|
|
@ -214,30 +214,10 @@ func (h *Health) ServiceNodes(args *structs.ServiceSpecificRequest, reply *struc
|
|
|
|
f = h.serviceNodesDefault
|
|
|
|
f = h.serviceNodesDefault
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
authzContext := acl.AuthorizerContext{
|
|
|
|
|
|
|
|
Peer: args.PeerName,
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
authz, err := h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
|
|
return err
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
|
|
|
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
|
|
|
return err
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// If we're doing a connect or ingress query, we need read access to the service
|
|
|
|
|
|
|
|
// we're trying to find proxies for, so check that.
|
|
|
|
|
|
|
|
if args.Connect || args.Ingress {
|
|
|
|
|
|
|
|
// TODO(acl-error-enhancements) Look for ways to percolate this information up to give any feedback to the user.
|
|
|
|
|
|
|
|
if authz.ServiceRead(args.ServiceName, &authzContext) != acl.Allow {
|
|
|
|
|
|
|
|
// Just return nil, which will return an empty response (tested)
|
|
|
|
|
|
|
|
// We should be careful to set the index to prevent a busy loop from triggering.
|
|
|
|
|
|
|
|
reply.Index = 1
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
filter, err := bexpr.CreateFilter(args.Filter, nil, reply.Nodes)
|
|
|
|
filter, err := bexpr.CreateFilter(args.Filter, nil, reply.Nodes)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return err
|
|
|
@ -259,6 +239,25 @@ func (h *Health) ServiceNodes(args *structs.ServiceSpecificRequest, reply *struc
|
|
|
|
return err
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
authzContext := acl.AuthorizerContext{
|
|
|
|
|
|
|
|
Peer: args.PeerName,
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
authz, err := h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
|
|
return err
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// If we're doing a connect or ingress query, we need read access to the service
|
|
|
|
|
|
|
|
// we're trying to find proxies for, so check that.
|
|
|
|
|
|
|
|
if args.Connect || args.Ingress {
|
|
|
|
|
|
|
|
// TODO(acl-error-enhancements) Look for ways to percolate this information up to give any feedback to the user.
|
|
|
|
|
|
|
|
if authz.ServiceRead(args.ServiceName, &authzContext) != acl.Allow {
|
|
|
|
|
|
|
|
// Return the index here so that the agent cache does not infinitely loop.
|
|
|
|
|
|
|
|
reply.Index = index
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
resolvedNodes := nodes
|
|
|
|
resolvedNodes := nodes
|
|
|
|
if args.MergeCentralConfig {
|
|
|
|
if args.MergeCentralConfig {
|
|
|
|
for _, node := range resolvedNodes {
|
|
|
|
for _, node := range resolvedNodes {
|
|
|
|
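Review bot: On the deny branch of the second hunk, `reply.Index = index` now returns what looks like the live index of the queried service to a caller that has just failed `authz.ServiceRead`, where the removed code returned the constant `1`. `index` is defined outside the visible lines, so this is inferred. If it comes from the state-store lookup, a token without read access on the service could still tell when that service changes by watching the index move across blocking queries. The token resolution and `ServiceRead` check also appear to run after that lookup rather than before it, so the query work is done for callers who are then denied. If that trade-off is intended to stop the agent cache looping, say so at the assignment, for example `// Deliberately exposes the index on deny: a token without service read can see that the service changed, but never its nodes.`, and add a test asserting that a denied Connect or Ingress query returns an empty node list. ServiceNodes starts and ends outside both hunks, so the origin of `index` and `nodes` should be confirmed against the full function.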