mirror of https://github.com/status-im/consul.git
Adds an explicit ACL check that will fail vs. trying other DCs.
parent
c41a3d6c8d
commit
7ca3f0a466
|
@ -292,9 +292,14 @@ func (p *PreparedQuery) execute(query *structs.PreparedQuery,
|
||||||
// the token stored with the query, NOT the passed-in one, which is
|
// the token stored with the query, NOT the passed-in one, which is
|
||||||
// critical to how queries work (the query becomes a proxy for a lookup
|
// critical to how queries work (the query becomes a proxy for a lookup
|
||||||
// using the ACL it was created with).
|
// using the ACL it was created with).
|
||||||
if err := p.srv.filterACL(query.Token, nodes); err != nil {
|
acl, err := p.srv.resolveToken(query.Token)
|
||||||
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
if acl != nil && !acl.ServiceRead(query.Service.Service) {
|
||||||
|
p.srv.logger.Printf("[WARN] consul.prepared_query: Execute of prepared query for service '%s' denied due to ACLs", query.Service.Service)
|
||||||
|
return permissionDeniedErr
|
||||||
|
}
|
||||||
|
|
||||||
// Filter out any unhealthy nodes.
|
// Filter out any unhealthy nodes.
|
||||||
nodes = nodes.Filter(query.Service.OnlyPassing)
|
nodes = nodes.Filter(query.Service.OnlyPassing)
|
||||||
|
|
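Review bot: The explicit `acl.ServiceRead(query.Service.Service)` check replaces `p.srv.filterACL(query.Token, nodes)` instead of running ahead of it, so the returned `nodes` are no longer filtered per result. filterACL's body is not visible on this page, so this matters only if it enforces more than read access on the queried service name; if it does, keep it after the new check as `if err := p.srv.filterACL(query.Token, nodes); err != nil { return err }`. The comment above the check (its opening lines are outside the hunk) appears to still describe filtering with the stored token and should say the request is now refused, e.g. `// Deny execution outright when the query's stored token cannot read the service.` In the warning, `%q` instead of `'%s'` would escape control characters in the service name before it reaches the log. execute starts and ends outside the hunk.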