consul: Enable ACL lookup
This commit is contained in:
Armon Dadgar
parent
bd124a8da3
commit
9a4778b7d3
|
|
@ -1,10 +1,17 @@
|
|||
package consul
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"errors"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/consul/acl"
|
||||
"github.com/hashicorp/consul/consul/structs"
|
||||
)
|
||||
|
||||
const (
|
||||
// aclNotFound indicates there is no matching ACL
|
||||
aclNotFound = "ACL not found"
|
||||
)
|
||||
|
||||
// aclCacheEntry is used to cache non-authoritative ACL's
|
||||
|
|
@ -23,7 +30,7 @@ func (s *Server) aclFault(id string) (string, error) {
|
|||
return "", err
|
||||
}
|
||||
if acl == nil {
|
||||
return "", fmt.Errorf("ACL not found: %s", id)
|
||||
return "", errors.New(aclNotFound)
|
||||
}
|
||||
return acl.Rules, nil
|
||||
}
|
||||
|
|
@ -43,12 +50,12 @@ func (s *Server) resolveToken(id string) (acl.ACL, error) {
|
|||
}
|
||||
|
||||
// Use our non-authoritative cache
|
||||
return s.lookupACL(id)
|
||||
return s.lookupACL(id, authDC)
|
||||
}
|
||||
|
||||
// lookupACL is used when we are non-authoritative, and need
|
||||
// to resolve an ACL
|
||||
func (s *Server) lookupACL(id string) (acl.ACL, error) {
|
||||
func (s *Server) lookupACL(id, authDC string) (acl.ACL, error) {
|
||||
// Check the cache for the ACL
|
||||
var cached *aclCacheEntry
|
||||
raw, ok := s.aclCache.Get(id)
|
||||
|
|
@ -62,7 +69,48 @@ func (s *Server) lookupACL(id string) (acl.ACL, error) {
|
|||
}
|
||||
|
||||
// Attempt to refresh the policy
|
||||
// TODO: GetPolicy...
|
||||
args := structs.ACLSpecificRequest{
|
||||
Datacenter: authDC,
|
||||
ACL: id,
|
||||
}
|
||||
var out structs.ACLPolicy
|
||||
err := s.RPC("ACL.GetPolicy", &args, &out)
|
||||
|
||||
// Handle the happy path
|
||||
if err == nil {
|
||||
// Determine the root
|
||||
var root acl.ACL
|
||||
switch out.Root {
|
||||
case "allow":
|
||||
root = acl.AllowAll()
|
||||
default:
|
||||
root = acl.DenyAll()
|
||||
}
|
||||
|
||||
// Compile the ACL
|
||||
acl, err := acl.New(root, out.Policy)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Cache the ACL
|
||||
cached := &aclCacheEntry{
|
||||
ACL: acl,
|
||||
TTL: out.TTL,
|
||||
}
|
||||
if out.TTL > 0 {
|
||||
cached.Expires = time.Now().Add(out.TTL)
|
||||
}
|
||||
s.aclCache.Add(id, cached)
|
||||
return acl, nil
|
||||
}
|
||||
|
||||
// Check for not-found
|
||||
if strings.Contains(err.Error(), aclNotFound) {
|
||||
return nil, errors.New(aclNotFound)
|
||||
} else {
|
||||
s.logger.Printf("[ERR] consul.acl: Failed to get policy for '%s': %v", id, err)
|
||||
}
|
||||
|
||||
// Unable to refresh, apply the down policy
|
||||
switch s.config.ACLDownPolicy {
|
||||
|
|
|
|||
|
|
@ -95,8 +95,10 @@ func (a *ACL) GetPolicy(args *structs.ACLSpecificRequest, reply *structs.ACLPoli
|
|||
}
|
||||
|
||||
// Setup the response
|
||||
conf := a.srv.config
|
||||
reply.Policy = policy
|
||||
reply.TTL = a.srv.config.ACLTTL
|
||||
reply.Root = conf.ACLDefaultPolicy
|
||||
reply.TTL = conf.ACLTTL
|
||||
a.srv.setQueryMeta(&reply.QueryMeta)
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -472,6 +472,7 @@ type IndexedACLs struct {
|
|||
}
|
||||
|
||||
type ACLPolicy struct {
|
||||
Root string
|
||||
Policy *acl.Policy
|
||||
TTL time.Duration
|
||||
QueryMeta
|
||||
|
|
|
|||
Loading…
Reference in New Issue