Bulk acl message fixup oss #12470
Bulk acl message fixup oss #12470
Conversation
github-actions
bot
added
theme/acls
|
|
||
| // ToAllowAuthorizer is needed until we can use ResolveResult in all the places this interface is used. | ||
| ToAllowAuthorizer() AllowAuthorizer | ||
| } |
There was a problem hiding this comment.
Eventually this will be unified with the ACLResolveResult structure, but want to take that on as a separate line item. #12481
| // AllowAuthorizer is a wrapper to expose the *Allowed methods. | ||
| // This and the ToAllowAuthorizer function exist to tide us over until the ResolveResult struct | ||
| // is moved into acl. | ||
| type AllowAuthorizer struct { |
There was a problem hiding this comment.
Is the gist about this that we only ever make blah(ctx) != Allow conditionals in the code, so unify those behind a better call structure?
There was a problem hiding this comment.
Yes. That is by far the most common pattern we see.
| @@ -161,6 +162,280 @@ type Authorizer interface { | |||
|
|
|||
| // Embedded Interface for Consul Enterprise specific ACL enforcement | |||
| enterpriseAuthorizer | |||
|
|
|||
| // ToAllowAuthorizer is needed until we can use ResolveResult in all the places this interface is used. | |||
| ToAllowAuthorizer() AllowAuthorizer | |||
There was a problem hiding this comment.
Does this need to be a method? Do any of the implementation of this interface do more than &AllowAuthorizer{a}?
If they are all the same there may be a benefit towards just having func acl.NewAllowAuthorizer(Authorizer) instead
There was a problem hiding this comment.
This is a transitional method; in upcoming PRs more functionality will be loaded onto it (in particular capturing authorization source information), but eventually I'd like to move a bunch of stuff into the ACL directory and hopefully remove this entirely.
| } | ||
|
|
||
| // ACLReadAllowed checks for permission to list all the ACLs | ||
| func (a AllowAuthorizer) ACLReadAllowed(ctx *AuthorizerContext) error { |
There was a problem hiding this comment.
Followup: do these even need to be methods, or could they be a suite of package functions with a leading argument Authorizer so your in-endpoint checks would be:
if acl.ACLReadAllowed(authz, ctx) {
...
}
which is terser than what shows up down below.
There was a problem hiding this comment.
I'm curious about this too; it feels like added indirection and I think RB's suggested functions read better
There was a problem hiding this comment.
The intent is to merge AllowAuthorizer and ACLResolveResult from consul/acl.go in a future PR. These would be methods on the joined class
| @@ -220,6 +220,8 @@ func (h *Health) ServiceNodes(args *structs.ServiceSpecificRequest, reply *struc | |||
| // If we're doing a connect or ingress query, we need read access to the service | |||
| // we're trying to find proxies for, so check that. | |||
| if args.Connect || args.Ingress { | |||
| // TODO: ACL Error improvements; can this be improved? What happens if we returned an error here? | |||
| // Is this similar to filters where we might want to return a hint? | |||
| if authz.ServiceRead(args.ServiceName, &authzContext) != acl.Allow { | |||
There was a problem hiding this comment.
The catalog and health endpoints (and parts of agent) expect the filter style of ACL enforcement (200s instead of 403s).
| @@ -464,16 +464,16 @@ func (m *Internal) KeyringOperation( | |||
| } | |||
| switch args.Operation { | |||
| case structs.KeyringList: | |||
| if authz.KeyringRead(nil) != acl.Allow { | |||
| return fmt.Errorf("Reading keyring denied by ACLs") | |||
There was a problem hiding this comment.
For the record this error message is now changing.
| } | ||
| case structs.KeyringInstall: | ||
| fallthrough | ||
| case structs.KeyringUse: | ||
| fallthrough | ||
| case structs.KeyringRemove: | ||
| if authz.KeyringWrite(nil) != acl.Allow { | ||
| return fmt.Errorf("Modifying keyring denied due to ACLs") |
There was a problem hiding this comment.
For the record this error message is now changing.
| @@ -554,57 +554,64 @@ func TestTxn_Apply_ACLDeny(t *testing.T) { | |||
| } | |||
|
|
|||
| // Verify the transaction's return value. | |||
| var expected structs.TxnResponse | |||
| var outPos int | |||
There was a problem hiding this comment.
Can you explain the intent here please?
There was a problem hiding this comment.
The broad purpose here is to perform a slightly stricter test on what we return; in particular make sure we have the right resource and permission information.
The original code attempted to build an identical result to the expected return value from the API call and directly compare them, but that seemed impractical given the new structure. So I altered this into an element by element comparison inline..
| } | ||
|
|
||
| // ACLReadAllowed checks for permission to list all the ACLs | ||
| func (a AllowAuthorizer) ACLReadAllowed(ctx *AuthorizerContext) error { |
There was a problem hiding this comment.
I'm curious about this too; it feels like added indirection and I think RB's suggested functions read better
markan
force-pushed
the
ma/bulk-acl-message-fixup-oss
branch
from
fe459ff to
0b02f5d
Compare
markan
force-pushed
the
ma/bulk-acl-message-fixup-oss
branch
from
3487780 to
4319d80
Compare
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
markan
force-pushed
the
ma/bulk-acl-message-fixup-oss
branch
from
4319d80 to
40ef780
Compare
|
🍒 If backport labels were added before merging, cherry-picking will start automatically. To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/605613. |
This does a bulk conversion for improved Permission Denied errors.
Part of issue #12240
The intent is to incrementally move us towards higher resolution errors. While this is a relatively large PR. This can be read by individual commit, which should hopefully be relatively digestible. I've tried to split commits so semantic changes and mechanical changes are done separately in the hope that it will be easier to review.
There are a few areas we will need to pick up in later issues