consul/agent/grpc-external/services/connectca
Dan Upton 7c7503c849
grpc/acl: relax permissions required for "core" endpoints (#15346)
Previously, these endpoints required `service:write` permission on _any_
service as a sort of proxy for "is the caller allowed to participate in
the mesh?".

Now, they're called as part of the process of establishing a server
connection by any consumer of the consul-server-connection-manager
library, which will include non-mesh workloads (e.g. Consul KV as a
storage backend for Vault) as well as ancillary components such as
consul-k8s' acl-init process, which likely won't have `service:write`
permission.

So this commit relaxes those requirements to accept *any* valid ACL token
on the following gRPC endpoints:

- `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures`
- `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers`
- `hashicorp.consul.connectca.ConnectCAService/WatchRoots`
2023-01-04 12:40:34 +00:00
..
mock_ACLResolver.go
mock_CAManager.go
server.go
server_test.go Update hcp-scada-provider to fix diamond dependency problem with go-msgpack (#15185) 2022-11-07 11:34:30 -05:00
sign.go Support Stale Queries for Trust Bundle Lookups (#14724) 2022-09-28 09:56:59 -07:00
sign_test.go grpc/acl: relax permissions required for "core" endpoints (#15346) 2023-01-04 12:40:34 +00:00
watch_roots.go grpc/acl: relax permissions required for "core" endpoints (#15346) 2023-01-04 12:40:34 +00:00
watch_roots_test.go grpc/acl: relax permissions required for "core" endpoints (#15346) 2023-01-04 12:40:34 +00:00