luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

added permission denied error message (#8044)

This commit is contained in:
Alexander Mykolaichuk 2020-09-22 20:36:07 +02:00 committed by GitHub
parent d48d2bf550
commit e4f9c19772
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
agent/acl.go
View File

@ -105,14 +105,16 @@ func (a *Agent) vetServiceRegisterWithAuthorizer(authz acl.Authorizer, service *
service.FillAuthzContext(&authzContext) service.FillAuthzContext(&authzContext)
// Vet the service itself. // Vet the service itself.
if authz.ServiceWrite(service.Service, &authzContext) != acl.Allow { if authz.ServiceWrite(service.Service, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied serviceName := service.CompoundServiceName()
return acl.PermissionDenied("Missing service:write on %s", serviceName.String())
} }
// Vet any service that might be getting overwritten. // Vet any service that might be getting overwritten.
if existing := a.State.Service(service.CompoundServiceID()); existing != nil { if existing := a.State.Service(service.CompoundServiceID()); existing != nil {
existing.FillAuthzContext(&authzContext) existing.FillAuthzContext(&authzContext)
if authz.ServiceWrite(existing.Service, &authzContext) != acl.Allow { if authz.ServiceWrite(existing.Service, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied serviceName := service.CompoundServiceName()
return acl.PermissionDenied("Missing service:write on %s", serviceName.String())
} }
} }
@ -121,7 +123,7 @@ func (a *Agent) vetServiceRegisterWithAuthorizer(authz acl.Authorizer, service *
if service.Kind == structs.ServiceKindConnectProxy { if service.Kind == structs.ServiceKindConnectProxy {
service.FillAuthzContext(&authzContext) service.FillAuthzContext(&authzContext)
if authz.ServiceWrite(service.Proxy.DestinationServiceName, &authzContext) != acl.Allow { if authz.ServiceWrite(service.Proxy.DestinationServiceName, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.PermissionDenied("Missing service:write on %s", service.Proxy.DestinationServiceName)
} }
} }
@ -151,7 +153,8 @@ func (a *Agent) vetServiceUpdateWithAuthorizer(authz acl.Authorizer, serviceID s
if existing := a.State.Service(serviceID); existing != nil { if existing := a.State.Service(serviceID); existing != nil {
existing.FillAuthzContext(&authzContext) existing.FillAuthzContext(&authzContext)
if authz.ServiceWrite(existing.Service, &authzContext) != acl.Allow { if authz.ServiceWrite(existing.Service, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied serviceName := existing.CompoundServiceName()
return acl.PermissionDenied("Missing service:write on %s", serviceName.String())
} }
} else { } else {
return fmt.Errorf("Unknown service %q", serviceID) return fmt.Errorf("Unknown service %q", serviceID)
@ -229,11 +232,11 @@ func (a *Agent) vetCheckUpdateWithAuthorizer(authz acl.Authorizer, checkID struc
if existing := a.State.Check(checkID); existing != nil { if existing := a.State.Check(checkID); existing != nil {
if len(existing.ServiceName) > 0 { if len(existing.ServiceName) > 0 {
if authz.ServiceWrite(existing.ServiceName, &authzContext) != acl.Allow { if authz.ServiceWrite(existing.ServiceName, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.PermissionDenied("Missing service:write on %s", existing.ServiceName)
} }
} else { } else {
if authz.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow { if authz.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.PermissionDenied("Missing node:write on %s", a.config.NodeName)
} }
} }
} else { } else {