open-consul/agent/grpc-external/services/serverdiscovery
Dan Upton 4719b717ea
grpc/acl: relax permissions required for "core" endpoints (#15346)
Previously, these endpoints required `service:write` permission on _any_
service as a sort of proxy for "is the caller allowed to participate in
the mesh?".

Now, they're called as part of the process of establishing a server
connection by any consumer of the consul-server-connection-manager
library, which will include non-mesh workloads (e.g. Consul KV as a
storage backend for Vault) as well as ancillary components such as
consul-k8s' acl-init process, which likely won't have `service:write`
permission.

So this commit relaxes those requirements to accept *any* valid ACL token
on the following gRPC endpoints:

- `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures`
- `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers`
- `hashicorp.consul.connectca.ConnectCAService/WatchRoots`
2023-01-04 12:40:34 +00:00
..
mock_ACLResolver.go grpc: rename public/private directories to external/internal (#13721) 2022-07-13 16:33:48 +01:00
server.go grpc: rename public/private directories to external/internal (#13721) 2022-07-13 16:33:48 +01:00
server_test.go Update hcp-scada-provider to fix diamond dependency problem with go-msgpack (#15185) 2022-11-07 11:34:30 -05:00
watch_servers.go grpc/acl: relax permissions required for "core" endpoints (#15346) 2023-01-04 12:40:34 +00:00
watch_servers_test.go grpc/acl: relax permissions required for "core" endpoints (#15346) 2023-01-04 12:40:34 +00:00