Commit Graph

27 Commits

Author SHA1 Message Date
James Phillips f0150ff5ce Adds missing token redact in the GET path. 2016-02-26 15:59:00 -08:00
James Phillips 3b91618d7d Changes to more idiomatic "ok" pattern for prefix getter. 2016-02-24 16:26:43 -08:00
James Phillips 54f0b7bbb6 Completes switch of prepared_query ACLs to govern query names. 2016-02-24 01:26:16 -08:00
James Phillips 633c231d67 Creates new "prepared-query" ACL type and new token capture behavior.
Prior to this change, prepared queries had the following behavior for
ACLs, which will need to change to support templates:

1. A management token, or a token with read access to the service being
   queried needed to be provided in order to create a prepared query.

2. The token used to create the prepared query was stored with the query
   in the state store and used to execute the query.

3. A management token, or the token used to create the query needed to be
   supplied to perform and CRUD operations on an existing prepared query.

This was pretty subtle and complicated behavior, and won't work for
templates since the service name is computed at execution time. To solve
this, we introduce a new "prepared-query" ACL type, where the prefix
applies to the query name for static prepared query types and to the
prefix for template prepared query types.

With this change, the new behavior is:

1. A management token, or a token with "prepared-query" write access to
   the query name or (soon) the given template prefix is required to do
   any CRUD operations on a prepared query, or to list prepared queries
   (the list is filtered by this ACL).

2. You will no longer need a management token to list prepared queries,
   but you will only be able to see prepared queries that you have access
   to (you get an empty list instead of permission denied).

3. When listing or getting a query, because it was easy to capture
   management tokens given the past behavior, this will always blank out
   the "Token" field (replacing the contents as <hidden>) for all tokens
   unless a management token is supplied. Going forward, we should
   discourage people from binding tokens for execution unless strictly
   necessary.

4. No token will be captured by default when a prepared query is created.
   If the user wishes to supply an execution token then can pass it in via
   the "Token" field in the prepared query definition. Otherwise, this
   field will default to empty.

5. At execution time, we will use the captured token if it exists with the
   prepared query definition, otherwise we will use the token that's passed
   in with the request, just like we do for other RPCs (or you can use the
   agent's configured token for DNS).

6. Prepared queries with no name (accessible only by ID) will not require
   ACLs to create or modify (execution time will depend on the service ACL
   configuration). Our argument here is that these are designed to be
   ephemeral and the IDs are as good as an ACL. Management tokens will be
   able to list all of these.

These changes enable templates, but also enable delegation of authority to
manage the prepared query namespace.
2016-02-23 17:12:43 -08:00
Ryan Uber e04a23801e consul: split ACL cache into a reusable struct 2015-06-18 18:13:29 -07:00
Ryan Uber d600fad4e7 consul: fast path a typed nil during ACL filtering 2015-06-12 16:46:15 -07:00
Ryan Uber 2b1a19a906 consul: fail badly if an unsupported type is passed to the ACL filter 2015-06-11 17:06:35 -07:00
Ryan Uber 593b4b3dd6 consul: fix log message 2015-06-11 15:00:26 -07:00
Ryan Uber 63a2737cac consul: testing acl filters in isolation 2015-06-11 14:14:43 -07:00
Ryan Uber 5aeb8202d6 consul: testing internal endpoint acl filtering 2015-06-11 13:05:33 -07:00
Ryan Uber aa87f2b73c consul: rename function to avoid collision and clean up 2015-06-11 13:04:47 -07:00
Ryan Uber 1ff496d6dd consul: break acl filtering into a separate struct 2015-06-11 12:08:21 -07:00
Ryan Uber 4f9161f485 consul: use anonymous function for acl filtering 2015-06-10 18:43:48 -07:00
Ryan Uber b115047919 consul: filter internal endpoints for acls 2015-06-10 18:40:40 -07:00
Ryan Uber 4f3e661b8c acl: initial pass at service discovery acls 2015-06-10 18:40:09 -07:00
Armon Dadgar 6492f06a3e consul: Provide ETag to avoid expensive policy fetch 2014-08-18 15:46:59 -07:00
Armon Dadgar 17ee7f5057 consul: Starting token enforcement 2014-08-18 15:46:23 -07:00
Armon Dadgar 5561148c8e consul: Prevent resolution of root policy 2014-08-18 15:46:23 -07:00
Armon Dadgar 8c5bb94c74 consul: Resolve parent ACLs 2014-08-18 15:46:23 -07:00
Armon Dadgar 8153537e86 consul: Support management tokens 2014-08-18 15:46:23 -07:00
Armon Dadgar 9e16caa497 consul: Adding some metrics for ACL usage 2014-08-18 15:46:23 -07:00
Armon Dadgar 5da5df716d consul: Create anonymous and master tokens 2014-08-18 15:46:22 -07:00
Armon Dadgar 846cc66e6d consul: Testing ACL resolution 2014-08-18 15:46:22 -07:00
Armon Dadgar 61b80e912c consul: Use Etag for policy caching 2014-08-18 15:46:22 -07:00
Armon Dadgar db8f896c58 consul: Support conditional policy fetch 2014-08-18 15:46:22 -07:00
Armon Dadgar 9a4778b7d3 consul: Enable ACL lookup 2014-08-18 15:46:22 -07:00
Armon Dadgar bd124a8da3 consul: Pulling in ACLs 2014-08-18 15:46:21 -07:00