From d85fc535fb57698226c25a8f3ce25fd294a77204 Mon Sep 17 00:00:00 2001 From: Iryna Shustava Date: Tue, 26 Sep 2023 11:52:53 -0600 Subject: [PATCH] acl: default tenancy with the no-auth ACL resolver (#19006) When using the no-auth acl resolver (the case for most controllers and the get-envoy-boostrap-params endpoint), ResolveTokenAndDefaultMeta method only returns an acl resolver. However, the resource service relies on the ent meta to be filled in to do the tenancy defaulting and inheriting it from the token when one is present. So this change makes sure that the ent meta defaulting always happens in the ACL resolver. --- acl/resolver/danger.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/acl/resolver/danger.go b/acl/resolver/danger.go index c2ae1a3c40..29b4f35ac1 100644 --- a/acl/resolver/danger.go +++ b/acl/resolver/danger.go @@ -3,13 +3,17 @@ package resolver -import "github.com/hashicorp/consul/acl" +import ( + "github.com/hashicorp/consul/acl" + "github.com/hashicorp/consul/agent/structs" +) // DANGER_NO_AUTH implements an ACL resolver short-circuit authorization in // cases where it is handled somewhere else or expressly not required. type DANGER_NO_AUTH struct{} // ResolveTokenAndDefaultMeta returns an authorizer with unfettered permissions. -func (DANGER_NO_AUTH) ResolveTokenAndDefaultMeta(string, *acl.EnterpriseMeta, *acl.AuthorizerContext) (Result, error) { +func (DANGER_NO_AUTH) ResolveTokenAndDefaultMeta(_ string, entMeta *acl.EnterpriseMeta, _ *acl.AuthorizerContext) (Result, error) { + entMeta.Merge(structs.DefaultEnterpriseMetaInDefaultPartition()) return Result{Authorizer: acl.ManageAll()}, nil }