mirror of https://github.com/hashicorp/consul
c58f86a00f
There are a few changes that needed to be made to to handle authorizing reads for imported data: - If the data was imported from a peer we should not attempt to read the data using the traditional authz rules. This is because the name of services/nodes in a peer cluster are not equivalent to those of the importing cluster. - If the data was imported from a peer we need to check whether the token corresponds to a service, meaning that it has service:write permissions, or to a local read only token that can read all nodes/services in a namespace. This required changes at the policyAuthorizer level, since that is the only view available to OSS Consul, and at the enterprise partition/namespace level. |
||
|---|---|---|
| .. | ||
| config_entry.go | ||
| config_entry_test.go | ||
| discovery_chain.go | ||
| discovery_chain_test.go | ||
| exported_peered_services.go | ||
| exported_peered_services_test.go | ||
| federation_state_list_mesh_gateways.go | ||
| federation_state_list_mesh_gateways_test.go | ||
| gateway_services.go | ||
| gateway_services_test.go | ||
| glue.go | ||
| health.go | ||
| health_test.go | ||
| helpers_test.go | ||
| intention_upstreams.go | ||
| intention_upstreams_test.go | ||
| intentions.go | ||
| intentions_ent_test.go | ||
| intentions_oss.go | ||
| intentions_test.go | ||
| internal_service_dump.go | ||
| internal_service_dump_test.go | ||
| peered_upstreams.go | ||
| peered_upstreams_test.go | ||
| peering_list.go | ||
| peering_list_test.go | ||
| resolved_service_config.go | ||
| resolved_service_config_test.go | ||
| service_http_checks.go | ||
| service_http_checks_test.go | ||
| service_list.go | ||
| service_list_test.go | ||
| trust_bundle.go | ||
| trust_bundle_test.go | ||