Moving shared ACL objects
This commit is contained in:
parent
dc1904b57a
commit
99cea1ac23
13
acl/acl.go
13
acl/acl.go
|
@ -1,9 +1,22 @@
|
|||
package acl
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
iradix "github.com/hashicorp/go-immutable-radix"
|
||||
)
|
||||
|
||||
// ManagementACL is a singleton used for management tokens
|
||||
var ManagementACL *ACL
|
||||
|
||||
func init() {
|
||||
var err error
|
||||
ManagementACL, err = NewACL(true, nil)
|
||||
if err != nil {
|
||||
panic(fmt.Errorf("failed to setup management ACL: %v", err))
|
||||
}
|
||||
}
|
||||
|
||||
// capabilitySet is a type wrapper to help managing a set of capabilities
|
||||
type capabilitySet map[string]struct{}
|
||||
|
||||
|
|
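Review bot: `var ManagementACL *ACL` at the top of acl/acl.go exports a mutable package-level pointer to the authorization singleton, so any package can reassign it with one statement and every later management-token resolution silently uses the replacement; the removed `managementACL` in nomad/acl.go was at least package-private. If the pointer has to be shared across packages, prefer an unexported variable plus an accessor, `func Management() *ACL { return managementACL }`, keeping the init() setup as it is; failing that, extend the comment line `// ManagementACL is a singleton used for management tokens` with `It is set once in init and must never be reassigned or mutated.` The same pointer is handed out by resolveTokenFromSnapshotCache in nomad/acl.go and compared by identity in TestResolveACLToken, so the singleton invariant is load-bearing. The init() presumably relies on `NewACL(true, nil)` accepting a nil policy list; that signature is outside this hunk and cannot be confirmed here.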
22
nomad/acl.go
22
nomad/acl.go
|
@ -3,7 +3,6 @@ package nomad
|
|||
import (
|
||||
"crypto/sha1"
|
||||
"encoding/binary"
|
||||
"errors"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
|
@ -14,23 +13,6 @@ import (
|
|||
"github.com/hashicorp/nomad/nomad/structs"
|
||||
)
|
||||
|
||||
var (
|
||||
// tokenNotFound indicates the Token was not found
|
||||
tokenNotFound = errors.New("ACL token not found")
|
||||
|
||||
// managementACL is used for all management tokens
|
||||
managementACL *acl.ACL
|
||||
)
|
||||
|
||||
func init() {
|
||||
// managementACL has management flag enabled
|
||||
var err error
|
||||
managementACL, err = acl.NewACL(true, nil)
|
||||
if err != nil {
|
||||
panic(fmt.Errorf("failed to setup management ACL: %v", err))
|
||||
}
|
||||
}
|
||||
|
||||
// resolveToken is used to translate an ACL Token Secret ID into
|
||||
// an ACL object, nil if ACLs are disabled, or an error.
|
||||
func (s *Server) resolveToken(secretID string) (*acl.ACL, error) {
|
||||
|
@ -60,12 +42,12 @@ func resolveTokenFromSnapshotCache(snap *state.StateSnapshot, cache *lru.TwoQueu
|
|||
return nil, err
|
||||
}
|
||||
if token == nil {
|
||||
return nil, tokenNotFound
|
||||
return nil, structs.TokenNotFound
|
||||
}
|
||||
|
||||
// Check if this is a management token
|
||||
if token.Type == structs.ACLManagementToken {
|
||||
return managementACL, nil
|
||||
return acl.ManagementACL, nil
|
||||
}
|
||||
|
||||
// Get all associated policies
|
||||
|
|
|
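Review bot: Callers of resolveTokenFromSnapshotCache distinguish an unknown token by identity comparison with `structs.TokenNotFound` (the test asserts `assert.Equal(t, structs.TokenNotFound, err)`), yet nothing in the function's contract states that the sentinel is returned unwrapped, so a later `fmt.Errorf` around it at any layer would turn "unknown token" into a generic failure for every call site. Add to the function's doc comment, which starts outside this hunk, a sentence such as `// An unknown SecretID yields structs.TokenNotFound unwrapped, so callers may compare by identity (or errors.Is on Go 1.13+).` The management branch `return acl.ManagementACL, nil` hands the shared singleton to the caller, and the same comment should say the returned ACL is shared and must be treated as read-only. The enclosing function begins and ends outside the hunk.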
@ -38,7 +38,7 @@ func TestResolveACLToken(t *testing.T) {
|
|||
// Attempt resolution of unknown token. Should fail.
|
||||
randID := structs.GenerateUUID()
|
||||
aclObj, err := resolveTokenFromSnapshotCache(snap, cache, randID)
|
||||
assert.Equal(t, tokenNotFound, err)
|
||||
assert.Equal(t, structs.TokenNotFound, err)
|
||||
assert.Nil(t, aclObj)
|
||||
|
||||
// Attempt resolution of management token. Should get singleton.
|
||||
|
@ -46,7 +46,7 @@ func TestResolveACLToken(t *testing.T) {
|
|||
assert.Nil(t, err)
|
||||
assert.NotNil(t, aclObj)
|
||||
assert.Equal(t, true, aclObj.IsManagement())
|
||||
if aclObj != managementACL {
|
||||
if aclObj != acl.ManagementACL {
|
||||
t.Fatalf("expected singleton")
|
||||
}
|
||||
|
||||
|
|
|
@ -5421,6 +5421,9 @@ type ACLPolicyUpsertRequest struct {
|
|||
WriteRequest
|
||||
}
|
||||
|
||||
// TokenNotFound indicates the Token was not found
|
||||
var TokenNotFound = errors.New("ACL token not found")
|
||||
|
||||
// ACLToken represents a client token which is used to Authenticate
|
||||
type ACLToken struct {
|
||||
AccessorID string // Public Accessor ID (UUID)
|
||||
|
@ -5434,6 +5437,18 @@ type ACLToken struct {
|
|||
ModifyIndex uint64
|
||||
}
|
||||
|
||||
var (
|
||||
// AnonymousACLToken is used no SecretID is provided, and the
|
||||
// request is made anonymously.
|
||||
AnonymousACLToken = &ACLToken{
|
||||
AccessorID: "anonymous",
|
||||
Name: "Anonymous Token",
|
||||
Type: ACLClientToken,
|
||||
Policies: []string{"anonymous"},
|
||||
Global: false,
|
||||
}
|
||||
)
|
||||
|
||||
type ACLTokenListStub struct {
|
||||
AccessorID string
|
||||
Name string
|
||||
|
|
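Review bot: `AnonymousACLToken` is an exported pointer to a struct whose `Policies` field is a slice, so a caller that appends to or reassigns `Policies` on the token it received for an anonymous request changes the policy set for every subsequent anonymous request in the process. Either document this on the var block, `// AnonymousACLToken is shared process-wide and must be treated as immutable; copy it before modifying.`, or expose it through a function that returns a fresh copy. `var TokenNotFound = errors.New("ACL token not found")` is a sentinel error and by Go convention should be named `ErrTokenNotFound`, which also reads more clearly at the call sites in nomad/acl.go and its test. The comment `// AnonymousACLToken is used no SecretID is provided, and the` is missing "when" after "used". The ACLToken struct definition is cut by the hunk boundary.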