mirror of https://github.com/hashicorp/consul
26 lines
1.1 KiB
Markdown
26 lines
1.1 KiB
Markdown
|
# xDS Server
|
||
|
|
||
|
The xDS Server is a gRPC service that implements [xDS] and handles requests from
|
||
|
an [envoy proxy].
|
||
|
|
||
|
[xDS]: https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol
|
||
|
[envoy proxy]: https://www.consul.io/docs/connect/proxies/envoy
|
||
|
|
||
|
|
||
|
## Authorization
|
||
|
|
||
|
Requests to the xDS server are authorized based on an assumption of how
|
||
|
`proxycfg.ConfigSnapshot` are constructed. Most interfaces (HTTP, DNS, RPC)
|
||
|
authorize requests by authorizing the data in the response, or by filtering
|
||
|
out data that the requester is not authorized to view. The xDS server authorizes
|
||
|
requests by looking at the proxy ID in the request and ensuring the ACL token has
|
||
|
`service:write` access to either the destination service (for kind=ConnectProxy), or
|
||
|
the gateway service (for other kinds).
|
||
|
|
||
|
This authorization strategy requires that [agent/proxycfg] only fetches data using a
|
||
|
token with the same permissions, and that it only stores data by proxy ID. We assume
|
||
|
that any data in the snapshot was already filtered, which allows this authorization to
|
||
|
only perform a shallow check against the proxy ID.
|
||
|
|
||
|
[agent/proxycfg]: https://github.com/hashicorp/consul/blob/main/agent/proxycfg
|