There are a few changes that needed to be made to handle authorizing reads for imported data: - If the data was imported from a peer we should not attempt to read the data using the traditional authz rules. This is because the names of services/nodes in a peer cluster are not equivalent to those of the importing cluster. - If the data was imported from a peer we need to check whether the token corresponds to a service, meaning that it has service:write permissions, or to a local read only token that can read all nodes/services in a namespace. This required changes at the policyAuthorizer level, since that is the only view available to OSS Consul, and at the enterprise partition/namespace level.
package proxycfgglue
import (
"context"
"github.com/hashicorp/consul/agent/structs/aclfilter"
"github.com/hashicorp/go-memdb"
"github.com/hashicorp/consul/agent/cache"
cachetype "github.com/hashicorp/consul/agent/cache-types"
"github.com/hashicorp/consul/agent/consul/watch"
"github.com/hashicorp/consul/agent/proxycfg"
"github.com/hashicorp/consul/agent/structs"
)
// CacheExportedPeeredServices satisfies the proxycfg.ExportedPeeredServices
// interface by sourcing data from the agent cache, keyed by the
// ExportedPeeredServices cache type.
func CacheExportedPeeredServices(c *cache.Cache) proxycfg.ExportedPeeredServices {
	src := &cacheProxyDataSource[*structs.DCSpecificRequest]{c, cachetype.ExportedPeeredServicesName}
	return src
}
// ServerExportedPeeredServices satisfies the proxycfg.ExportedPeeredServices
// interface by sourcing data from a blocking query against the server's state
// store.
func ServerExportedPeeredServices(deps ServerDataSourceDeps) proxycfg.ExportedPeeredServices {
	src := &serverExportedPeeredServices{deps: deps}
	return src
}
// serverExportedPeeredServices is the server-backed implementation of
// proxycfg.ExportedPeeredServices returned by ServerExportedPeeredServices.
type serverExportedPeeredServices struct {
	// deps supplies the state store accessor (GetStore), the ACL resolver and
	// the logger that Notify uses.
	deps ServerDataSourceDeps
}
// Notify implements proxycfg.ExportedPeeredServices by running a server-local
// blocking query for the services exported to every peer and publishing each
// result to ch, tagged with correlationID, until ctx is done.
//
// The request token is resolved inside the query function rather than once up
// front, so every run of the query uses the ACL state current at that time,
// and the assembled result is passed through aclfilter before it is handed to
// the dispatcher.
func (s *serverExportedPeeredServices) Notify(ctx context.Context, req *structs.DCSpecificRequest, correlationID string, ch chan<- proxycfg.UpdateEvent) error {
	query := func(ws memdb.WatchSet, store Store) (uint64, *structs.IndexedExportedServiceList, error) {
		// Resolve the token on each run so that a change to the token or its
		// policies is reflected the next time the query is evaluated.
		authz, err := s.deps.ACLResolver.ResolveTokenAndDefaultMeta(req.Token, &req.EnterpriseMeta, nil)
		if err != nil {
			return 0, nil, err
		}

		idx, services, err := store.ExportedServicesForAllPeersByName(ws, req.Datacenter, req.EnterpriseMeta)
		if err != nil {
			return 0, nil, err
		}

		reply := &structs.IndexedExportedServiceList{Services: services}
		reply.QueryMeta.Backend = structs.QueryBackendBlocking
		reply.QueryMeta.Index = idx

		// Apply the token's ACL filter to the reply before it leaves this
		// function; the unfiltered map never reaches the channel.
		aclfilter.New(authz, s.deps.Logger).Filter(reply)

		return idx, reply, nil
	}

	return watch.ServerLocalNotify(ctx, correlationID, s.deps.GetStore,
		query,
		dispatchBlockingQueryUpdate[*structs.IndexedExportedServiceList](ch),
	)
}