e0fddee386
Upcoming work to instrument the rate of RPC requests by consumer (and eventually rate limit) require that we authenticate a RPC request before forwarding. Add a new top-level `Authenticate` method to the server and have it return an `AuthenticatedIdentity` struct. RPC handlers will use the relevant fields of this identity for performing authorization. This changeset includes: * The main implementation of `Authenticate` * Provide a new RPC `ACL.WhoAmI` for debugging authentication. This endpoint returns the same `AuthenticatedIdentity` that will be used by RPC handlers. At some point we might want to give this an equivalent HTTP endpoint but I didn't want to add that to our public API until some of the other Workload Identity work is solidified, especially if we don't need it yet. * A full coverage test of the `Authenticate` method. This sets up two server nodes with mTLS and ACLs, some tokens, and some allocations with workload identities. * Wire up an example of using `Authenticate` in the `Namespace.Upsert` RPC and see how authorization happens after forwarding. * A new semgrep rule for `Authenticate`, which we'll need to update once we're ready to wire up more RPC endpoints with authorization steps.
6 lines
227 B
Plaintext
6 lines
227 B
Plaintext
-----BEGIN EC PRIVATE KEY-----
|
|
MHcCAQEEIBxaGxJxJXnAXVmb8E3ALsWqva9F01R0cr/1Ap75YyeAoAoGCCqGSM49
|
|
AwEHoUQDQgAEXSLJPcA7b9P6y0Ls7zR4997+F3251hwEUn8qR01AEVGjYrAjk/ns
|
|
qaq7P9y/w4k9TvhWaq9/L6id468a0/VWCw==
|
|
-----END EC PRIVATE KEY-----
|