github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

[NET-5329] use acl templated policy under the hood for node/service identities (#18813)

pull/18816/head
Ronald 1 year ago committed by GitHub
parent
e5808d85f7
commit
802122640b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 42 additions and 42 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      .changelog/18813.txt
  2. 57
      agent/structs/acl.go
  3. 12
      command/acl/token/testdata/FormatTokenExpanded/ce/complex.pretty-meta.golden
  4. 12
      command/acl/token/testdata/FormatTokenExpanded/ce/complex.pretty.golden

3
.changelog/18813.txt
Unescape View File

@ -0,0 +1,3 @@
```release-note:improvement
acl: Use templated policy to generate synthetic policies for tokens/roles with node and/or service identities
```

57
agent/structs/acl.go
Unescape View File

@ -9,11 +9,11 @@ import (
"errors"
"fmt"
"hash"
"hash/fnv"
"sort"
"strings"
"time"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/lib/stringslice"
"golang.org/x/crypto/blake2b"
@ -182,22 +182,20 @@ func (s *ACLServiceIdentity) EstimateSize() int {
}
func (s *ACLServiceIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPolicy {
// use templated policy to generate synthetic policy
templatedPolicy := ACLTemplatedPolicy{
TemplateID: ACLTemplatedPolicyServiceID,
TemplateName: api.ACLTemplatedPolicyServiceName,
Datacenters: s.Datacenters,
TemplateVariables: &ACLTemplatedPolicyVariables{
Name: s.ServiceName,
},
}
// Given that we validate this string name before persisting, we do not
// have to escape it before doing the following interpolation.
rules := aclServiceIdentityRules(s.ServiceName, entMeta)
hasher := fnv.New128a()
hashID := fmt.Sprintf("%x", hasher.Sum([]byte(rules)))
policy := &ACLPolicy{}
policy.ID = hashID
policy.Name = fmt.Sprintf("synthetic-policy-%s", hashID)
sn := NewServiceName(s.ServiceName, entMeta)
policy.Description = fmt.Sprintf("synthetic policy for service identity %q", sn.String())
policy.Rules = rules
policy.Datacenters = s.Datacenters
policy.EnterpriseMeta.Merge(entMeta)
policy.SetHash(true)
// expect any errors from generating the synthetic policy
policy, _ := templatedPolicy.SyntheticPolicy(entMeta)
return policy
}
@ -254,21 +252,20 @@ func (s *ACLNodeIdentity) EstimateSize() int {
}
func (s *ACLNodeIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPolicy {
// use templated policy to generate synthetic policy
templatedPolicy := ACLTemplatedPolicy{
TemplateID: ACLTemplatedPolicyNodeID,
TemplateName: api.ACLTemplatedPolicyNodeName,
Datacenters: []string{s.Datacenter},
TemplateVariables: &ACLTemplatedPolicyVariables{
Name: s.NodeName,
},
}
// Given that we validate this string name before persisting, we do not
// have to escape it before doing the following interpolation.
rules := aclNodeIdentityRules(s.NodeName, entMeta)
hasher := fnv.New128a()
hashID := fmt.Sprintf("%x", hasher.Sum([]byte(rules)))
policy := &ACLPolicy{}
policy.ID = hashID
policy.Name = fmt.Sprintf("synthetic-policy-%s", hashID)
policy.Description = fmt.Sprintf("synthetic policy for node identity %q", s.NodeName)
policy.Rules = rules
policy.Datacenters = []string{s.Datacenter}
policy.EnterpriseMeta.Merge(entMeta)
policy.SetHash(true)
// expect any errors from generating the synthetic policy
policy, _ := templatedPolicy.SyntheticPolicy(entMeta)
return policy
}

12
command/acl/token/testdata/FormatTokenExpanded/ce/complex.pretty-meta.golden vendored
Unescape View File

@ -26,7 +26,7 @@ Policies:
Service Identities:
Name: gardener (Datacenters: middleearth-northwest)
Description: synthetic policy for service identity "gardener"
Description: synthetic policy generated from templated policy: builtin/service
Rules:
service "gardener" {
policy = "write"
@ -43,7 +43,7 @@ Service Identities:
Node Identities:
Name: bagend (Datacenter: middleearth-northwest)
Description: synthetic policy for node identity "bagend"
Description: synthetic policy generated from templated policy: builtin/node
Rules:
node "bagend" {
policy = "write"
@ -96,7 +96,7 @@ Roles:
Service Identities:
Name: foo (Datacenters: middleearth-southwest)
Description: synthetic policy for service identity "foo"
Description: synthetic policy generated from templated policy: builtin/service
Rules:
service "foo" {
policy = "write"
@ -125,7 +125,7 @@ Roles:
Node Identities:
Name: bar (Datacenter: middleearth-southwest)
Description: synthetic policy for node identity "bar"
Description: synthetic policy generated from templated policy: builtin/node
Rules:
node "bar" {
policy = "write"
@ -158,7 +158,7 @@ Namespace Role Defaults:
Service Identities:
Name: web (Datacenters: middleearth-northeast)
Description: synthetic policy for service identity "web"
Description: synthetic policy generated from templated policy: builtin/service
Rules:
service "web" {
policy = "write"
@ -175,7 +175,7 @@ Namespace Role Defaults:
Node Identities:
Name: db (Datacenter: middleearth-northwest)
Description: synthetic policy for node identity "db"
Description: synthetic policy generated from templated policy: builtin/node
Rules:
node "db" {
policy = "write"

12
command/acl/token/testdata/FormatTokenExpanded/ce/complex.pretty.golden vendored
Unescape View File

@ -23,7 +23,7 @@ Policies:
Service Identities:
Name: gardener (Datacenters: middleearth-northwest)
Description: synthetic policy for service identity "gardener"
Description: synthetic policy generated from templated policy: builtin/service
Rules:
service "gardener" {
policy = "write"
@ -40,7 +40,7 @@ Service Identities:
Node Identities:
Name: bagend (Datacenter: middleearth-northwest)
Description: synthetic policy for node identity "bagend"
Description: synthetic policy generated from templated policy: builtin/node
Rules:
node "bagend" {
policy = "write"
@ -93,7 +93,7 @@ Roles:
Service Identities:
Name: foo (Datacenters: middleearth-southwest)
Description: synthetic policy for service identity "foo"
Description: synthetic policy generated from templated policy: builtin/service
Rules:
service "foo" {
policy = "write"
@ -122,7 +122,7 @@ Roles:
Node Identities:
Name: bar (Datacenter: middleearth-southwest)
Description: synthetic policy for node identity "bar"
Description: synthetic policy generated from templated policy: builtin/node
Rules:
node "bar" {
policy = "write"
@ -155,7 +155,7 @@ Namespace Role Defaults:
Service Identities:
Name: web (Datacenters: middleearth-northeast)
Description: synthetic policy for service identity "web"
Description: synthetic policy generated from templated policy: builtin/service
Rules:
service "web" {
policy = "write"
@ -172,7 +172,7 @@ Namespace Role Defaults:
Node Identities:
Name: db (Datacenter: middleearth-northwest)
Description: synthetic policy for node identity "db"
Description: synthetic policy generated from templated policy: builtin/node
Rules:
node "db" {
policy = "write"

Write Preview
Loading…
Cancel
Save