes for pushing service updates to a peer
- Plumb peer name through Health.ServiceNodes path
see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679,
ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663,
ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634,
ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
Co-authored-by: freddygv <freddy@hashicorp.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Evan Culver <eculver@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
2022-04-21 22:34:40 +00:00
|
|
|
case result.ACLIdentity != nil:
|
|
|
|
// We _do not_ normalize the enterprise meta from the token when a peer
|
|
|
|
// name was specified because namespaces across clusters are not
|
|
|
|
// equivalent. A local namespace is _never_ correct for a remote query.
|
|
|
|
entMeta.Merge(
|
|
|
|
structs.DefaultEnterpriseMetaInPartition(
|
|
|
|
result.ACLIdentity.EnterpriseMetadata().PartitionOrDefault(),
|
|
|
|
),
|
|
|
|
)
|
|
|
|
default:
|
2022-01-22 19:12:08 +00:00
|
|
|
entMeta.Merge(structs.DefaultEnterpriseMetaInDefaultPartition())
|
|
|
|
}
|
|
|
|
|
|
|
|
// Use the meta to fill in the ACL authorization context
|
|
|
|
entMeta.FillAuthzContext(authzContext)
|
|
|
|
|
2022-01-23 17:31:48 +00:00
|
|
|
return result, err
|
2022-01-22 19:12:08 +00:00
|
|
|
}
|
|
|
|
|
2015-06-11 19:08:21 +00:00
|
|
|
// aclFilter is used to filter results from our state store based on ACL rules
|
|
|
|
// configured for the provided token.
|
|
|
|
type aclFilter struct {
|
2020-05-29 21:16:03 +00:00
|
|
|
authorizer acl.Authorizer
|
|
|
|
logger hclog.Logger
|
2015-06-11 19:08:21 +00:00
|
|
|
}
|
|
|
|
|
2017-04-21 00:02:42 +00:00
|
|
|
// newACLFilter constructs a new aclFilter.
|
2020-05-29 21:16:03 +00:00
|
|
|
func newACLFilter(authorizer acl.Authorizer, logger hclog.Logger) *aclFilter {
|
2015-06-11 21:14:43 +00:00
|
|
|
if logger == nil {
|
2020-01-28 23:50:41 +00:00
|
|
|
logger = hclog.New(&hclog.LoggerOptions{})
|
2015-06-11 21:14:43 +00:00
|
|
|
}
|
2016-12-11 00:00:11 +00:00
|
|
|
return &aclFilter{
|
2020-05-29 21:16:03 +00:00
|
|
|
authorizer: authorizer,
|
|
|
|
logger: logger,
|
2016-12-11 00:00:11 +00:00
|
|
|
}
|
2015-06-11 21:14:43 +00:00
|
|
|
}
|
|
|
|
|
2016-12-11 21:22:14 +00:00
|
|
|
// allowNode is used to determine if a node is accessible for an ACL.
|
2019-12-18 18:43:24 +00:00
|
|
|
func (f *aclFilter) allowNode(node string, ent *acl.AuthorizerContext) bool {
|
2019-10-15 20:58:50 +00:00
|
|
|
return f.authorizer.NodeRead(node, ent) == acl.Allow
|
2016-12-11 21:22:14 +00:00
|
|
|
}
|
|
|
|
|
2020-05-11 17:35:17 +00:00
|
|
|
// allowNode is used to determine if the gateway and service are accessible for an ACL
|
|
|
|
func (f *aclFilter) allowGateway(gs *structs.GatewayService) bool {
|
|
|
|
var authzContext acl.AuthorizerContext
|
|
|
|
|
|
|
|
// Need read on service and gateway. Gateway may have different EnterpriseMeta so we fill authzContext twice
|
|
|
|
gs.Gateway.FillAuthzContext(&authzContext)
|
2020-06-12 14:57:41 +00:00
|
|
|
if !f.allowService(gs.Gateway.Name, &authzContext) {
|
2020-05-11 17:35:17 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
gs.Service.FillAuthzContext(&authzContext)
|
2020-06-12 14:57:41 +00:00
|
|
|
if !f.allowService(gs.Service.Name, &authzContext) {
|
2020-05-11 17:35:17 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2016-12-11 21:22:14 +00:00
|
|
|
// allowService is used to determine if a service is accessible for an ACL.
|
2019-12-18 18:43:24 +00:00
|
|
|
func (f *aclFilter) allowService(service string, ent *acl.AuthorizerContext) bool {
|
2017-03-23 23:10:50 +00:00
|
|
|
if service == "" {
|
2015-06-11 19:08:21 +00:00
|
|
|
return true
|
2015-06-09 19:36:25 +00:00
|
|
|
}
|
2017-03-23 23:10:50 +00:00
|
|
|
|
2019-10-15 20:58:50 +00:00
|
|
|
return f.authorizer.ServiceRead(service, ent) == acl.Allow
|
2015-06-11 19:08:21 +00:00
|
|
|
}
|
2015-06-09 19:36:25 +00:00
|
|
|
|
2016-12-13 05:59:22 +00:00
|
|
|
// allowSession is used to determine if a session for a node is accessible for
|
|
|
|
// an ACL.
|
2019-12-18 18:43:24 +00:00
|
|
|
func (f *aclFilter) allowSession(node string, ent *acl.AuthorizerContext) bool {
|
2019-10-15 20:58:50 +00:00
|
|
|
return f.authorizer.SessionRead(node, ent) == acl.Allow
|
2016-12-13 05:59:22 +00:00
|
|
|
}
|
|
|
|
|
2015-06-11 19:08:21 +00:00
|
|
|
// filterHealthChecks is used to filter a set of health checks down based on
|
2021-12-03 17:31:32 +00:00
|
|
|
// the configured ACL rules for a token. Returns true if any elements were
|
|
|
|
// removed.
|
|
|
|
func (f *aclFilter) filterHealthChecks(checks *structs.HealthChecks) bool {
|
2015-06-11 19:08:21 +00:00
|
|
|
hc := *checks
|
2019-12-18 18:43:24 +00:00
|
|
|
var authzContext acl.AuthorizerContext
|
2021-12-03 17:31:32 +00:00
|
|
|
var removed bool
|
2019-12-10 02:26:41 +00:00
|
|
|
|
2015-06-11 19:08:21 +00:00
|
|
|
for i := 0; i < len(hc); i++ {
|
|
|
|
check := hc[i]
|
2019-12-10 02:26:41 +00:00
|
|
|
check.FillAuthzContext(&authzContext)
|
|
|
|
if f.allowNode(check.Node, &authzContext) && f.allowService(check.ServiceName, &authzContext) {
|
2015-06-11 19:08:21 +00:00
|
|
|
continue
|
|
|
|
}
|
2019-12-10 02:26:41 +00:00
|
|
|
|
2020-01-28 23:50:41 +00:00
|
|
|
f.logger.Debug("dropping check from result due to ACLs", "check", check.CheckID)
|
2021-12-03 17:31:32 +00:00
|
|
|
removed = true
|
2015-06-11 19:08:21 +00:00
|
|
|
hc = append(hc[:i], hc[i+1:]...)
|
|
|
|
i--
|
2015-06-09 19:36:25 +00:00
|
|
|
}
|
2015-06-11 19:08:21 +00:00
|
|
|
*checks = hc
|
2021-12-03 17:31:32 +00:00
|
|
|
return removed
|
2015-06-11 19:08:21 +00:00
|
|
|
}
|
2015-06-09 19:36:25 +00:00
|
|
|
|
2021-12-03 20:56:14 +00:00
|
|
|
// filterServices is used to filter a set of services based on ACLs. Returns
|
|
|
|
// true if any elements were removed.
|
2022-04-05 21:10:06 +00:00
|
|
|
func (f *aclFilter) filterServices(services structs.Services, entMeta *acl.EnterpriseMeta) bool {
|
2019-12-18 18:43:24 +00:00
|
|
|
var authzContext acl.AuthorizerContext
|
2019-12-10 02:26:41 +00:00
|
|
|
entMeta.FillAuthzContext(&authzContext)
|
|
|
|
|
2021-12-03 20:56:14 +00:00
|
|
|
var removed bool
|
|
|
|
|
2017-04-20 18:42:22 +00:00
|
|
|
for svc := range services {
|
2019-12-10 02:26:41 +00:00
|
|
|
if f.allowService(svc, &authzContext) {
|
2015-06-11 19:08:21 +00:00
|
|
|
continue
|
2015-06-09 19:36:25 +00:00
|
|
|
}
|
2020-01-28 23:50:41 +00:00
|
|
|
f.logger.Debug("dropping service from result due to ACLs", "service", svc)
|
2021-12-03 20:56:14 +00:00
|
|
|
removed = true
|
2015-06-11 19:08:21 +00:00
|
|
|
delete(services, svc)
|
|
|
|
}
|
2021-12-03 20:56:14 +00:00
|
|
|
|
|
|
|
return removed
|
2015-06-11 19:08:21 +00:00
|
|
|
}
|
2015-06-09 19:36:25 +00:00
|
|
|
|
2015-06-11 19:08:21 +00:00
|
|
|
// filterServiceNodes is used to filter a set of nodes for a given service
|
2021-12-03 20:56:14 +00:00
|
|
|
// based on the configured ACL rules. Returns true if any elements were removed.
|
|
|
|
func (f *aclFilter) filterServiceNodes(nodes *structs.ServiceNodes) bool {
|
2015-06-11 19:08:21 +00:00
|
|
|
sn := *nodes
|
2019-12-18 18:43:24 +00:00
|
|
|
var authzContext acl.AuthorizerContext
|
2021-12-03 20:56:14 +00:00
|
|
|
var removed bool
|
2019-12-10 02:26:41 +00:00
|
|
|
|
2015-06-11 19:08:21 +00:00
|
|
|
for i := 0; i < len(sn); i++ {
|
|
|
|
node := sn[i]
|
2019-12-10 02:26:41 +00:00
|
|
|
|
|
|
|
node.FillAuthzContext(&authzContext)
|
|
|
|
if f.allowNode(node.Node, &authzContext) && f.allowService(node.ServiceName, &authzContext) {
|
2015-06-11 19:08:21 +00:00
|
|
|
continue
|
2015-06-09 19:36:25 +00:00
|
|
|
}
|
2021-12-03 20:56:14 +00:00
|
|
|
removed = true
|
2021-08-25 18:43:11 +00:00
|
|
|
f.logger.Debug("dropping node from result due to ACLs", "node", structs.NodeNameString(node.Node, &node.EnterpriseMeta))
|
2015-06-11 19:08:21 +00:00
|
|
|
sn = append(sn[:i], sn[i+1:]...)
|
|
|
|
i--
|
2015-06-09 19:36:25 +00:00
|
|
|
}
|
2015-06-11 19:08:21 +00:00
|
|
|
*nodes = sn
|
2021-12-03 20:56:14 +00:00
|
|
|
return removed
|
2015-06-11 19:08:21 +00:00
|
|
|
}
|
2015-06-09 19:36:25 +00:00
|
|
|
|
2015-06-11 19:08:21 +00:00
|
|
|
// filterNodeServices is used to filter services on a given node base on ACLs.
|
2021-12-03 20:56:14 +00:00
|
|
|
// Returns true if any elements were removed
|
|
|
|
func (f *aclFilter) filterNodeServices(services **structs.NodeServices) bool {
|
2016-12-13 00:53:31 +00:00
|
|
|
if *services == nil {
|
2021-12-03 20:56:14 +00:00
|
|
|
return false
|
2016-12-13 00:53:31 +00:00
|
|
|
}
|
|
|
|
|
2019-12-18 18:43:24 +00:00
|
|
|
var authzContext acl.AuthorizerContext
|
2021-08-25 18:43:11 +00:00
|
|
|
(*services).Node.FillAuthzContext(&authzContext)
|
2019-12-10 02:26:41 +00:00
|
|
|
if !f.allowNode((*services).Node.Node, &authzContext) {
|
2016-12-13 00:53:31 +00:00
|
|
|
*services = nil
|
2021-12-03 20:56:14 +00:00
|
|
|
return true
|
2016-12-13 00:53:31 +00:00
|
|
|
}
|
|
|
|
|
2021-12-03 20:56:14 +00:00
|
|
|
var removed bool
|
2019-12-10 02:26:41 +00:00
|
|
|
for svcName, svc := range (*services).Services {
|
|
|
|
svc.FillAuthzContext(&authzContext)
|
|
|
|
|
|
|
|
if f.allowNode((*services).Node.Node, &authzContext) && f.allowService(svcName, &authzContext) {
|
2015-06-11 19:08:21 +00:00
|
|
|
continue
|
2015-06-09 19:36:25 +00:00
|
|
|
}
|
2020-01-28 23:50:41 +00:00
|
|
|
f.logger.Debug("dropping service from result due to ACLs", "service", svc.CompoundServiceID())
|
2021-12-03 20:56:14 +00:00
|
|
|
removed = true
|
2019-12-10 02:26:41 +00:00
|
|
|
delete((*services).Services, svcName)
|
|
|
|
}
|
2021-12-03 20:56:14 +00:00
|
|
|
|
|
|
|
return removed
|
2019-12-10 02:26:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// filterNodeServices is used to filter services on a given node base on ACLs.
|
2021-12-03 20:56:14 +00:00
|
|
|
// Returns true if any elements were removed.
|
|
|
|
func (f *aclFilter) filterNodeServiceList(services *structs.NodeServiceList) bool {
|
|
|
|
if services.Node == nil {
|
|
|
|
return false
|
2019-12-10 02:26:41 +00:00
|
|
|
}
|
|
|
|
|
2019-12-18 18:43:24 +00:00
|
|
|
var authzContext acl.AuthorizerContext
|
2021-12-03 20:56:14 +00:00
|
|
|
services.Node.FillAuthzContext(&authzContext)
|
|
|
|
if !f.allowNode(services.Node.Node, &authzContext) {
|
|
|
|
*services = structs.NodeServiceList{}
|
|
|
|
return true
|
2019-12-10 02:26:41 +00:00
|
|
|
}
|
|
|
|
|
2021-12-03 20:56:14 +00:00
|
|
|
var removed bool
|
|
|
|
svcs := services.Services
|
2019-12-10 02:26:41 +00:00
|
|
|
for i := 0; i < len(svcs); i++ {
|
|
|
|
svc := svcs[i]
|
|
|
|
svc.FillAuthzContext(&authzContext)
|
|
|
|
|
2021-12-03 20:56:14 +00:00
|
|
|
if f.allowService(svc.Service, &authzContext) {
|
2019-12-10 02:26:41 +00:00
|
|
|
continue
|
|
|
|
}
|
2021-12-03 20:56:14 +00:00
|
|
|
|
2020-01-28 23:50:41 +00:00
|
|
|
f.logger.Debug("dropping service from result due to ACLs", "service", svc.CompoundServiceID())
|
2019-12-10 02:26:41 +00:00
|
|
|
svcs = append(svcs[:i], svcs[i+1:]...)
|
|
|
|
i--
|
2021-12-03 20:56:14 +00:00
|
|
|
removed = true
|
2019-12-10 02:26:41 +00:00
|
|
|
}
|
2021-12-03 20:56:14 +00:00
|
|
|
services.Services = svcs
|
2019-12-10 02:26:41 +00:00
|
|
|
|
2021-12-03 20:56:14 +00:00
|
|
|
return removed
|
2015-06-11 19:08:21 +00:00
|
|
|
}
|
2015-06-09 19:36:25 +00:00
|
|
|
|
2021-12-03 17:31:32 +00:00
|
|
|
// filterCheckServiceNodes is used to filter nodes based on ACL rules. Returns
|
|
|
|
// true if any elements were removed.
|
|
|
|
func (f *aclFilter) filterCheckServiceNodes(nodes *structs.CheckServiceNodes) bool {
|
2015-06-11 19:08:21 +00:00
|
|
|
csn := *nodes
|
2019-12-18 18:43:24 +00:00
|
|
|
var authzContext acl.AuthorizerContext
|
2021-12-03 17:31:32 +00:00
|
|
|
var removed bool
|
2019-12-10 02:26:41 +00:00
|
|
|
|
2015-06-11 19:08:21 +00:00
|
|
|
for i := 0; i < len(csn); i++ {
|
|
|
|
node := csn[i]
|
2019-12-10 02:26:41 +00:00
|
|
|
node.Service.FillAuthzContext(&authzContext)
|
|
|
|
if f.allowNode(node.Node.Node, &authzContext) && f.allowService(node.Service.Service, &authzContext) {
|
2015-06-11 19:08:21 +00:00
|
|
|
continue
|
2015-06-09 19:36:25 +00:00
|
|
|
}
|
2021-08-25 18:43:11 +00:00
|
|
|
f.logger.Debug("dropping node from result due to ACLs", "node", structs.NodeNameString(node.Node.Node, node.Node.GetEnterpriseMeta()))
|
2021-12-03 17:31:32 +00:00
|
|
|
removed = true
|
2015-06-11 19:08:21 +00:00
|
|
|
csn = append(csn[:i], csn[i+1:]...)
|
|
|
|
i--
|
|
|
|
}
|
|
|
|
*nodes = csn
|
2021-12-03 17:31:32 +00:00
|
|
|
return removed
|
2015-06-11 19:08:21 +00:00
|
|
|
}
|
2015-06-09 19:36:25 +00:00
|
|
|
|
2020-09-29 01:41:47 +00:00
|
|
|
// filterServiceTopology is used to filter upstreams/downstreams based on ACL rules.
|
2020-10-02 00:10:49 +00:00
|
|
|
// this filter is unlike others in that it also returns whether the result was filtered by ACLs
|
2020-09-29 01:41:47 +00:00
|
|
|
func (f *aclFilter) filterServiceTopology(topology *structs.ServiceTopology) bool {
|
2021-12-03 17:31:32 +00:00
|
|
|
filteredUpstreams := f.filterCheckServiceNodes(&topology.Upstreams)
|
|
|
|
filteredDownstreams := f.filterCheckServiceNodes(&topology.Downstreams)
|
|
|
|
return filteredUpstreams || filteredDownstreams
|
2020-09-29 01:41:47 +00:00
|
|
|
}
|
|
|
|
|
2020-03-09 20:59:02 +00:00
|
|
|
// filterDatacenterCheckServiceNodes is used to filter nodes based on ACL rules.
|
2021-12-03 20:56:55 +00:00
|
|
|
// Returns true if any elements are removed.
|
|
|
|
func (f *aclFilter) filterDatacenterCheckServiceNodes(datacenterNodes *map[string]structs.CheckServiceNodes) bool {
|
2020-03-09 20:59:02 +00:00
|
|
|
dn := *datacenterNodes
|
|
|
|
out := make(map[string]structs.CheckServiceNodes)
|
2021-12-03 20:56:55 +00:00
|
|
|
var removed bool
|
2020-06-16 17:19:31 +00:00
|
|
|
for dc := range dn {
|
2020-03-09 20:59:02 +00:00
|
|
|
nodes := dn[dc]
|
2021-12-03 20:56:55 +00:00
|
|
|
if f.filterCheckServiceNodes(&nodes) {
|
|
|
|
removed = true
|
|
|
|
}
|
2020-03-09 20:59:02 +00:00
|
|
|
if len(nodes) > 0 {
|
|
|
|
out[dc] = nodes
|
|
|
|
}
|
|
|
|
}
|
|
|
|
*datacenterNodes = out
|
2021-12-03 20:56:55 +00:00
|
|
|
return removed
|
2020-03-09 20:59:02 +00:00
|
|
|
}
|
|
|
|
|
2021-12-03 20:43:43 +00:00
|
|
|
// filterSessions is used to filter a set of sessions based on ACLs. Returns
|
|
|
|
// true if any elements were removed.
|
|
|
|
func (f *aclFilter) filterSessions(sessions *structs.Sessions) bool {
|
2016-12-13 05:59:22 +00:00
|
|
|
s := *sessions
|
2021-12-03 20:43:43 +00:00
|
|
|
|
|
|
|
var removed bool
|
2016-12-13 05:59:22 +00:00
|
|
|
for i := 0; i < len(s); i++ {
|
|
|
|
session := s[i]
|
2019-12-06 19:01:34 +00:00
|
|
|
|
2019-12-18 18:43:24 +00:00
|
|
|
var entCtx acl.AuthorizerContext
|
2019-12-06 19:01:34 +00:00
|
|
|
session.FillAuthzContext(&entCtx)
|
|
|
|
|
|
|
|
if f.allowSession(session.Node, &entCtx) {
|
2016-12-13 05:59:22 +00:00
|
|
|
continue
|
|
|
|
}
|
2021-12-03 20:43:43 +00:00
|
|
|
removed = true
|
2020-01-28 23:50:41 +00:00
|
|
|
f.logger.Debug("dropping session from result due to ACLs", "session", session.ID)
|
2016-12-13 05:59:22 +00:00
|
|
|
s = append(s[:i], s[i+1:]...)
|
|
|
|
i--
|
|
|
|
}
|
|
|
|
*sessions = s
|
2021-12-03 20:43:43 +00:00
|
|
|
return removed
|
2016-12-13 05:59:22 +00:00
|
|
|
}
|
|
|
|
|
2016-12-12 19:58:31 +00:00
|
|
|
// filterCoordinates is used to filter nodes in a coordinate dump based on ACL
|
2021-12-03 20:51:02 +00:00
|
|
|
// rules. Returns true if any elements were removed.
|
|
|
|
func (f *aclFilter) filterCoordinates(coords *structs.Coordinates) bool {
|
2016-12-12 19:58:31 +00:00
|
|
|
c := *coords
|
2019-12-18 18:43:24 +00:00
|
|
|
var authzContext acl.AuthorizerContext
|
2021-12-03 20:51:02 +00:00
|
|
|
var removed bool
|
2019-12-10 02:26:41 +00:00
|
|
|
|
2016-12-12 19:58:31 +00:00
|
|
|
for i := 0; i < len(c); i++ {
|
2021-08-25 18:43:11 +00:00
|
|
|
c[i].FillAuthzContext(&authzContext)
|
2016-12-12 19:58:31 +00:00
|
|
|
node := c[i].Node
|
2019-12-10 02:26:41 +00:00
|
|
|
if f.allowNode(node, &authzContext) {
|
2016-12-12 19:58:31 +00:00
|
|
|
continue
|
|
|
|
}
|
2021-08-25 18:43:11 +00:00
|
|
|
f.logger.Debug("dropping node from result due to ACLs", "node", structs.NodeNameString(node, c[i].GetEnterpriseMeta()))
|
2021-12-03 20:51:02 +00:00
|
|
|
removed = true
|
2016-12-12 19:58:31 +00:00
|
|
|
c = append(c[:i], c[i+1:]...)
|
|
|
|
i--
|
|
|
|
}
|
|
|
|
*coords = c
|
2021-12-03 20:51:02 +00:00
|
|
|
return removed
|
2016-12-12 19:58:31 +00:00
|
|
|
}
|
|
|
|
|
2018-03-04 19:53:52 +00:00
|
|
|
// filterIntentions is used to filter intentions based on ACL rules.
|
|
|
|
// We prune entries the user doesn't have access to, and we redact any tokens
|
2021-12-03 20:35:54 +00:00
|
|
|
// if the user doesn't have a management token. Returns true if any elements
|
|
|
|
// were removed.
|
|
|
|
func (f *aclFilter) filterIntentions(ixns *structs.Intentions) bool {
|
2018-03-04 19:53:52 +00:00
|
|
|
ret := make(structs.Intentions, 0, len(*ixns))
|
2021-12-03 20:35:54 +00:00
|
|
|
var removed bool
|
2018-03-04 19:53:52 +00:00
|
|
|
for _, ixn := range *ixns {
|
2020-01-13 20:51:40 +00:00
|
|
|
if !ixn.CanRead(f.authorizer) {
|
2021-12-03 20:35:54 +00:00
|
|
|
removed = true
|
2020-01-28 23:50:41 +00:00
|
|
|
f.logger.Debug("dropping intention from result due to ACLs", "intention", ixn.ID)
|
2018-03-04 19:53:52 +00:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = append(ret, ixn)
|
|
|
|
}
|
|
|
|
|
|
|
|
*ixns = ret
|
2021-12-03 20:35:54 +00:00
|
|
|
return removed
|
2018-03-04 19:53:52 +00:00
|
|
|
}
|
|
|
|
|
2015-06-11 19:08:21 +00:00
|
|
|
// filterNodeDump is used to filter through all parts of a node dump and
|
2021-12-03 23:04:24 +00:00
|
|
|
// remove elements the provided ACL token cannot access. Returns true if
|
|
|
|
// any elements were removed.
|
|
|
|
func (f *aclFilter) filterNodeDump(dump *structs.NodeDump) bool {
|
2015-06-11 19:08:21 +00:00
|
|
|
nd := *dump
|
2019-12-10 02:26:41 +00:00
|
|
|
|
2019-12-18 18:43:24 +00:00
|
|
|
var authzContext acl.AuthorizerContext
|
2021-12-03 23:04:24 +00:00
|
|
|
var removed bool
|
2015-06-11 19:08:21 +00:00
|
|
|
for i := 0; i < len(nd); i++ {
|
|
|
|
info := nd[i]
|
|
|
|
|
2016-12-13 02:21:00 +00:00
|
|
|
// Filter nodes
|
2021-08-25 18:43:11 +00:00
|
|
|
info.FillAuthzContext(&authzContext)
|
2019-12-10 02:26:41 +00:00
|
|
|
if node := info.Node; !f.allowNode(node, &authzContext) {
|
2021-08-25 18:43:11 +00:00
|
|
|
f.logger.Debug("dropping node from result due to ACLs", "node", structs.NodeNameString(node, info.GetEnterpriseMeta()))
|
2021-12-03 23:04:24 +00:00
|
|
|
removed = true
|
2016-12-13 02:21:00 +00:00
|
|
|
nd = append(nd[:i], nd[i+1:]...)
|
|
|
|
i--
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2015-06-11 19:08:21 +00:00
|
|
|
// Filter services
|
2016-12-13 02:21:00 +00:00
|
|
|
for j := 0; j < len(info.Services); j++ {
|
|
|
|
svc := info.Services[j].Service
|
2019-12-10 02:26:41 +00:00
|
|
|
info.Services[j].FillAuthzContext(&authzContext)
|
|
|
|
if f.allowNode(info.Node, &authzContext) && f.allowService(svc, &authzContext) {
|
2015-06-09 19:36:25 +00:00
|
|
|
continue
|
|
|
|
}
|
2020-01-28 23:50:41 +00:00
|
|
|
f.logger.Debug("dropping service from result due to ACLs", "service", svc)
|
2021-12-03 23:04:24 +00:00
|
|
|
removed = true
|
2016-12-13 02:21:00 +00:00
|
|
|
info.Services = append(info.Services[:j], info.Services[j+1:]...)
|
|
|
|
j--
|
2015-06-09 19:36:25 +00:00
|
|
|
}
|
|
|
|
|
2015-06-11 19:08:21 +00:00
|
|
|
// Filter checks
|
2016-12-13 02:21:00 +00:00
|
|
|
for j := 0; j < len(info.Checks); j++ {
|
|
|
|
chk := info.Checks[j]
|
2019-12-10 02:26:41 +00:00
|
|
|
chk.FillAuthzContext(&authzContext)
|
|
|
|
if f.allowNode(info.Node, &authzContext) && f.allowService(chk.ServiceName, &authzContext) {
|
2015-06-09 19:36:25 +00:00
|
|
|
continue
|
|
|
|
}
|
2020-01-28 23:50:41 +00:00
|
|
|
f.logger.Debug("dropping check from result due to ACLs", "check", chk.CheckID)
|
2021-12-03 23:04:24 +00:00
|
|
|
removed = true
|
2016-12-13 02:21:00 +00:00
|
|
|
info.Checks = append(info.Checks[:j], info.Checks[j+1:]...)
|
|
|
|
j--
|
2015-06-09 19:36:25 +00:00
|
|
|
}
|
2015-06-11 19:08:21 +00:00
|
|
|
}
|
2015-06-11 20:05:33 +00:00
|
|
|
*dump = nd
|
2021-12-03 23:04:24 +00:00
|
|
|
return removed
|
2015-06-11 19:08:21 +00:00
|
|
|
}
|
|
|
|
|
2021-12-03 23:04:24 +00:00
|
|
|
// filterServiceDump is used to filter nodes based on ACL rules. Returns true
|
|
|
|
// if any elements were removed.
|
|
|
|
func (f *aclFilter) filterServiceDump(services *structs.ServiceDump) bool {
|
2020-05-11 17:35:17 +00:00
|
|
|
svcs := *services
|
|
|
|
var authzContext acl.AuthorizerContext
|
2021-12-03 23:04:24 +00:00
|
|
|
var removed bool
|
2020-05-11 17:35:17 +00:00
|
|
|
|
|
|
|
for i := 0; i < len(svcs); i++ {
|
|
|
|
service := svcs[i]
|
|
|
|
|
|
|
|
if f.allowGateway(service.GatewayService) {
|
|
|
|
// ServiceDump might only have gateway config and no node information
|
|
|
|
if service.Node == nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
service.Service.FillAuthzContext(&authzContext)
|
|
|
|
if f.allowNode(service.Node.Node, &authzContext) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
f.logger.Debug("dropping service from result due to ACLs", "service", service.GatewayService.Service)
|
2021-12-03 23:04:24 +00:00
|
|
|
removed = true
|
2020-05-11 17:35:17 +00:00
|
|
|
svcs = append(svcs[:i], svcs[i+1:]...)
|
|
|
|
i--
|
|
|
|
}
|
|
|
|
*services = svcs
|
2021-12-03 23:04:24 +00:00
|
|
|
return removed
|
2020-05-11 17:35:17 +00:00
|
|
|
}
|
|
|
|
|
2016-12-11 00:00:11 +00:00
|
|
|
// filterNodes is used to filter through all parts of a node list and remove
|
2021-12-03 20:56:14 +00:00
|
|
|
// elements the provided ACL token cannot access. Returns true if any elements
|
|
|
|
// were removed.
|
|
|
|
func (f *aclFilter) filterNodes(nodes *structs.Nodes) bool {
|
2016-12-11 00:00:11 +00:00
|
|
|
n := *nodes
|
2019-12-10 02:26:41 +00:00
|
|
|
|
2019-12-18 18:43:24 +00:00
|
|
|
var authzContext acl.AuthorizerContext
|
2021-12-03 20:56:14 +00:00
|
|
|
var removed bool
|
2019-12-10 02:26:41 +00:00
|
|
|
|
2016-12-11 00:00:11 +00:00
|
|
|
for i := 0; i < len(n); i++ {
|
2021-08-25 18:43:11 +00:00
|
|
|
n[i].FillAuthzContext(&authzContext)
|
2016-12-11 00:00:11 +00:00
|
|
|
node := n[i].Node
|
2019-12-10 02:26:41 +00:00
|
|
|
if f.allowNode(node, &authzContext) {
|
2016-12-11 00:00:11 +00:00
|
|
|
continue
|
|
|
|
}
|
2021-08-25 18:43:11 +00:00
|
|
|
f.logger.Debug("dropping node from result due to ACLs", "node", structs.NodeNameString(node, n[i].GetEnterpriseMeta()))
|
2021-12-03 20:56:14 +00:00
|
|
|
removed = true
|
2016-12-11 00:00:11 +00:00
|
|
|
n = append(n[:i], n[i+1:]...)
|
|
|
|
i--
|
|
|
|
}
|
|
|
|
*nodes = n
|
2021-12-03 20:56:14 +00:00
|
|
|
return removed
|
2016-12-11 00:00:11 +00:00
|
|
|
}
|
|
|
|
|
2016-02-26 23:59:00 +00:00
|
|
|
// redactPreparedQueryTokens will redact any tokens unless the client has a
|
|
|
|
// management token. This eases the transition to delegated authority over
|
|
|
|
// prepared queries, since it was easy to capture management tokens in Consul
|
|
|
|
// 0.6.3 and earlier, and we don't want to willy-nilly show those. This does
|
|
|
|
// have the limitation of preventing delegated non-management users from seeing
|
|
|
|
// captured tokens, but they can at least see whether or not a token is set.
|
|
|
|
func (f *aclFilter) redactPreparedQueryTokens(query **structs.PreparedQuery) {
|
|
|
|
// Management tokens can see everything with no filtering.
|
2019-12-18 18:43:24 +00:00
|
|
|
var authzContext acl.AuthorizerContext
|
2021-07-22 18:20:45 +00:00
|
|
|
structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
|
2019-12-10 02:26:41 +00:00
|
|
|
if f.authorizer.ACLWrite(&authzContext) == acl.Allow {
|
2016-02-26 23:59:00 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Let the user see if there's a blank token, otherwise we need
|
|
|
|
// to redact it, since we know they don't have a management
|
|
|
|
// token.
|
|
|
|
if (*query).Token != "" {
|
|
|
|
// Redact the token, using a copy of the query structure
|
|
|
|
// since we could be pointed at a live instance from the
|
|
|
|
// state store so it's not safe to modify it. Note that
|
|
|
|
// this clone will still point to things like underlying
|
|
|
|
// arrays in the original, but for modifying just the
|
|
|
|
// token it will be safe to use.
|
|
|
|
clone := *(*query)
|
|
|
|
clone.Token = redactedToken
|
|
|
|
*query = &clone
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
Creates new "prepared-query" ACL type and new token capture behavior.
Prior to this change, prepared queries had the following behavior for
ACLs, which will need to change to support templates:
1. A management token, or a token with read access to the service being
queried needed to be provided in order to create a prepared query.
2. The token used to create the prepared query was stored with the query
in the state store and used to execute the query.
3. A management token, or the token used to create the query needed to be
supplied to perform and CRUD operations on an existing prepared query.
This was pretty subtle and complicated behavior, and won't work for
templates since the service name is computed at execution time. To solve
this, we introduce a new "prepared-query" ACL type, where the prefix
applies to the query name for static prepared query types and to the
prefix for template prepared query types.
With this change, the new behavior is:
1. A management token, or a token with "prepared-query" write access to
the query name or (soon) the given template prefix is required to do
any CRUD operations on a prepared query, or to list prepared queries
(the list is filtered by this ACL).
2. You will no longer need a management token to list prepared queries,
but you will only be able to see prepared queries that you have access
to (you get an empty list instead of permission denied).
3. When listing or getting a query, because it was easy to capture
management tokens given the past behavior, this will always blank out
the "Token" field (replacing the contents as <hidden>) for all tokens
unless a management token is supplied. Going forward, we should
discourage people from binding tokens for execution unless strictly
necessary.
4. No token will be captured by default when a prepared query is created.
If the user wishes to supply an execution token then can pass it in via
the "Token" field in the prepared query definition. Otherwise, this
field will default to empty.
5. At execution time, we will use the captured token if it exists with the
prepared query definition, otherwise we will use the token that's passed
in with the request, just like we do for other RPCs (or you can use the
agent's configured token for DNS).
6. Prepared queries with no name (accessible only by ID) will not require
ACLs to create or modify (execution time will depend on the service ACL
configuration). Our argument here is that these are designed to be
ephemeral and the IDs are as good as an ACL. Management tokens will be
able to list all of these.
These changes enable templates, but also enable delegation of authority to
manage the prepared query namespace.
2016-02-23 08:12:58 +00:00
|
|
|
// filterPreparedQueries is used to filter prepared queries based on ACL rules.
|
|
|
|
// We prune entries the user doesn't have access to, and we redact any tokens
|
2021-12-03 23:04:09 +00:00
|
|
|
// if the user doesn't have a management token. Returns true if any (named)
|
|
|
|
// queries were removed - un-named queries are meant to be ephemeral and can
|
|
|
|
// only be enumerated by a management token
|
|
|
|
func (f *aclFilter) filterPreparedQueries(queries *structs.PreparedQueries) bool {
|
2019-12-18 18:43:24 +00:00
|
|
|
var authzContext acl.AuthorizerContext
|
2021-07-22 18:20:45 +00:00
|
|
|
structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
|
2016-02-24 09:26:16 +00:00
|
|
|
// Management tokens can see everything with no filtering.
|
2019-12-10 02:26:41 +00:00
|
|
|
// TODO is this check even necessary - this looks like a search replace from
|
2019-10-15 20:58:50 +00:00
|
|
|
// the 1.4 ACL rewrite. The global-management token will provide unrestricted query privileges
|
|
|
|
// so asking for ACLWrite should be unnecessary.
|
2019-12-10 02:26:41 +00:00
|
|
|
if f.authorizer.ACLWrite(&authzContext) == acl.Allow {
|
2021-12-03 23:04:09 +00:00
|
|
|
return false
|
2016-02-24 09:26:16 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Otherwise, we need to see what the token has access to.
|
2021-12-03 23:04:09 +00:00
|
|
|
var namedQueriesRemoved bool
|
Creates new "prepared-query" ACL type and new token capture behavior.
Prior to this change, prepared queries had the following behavior for
ACLs, which will need to change to support templates:
1. A management token, or a token with read access to the service being
queried needed to be provided in order to create a prepared query.
2. The token used to create the prepared query was stored with the query
in the state store and used to execute the query.
3. A management token, or the token used to create the query needed to be
supplied to perform and CRUD operations on an existing prepared query.
This was pretty subtle and complicated behavior, and won't work for
templates since the service name is computed at execution time. To solve
this, we introduce a new "prepared-query" ACL type, where the prefix
applies to the query name for static prepared query types and to the
prefix for template prepared query types.
With this change, the new behavior is:
1. A management token, or a token with "prepared-query" write access to
the query name or (soon) the given template prefix is required to do
any CRUD operations on a prepared query, or to list prepared queries
(the list is filtered by this ACL).
2. You will no longer need a management token to list prepared queries,
but you will only be able to see prepared queries that you have access
to (you get an empty list instead of permission denied).
3. When listing or getting a query, because it was easy to capture
management tokens given the past behavior, this will always blank out
the "Token" field (replacing the contents as <hidden>) for all tokens
unless a management token is supplied. Going forward, we should
discourage people from binding tokens for execution unless strictly
necessary.
4. No token will be captured by default when a prepared query is created.
If the user wishes to supply an execution token then can pass it in via
the "Token" field in the prepared query definition. Otherwise, this
field will default to empty.
5. At execution time, we will use the captured token if it exists with the
prepared query definition, otherwise we will use the token that's passed
in with the request, just like we do for other RPCs (or you can use the
agent's configured token for DNS).
6. Prepared queries with no name (accessible only by ID) will not require
ACLs to create or modify (execution time will depend on the service ACL
configuration). Our argument here is that these are designed to be
ephemeral and the IDs are as good as an ACL. Management tokens will be
able to list all of these.
These changes enable templates, but also enable delegation of authority to
manage the prepared query namespace.
2016-02-23 08:12:58 +00:00
|
|
|
ret := make(structs.PreparedQueries, 0, len(*queries))
|
|
|
|
for _, query := range *queries {
|
2016-02-24 09:26:16 +00:00
|
|
|
// If no prefix ACL applies to this query then filter it, since
|
|
|
|
// we know at this point the user doesn't have a management
|
2016-02-25 00:26:43 +00:00
|
|
|
// token, otherwise see what the policy says.
|
2021-12-03 23:04:09 +00:00
|
|
|
prefix, hasName := query.GetACLPrefix()
|
|
|
|
switch {
|
|
|
|
case hasName && f.authorizer.PreparedQueryRead(prefix, &authzContext) != acl.Allow:
|
|
|
|
namedQueriesRemoved = true
|
|
|
|
fallthrough
|
|
|
|
case !hasName:
|
2020-01-28 23:50:41 +00:00
|
|
|
f.logger.Debug("dropping prepared query from result due to ACLs", "query", query.ID)
|
Creates new "prepared-query" ACL type and new token capture behavior.
Prior to this change, prepared queries had the following behavior for
ACLs, which will need to change to support templates:
1. A management token, or a token with read access to the service being
queried needed to be provided in order to create a prepared query.
2. The token used to create the prepared query was stored with the query
in the state store and used to execute the query.
3. A management token, or the token used to create the query needed to be
supplied to perform and CRUD operations on an existing prepared query.
This was pretty subtle and complicated behavior, and won't work for
templates since the service name is computed at execution time. To solve
this, we introduce a new "prepared-query" ACL type, where the prefix
applies to the query name for static prepared query types and to the
prefix for template prepared query types.
With this change, the new behavior is:
1. A management token, or a token with "prepared-query" write access to
the query name or (soon) the given template prefix is required to do
any CRUD operations on a prepared query, or to list prepared queries
(the list is filtered by this ACL).
2. You will no longer need a management token to list prepared queries,
but you will only be able to see prepared queries that you have access
to (you get an empty list instead of permission denied).
3. When listing or getting a query, because it was easy to capture
management tokens given the past behavior, this will always blank out
the "Token" field (replacing the contents as <hidden>) for all tokens
unless a management token is supplied. Going forward, we should
discourage people from binding tokens for execution unless strictly
necessary.
4. No token will be captured by default when a prepared query is created.
If the user wishes to supply an execution token then can pass it in via
the "Token" field in the prepared query definition. Otherwise, this
field will default to empty.
5. At execution time, we will use the captured token if it exists with the
prepared query definition, otherwise we will use the token that's passed
in with the request, just like we do for other RPCs (or you can use the
agent's configured token for DNS).
6. Prepared queries with no name (accessible only by ID) will not require
ACLs to create or modify (execution time will depend on the service ACL
configuration). Our argument here is that these are designed to be
ephemeral and the IDs are as good as an ACL. Management tokens will be
able to list all of these.
These changes enable templates, but also enable delegation of authority to
manage the prepared query namespace.
2016-02-23 08:12:58 +00:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2016-02-26 23:59:00 +00:00
|
|
|
// Redact any tokens if necessary. We make a copy of just the
|
|
|
|
// pointer so we don't mess with the caller's slice.
|
|
|
|
final := query
|
|
|
|
f.redactPreparedQueryTokens(&final)
|
|
|
|
ret = append(ret, final)
|
Creates new "prepared-query" ACL type and new token capture behavior.
Prior to this change, prepared queries had the following behavior for
ACLs, which will need to change to support templates:
1. A management token, or a token with read access to the service being
queried needed to be provided in order to create a prepared query.
2. The token used to create the prepared query was stored with the query
in the state store and used to execute the query.
3. A management token, or the token used to create the query needed to be
supplied to perform and CRUD operations on an existing prepared query.
This was pretty subtle and complicated behavior, and won't work for
templates since the service name is computed at execution time. To solve
this, we introduce a new "prepared-query" ACL type, where the prefix
applies to the query name for static prepared query types and to the
prefix for template prepared query types.
With this change, the new behavior is:
1. A management token, or a token with "prepared-query" write access to
the query name or (soon) the given template prefix is required to do
any CRUD operations on a prepared query, or to list prepared queries
(the list is filtered by this ACL).
2. You will no longer need a management token to list prepared queries,
but you will only be able to see prepared queries that you have access
to (you get an empty list instead of permission denied).
3. When listing or getting a query, because it was easy to capture
management tokens given the past behavior, this will always blank out
the "Token" field (replacing the contents as <hidden>) for all tokens
unless a management token is supplied. Going forward, we should
discourage people from binding tokens for execution unless strictly
necessary.
4. No token will be captured by default when a prepared query is created.
If the user wishes to supply an execution token then can pass it in via
the "Token" field in the prepared query definition. Otherwise, this
field will default to empty.
5. At execution time, we will use the captured token if it exists with the
prepared query definition, otherwise we will use the token that's passed
in with the request, just like we do for other RPCs (or you can use the
agent's configured token for DNS).
6. Prepared queries with no name (accessible only by ID) will not require
ACLs to create or modify (execution time will depend on the service ACL
configuration). Our argument here is that these are designed to be
ephemeral and the IDs are as good as an ACL. Management tokens will be
able to list all of these.
These changes enable templates, but also enable delegation of authority to
manage the prepared query namespace.
2016-02-23 08:12:58 +00:00
|
|
|
}
|
|
|
|
*queries = ret
|
2021-12-03 23:04:09 +00:00
|
|
|
return namedQueriesRemoved
|
Creates new "prepared-query" ACL type and new token capture behavior.
Prior to this change, prepared queries had the following behavior for
ACLs, which will need to change to support templates:
1. A management token, or a token with read access to the service being
queried needed to be provided in order to create a prepared query.
2. The token used to create the prepared query was stored with the query
in the state store and used to execute the query.
3. A management token, or the token used to create the query needed to be
supplied to perform and CRUD operations on an existing prepared query.
This was pretty subtle and complicated behavior, and won't work for
templates since the service name is computed at execution time. To solve
this, we introduce a new "prepared-query" ACL type, where the prefix
applies to the query name for static prepared query types and to the
prefix for template prepared query types.
With this change, the new behavior is:
1. A management token, or a token with "prepared-query" write access to
the query name or (soon) the given template prefix is required to do
any CRUD operations on a prepared query, or to list prepared queries
(the list is filtered by this ACL).
2. You will no longer need a management token to list prepared queries,
but you will only be able to see prepared queries that you have access
to (you get an empty list instead of permission denied).
3. When listing or getting a query, because it was easy to capture
management tokens given the past behavior, this will always blank out
the "Token" field (replacing the contents as <hidden>) for all tokens
unless a management token is supplied. Going forward, we should
discourage people from binding tokens for execution unless strictly
necessary.
4. No token will be captured by default when a prepared query is created.
If the user wishes to supply an execution token then can pass it in via
the "Token" field in the prepared query definition. Otherwise, this
field will default to empty.
5. At execution time, we will use the captured token if it exists with the
prepared query definition, otherwise we will use the token that's passed
in with the request, just like we do for other RPCs (or you can use the
agent's configured token for DNS).
6. Prepared queries with no name (accessible only by ID) will not require
ACLs to create or modify (execution time will depend on the service ACL
configuration). Our argument here is that these are designed to be
ephemeral and the IDs are as good as an ACL. Management tokens will be
able to list all of these.
These changes enable templates, but also enable delegation of authority to
manage the prepared query namespace.
2016-02-23 08:12:58 +00:00
|
|
|
}
|
|
|
|
|
2019-10-24 18:38:09 +00:00
|
|
|
func (f *aclFilter) filterToken(token **structs.ACLToken) {
|
2019-12-18 18:43:24 +00:00
|
|
|
var entCtx acl.AuthorizerContext
|
2019-10-24 18:38:09 +00:00
|
|
|
if token == nil || *token == nil || f == nil {
|
2018-10-19 16:04:07 +00:00
|
|
|
return
|
2015-06-11 19:08:21 +00:00
|
|
|
}
|
2019-10-24 18:38:09 +00:00
|
|
|
|
|
|
|
(*token).FillAuthzContext(&entCtx)
|
|
|
|
|
|
|
|
if f.authorizer.ACLRead(&entCtx) != acl.Allow {
|
|
|
|
// no permissions to read
|
|
|
|
*token = nil
|
|
|
|
} else if f.authorizer.ACLWrite(&entCtx) != acl.Allow {
|
|
|
|
// no write permissions - redact secret
|
|
|
|
clone := *(*token)
|
|
|
|
clone.SecretID = redactedToken
|
|
|
|
*token = &clone
|
|
|
|
}
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
2015-06-11 19:08:21 +00:00
|
|
|
|
2019-10-24 18:38:09 +00:00
|
|
|
func (f *aclFilter) filterTokens(tokens *structs.ACLTokens) {
|
2018-10-19 16:04:07 +00:00
|
|
|
ret := make(structs.ACLTokens, 0, len(*tokens))
|
|
|
|
for _, token := range *tokens {
|
|
|
|
final := token
|
2019-10-24 18:38:09 +00:00
|
|
|
f.filterToken(&final)
|
|
|
|
if final != nil {
|
|
|
|
ret = append(ret, final)
|
|
|
|
}
|
2015-06-11 19:08:21 +00:00
|
|
|
}
|
2018-10-19 16:04:07 +00:00
|
|
|
*tokens = ret
|
|
|
|
}
|
2015-06-11 19:08:21 +00:00
|
|
|
|
2019-10-24 18:38:09 +00:00
|
|
|
func (f *aclFilter) filterTokenStub(token **structs.ACLTokenListStub) {
|
2019-12-18 18:43:24 +00:00
|
|
|
var entCtx acl.AuthorizerContext
|
2019-10-24 18:38:09 +00:00
|
|
|
if token == nil || *token == nil || f == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
(*token).FillAuthzContext(&entCtx)
|
|
|
|
|
|
|
|
if f.authorizer.ACLRead(&entCtx) != acl.Allow {
|
|
|
|
*token = nil
|
2021-07-08 22:13:08 +00:00
|
|
|
} else if f.authorizer.ACLWrite(&entCtx) != acl.Allow {
|
|
|
|
// no write permissions - redact secret
|
|
|
|
clone := *(*token)
|
|
|
|
clone.SecretID = redactedToken
|
|
|
|
*token = &clone
|
2019-10-24 18:38:09 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *aclFilter) filterTokenStubs(tokens *[]*structs.ACLTokenListStub) {
|
|
|
|
ret := make(structs.ACLTokenListStubs, 0, len(*tokens))
|
|
|
|
for _, token := range *tokens {
|
|
|
|
final := token
|
|
|
|
f.filterTokenStub(&final)
|
|
|
|
if final != nil {
|
|
|
|
ret = append(ret, final)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
*tokens = ret
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *aclFilter) filterPolicy(policy **structs.ACLPolicy) {
|
2019-12-18 18:43:24 +00:00
|
|
|
var entCtx acl.AuthorizerContext
|
2019-10-24 18:38:09 +00:00
|
|
|
if policy == nil || *policy == nil || f == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
(*policy).FillAuthzContext(&entCtx)
|
|
|
|
|
|
|
|
if f.authorizer.ACLRead(&entCtx) != acl.Allow {
|
|
|
|
// no permissions to read
|
|
|
|
*policy = nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *aclFilter) filterPolicies(policies *structs.ACLPolicies) {
|
|
|
|
ret := make(structs.ACLPolicies, 0, len(*policies))
|
|
|
|
for _, policy := range *policies {
|
|
|
|
final := policy
|
|
|
|
f.filterPolicy(&final)
|
|
|
|
if final != nil {
|
|
|
|
ret = append(ret, final)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
*policies = ret
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *aclFilter) filterRole(role **structs.ACLRole) {
|
2019-12-18 18:43:24 +00:00
|
|
|
var entCtx acl.AuthorizerContext
|
2019-10-24 18:38:09 +00:00
|
|
|
if role == nil || *role == nil || f == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
(*role).FillAuthzContext(&entCtx)
|
|
|
|
|
|
|
|
if f.authorizer.ACLRead(&entCtx) != acl.Allow {
|
|
|
|
// no permissions to read
|
|
|
|
*role = nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *aclFilter) filterRoles(roles *structs.ACLRoles) {
|
|
|
|
ret := make(structs.ACLRoles, 0, len(*roles))
|
|
|
|
for _, role := range *roles {
|
|
|
|
final := role
|
|
|
|
f.filterRole(&final)
|
|
|
|
if final != nil {
|
|
|
|
ret = append(ret, final)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
*roles = ret
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *aclFilter) filterBindingRule(rule **structs.ACLBindingRule) {
|
2019-12-18 18:43:24 +00:00
|
|
|
var entCtx acl.AuthorizerContext
|
2019-10-24 18:38:09 +00:00
|
|
|
if rule == nil || *rule == nil || f == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
(*rule).FillAuthzContext(&entCtx)
|
|
|
|
|
|
|
|
if f.authorizer.ACLRead(&entCtx) != acl.Allow {
|
|
|
|
// no permissions to read
|
|
|
|
*rule = nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *aclFilter) filterBindingRules(rules *structs.ACLBindingRules) {
|
|
|
|
ret := make(structs.ACLBindingRules, 0, len(*rules))
|
|
|
|
for _, rule := range *rules {
|
|
|
|
final := rule
|
|
|
|
f.filterBindingRule(&final)
|
|
|
|
if final != nil {
|
|
|
|
ret = append(ret, final)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
*rules = ret
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *aclFilter) filterAuthMethod(method **structs.ACLAuthMethod) {
|
2019-12-18 18:43:24 +00:00
|
|
|
var entCtx acl.AuthorizerContext
|
2019-10-24 18:38:09 +00:00
|
|
|
if method == nil || *method == nil || f == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
(*method).FillAuthzContext(&entCtx)
|
|
|
|
|
|
|
|
if f.authorizer.ACLRead(&entCtx) != acl.Allow {
|
|
|
|
// no permissions to read
|
|
|
|
*method = nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *aclFilter) filterAuthMethods(methods *structs.ACLAuthMethods) {
|
|
|
|
ret := make(structs.ACLAuthMethods, 0, len(*methods))
|
|
|
|
for _, method := range *methods {
|
|
|
|
final := method
|
|
|
|
f.filterAuthMethod(&final)
|
|
|
|
if final != nil {
|
|
|
|
ret = append(ret, final)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
*methods = ret
|
|
|
|
}
|
|
|
|
|
2021-12-03 20:56:14 +00:00
|
|
|
func (f *aclFilter) filterServiceList(services *structs.ServiceList) bool {
|
2020-01-24 15:04:58 +00:00
|
|
|
ret := make(structs.ServiceList, 0, len(*services))
|
2021-12-03 20:56:14 +00:00
|
|
|
var removed bool
|
2020-01-24 15:04:58 +00:00
|
|
|
for _, svc := range *services {
|
|
|
|
var authzContext acl.AuthorizerContext
|
|
|
|
|
|
|
|
svc.FillAuthzContext(&authzContext)
|
|
|
|
|
|
|
|
if f.authorizer.ServiceRead(svc.Name, &authzContext) != acl.Allow {
|
2021-12-03 20:56:14 +00:00
|
|
|
removed = true
|
2020-01-24 15:04:58 +00:00
|
|
|
sid := structs.NewServiceID(svc.Name, &svc.EnterpriseMeta)
|
2020-01-28 23:50:41 +00:00
|
|
|
f.logger.Debug("dropping service from result due to ACLs", "service", sid.String())
|
2020-01-24 15:04:58 +00:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = append(ret, svc)
|
|
|
|
}
|
|
|
|
|
|
|
|
*services = ret
|
2021-12-03 20:56:14 +00:00
|
|
|
return removed
|
2020-01-24 15:04:58 +00:00
|
|
|
}
|
|
|
|
|
2020-04-08 18:37:24 +00:00
|
|
|
// filterGatewayServices is used to filter gateway to service mappings based on ACL rules.
|
2021-12-03 20:56:14 +00:00
|
|
|
// Returns true if any elements were removed.
|
|
|
|
func (f *aclFilter) filterGatewayServices(mappings *structs.GatewayServices) bool {
|
2020-04-08 18:37:24 +00:00
|
|
|
ret := make(structs.GatewayServices, 0, len(*mappings))
|
2021-12-03 23:04:24 +00:00
|
|
|
var removed bool
|
2020-04-08 18:37:24 +00:00
|
|
|
for _, s := range *mappings {
|
|
|
|
// This filter only checks ServiceRead on the linked service.
|
|
|
|
// ServiceRead on the gateway is checked in the GatewayServices endpoint before filtering.
|
|
|
|
var authzContext acl.AuthorizerContext
|
|
|
|
s.Service.FillAuthzContext(&authzContext)
|
|
|
|
|
2020-06-12 14:57:41 +00:00
|
|
|
if f.authorizer.ServiceRead(s.Service.Name, &authzContext) != acl.Allow {
|
2020-04-08 18:37:24 +00:00
|
|
|
f.logger.Debug("dropping service from result due to ACLs", "service", s.Service.String())
|
2021-12-03 20:56:14 +00:00
|
|
|
removed = true
|
2020-04-08 18:37:24 +00:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
ret = append(ret, s)
|
|
|
|
}
|
|
|
|
*mappings = ret
|
2021-12-03 20:56:14 +00:00
|
|
|
return removed
|
2020-04-08 18:37:24 +00:00
|
|
|
}
|
|
|
|
|
2021-07-30 21:19:57 +00:00
|
|
|
func filterACLWithAuthorizer(logger hclog.Logger, authorizer acl.Authorizer, subj interface{}) {
|
2018-10-19 16:04:07 +00:00
|
|
|
if authorizer == nil {
|
2021-07-30 21:08:58 +00:00
|
|
|
return
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
2021-07-30 21:19:57 +00:00
|
|
|
filt := newACLFilter(authorizer, logger)
|
2015-06-11 19:08:21 +00:00
|
|
|
|
|
|
|
switch v := subj.(type) {
|
2016-12-11 00:00:11 +00:00
|
|
|
case *structs.CheckServiceNodes:
|
|
|
|
filt.filterCheckServiceNodes(v)
|
|
|
|
|
|
|
|
case *structs.IndexedCheckServiceNodes:
|
2021-12-03 17:31:32 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterCheckServiceNodes(&v.Nodes)
|
2016-12-11 00:00:11 +00:00
|
|
|
|
2021-12-03 23:04:09 +00:00
|
|
|
case *structs.PreparedQueryExecuteResponse:
|
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterCheckServiceNodes(&v.Nodes)
|
|
|
|
|
2020-09-29 01:41:47 +00:00
|
|
|
case *structs.IndexedServiceTopology:
|
|
|
|
filtered := filt.filterServiceTopology(v.ServiceTopology)
|
|
|
|
if filtered {
|
|
|
|
v.FilteredByACLs = true
|
2021-12-03 17:11:26 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = true
|
2020-09-29 01:41:47 +00:00
|
|
|
}
|
|
|
|
|
2020-03-09 20:59:02 +00:00
|
|
|
case *structs.DatacenterIndexedCheckServiceNodes:
|
2021-12-03 20:56:55 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterDatacenterCheckServiceNodes(&v.DatacenterNodes)
|
2020-03-09 20:59:02 +00:00
|
|
|
|
2016-12-12 19:58:31 +00:00
|
|
|
case *structs.IndexedCoordinates:
|
2021-12-03 20:51:02 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterCoordinates(&v.Coordinates)
|
2016-12-12 19:58:31 +00:00
|
|
|
|
2015-06-11 19:08:21 +00:00
|
|
|
case *structs.IndexedHealthChecks:
|
2021-12-03 17:31:32 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterHealthChecks(&v.HealthChecks)
|
2018-03-04 19:53:52 +00:00
|
|
|
|
|
|
|
case *structs.IndexedIntentions:
|
2021-12-03 20:35:54 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterIntentions(&v.Intentions)
|
2015-06-11 19:08:21 +00:00
|
|
|
|
2016-12-11 00:00:11 +00:00
|
|
|
case *structs.IndexedNodeDump:
|
2021-12-03 23:04:24 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterNodeDump(&v.Dump)
|
2015-06-11 19:08:21 +00:00
|
|
|
|
2020-05-11 17:35:17 +00:00
|
|
|
case *structs.IndexedServiceDump:
|
2021-12-03 23:04:24 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterServiceDump(&v.Dump)
|
2020-05-11 17:35:17 +00:00
|
|
|
|
2016-12-11 00:00:11 +00:00
|
|
|
case *structs.IndexedNodes:
|
2021-12-03 20:56:14 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterNodes(&v.Nodes)
|
2015-06-11 19:08:21 +00:00
|
|
|
|
|
|
|
case *structs.IndexedNodeServices:
|
2021-12-03 20:56:14 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterNodeServices(&v.NodeServices)
|
2015-06-09 19:36:25 +00:00
|
|
|
|
2021-12-03 20:56:14 +00:00
|
|
|
case *structs.IndexedNodeServiceList:
|
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterNodeServiceList(&v.NodeServices)
|
2019-12-10 02:26:41 +00:00
|
|
|
|
2016-12-11 00:00:11 +00:00
|
|
|
case *structs.IndexedServiceNodes:
|
2021-12-03 20:56:14 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterServiceNodes(&v.ServiceNodes)
|
Creates new "prepared-query" ACL type and new token capture behavior.
Prior to this change, prepared queries had the following behavior for
ACLs, which will need to change to support templates:
1. A management token, or a token with read access to the service being
queried needed to be provided in order to create a prepared query.
2. The token used to create the prepared query was stored with the query
in the state store and used to execute the query.
3. A management token, or the token used to create the query needed to be
supplied to perform and CRUD operations on an existing prepared query.
This was pretty subtle and complicated behavior, and won't work for
templates since the service name is computed at execution time. To solve
this, we introduce a new "prepared-query" ACL type, where the prefix
applies to the query name for static prepared query types and to the
prefix for template prepared query types.
With this change, the new behavior is:
1. A management token, or a token with "prepared-query" write access to
the query name or (soon) the given template prefix is required to do
any CRUD operations on a prepared query, or to list prepared queries
(the list is filtered by this ACL).
2. You will no longer need a management token to list prepared queries,
but you will only be able to see prepared queries that you have access
to (you get an empty list instead of permission denied).
3. When listing or getting a query, because it was easy to capture
management tokens given the past behavior, this will always blank out
the "Token" field (replacing the contents as <hidden>) for all tokens
unless a management token is supplied. Going forward, we should
discourage people from binding tokens for execution unless strictly
necessary.
4. No token will be captured by default when a prepared query is created.
If the user wishes to supply an execution token then can pass it in via
the "Token" field in the prepared query definition. Otherwise, this
field will default to empty.
5. At execution time, we will use the captured token if it exists with the
prepared query definition, otherwise we will use the token that's passed
in with the request, just like we do for other RPCs (or you can use the
agent's configured token for DNS).
6. Prepared queries with no name (accessible only by ID) will not require
ACLs to create or modify (execution time will depend on the service ACL
configuration). Our argument here is that these are designed to be
ephemeral and the IDs are as good as an ACL. Management tokens will be
able to list all of these.
These changes enable templates, but also enable delegation of authority to
manage the prepared query namespace.
2016-02-23 08:12:58 +00:00
|
|
|
|
2016-12-11 00:00:11 +00:00
|
|
|
case *structs.IndexedServices:
|
2021-12-03 20:56:14 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterServices(v.Services, &v.EnterpriseMeta)
|
2015-06-11 23:46:15 +00:00
|
|
|
|
2016-12-13 05:59:22 +00:00
|
|
|
case *structs.IndexedSessions:
|
2021-12-03 20:43:43 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterSessions(&v.Sessions)
|
2016-12-13 05:59:22 +00:00
|
|
|
|
Creates new "prepared-query" ACL type and new token capture behavior.
Prior to this change, prepared queries had the following behavior for
ACLs, which will need to change to support templates:
1. A management token, or a token with read access to the service being
queried needed to be provided in order to create a prepared query.
2. The token used to create the prepared query was stored with the query
in the state store and used to execute the query.
3. A management token, or the token used to create the query needed to be
supplied to perform and CRUD operations on an existing prepared query.
This was pretty subtle and complicated behavior, and won't work for
templates since the service name is computed at execution time. To solve
this, we introduce a new "prepared-query" ACL type, where the prefix
applies to the query name for static prepared query types and to the
prefix for template prepared query types.
With this change, the new behavior is:
1. A management token, or a token with "prepared-query" write access to
the query name or (soon) the given template prefix is required to do
any CRUD operations on a prepared query, or to list prepared queries
(the list is filtered by this ACL).
2. You will no longer need a management token to list prepared queries,
but you will only be able to see prepared queries that you have access
to (you get an empty list instead of permission denied).
3. When listing or getting a query, because it was easy to capture
management tokens given the past behavior, this will always blank out
the "Token" field (replacing the contents as <hidden>) for all tokens
unless a management token is supplied. Going forward, we should
discourage people from binding tokens for execution unless strictly
necessary.
4. No token will be captured by default when a prepared query is created.
If the user wishes to supply an execution token then can pass it in via
the "Token" field in the prepared query definition. Otherwise, this
field will default to empty.
5. At execution time, we will use the captured token if it exists with the
prepared query definition, otherwise we will use the token that's passed
in with the request, just like we do for other RPCs (or you can use the
agent's configured token for DNS).
6. Prepared queries with no name (accessible only by ID) will not require
ACLs to create or modify (execution time will depend on the service ACL
configuration). Our argument here is that these are designed to be
ephemeral and the IDs are as good as an ACL. Management tokens will be
able to list all of these.
These changes enable templates, but also enable delegation of authority to
manage the prepared query namespace.
2016-02-23 08:12:58 +00:00
|
|
|
case *structs.IndexedPreparedQueries:
|
2021-12-03 23:04:09 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterPreparedQueries(&v.Queries)
|
Creates new "prepared-query" ACL type and new token capture behavior.
Prior to this change, prepared queries had the following behavior for
ACLs, which will need to change to support templates:
1. A management token, or a token with read access to the service being
queried needed to be provided in order to create a prepared query.
2. The token used to create the prepared query was stored with the query
in the state store and used to execute the query.
3. A management token, or the token used to create the query needed to be
supplied to perform and CRUD operations on an existing prepared query.
This was pretty subtle and complicated behavior, and won't work for
templates since the service name is computed at execution time. To solve
this, we introduce a new "prepared-query" ACL type, where the prefix
applies to the query name for static prepared query types and to the
prefix for template prepared query types.
With this change, the new behavior is:
1. A management token, or a token with "prepared-query" write access to
the query name or (soon) the given template prefix is required to do
any CRUD operations on a prepared query, or to list prepared queries
(the list is filtered by this ACL).
2. You will no longer need a management token to list prepared queries,
but you will only be able to see prepared queries that you have access
to (you get an empty list instead of permission denied).
3. When listing or getting a query, because it was easy to capture
management tokens given the past behavior, this will always blank out
the "Token" field (replacing the contents as <hidden>) for all tokens
unless a management token is supplied. Going forward, we should
discourage people from binding tokens for execution unless strictly
necessary.
4. No token will be captured by default when a prepared query is created.
If the user wishes to supply an execution token then can pass it in via
the "Token" field in the prepared query definition. Otherwise, this
field will default to empty.
5. At execution time, we will use the captured token if it exists with the
prepared query definition, otherwise we will use the token that's passed
in with the request, just like we do for other RPCs (or you can use the
agent's configured token for DNS).
6. Prepared queries with no name (accessible only by ID) will not require
ACLs to create or modify (execution time will depend on the service ACL
configuration). Our argument here is that these are designed to be
ephemeral and the IDs are as good as an ACL. Management tokens will be
able to list all of these.
These changes enable templates, but also enable delegation of authority to
manage the prepared query namespace.
2016-02-23 08:12:58 +00:00
|
|
|
|
2016-02-26 23:59:00 +00:00
|
|
|
case **structs.PreparedQuery:
|
|
|
|
filt.redactPreparedQueryTokens(v)
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
case *structs.ACLTokens:
|
2019-10-24 18:38:09 +00:00
|
|
|
filt.filterTokens(v)
|
2018-10-19 16:04:07 +00:00
|
|
|
case **structs.ACLToken:
|
2019-10-24 18:38:09 +00:00
|
|
|
filt.filterToken(v)
|
|
|
|
case *[]*structs.ACLTokenListStub:
|
|
|
|
filt.filterTokenStubs(v)
|
|
|
|
case **structs.ACLTokenListStub:
|
|
|
|
filt.filterTokenStub(v)
|
|
|
|
|
|
|
|
case *structs.ACLPolicies:
|
|
|
|
filt.filterPolicies(v)
|
|
|
|
case **structs.ACLPolicy:
|
|
|
|
filt.filterPolicy(v)
|
|
|
|
|
|
|
|
case *structs.ACLRoles:
|
|
|
|
filt.filterRoles(v)
|
|
|
|
case **structs.ACLRole:
|
|
|
|
filt.filterRole(v)
|
|
|
|
|
|
|
|
case *structs.ACLBindingRules:
|
|
|
|
filt.filterBindingRules(v)
|
|
|
|
case **structs.ACLBindingRule:
|
|
|
|
filt.filterBindingRule(v)
|
|
|
|
|
|
|
|
case *structs.ACLAuthMethods:
|
|
|
|
filt.filterAuthMethods(v)
|
|
|
|
case **structs.ACLAuthMethod:
|
|
|
|
filt.filterAuthMethod(v)
|
2018-10-19 16:04:07 +00:00
|
|
|
|
2020-01-24 15:04:58 +00:00
|
|
|
case *structs.IndexedServiceList:
|
2021-12-03 20:56:14 +00:00
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterServiceList(&v.Services)
|
2020-04-08 18:37:24 +00:00
|
|
|
|
2022-06-06 19:20:41 +00:00
|
|
|
case *structs.IndexedExportedServiceList:
|
|
|
|
for peer, peerServices := range v.Services {
|
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterServiceList(&peerServices)
|
|
|
|
if len(peerServices) == 0 {
|
|
|
|
delete(v.Services, peer)
|
|
|
|
} else {
|
|
|
|
v.Services[peer] = peerServices
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-12-03 20:56:14 +00:00
|
|
|
case *structs.IndexedGatewayServices:
|
|
|
|
v.QueryMeta.ResultsFilteredByACLs = filt.filterGatewayServices(&v.Services)
|
|
|
|
|
|
|
|
case *structs.IndexedNodesWithGateways:
|
|
|
|
if filt.filterCheckServiceNodes(&v.Nodes) {
|
|
|
|
v.QueryMeta.ResultsFilteredByACLs = true
|
|
|
|
}
|
|
|
|
if filt.filterGatewayServices(&v.Gateways) {
|
|
|
|
v.QueryMeta.ResultsFilteredByACLs = true
|
|
|
|
}
|
2020-04-08 18:37:24 +00:00
|
|
|
|
2015-06-11 23:46:15 +00:00
|
|
|
default:
|
2019-10-24 18:38:09 +00:00
|
|
|
panic(fmt.Errorf("Unhandled type passed to ACL filter: %T %#v", subj, subj))
|
2015-06-09 19:36:25 +00:00
|
|
|
}
|
|
|
|
}
|
2016-12-09 00:01:01 +00:00
|
|
|
|
2021-07-30 21:19:57 +00:00
|
|
|
// filterACL uses the ACLResolver to resolve the token in an acl.Authorizer,
|
|
|
|
// then uses the acl.Authorizer to filter subj. Any entities in subj that are
|
|
|
|
// not authorized for read access will be removed from subj.
|
|
|
|
func filterACL(r *ACLResolver, token string, subj interface{}) error {
|
2018-10-19 16:04:07 +00:00
|
|
|
// Get the ACL from the token
|
2022-01-23 17:31:48 +00:00
|
|
|
authorizer, err := r.ResolveToken(token)
|
2018-10-19 16:04:07 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2021-07-30 21:19:57 +00:00
|
|
|
filterACLWithAuthorizer(r.logger, authorizer, subj)
|
2021-07-30 21:08:58 +00:00
|
|
|
return nil
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
2021-10-24 22:28:46 +00:00
|
|
|
|
|
|
|
type partitionInfoNoop struct{}
|
|
|
|
|
2021-12-03 06:50:38 +00:00
|
|
|
func (p *partitionInfoNoop) ExportsForPartition(partition string) acl.ExportedServices {
|
|
|
|
return acl.ExportedServices{}
|
2021-10-24 22:28:46 +00:00
|
|
|
}
|