e96c0e1dad
There are a few changes that needed to be made to handle authorizing reads for imported data:

- If the data was imported from a peer we should not attempt to read the data using the traditional authz rules. This is because the names of services/nodes in a peer cluster are not equivalent to those of the importing cluster.
- If the data was imported from a peer we need to check whether the token corresponds to a service, meaning that it has service:write permissions, or to a local read-only token that can read all nodes/services in a namespace.

This required changes at the policyAuthorizer level, since that is the only view available to OSS Consul, and at the enterprise partition/namespace level.
26 lines
628 B
Go
//go:build !consulent
// +build !consulent

package acl

// AuthorizerContext contains extra information that can be
// used in the determination of an ACL enforcement decision.
type AuthorizerContext struct {
	// Peer is the name of the peer that the resource was imported from.
	// It is empty for resources that belong to the local cluster.
	Peer string
}

// PeerOrEmpty returns the name of the peer the resource was imported from,
// or the empty string when the resource is local. It is safe to call on a
// nil context, so callers that have no context can pass nil.
func (c *AuthorizerContext) PeerOrEmpty() string {
	if c == nil {
		return ""
	}
	return c.Peer
}

// enterpriseAuthorizer stub interface
type enterpriseAuthorizer interface{}

// enforceEnterprise is the OSS stub for the enterprise enforcement hook. The
// leading bool reports whether enterprise rules handled the request; OSS has
// none, so it always returns false and the caller falls back to the standard
// policy rules.
func enforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *AuthorizerContext) (bool, EnforcementDecision, error) {
	return false, Deny, nil
}
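The peer-aware read check the commit message describes, written out as an added example. This is not Consul's code: the `Token` type, the `dc2`/`web`/`api` names and the rule that a read-only token must be able to read all nodes *and* all services before it sees imported data are assumptions made for illustration. It shows the failure mode the first bullet guards against: a token granted `service "web" { policy = "read" }` is allowed to read the local `web` but denied the peer's `web`, because the name collision is not an identity match.

```go
package main

import "fmt"

// EnforcementDecision is the outcome of an ACL check (Allow or Deny).
type EnforcementDecision int

const (
	Deny EnforcementDecision = iota
	Allow
)

func (d EnforcementDecision) String() string {
	if d == Allow {
		return "Allow"
	}
	return "Deny"
}

// AuthorizerContext carries the name of the peer a resource was imported
// from; an empty Peer (or a nil context) means the resource is local.
type AuthorizerContext struct {
	Peer string
}

func (c *AuthorizerContext) PeerOrEmpty() string {
	if c == nil {
		return ""
	}
	return c.Peer
}

// Token is a constructed, deliberately small view of a token's effective
// policy (assumption: the real policy model has prefixes, namespaces and
// more resource types than are shown here).
type Token struct {
	ServiceRead    map[string]bool // service "<name>" { policy = "read" }
	ServiceWrite   map[string]bool // service "<name>" { policy = "write" }
	NodeRead       map[string]bool // node "<name>" { policy = "read" }
	ServiceReadAll bool            // service_prefix "" { policy = "read" }
	NodeReadAll    bool            // node_prefix "" { policy = "read" }
}

// ServiceWriteAny reports whether the token has service:write on anything,
// which is how a token is recognised as belonging to a service.
func (t Token) ServiceWriteAny() bool {
	for _, ok := range t.ServiceWrite {
		if ok {
			return true
		}
	}
	return false
}

// importedReadDecision is the rule shared by node and service reads once the
// data is known to come from a peer. The resource name is intentionally not
// an input: it names something in the peer cluster, so a local grant on the
// same name must not be honoured. (Assumption: a read-only token qualifies
// only if it can read every node and every service.)
func importedReadDecision(t Token) EnforcementDecision {
	if t.ServiceWriteAny() || (t.ServiceReadAll && t.NodeReadAll) {
		return Allow
	}
	return Deny
}

// ServiceReadDecision authorizes a read of service `name`, switching on
// whether the entry was imported from a peer.
func ServiceReadDecision(t Token, name string, ctx *AuthorizerContext) EnforcementDecision {
	if ctx.PeerOrEmpty() != "" {
		return importedReadDecision(t)
	}
	if t.ServiceReadAll || t.ServiceRead[name] || t.ServiceWrite[name] {
		return Allow
	}
	return Deny
}

// NodeReadDecision is the node-level counterpart of ServiceReadDecision.
func NodeReadDecision(t Token, name string, ctx *AuthorizerContext) EnforcementDecision {
	if ctx.PeerOrEmpty() != "" {
		return importedReadDecision(t)
	}
	if t.NodeReadAll || t.NodeRead[name] {
		return Allow
	}
	return Deny
}

func main() {
	// Constructed tokens: a per-service reader, a service identity, and a
	// read-only token that can see every node and service.
	webReader := Token{ServiceRead: map[string]bool{"web": true}}
	apiIdentity := Token{ServiceWrite: map[string]bool{"api": true}}
	readAll := Token{ServiceReadAll: true, NodeReadAll: true}

	local := (*AuthorizerContext)(nil)
	fromPeer := &AuthorizerContext{Peer: "dc2"} // constructed peer name

	// "web" exists both locally and in the peer; only the local entry is
	// covered by the per-service grant.
	fmt.Println("webReader   local web:  ", ServiceReadDecision(webReader, "web", local))
	fmt.Println("webReader   dc2 web:    ", ServiceReadDecision(webReader, "web", fromPeer))
	fmt.Println("apiIdentity local web:  ", ServiceReadDecision(apiIdentity, "web", local))
	fmt.Println("apiIdentity dc2 web:    ", ServiceReadDecision(apiIdentity, "web", fromPeer))
	fmt.Println("readAll     dc2 node n1:", NodeReadDecision(readAll, "n1", fromPeer))
}
```

The interesting asymmetry is the service identity: `apiIdentity` cannot read the local `web` (no grant on that name) but can read the peer's `web`, because for imported data the question is no longer "does this token cover this name" but "is this caller a service or a cluster-wide reader at all".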