Allow querying self token
This PR allows querying self ACL token when the SecretID is for the AccessorID in question.
This commit is contained in:
parent
e8629773a2
commit
14e6026938
|
@ -622,11 +622,9 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
|
|||
}
|
||||
defer metrics.MeasureSince([]string{"nomad", "acl", "get_token"}, time.Now())
|
||||
|
||||
// Check management level permissions
|
||||
if acl, err := a.srv.resolveToken(args.SecretID); err != nil {
|
||||
acl, err := a.srv.resolveToken(args.SecretID)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if acl == nil || !acl.IsManagement() {
|
||||
return structs.ErrPermissionDenied
|
||||
}
|
||||
|
||||
// Setup the blocking query
|
||||
|
@ -640,6 +638,14 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
|
|||
return err
|
||||
}
|
||||
|
||||
// Check management level permissions or that the secret ID matches the
|
||||
// accessor ID
|
||||
if acl != nil && out != nil {
|
||||
if !acl.IsManagement() && out.SecretID != args.SecretID {
|
||||
return structs.ErrPermissionDenied
|
||||
}
|
||||
}
|
||||
|
||||
// Setup the output
|
||||
reply.Token = out
|
||||
if out != nil {
|
||||
|
|
|
@ -509,6 +509,16 @@ func TestACLEndpoint_GetToken(t *testing.T) {
|
|||
}
|
||||
assert.Equal(t, uint64(1000), resp.Index)
|
||||
assert.Nil(t, resp.Token)
|
||||
|
||||
// Lookup the token by accessor id using the tokens secret ID
|
||||
get.AccessorID = token.AccessorID
|
||||
get.SecretID = token.SecretID
|
||||
var resp2 structs.SingleACLTokenResponse
|
||||
if err := msgpackrpc.CallWithCodec(codec, "ACL.GetToken", get, &resp2); err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
assert.Equal(t, uint64(1000), resp2.Index)
|
||||
assert.Equal(t, token, resp2.Token)
|
||||
}
|
||||
|
||||
func TestACLEndpoint_GetToken_Blocking(t *testing.T) {
|
||||
|
|
|
@ -241,7 +241,7 @@ The table below shows this endpoint's support for
|
|||
|
||||
| Blocking Queries | Consistency Modes | ACL Required |
|
||||
| ---------------- | ----------------- | ------------ |
|
||||
| `YES` | `all` | `management` |
|
||||
| `YES` | `all` | `management` for query other tokens<br>Matching SecretID to AccessorID for querying self |
|
||||
|
||||
### Sample Request
|
||||
|
||||
|
|
Loading…
Reference in a new issue