|
|
@ -214,30 +214,10 @@ func (h *Health) ServiceNodes(args *structs.ServiceSpecificRequest, reply *struc |
|
|
|
f = h.serviceNodesDefault |
|
|
|
f = h.serviceNodesDefault |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
authzContext := acl.AuthorizerContext{ |
|
|
|
|
|
|
|
Peer: args.PeerName, |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
authz, err := h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext) |
|
|
|
|
|
|
|
if err != nil { |
|
|
|
|
|
|
|
return err |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil { |
|
|
|
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil { |
|
|
|
return err |
|
|
|
return err |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// If we're doing a connect or ingress query, we need read access to the service
|
|
|
|
|
|
|
|
// we're trying to find proxies for, so check that.
|
|
|
|
|
|
|
|
if args.Connect || args.Ingress { |
|
|
|
|
|
|
|
// TODO(acl-error-enhancements) Look for ways to percolate this information up to give any feedback to the user.
|
|
|
|
|
|
|
|
if authz.ServiceRead(args.ServiceName, &authzContext) != acl.Allow { |
|
|
|
|
|
|
|
// Just return nil, which will return an empty response (tested)
|
|
|
|
|
|
|
|
// We should be careful to set the index to prevent a busy loop from triggering.
|
|
|
|
|
|
|
|
reply.Index = 1 |
|
|
|
|
|
|
|
return nil |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
filter, err := bexpr.CreateFilter(args.Filter, nil, reply.Nodes) |
|
|
|
filter, err := bexpr.CreateFilter(args.Filter, nil, reply.Nodes) |
|
|
|
if err != nil { |
|
|
|
if err != nil { |
|
|
|
return err |
|
|
|
return err |
|
|
@ -259,6 +239,25 @@ func (h *Health) ServiceNodes(args *structs.ServiceSpecificRequest, reply *struc |
|
|
|
return err |
|
|
|
return err |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
authzContext := acl.AuthorizerContext{ |
|
|
|
|
|
|
|
Peer: args.PeerName, |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
authz, err := h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext) |
|
|
|
|
|
|
|
if err != nil { |
|
|
|
|
|
|
|
return err |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// If we're doing a connect or ingress query, we need read access to the service
|
|
|
|
|
|
|
|
// we're trying to find proxies for, so check that.
|
|
|
|
|
|
|
|
if args.Connect || args.Ingress { |
|
|
|
|
|
|
|
// TODO(acl-error-enhancements) Look for ways to percolate this information up to give any feedback to the user.
|
|
|
|
|
|
|
|
if authz.ServiceRead(args.ServiceName, &authzContext) != acl.Allow { |
|
|
|
|
|
|
|
// Return the index here so that the agent cache does not infinitely loop.
|
|
|
|
|
|
|
|
reply.Index = index |
|
|
|
|
|
|
|
return nil |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
resolvedNodes := nodes |
|
|
|
resolvedNodes := nodes |
|
|
|
if args.MergeCentralConfig { |
|
|
|
if args.MergeCentralConfig { |
|
|
|
for _, node := range resolvedNodes { |
|
|
|
for _, node := range resolvedNodes { |
|
|
|