Daniel Nephin
parent
37c67cb280
commit
c80b9565e2
|
|
@ -227,7 +227,7 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
|
||||||
// worst let a service update revert a recent node update, so it doesn't open up
|
// worst let a service update revert a recent node update, so it doesn't open up
|
||||||
// too much abuse).
|
// too much abuse).
|
||||||
func vetRegisterWithACL(
|
func vetRegisterWithACL(
|
||||||
rule acl.Authorizer,
|
authz acl.Authorizer,
|
||||||
subj *structs.RegisterRequest,
|
subj *structs.RegisterRequest,
|
||||||
ns *structs.NodeServices,
|
ns *structs.NodeServices,
|
||||||
) error {
|
) error {
|
||||||
|
|
@ -239,7 +239,7 @@ func vetRegisterWithACL(
|
||||||
// privileges.
|
// privileges.
|
||||||
needsNode := ns == nil || subj.ChangesNode(ns.Node)
|
needsNode := ns == nil || subj.ChangesNode(ns.Node)
|
||||||
|
|
||||||
if needsNode && rule.NodeWrite(subj.Node, &authzContext) != acl.Allow {
|
if needsNode && authz.NodeWrite(subj.Node, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -247,7 +247,7 @@ func vetRegisterWithACL(
|
||||||
// the given service, and that we can write to any existing service that
|
// the given service, and that we can write to any existing service that
|
||||||
// is being modified by id (if any).
|
// is being modified by id (if any).
|
||||||
if subj.Service != nil {
|
if subj.Service != nil {
|
||||||
if rule.ServiceWrite(subj.Service.Service, &authzContext) != acl.Allow {
|
if authz.ServiceWrite(subj.Service.Service, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -261,7 +261,7 @@ func vetRegisterWithACL(
|
||||||
var secondaryCtx acl.AuthorizerContext
|
var secondaryCtx acl.AuthorizerContext
|
||||||
other.FillAuthzContext(&secondaryCtx)
|
other.FillAuthzContext(&secondaryCtx)
|
||||||
|
|
||||||
if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow {
|
if authz.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -291,7 +291,7 @@ func vetRegisterWithACL(
|
||||||
|
|
||||||
// Node-level check.
|
// Node-level check.
|
||||||
if check.ServiceID == "" {
|
if check.ServiceID == "" {
|
||||||
if rule.NodeWrite(subj.Node, &authzContext) != acl.Allow {
|
if authz.NodeWrite(subj.Node, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
continue
|
continue
|
||||||
|
|
@ -322,7 +322,7 @@ func vetRegisterWithACL(
|
||||||
var secondaryCtx acl.AuthorizerContext
|
var secondaryCtx acl.AuthorizerContext
|
||||||
other.FillAuthzContext(&secondaryCtx)
|
other.FillAuthzContext(&secondaryCtx)
|
||||||
|
|
||||||
if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow {
|
if authz.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -385,7 +385,7 @@ func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) e
|
||||||
// endpoint. The NodeService for the referenced service must be supplied, and can
|
// endpoint. The NodeService for the referenced service must be supplied, and can
|
||||||
// be nil; similar for the HealthCheck for the referenced health check.
|
// be nil; similar for the HealthCheck for the referenced health check.
|
||||||
func vetDeregisterWithACL(
|
func vetDeregisterWithACL(
|
||||||
rule acl.Authorizer,
|
authz acl.Authorizer,
|
||||||
subj *structs.DeregisterRequest,
|
subj *structs.DeregisterRequest,
|
||||||
ns *structs.NodeService,
|
ns *structs.NodeService,
|
||||||
nc *structs.HealthCheck,
|
nc *structs.HealthCheck,
|
||||||
|
|
@ -400,7 +400,7 @@ func vetDeregisterWithACL(
|
||||||
// Allow service deregistration if the token has write permission for the node.
|
// Allow service deregistration if the token has write permission for the node.
|
||||||
// This accounts for cases where the agent no longer has a token with write permission
|
// This accounts for cases where the agent no longer has a token with write permission
|
||||||
// on the service to deregister it.
|
// on the service to deregister it.
|
||||||
if rule.NodeWrite(subj.Node, &authzContext) == acl.Allow {
|
if authz.NodeWrite(subj.Node, &authzContext) == acl.Allow {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -415,7 +415,7 @@ func vetDeregisterWithACL(
|
||||||
|
|
||||||
ns.FillAuthzContext(&authzContext)
|
ns.FillAuthzContext(&authzContext)
|
||||||
|
|
||||||
if rule.ServiceWrite(ns.Service, &authzContext) != acl.Allow {
|
if authz.ServiceWrite(ns.Service, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
} else if subj.CheckID != "" {
|
} else if subj.CheckID != "" {
|
||||||
|
|
@ -426,11 +426,11 @@ func vetDeregisterWithACL(
|
||||||
nc.FillAuthzContext(&authzContext)
|
nc.FillAuthzContext(&authzContext)
|
||||||
|
|
||||||
if nc.ServiceID != "" {
|
if nc.ServiceID != "" {
|
||||||
if rule.ServiceWrite(nc.ServiceName, &authzContext) != acl.Allow {
|
if authz.ServiceWrite(nc.ServiceName, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if rule.NodeWrite(subj.Node, &authzContext) != acl.Allow {
|
if authz.NodeWrite(subj.Node, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -109,29 +109,29 @@ func (t *Txn) preCheck(authorizer acl.Authorizer, ops structs.TxnOps) structs.Tx
|
||||||
}
|
}
|
||||||
|
|
||||||
// vetNodeTxnOp applies the given ACL policy to a node transaction operation.
|
// vetNodeTxnOp applies the given ACL policy to a node transaction operation.
|
||||||
func vetNodeTxnOp(op *structs.TxnNodeOp, rule acl.Authorizer) error {
|
func vetNodeTxnOp(op *structs.TxnNodeOp, authz acl.Authorizer) error {
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
op.FillAuthzContext(&authzContext)
|
op.FillAuthzContext(&authzContext)
|
||||||
|
|
||||||
if rule.NodeWrite(op.Node.Node, &authzContext) != acl.Allow {
|
if authz.NodeWrite(op.Node.Node, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// vetCheckTxnOp applies the given ACL policy to a check transaction operation.
|
// vetCheckTxnOp applies the given ACL policy to a check transaction operation.
|
||||||
func vetCheckTxnOp(op *structs.TxnCheckOp, rule acl.Authorizer) error {
|
func vetCheckTxnOp(op *structs.TxnCheckOp, authz acl.Authorizer) error {
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
op.FillAuthzContext(&authzContext)
|
op.FillAuthzContext(&authzContext)
|
||||||
|
|
||||||
if op.Check.ServiceID == "" {
|
if op.Check.ServiceID == "" {
|
||||||
// Node-level check.
|
// Node-level check.
|
||||||
if rule.NodeWrite(op.Check.Node, &authzContext) != acl.Allow {
|
if authz.NodeWrite(op.Check.Node, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// Service-level check.
|
// Service-level check.
|
||||||
if rule.ServiceWrite(op.Check.ServiceName, &authzContext) != acl.Allow {
|
if authz.ServiceWrite(op.Check.ServiceName, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue