Fix issue with trust bundle read ACL check. (#16630)

This commit fixes an issue where trust bundles could not be read
by services in a non-default namespace, unless they had excessive
ACL permissions given to them.

Prior to this change, `service:write` was required in the default
namespace in order to read the trust bundle. Now, `service:write`
to a service in any namespace is sufficient.
This commit is contained in:
Derek Menteer 2023-03-14 12:24:33 -05:00 committed by GitHub
parent 0ad653b5bb
commit f3be5d9b80
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 5 deletions

3
.changelog/_4696.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
peering: **(Consul Enterprise only)** Fix issue where connect-enabled services with peer upstreams incorrectly required `service:write` access in the `default` namespace to query data, which was too restrictive. Now having `service:write` to any namespace is sufficient to query the peering data.
```

View File

@ -33,12 +33,14 @@ type serverTrustBundle struct {
} }
func (s *serverTrustBundle) Notify(ctx context.Context, req *cachetype.TrustBundleReadRequest, correlationID string, ch chan<- proxycfg.UpdateEvent) error { func (s *serverTrustBundle) Notify(ctx context.Context, req *cachetype.TrustBundleReadRequest, correlationID string, ch chan<- proxycfg.UpdateEvent) error {
entMeta := structs.NodeEnterpriseMetaInPartition(req.Request.Partition) // Having the ability to write a service in ANY (at least one) namespace should be
// sufficient for reading the trust bundle, which is why we use a wildcard.
entMeta := acl.NewEnterpriseMetaWithPartition(req.Request.Partition, acl.WildcardName)
return watch.ServerLocalNotify(ctx, correlationID, s.deps.GetStore, return watch.ServerLocalNotify(ctx, correlationID, s.deps.GetStore,
func(ws memdb.WatchSet, store Store) (uint64, *pbpeering.TrustBundleReadResponse, error) { func(ws memdb.WatchSet, store Store) (uint64, *pbpeering.TrustBundleReadResponse, error) {
var authzCtx acl.AuthorizerContext var authzCtx acl.AuthorizerContext
authz, err := s.deps.ACLResolver.ResolveTokenAndDefaultMeta(req.Token, entMeta, &authzCtx) authz, err := s.deps.ACLResolver.ResolveTokenAndDefaultMeta(req.Token, &entMeta, &authzCtx)
if err != nil { if err != nil {
return 0, nil, err return 0, nil, err
} }

View File

@ -924,9 +924,12 @@ func (s *Server) TrustBundleRead(ctx context.Context, req *pbpeering.TrustBundle
defer metrics.MeasureSince([]string{"peering", "trust_bundle_read"}, time.Now()) defer metrics.MeasureSince([]string{"peering", "trust_bundle_read"}, time.Now())
// Having the ability to write a service in ANY (at least one) namespace should be
// sufficient for reading the trust bundle, which is why we use a wildcard.
entMeta := acl.NewEnterpriseMetaWithPartition(req.Partition, acl.WildcardName)
entMeta.Normalize()
var authzCtx acl.AuthorizerContext var authzCtx acl.AuthorizerContext
entMeta := structs.DefaultEnterpriseMetaInPartition(req.Partition) authz, err := s.Backend.ResolveTokenAndDefaultMeta(options.Token, &entMeta, &authzCtx)
authz, err := s.Backend.ResolveTokenAndDefaultMeta(options.Token, entMeta, &authzCtx)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -937,7 +940,7 @@ func (s *Server) TrustBundleRead(ctx context.Context, req *pbpeering.TrustBundle
idx, trustBundle, err := s.Backend.Store().PeeringTrustBundleRead(nil, state.Query{ idx, trustBundle, err := s.Backend.Store().PeeringTrustBundleRead(nil, state.Query{
Value: req.Name, Value: req.Name,
EnterpriseMeta: *entMeta, EnterpriseMeta: entMeta,
}) })
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to read trust bundle for peer %s: %w", req.Name, err) return nil, fmt.Errorf("failed to read trust bundle for peer %s: %w", req.Name, err)