Adds an explicit ACL check that will fail vs. trying other DCs.

This commit is contained in:
James Phillips 2015-11-09 20:42:52 -08:00
parent c41a3d6c8d
commit 7ca3f0a466
1 changed files with 6 additions and 1 deletions

View File

@ -292,9 +292,14 @@ func (p *PreparedQuery) execute(query *structs.PreparedQuery,
// the token stored with the query, NOT the passed-in one, which is // the token stored with the query, NOT the passed-in one, which is
// critical to how queries work (the query becomes a proxy for a lookup // critical to how queries work (the query becomes a proxy for a lookup
// using the ACL it was created with). // using the ACL it was created with).
if err := p.srv.filterACL(query.Token, nodes); err != nil { acl, err := p.srv.resolveToken(query.Token)
if err != nil {
return err return err
} }
if acl != nil && !acl.ServiceRead(query.Service.Service) {
p.srv.logger.Printf("[WARN] consul.prepared_query: Execute of prepared query for service '%s' denied due to ACLs", query.Service.Service)
return permissionDeniedErr
}
// Filter out any unhealthy nodes. // Filter out any unhealthy nodes.
nodes = nodes.Filter(query.Service.OnlyPassing) nodes = nodes.Filter(query.Service.OnlyPassing)