acl: default tenancy with the no-auth ACL resolver (#19006)

When using the no-auth acl resolver (the case for most controllers and the get-envoy-boostrap-params endpoint), ResolveTokenAndDefaultMeta
method only returns an acl resolver. However, the resource service relies on the ent meta to be filled in to do the tenancy defaulting and
inheriting it from the token when one is present.

So this change makes sure that the ent meta defaulting always happens in the ACL resolver.
This commit is contained in:
Iryna Shustava 2023-09-26 11:52:53 -06:00 committed by GitHub
parent 06c15d0656
commit d85fc535fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 2 deletions

View File

@ -3,13 +3,17 @@
package resolver package resolver
import "github.com/hashicorp/consul/acl" import (
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/structs"
)
// DANGER_NO_AUTH implements an ACL resolver short-circuit authorization in // DANGER_NO_AUTH implements an ACL resolver short-circuit authorization in
// cases where it is handled somewhere else or expressly not required. // cases where it is handled somewhere else or expressly not required.
type DANGER_NO_AUTH struct{} type DANGER_NO_AUTH struct{}
// ResolveTokenAndDefaultMeta returns an authorizer with unfettered permissions. // ResolveTokenAndDefaultMeta returns an authorizer with unfettered permissions.
func (DANGER_NO_AUTH) ResolveTokenAndDefaultMeta(string, *acl.EnterpriseMeta, *acl.AuthorizerContext) (Result, error) { func (DANGER_NO_AUTH) ResolveTokenAndDefaultMeta(_ string, entMeta *acl.EnterpriseMeta, _ *acl.AuthorizerContext) (Result, error) {
entMeta.Merge(structs.DefaultEnterpriseMetaInDefaultPartition())
return Result{Authorizer: acl.ManageAll()}, nil return Result{Authorizer: acl.ManageAll()}, nil
} }