open-consul/agent/proxycfg-glue
Freddy e96c0e1dad
Fixup authz for data imported from peers (#15347)
There are a few changes that needed to be made to handle authorizing
reads for imported data:

- If the data was imported from a peer we should not attempt to read the
  data using the traditional authz rules. This is because the names of
  services/nodes in a peer cluster are not equivalent to those of the
  importing cluster.

- If the data was imported from a peer we need to check whether the
  token corresponds to a service, meaning that it has service:write
  permissions, or to a local read-only token that can read all
  nodes/services in a namespace.

This required changes at the policyAuthorizer level, since that is the
only view available to OSS Consul, and at the enterprise
partition/namespace level.
2022-11-14 11:36:27 -07:00
..
config_entry.go proxycfg: watch service-defaults config entries (#15025) 2022-10-24 12:50:28 -06:00
config_entry_test.go proxycfg: server-local config entry data sources 2022-07-04 10:48:36 +01:00
discovery_chain.go proxycfg-glue: server-local compiled discovery chain data source 2022-07-14 18:22:12 +01:00
discovery_chain_test.go proxycfg-glue: server-local compiled discovery chain data source 2022-07-14 18:22:12 +01:00
exported_peered_services.go Fixup authz for data imported from peers (#15347) 2022-11-14 11:36:27 -07:00
exported_peered_services_test.go Prevent consul peer-exports by discovery chain. 2022-10-13 12:45:09 -05:00
federation_state_list_mesh_gateways.go proxycfg-glue: server-local implementation of `FederationStateListMeshGateways` 2022-07-14 18:22:12 +01:00
federation_state_list_mesh_gateways_test.go proxycfg-glue: server-local implementation of `FederationStateListMeshGateways` 2022-07-14 18:22:12 +01:00
gateway_services.go proxycfg-glue: server-local implementation of `GatewayServices` 2022-07-14 18:22:12 +01:00
gateway_services_test.go proxycfg-glue: server-local implementation of `GatewayServices` 2022-07-14 18:22:12 +01:00
glue.go Prevent consul peer-exports by discovery chain. 2022-10-13 12:45:09 -05:00
health.go proxycfg-glue: server-local implementation of the `Health` interface 2022-07-14 18:22:12 +01:00
health_test.go proxycfg-glue: server-local implementation of the `Health` interface 2022-07-14 18:22:12 +01:00
helpers_test.go proxycfg-glue: server-local implementation of `ExportedPeeredServices` 2022-07-22 15:23:23 +01:00
intention_upstreams.go proxycfg-glue: server-local implementation of IntentionUpstreamsDestination 2022-09-06 23:27:25 +01:00
intention_upstreams_test.go proxycfg-glue: server-local compiled discovery chain data source 2022-07-14 18:22:12 +01:00
intentions.go proxycfg: terminate stream on irrecoverable errors 2022-08-23 20:17:49 +01:00
intentions_ent_test.go proxycfg-glue: server-local compiled discovery chain data source 2022-07-14 18:22:12 +01:00
intentions_oss.go proxycfg: server-local intentions data source 2022-07-04 10:48:36 +01:00
intentions_test.go feat: xDS updates for peerings control plane through mesh gw 2022-10-07 08:46:42 -06:00
internal_service_dump.go Fixup authz for data imported from peers (#15347) 2022-11-14 11:36:27 -07:00
internal_service_dump_test.go proxycfg-glue: server-local implementation of InternalServiceDump 2022-09-06 23:27:25 +01:00
peered_upstreams.go sync more acl enforcement 2022-07-28 12:01:52 -07:00
peered_upstreams_test.go sync more acl enforcement 2022-07-28 12:01:52 -07:00
peering_list.go feat: xDS updates for peerings control plane through mesh gw 2022-10-07 08:46:42 -06:00
peering_list_test.go feat: xDS updates for peerings control plane through mesh gw 2022-10-07 08:46:42 -06:00
resolved_service_config.go proxycfg-glue: server-local implementation of ResolvedServiceConfig 2022-09-06 23:27:25 +01:00
resolved_service_config_test.go proxycfg-glue: server-local implementation of ResolvedServiceConfig 2022-09-06 23:27:25 +01:00
service_http_checks.go Service http checks data source for agentless proxies (#14924) 2022-10-12 07:49:56 -07:00
service_http_checks_test.go Service http checks data source for agentless proxies (#14924) 2022-10-12 07:49:56 -07:00
service_list.go proxycfg-glue: server-local implementation of `ServiceList` 2022-07-14 18:22:12 +01:00
service_list_test.go proxycfg-glue: server-local implementation of `ServiceList` 2022-07-14 18:22:12 +01:00
trust_bundle.go sync more acl enforcement 2022-07-28 12:01:52 -07:00
trust_bundle_test.go fix: persist peering CA updates to dialing clusters (#15243) 2022-11-04 12:53:20 -04:00