[NET-5329] use acl templated policy under the hood for node/service identities (#18813)

pull/18816/head
Ronald 2023-09-14 14:36:34 -04:00 committed by GitHub
parent e5808d85f7
commit 802122640b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 40 additions and 40 deletions

3
.changelog/18813.txt Normal file

@ -0,0 +1,3 @@
```release-note:improvement
acl: Use templated policy to generate synthetic policies for tokens/roles with node and/or service identities
```


@ -9,11 +9,11 @@ import (
"errors" "errors"
"fmt" "fmt"
"hash" "hash"
"hash/fnv"
"sort" "sort"
"strings" "strings"
"time" "time"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/lib/stringslice" "github.com/hashicorp/consul/lib/stringslice"
"golang.org/x/crypto/blake2b" "golang.org/x/crypto/blake2b"
@ -182,22 +182,20 @@ func (s *ACLServiceIdentity) EstimateSize() int {
} }
func (s *ACLServiceIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPolicy { func (s *ACLServiceIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPolicy {
// use templated policy to generate synthetic policy
templatedPolicy := ACLTemplatedPolicy{
TemplateID: ACLTemplatedPolicyServiceID,
TemplateName: api.ACLTemplatedPolicyServiceName,
Datacenters: s.Datacenters,
TemplateVariables: &ACLTemplatedPolicyVariables{
Name: s.ServiceName,
},
}
// Given that we validate this string name before persisting, we do not // Given that we validate this string name before persisting, we do not
// have to escape it before doing the following interpolation. // expect any errors from generating the synthetic policy
rules := aclServiceIdentityRules(s.ServiceName, entMeta) policy, _ := templatedPolicy.SyntheticPolicy(entMeta)
hasher := fnv.New128a()
hashID := fmt.Sprintf("%x", hasher.Sum([]byte(rules)))
policy := &ACLPolicy{}
policy.ID = hashID
policy.Name = fmt.Sprintf("synthetic-policy-%s", hashID)
sn := NewServiceName(s.ServiceName, entMeta)
policy.Description = fmt.Sprintf("synthetic policy for service identity %q", sn.String())
policy.Rules = rules
policy.Datacenters = s.Datacenters
policy.EnterpriseMeta.Merge(entMeta)
policy.SetHash(true)
return policy return policy
} }
@ -254,21 +252,20 @@ func (s *ACLNodeIdentity) EstimateSize() int {
} }
func (s *ACLNodeIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPolicy { func (s *ACLNodeIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPolicy {
// use templated policy to generate synthetic policy
templatedPolicy := ACLTemplatedPolicy{
TemplateID: ACLTemplatedPolicyNodeID,
TemplateName: api.ACLTemplatedPolicyNodeName,
Datacenters: []string{s.Datacenter},
TemplateVariables: &ACLTemplatedPolicyVariables{
Name: s.NodeName,
},
}
// Given that we validate this string name before persisting, we do not // Given that we validate this string name before persisting, we do not
// have to escape it before doing the following interpolation. // expect any errors from generating the synthetic policy
rules := aclNodeIdentityRules(s.NodeName, entMeta) policy, _ := templatedPolicy.SyntheticPolicy(entMeta)
hasher := fnv.New128a()
hashID := fmt.Sprintf("%x", hasher.Sum([]byte(rules)))
policy := &ACLPolicy{}
policy.ID = hashID
policy.Name = fmt.Sprintf("synthetic-policy-%s", hashID)
policy.Description = fmt.Sprintf("synthetic policy for node identity %q", s.NodeName)
policy.Rules = rules
policy.Datacenters = []string{s.Datacenter}
policy.EnterpriseMeta.Merge(entMeta)
policy.SetHash(true)
return policy return policy
} }
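Review bot: The `policy, _ := templatedPolicy.SyntheticPolicy(entMeta)` line in ACLServiceIdentity.SyntheticPolicy discards the only error this function can observe, and ACLNodeIdentity.SyntheticPolicy in the next hunk does the same; if template rendering ever fails, the method returns whatever the callee hands back on error (presumably a nil *ACLPolicy), and callers assembling an authorizer from an identity's policies would either dereference nil or silently drop that identity's grants. The rewritten comment says errors are not expected because the name is validated before persistence, which is an invariant rather than a guarantee, so an explicit check is worth its two extra lines; since the signature has no error return, a panic is the loud fail-closed choice for a broken invariant, and if callers already tolerate a nil policy a logged nil return is the quieter alternative. Note that `fmt` is still imported after this change, so the formatted message needs nothing new.
```go
	// … unchanged: templatedPolicy construction …
	policy, err := templatedPolicy.SyntheticPolicy(entMeta)
	if err != nil {
		// The identity name was validated before it was persisted, so a
		// rendering failure here is a broken invariant, not bad user input;
		// surface it instead of handing callers a nil *ACLPolicy.
		panic(fmt.Sprintf("rendering synthetic policy for service identity %q: %v", s.ServiceName, err))
	}
	return policy
```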


@ -26,7 +26,7 @@ Policies:
Service Identities: Service Identities:
Name: gardener (Datacenters: middleearth-northwest) Name: gardener (Datacenters: middleearth-northwest)
Description: synthetic policy for service identity "gardener" Description: synthetic policy generated from templated policy: builtin/service
Rules: Rules:
service "gardener" { service "gardener" {
policy = "write" policy = "write"
@ -43,7 +43,7 @@ Service Identities:
Node Identities: Node Identities:
Name: bagend (Datacenter: middleearth-northwest) Name: bagend (Datacenter: middleearth-northwest)
Description: synthetic policy for node identity "bagend" Description: synthetic policy generated from templated policy: builtin/node
Rules: Rules:
node "bagend" { node "bagend" {
policy = "write" policy = "write"
@ -96,7 +96,7 @@ Roles:
Service Identities: Service Identities:
Name: foo (Datacenters: middleearth-southwest) Name: foo (Datacenters: middleearth-southwest)
Description: synthetic policy for service identity "foo" Description: synthetic policy generated from templated policy: builtin/service
Rules: Rules:
service "foo" { service "foo" {
policy = "write" policy = "write"
@ -125,7 +125,7 @@ Roles:
Node Identities: Node Identities:
Name: bar (Datacenter: middleearth-southwest) Name: bar (Datacenter: middleearth-southwest)
Description: synthetic policy for node identity "bar" Description: synthetic policy generated from templated policy: builtin/node
Rules: Rules:
node "bar" { node "bar" {
policy = "write" policy = "write"
@ -158,7 +158,7 @@ Namespace Role Defaults:
Service Identities: Service Identities:
Name: web (Datacenters: middleearth-northeast) Name: web (Datacenters: middleearth-northeast)
Description: synthetic policy for service identity "web" Description: synthetic policy generated from templated policy: builtin/service
Rules: Rules:
service "web" { service "web" {
policy = "write" policy = "write"
@ -175,7 +175,7 @@ Namespace Role Defaults:
Node Identities: Node Identities:
Name: db (Datacenter: middleearth-northwest) Name: db (Datacenter: middleearth-northwest)
Description: synthetic policy for node identity "db" Description: synthetic policy generated from templated policy: builtin/node
Rules: Rules:
node "db" { node "db" {
policy = "write" policy = "write"


@ -23,7 +23,7 @@ Policies:
Service Identities: Service Identities:
Name: gardener (Datacenters: middleearth-northwest) Name: gardener (Datacenters: middleearth-northwest)
Description: synthetic policy for service identity "gardener" Description: synthetic policy generated from templated policy: builtin/service
Rules: Rules:
service "gardener" { service "gardener" {
policy = "write" policy = "write"
@ -40,7 +40,7 @@ Service Identities:
Node Identities: Node Identities:
Name: bagend (Datacenter: middleearth-northwest) Name: bagend (Datacenter: middleearth-northwest)
Description: synthetic policy for node identity "bagend" Description: synthetic policy generated from templated policy: builtin/node
Rules: Rules:
node "bagend" { node "bagend" {
policy = "write" policy = "write"
@ -93,7 +93,7 @@ Roles:
Service Identities: Service Identities:
Name: foo (Datacenters: middleearth-southwest) Name: foo (Datacenters: middleearth-southwest)
Description: synthetic policy for service identity "foo" Description: synthetic policy generated from templated policy: builtin/service
Rules: Rules:
service "foo" { service "foo" {
policy = "write" policy = "write"
@ -122,7 +122,7 @@ Roles:
Node Identities: Node Identities:
Name: bar (Datacenter: middleearth-southwest) Name: bar (Datacenter: middleearth-southwest)
Description: synthetic policy for node identity "bar" Description: synthetic policy generated from templated policy: builtin/node
Rules: Rules:
node "bar" { node "bar" {
policy = "write" policy = "write"
@ -155,7 +155,7 @@ Namespace Role Defaults:
Service Identities: Service Identities:
Name: web (Datacenters: middleearth-northeast) Name: web (Datacenters: middleearth-northeast)
Description: synthetic policy for service identity "web" Description: synthetic policy generated from templated policy: builtin/service
Rules: Rules:
service "web" { service "web" {
policy = "write" policy = "write"
@ -172,7 +172,7 @@ Namespace Role Defaults:
Node Identities: Node Identities:
Name: db (Datacenter: middleearth-northwest) Name: db (Datacenter: middleearth-northwest)
Description: synthetic policy for node identity "db" Description: synthetic policy generated from templated policy: builtin/node
Rules: Rules:
node "db" { node "db" {
policy = "write" policy = "write"