[NET-5329] use acl templated policy under the hood for node/service identities (#18813)
parent
e5808d85f7
commit
802122640b
|
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
acl: Use templated policy to generate synthetic policies for tokens/roles with node and/or service identities
|
||||
```
|
|
@ -9,11 +9,11 @@ import (
|
|||
"errors"
|
||||
"fmt"
|
||||
"hash"
|
||||
"hash/fnv"
|
||||
"sort"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/consul/api"
|
||||
"github.com/hashicorp/consul/lib/stringslice"
|
||||
|
||||
"golang.org/x/crypto/blake2b"
|
||||
|
@ -182,22 +182,20 @@ func (s *ACLServiceIdentity) EstimateSize() int {
|
|||
}
|
||||
|
||||
func (s *ACLServiceIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPolicy {
|
||||
// use templated policy to generate synthetic policy
|
||||
templatedPolicy := ACLTemplatedPolicy{
|
||||
TemplateID: ACLTemplatedPolicyServiceID,
|
||||
TemplateName: api.ACLTemplatedPolicyServiceName,
|
||||
Datacenters: s.Datacenters,
|
||||
TemplateVariables: &ACLTemplatedPolicyVariables{
|
||||
Name: s.ServiceName,
|
||||
},
|
||||
}
|
||||
|
||||
// Given that we validate this string name before persisting, we do not
|
||||
// have to escape it before doing the following interpolation.
|
||||
rules := aclServiceIdentityRules(s.ServiceName, entMeta)
|
||||
// expect any errors from generating the synthetic policy
|
||||
policy, _ := templatedPolicy.SyntheticPolicy(entMeta)
|
||||
|
||||
hasher := fnv.New128a()
|
||||
hashID := fmt.Sprintf("%x", hasher.Sum([]byte(rules)))
|
||||
|
||||
policy := &ACLPolicy{}
|
||||
policy.ID = hashID
|
||||
policy.Name = fmt.Sprintf("synthetic-policy-%s", hashID)
|
||||
sn := NewServiceName(s.ServiceName, entMeta)
|
||||
policy.Description = fmt.Sprintf("synthetic policy for service identity %q", sn.String())
|
||||
policy.Rules = rules
|
||||
policy.Datacenters = s.Datacenters
|
||||
policy.EnterpriseMeta.Merge(entMeta)
|
||||
policy.SetHash(true)
|
||||
return policy
|
||||
}
|
||||
|
||||
|
@ -254,21 +252,20 @@ func (s *ACLNodeIdentity) EstimateSize() int {
|
|||
}
|
||||
|
||||
func (s *ACLNodeIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPolicy {
|
||||
// use templated policy to generate synthetic policy
|
||||
templatedPolicy := ACLTemplatedPolicy{
|
||||
TemplateID: ACLTemplatedPolicyNodeID,
|
||||
TemplateName: api.ACLTemplatedPolicyNodeName,
|
||||
Datacenters: []string{s.Datacenter},
|
||||
TemplateVariables: &ACLTemplatedPolicyVariables{
|
||||
Name: s.NodeName,
|
||||
},
|
||||
}
|
||||
|
||||
// Given that we validate this string name before persisting, we do not
|
||||
// have to escape it before doing the following interpolation.
|
||||
rules := aclNodeIdentityRules(s.NodeName, entMeta)
|
||||
// expect any errors from generating the synthetic policy
|
||||
policy, _ := templatedPolicy.SyntheticPolicy(entMeta)
|
||||
|
||||
hasher := fnv.New128a()
|
||||
hashID := fmt.Sprintf("%x", hasher.Sum([]byte(rules)))
|
||||
|
||||
policy := &ACLPolicy{}
|
||||
policy.ID = hashID
|
||||
policy.Name = fmt.Sprintf("synthetic-policy-%s", hashID)
|
||||
policy.Description = fmt.Sprintf("synthetic policy for node identity %q", s.NodeName)
|
||||
policy.Rules = rules
|
||||
policy.Datacenters = []string{s.Datacenter}
|
||||
policy.EnterpriseMeta.Merge(entMeta)
|
||||
policy.SetHash(true)
|
||||
return policy
|
||||
}
|
||||
|
||||
|
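Review bot: The error returned by `templatedPolicy.SyntheticPolicy(entMeta)` is discarded at the `policy, _ :=` line in both `ACLServiceIdentity.SyntheticPolicy` and `ACLNodeIdentity.SyntheticPolicy`, so on any failure these now return a nil `*ACLPolicy` where the removed code always built a policy; whether callers dereference that nil or silently drop the identity's permissions depends on the resolver, which is not in this diff. The comment `// expect any errors from generating the synthetic policy` also reads as the opposite of what is presumably meant, and the removed "we validate this string name before persisting" comment was the only place that invariant was written down. I would reword it to `// No error is expected here: the identity name was validated before it was persisted, so the template cannot fail to render.` and then make the invariant explicit rather than silent, e.g. `if err != nil { panic(fmt.Errorf("synthetic policy for validated identity %q: %w", s.ServiceName, err)) }` (or, if a crash is unacceptable on this path, a guaranteed non-nil fallback that callers are documented to expect). Separately, the golden files in this commit show the description changing from `synthetic policy for service identity "gardener"` to `synthetic policy generated from templated policy: builtin/service`, which drops the identity name operators previously saw when reading a token; worth confirming that loss is intended.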
|
|
@ -26,7 +26,7 @@ Policies:
|
|||
|
||||
Service Identities:
|
||||
Name: gardener (Datacenters: middleearth-northwest)
|
||||
Description: synthetic policy for service identity "gardener"
|
||||
Description: synthetic policy generated from templated policy: builtin/service
|
||||
Rules:
|
||||
service "gardener" {
|
||||
policy = "write"
|
||||
|
@ -43,7 +43,7 @@ Service Identities:
|
|||
|
||||
Node Identities:
|
||||
Name: bagend (Datacenter: middleearth-northwest)
|
||||
Description: synthetic policy for node identity "bagend"
|
||||
Description: synthetic policy generated from templated policy: builtin/node
|
||||
Rules:
|
||||
node "bagend" {
|
||||
policy = "write"
|
||||
|
@ -96,7 +96,7 @@ Roles:
|
|||
|
||||
Service Identities:
|
||||
Name: foo (Datacenters: middleearth-southwest)
|
||||
Description: synthetic policy for service identity "foo"
|
||||
Description: synthetic policy generated from templated policy: builtin/service
|
||||
Rules:
|
||||
service "foo" {
|
||||
policy = "write"
|
||||
|
@ -125,7 +125,7 @@ Roles:
|
|||
|
||||
Node Identities:
|
||||
Name: bar (Datacenter: middleearth-southwest)
|
||||
Description: synthetic policy for node identity "bar"
|
||||
Description: synthetic policy generated from templated policy: builtin/node
|
||||
Rules:
|
||||
node "bar" {
|
||||
policy = "write"
|
||||
|
@ -158,7 +158,7 @@ Namespace Role Defaults:
|
|||
|
||||
Service Identities:
|
||||
Name: web (Datacenters: middleearth-northeast)
|
||||
Description: synthetic policy for service identity "web"
|
||||
Description: synthetic policy generated from templated policy: builtin/service
|
||||
Rules:
|
||||
service "web" {
|
||||
policy = "write"
|
||||
|
@ -175,7 +175,7 @@ Namespace Role Defaults:
|
|||
|
||||
Node Identities:
|
||||
Name: db (Datacenter: middleearth-northwest)
|
||||
Description: synthetic policy for node identity "db"
|
||||
Description: synthetic policy generated from templated policy: builtin/node
|
||||
Rules:
|
||||
node "db" {
|
||||
policy = "write"
|
||||
|
|
|
@ -23,7 +23,7 @@ Policies:
|
|||
|
||||
Service Identities:
|
||||
Name: gardener (Datacenters: middleearth-northwest)
|
||||
Description: synthetic policy for service identity "gardener"
|
||||
Description: synthetic policy generated from templated policy: builtin/service
|
||||
Rules:
|
||||
service "gardener" {
|
||||
policy = "write"
|
||||
|
@ -40,7 +40,7 @@ Service Identities:
|
|||
|
||||
Node Identities:
|
||||
Name: bagend (Datacenter: middleearth-northwest)
|
||||
Description: synthetic policy for node identity "bagend"
|
||||
Description: synthetic policy generated from templated policy: builtin/node
|
||||
Rules:
|
||||
node "bagend" {
|
||||
policy = "write"
|
||||
|
@ -93,7 +93,7 @@ Roles:
|
|||
|
||||
Service Identities:
|
||||
Name: foo (Datacenters: middleearth-southwest)
|
||||
Description: synthetic policy for service identity "foo"
|
||||
Description: synthetic policy generated from templated policy: builtin/service
|
||||
Rules:
|
||||
service "foo" {
|
||||
policy = "write"
|
||||
|
@ -122,7 +122,7 @@ Roles:
|
|||
|
||||
Node Identities:
|
||||
Name: bar (Datacenter: middleearth-southwest)
|
||||
Description: synthetic policy for node identity "bar"
|
||||
Description: synthetic policy generated from templated policy: builtin/node
|
||||
Rules:
|
||||
node "bar" {
|
||||
policy = "write"
|
||||
|
@ -155,7 +155,7 @@ Namespace Role Defaults:
|
|||
|
||||
Service Identities:
|
||||
Name: web (Datacenters: middleearth-northeast)
|
||||
Description: synthetic policy for service identity "web"
|
||||
Description: synthetic policy generated from templated policy: builtin/service
|
||||
Rules:
|
||||
service "web" {
|
||||
policy = "write"
|
||||
|
@ -172,7 +172,7 @@ Namespace Role Defaults:
|
|||
|
||||
Node Identities:
|
||||
Name: db (Datacenter: middleearth-northwest)
|
||||
Description: synthetic policy for node identity "db"
|
||||
Description: synthetic policy generated from templated policy: builtin/node
|
||||
Rules:
|
||||
node "db" {
|
||||
policy = "write"
|
||||
|
|