consul/agent/structs/acl_oss.go
Mark Anderson a89ffba2d4
Cross port of ent #1383 (#11726)
Cross port of ent #1383 "Reject non-default datacenter when making partitioned ACLs"

On the OSS side this is a minor refactor to add some more checks that are only applicable to enterprise code.

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-12-03 10:20:25 -08:00

101 lines
2.3 KiB
Go

//go:build !consulent
// +build !consulent
package structs
import (
"fmt"
"github.com/hashicorp/consul/acl"
)
const (
EnterpriseACLPolicyGlobalManagement = ""
// aclPolicyTemplateServiceIdentity is the template used for synthesizing
// policies for service identities.
aclPolicyTemplateServiceIdentity = `
service "%[1]s" {
policy = "write"
}
service "%[1]s-sidecar-proxy" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}`
// A typical Consul node requires two permissions for itself.
// node:write
// - register itself in the catalog
// - update its network coordinates
// - potentially used to delete services during anti-entropy
// service:read
// - used during anti-entropy to discover all services that
// are registered to the node. That way the node can diff
// its local state against an accurate depiction of the
// remote state.
aclPolicyTemplateNodeIdentity = `
node "%[1]s" {
policy = "write"
}
service_prefix "" {
policy = "read"
}`
)
type ACLAuthMethodEnterpriseFields struct{}
type ACLAuthMethodEnterpriseMeta struct{}
func (_ *ACLAuthMethodEnterpriseMeta) FillWithEnterpriseMeta(_ *EnterpriseMeta) {
// do nothing
}
func (_ *ACLAuthMethodEnterpriseMeta) ToEnterpriseMeta() *EnterpriseMeta {
return DefaultEnterpriseMetaInDefaultPartition()
}
func aclServiceIdentityRules(svc string, _ *EnterpriseMeta) string {
return fmt.Sprintf(aclPolicyTemplateServiceIdentity, svc)
}
func aclNodeIdentityRules(node string, _ *EnterpriseMeta) string {
return fmt.Sprintf(aclPolicyTemplateNodeIdentity, node)
}
func (p *ACLPolicy) EnterprisePolicyMeta() *acl.EnterprisePolicyMeta {
return nil
}
func (t *ACLToken) NodeIdentityList() []*ACLNodeIdentity {
if len(t.NodeIdentities) == 0 {
return nil
}
out := make([]*ACLNodeIdentity, 0, len(t.NodeIdentities))
for _, n := range t.NodeIdentities {
out = append(out, n.Clone())
}
return out
}
func (r *ACLRole) NodeIdentityList() []*ACLNodeIdentity {
if len(r.NodeIdentities) == 0 {
return nil
}
out := make([]*ACLNodeIdentity, 0, len(r.NodeIdentities))
for _, n := range r.NodeIdentities {
out = append(out, n.Clone())
}
return out
}
func IsValidPartitionAndDatacenter(meta EnterpriseMeta, datacenters []string, primaryDatacenter string) bool {
return true
}