agent:read acl policy for monitor
parent
f46fd5b3e1
commit
db65b1f4a5
@ -7,7 +7,6 @@ import (
|
|||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/nomad/acl"
|
||||
"github.com/hashicorp/nomad/command/agent/monitor"
|
||||
"github.com/hashicorp/nomad/helper"
|
||||
"github.com/hashicorp/nomad/nomad/structs"
|
||||
|
@ -43,10 +42,10 @@ func (m *Monitor) monitor(conn io.ReadWriteCloser) {
|
|||
}
|
||||
|
||||
// Check acl
|
||||
if aclObj, err := m.c.ResolveToken(args.QueryOptions.AuthToken); err != nil {
|
||||
if aclObj, err := m.c.ResolveToken(args.AuthToken); err != nil {
|
||||
handleStreamResultError(err, helper.Int64ToPtr(403), encoder)
|
||||
return
|
||||
} else if aclObj != nil && !aclObj.AllowNsOp(args.Namespace, acl.NamespaceCapabilityReadFS) {
|
||||
} else if aclObj != nil && !aclObj.AllowAgentRead() {
|
||||
handleStreamResultError(structs.ErrPermissionDenied, helper.Int64ToPtr(403), encoder)
|
||||
return
|
||||
}
|
||||
|
|
|
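Review bot: The client-side check reports a `ResolveToken` failure with the same 403 code as a permission denial (`handleStreamResultError(err, helper.Int64ToPtr(403), encoder)`, the context line right after the new `m.c.ResolveToken(args.AuthToken)` call), whereas the server-side `monitor` touched by this same commit passes `nil` for that branch and reserves 403 for `structs.ErrPermissionDenied`. If token resolution can fail for reasons other than a bad token (a lookup or transport error), labelling it 403 hides the real cause from the operator, and the two endpoints should at least agree on which branch carries the status. The `aclObj != nil` guard admits the request whenever no ACL object comes back, which is worth stating next to `// Check acl`: `// NOTE: a nil aclObj is assumed to mean ACLs are disabled — confirm against ResolveToken`. The enclosing `monitor` begins and ends outside the hunk.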
@ -86,7 +86,6 @@ OUTER:
|
|||
if msg.Error != nil {
|
||||
t.Fatalf("Got error: %v", msg.Error.Error())
|
||||
}
|
||||
|
||||
received += string(msg.Payload)
|
||||
if strings.Contains(received, expected) {
|
||||
require.Nil(p2.Close())
|
||||
|
@ -105,11 +104,16 @@ func TestMonitor_Monitor_ACL(t *testing.T) {
|
|||
defer s.Shutdown()
|
||||
testutil.WaitForLeader(t, s.RPC)
|
||||
|
||||
policyBad := mock.NamespacePolicy("other", "", []string{acl.NamespaceCapabilityReadFS})
|
||||
c, cleanup := TestClient(t, func(c *config.Config) {
|
||||
c.ACLEnabled = true
|
||||
c.Servers = []string{s.GetConfig().RPCAddr.String()}
|
||||
})
|
||||
defer cleanup()
|
||||
|
||||
policyBad := mock.NodePolicy(acl.PolicyDeny)
|
||||
tokenBad := mock.CreatePolicyAndToken(t, s.State(), 1005, "invalid", policyBad)
|
||||
|
||||
policyGood := mock.NamespacePolicy(structs.DefaultNamespace, "",
|
||||
[]string{acl.NamespaceCapabilityReadLogs, acl.NamespaceCapabilityReadFS})
|
||||
policyGood := mock.AgentPolicy(acl.PolicyRead)
|
||||
tokenGood := mock.CreatePolicyAndToken(t, s.State(), 1009, "valid", policyGood)
|
||||
|
||||
cases := []struct {
|
||||
|
@ -145,7 +149,7 @@ func TestMonitor_Monitor_ACL(t *testing.T) {
|
|||
},
|
||||
}
|
||||
|
||||
handler, err := s.StreamingRpcHandler("Agent.Monitor")
|
||||
handler, err := c.StreamingRpcHandler("Agent.Monitor")
|
||||
require.Nil(err)
|
||||
|
||||
// create pipe
|
||||
|
|
|
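Review bot: The negative case in `TestMonitor_Monitor_ACL` got weaker: `policyBad := mock.NodePolicy(acl.PolicyDeny)` would have been refused by the old namespace check as well, so the test no longer shows that a token holding only namespace capabilities is rejected by the new `AllowAgentRead()` rule. The policy this hunk removes as the former `policyGood` — `mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadLogs, acl.NamespaceCapabilityReadFS})` — is the token that used to pass and must now fail, which makes it the most useful `policyBad`. The `cases` table that consumes `tokenBad` and `tokenGood` lies outside the hunk, so its expectations could not be checked here.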
@ -225,7 +225,7 @@ func (s *HTTPServer) AgentMonitor(resp http.ResponseWriter, req *http.Request) (
|
|||
httpPipe.Close()
|
||||
}()
|
||||
|
||||
// Create an ouput that gets flushed on every write
|
||||
// Create an output that gets flushed on every write
|
||||
output := ioutils.NewWriteFlusher(resp)
|
||||
|
||||
// create an error channel to handle errors
|
||||
|
|
|
@ -54,7 +54,7 @@ func (d *Monitor) Start(stopCh <-chan struct{}) <-chan []byte {
|
|||
return logCh
|
||||
}
|
||||
|
||||
// Write attemps to send latest log to logCh
|
||||
// Write attempts to send latest log to logCh
|
||||
// it drops the log if channel is unavailable to receive
|
||||
func (d *Monitor) Write(p []byte) (n int, err error) {
|
||||
d.Lock()
|
||||
|
|
|
@ -9,7 +9,6 @@ import (
|
|||
"strings"
|
||||
|
||||
log "github.com/hashicorp/go-hclog"
|
||||
"github.com/hashicorp/nomad/acl"
|
||||
cstructs "github.com/hashicorp/nomad/client/structs"
|
||||
"github.com/hashicorp/nomad/command/agent/monitor"
|
||||
"github.com/hashicorp/nomad/helper"
|
||||
|
@ -43,8 +42,8 @@ func (m *Monitor) monitor(conn io.ReadWriteCloser) {
|
|||
if aclObj, err := m.srv.ResolveToken(args.AuthToken); err != nil {
|
||||
handleStreamResultError(err, nil, encoder)
|
||||
return
|
||||
} else if aclObj != nil && !aclObj.AllowNsOp(args.Namespace, acl.NamespaceCapabilityReadFS) {
|
||||
handleStreamResultError(structs.ErrPermissionDenied, nil, encoder)
|
||||
} else if aclObj != nil && !aclObj.AllowAgentRead() {
|
||||
handleStreamResultError(structs.ErrPermissionDenied, helper.Int64ToPtr(403), encoder)
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
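Review bot: The two branches of the ACL check now report different status codes: a `ResolveToken` failure still goes out as `handleStreamResultError(err, nil, encoder)` while the new `AllowAgentRead()` denial carries `helper.Int64ToPtr(403)`. The client-side `monitor` in this commit sends 403 for both, so a caller that uses only the status to tell an unknown token from a denied one presumably gets different answers depending on which endpoint served the stream. Either pass the same code in the first branch or add a comment stating which status the caller falls back to when the code is nil, e.g. `// nil code: the handler supplies the default status for a resolution failure`, once that default is confirmed. The enclosing `monitor` starts and ends outside the hunk.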
@ -202,8 +202,7 @@ func TestMonitor_Monitor_ACL(t *testing.T) {
|
|||
policyBad := mock.NamespacePolicy("other", "", []string{acl.NamespaceCapabilityReadFS})
|
||||
tokenBad := mock.CreatePolicyAndToken(t, s.State(), 1005, "invalid", policyBad)
|
||||
|
||||
policyGood := mock.NamespacePolicy(structs.DefaultNamespace, "",
|
||||
[]string{acl.NamespaceCapabilityReadLogs, acl.NamespaceCapabilityReadFS})
|
||||
policyGood := mock.AgentPolicy(acl.PolicyRead)
|
||||
tokenGood := mock.CreatePolicyAndToken(t, s.State(), 1009, "valid", policyGood)
|
||||
|
||||
cases := []struct {
|
||||
|
|
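Review bot: `policyBad` here still grants `acl.NamespaceCapabilityReadFS` on the `other` namespace, a token that was refused under the old `AllowNsOp` check too, so the denied case does not exercise the new agent-scoped rule. The former `policyGood` that this hunk removes — `mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadLogs, acl.NamespaceCapabilityReadFS})` — passed the old check and must now be rejected, which makes it the strongest negative token for this test. The `cases` table that uses `tokenBad` and `tokenGood` is outside the hunk and was not reviewed.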