consul/acl/authorizer_oss.go
Freddy c58f86a00f
Fixup authz for data imported from peers (#15347)
There are a few changes that needed to be made to handle authorizing
reads for imported data:

- If the data was imported from a peer we should not attempt to read the
  data using the traditional authz rules. This is because the name of
  services/nodes in a peer cluster are not equivalent to those of the
  importing cluster.

- If the data was imported from a peer we need to check whether the
  token corresponds to a service, meaning that it has service:write
  permissions, or to a local read only token that can read all
  nodes/services in a namespace.

This required changes at the policyAuthorizer level, since that is the
only view available to OSS Consul, and at the enterprise
partition/namespace level.
2022-11-14 11:36:27 -07:00


//go:build !consulent
// +build !consulent

package acl

// AuthorizerContext contains extra information that can be
// used in the determination of an ACL enforcement decision.
type AuthorizerContext struct {
	// Peer is the name of the peer that the resource was imported from.
	Peer string
}

func (c *AuthorizerContext) PeerOrEmpty() string {
	if c == nil {
		return ""
	}
	return c.Peer
}

// enterpriseAuthorizer stub interface
type enterpriseAuthorizer interface{}

func enforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *AuthorizerContext) (bool, EnforcementDecision, error) {
	return false, Deny, nil
}
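The rule the commit message describes, shown as an added example written for this page rather than code from Consul: a hypothetical, deliberately simplified Policy type (exact-name service rules plus a namespace-wide default standing in for a `service_prefix ""` rule) and a ServiceRead check that branches on AuthorizerContext.Peer. Only AuthorizerContext and PeerOrEmpty mirror the file above; the Policy model, its method names, the peer name "dc2" and the service names are assumptions. The point it demonstrates is that a per-name grant on a local service must not carry over to an imported service of the same name, while a token that writes some service, or one that can read every service in the namespace, may read imported data.

```go
package main

import "fmt"

// EnforcementDecision is the outcome of an ACL check (hypothetical stand-in
// for the Allow/Deny pair used by the real package).
type EnforcementDecision int

const (
	Deny EnforcementDecision = iota
	Allow
)

func (d EnforcementDecision) String() string {
	if d == Allow {
		return "Allow"
	}
	return "Deny"
}

// AuthorizerContext carries the peer a resource was imported from; "" means local.
type AuthorizerContext struct {
	Peer string
}

// PeerOrEmpty is nil-safe so callers can pass nil for local resources.
func (c *AuthorizerContext) PeerOrEmpty() string {
	if c == nil {
		return ""
	}
	return c.Peer
}

// Policy is a hypothetical simplified policy: exact-name service rules plus a
// namespace-wide default. Rule values are "read", "write", "deny" or "" (none).
type Policy struct {
	ServiceRules   map[string]string
	ServiceDefault string
}

// hasServiceWrite reports whether the token can write any service at all; in
// the scheme the commit describes, that marks the token as belonging to a service.
func (p *Policy) hasServiceWrite() bool {
	if p.ServiceDefault == "write" {
		return true
	}
	for _, rule := range p.ServiceRules {
		if rule == "write" {
			return true
		}
	}
	return false
}

// canReadAllServices reports whether a namespace-wide rule grants read on every service.
func (p *Policy) canReadAllServices() bool {
	return p.ServiceDefault == "read" || p.ServiceDefault == "write"
}

// ServiceRead decides a read of service name. A local service is matched by
// name. An imported service is never matched by name, because the peer's "web"
// is not this cluster's "web"; instead the read is allowed only for a token
// that writes some service or one that can already read the whole namespace.
func (p *Policy) ServiceRead(name string, ctx *AuthorizerContext) EnforcementDecision {
	if ctx.PeerOrEmpty() != "" {
		if p.hasServiceWrite() || p.canReadAllServices() {
			return Allow
		}
		return Deny
	}
	if rule, ok := p.ServiceRules[name]; ok {
		if rule == "read" || rule == "write" {
			return Allow
		}
		return Deny
	}
	if p.canReadAllServices() {
		return Allow
	}
	return Deny
}

func main() {
	imported := &AuthorizerContext{Peer: "dc2"} // constructed peer name
	webReader := &Policy{ServiceRules: map[string]string{"web": "read"}}
	apiOwner := &Policy{ServiceRules: map[string]string{"api": "write"}}
	nsReader := &Policy{ServiceDefault: "read"}

	fmt.Println("web reader, local web:    ", webReader.ServiceRead("web", nil))
	fmt.Println("web reader, dc2 web:      ", webReader.ServiceRead("web", imported))
	fmt.Println("api owner, dc2 web:       ", apiOwner.ServiceRead("web", imported))
	fmt.Println("api owner, local web:     ", apiOwner.ServiceRead("web", nil))
	fmt.Println("namespace reader, dc2 web:", nsReader.ServiceRead("web", imported))
}
```

The first two lines of output are the crux: the same token with `service "web" { policy = "read" }` is allowed to read the local "web" but denied the "web" imported from dc2, since nothing ties the peer's service name to the local grant. Conversely the "api" owner, who has no rule for "web" at all, can read the imported one because holding service:write anywhere marks the token as a service's own token.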