WI: allow workloads to use RPCs associated with HTTP API #15870

Merged
merged 26 commits into from
Jan 25, 2023
26 commits
b0ca24a
WI: update ResolveACL to take AuthenticatedIdentity
tgross Jan 25, 2023
2e70f10
WI: allow workloads to use RPCs for Alloc API
tgross Jan 25, 2023
5df83e3
WI: allow workloads to use RPCs for Deployment API
tgross Jan 25, 2023
8573e2e
WI: allow workloads to use RPCs for Eval API
tgross Jan 25, 2023
6e12913
WI: allow workloads to use RPCs for Job API
tgross Jan 25, 2023
d5091f1
WI: allow workloads to use RPCs for Keyring API
tgross Jan 25, 2023
4502120
WI: allow workloads to use RPCs for Namespace API
tgross Jan 25, 2023
772eeb0
WI: allow workloads to use RPCs for System API
tgross Jan 25, 2023
7f88732
WI: allow workloads to use RPCs for Status API
tgross Jan 25, 2023
e6e9194
WI: allow workloads to use RPCs for Search API
tgross Jan 25, 2023
485c8a1
WI: allow workloads to use RPCs for Scaling API
tgross Jan 25, 2023
d2fe7f5
WI: allow workloads to use RPCs for Periodic API
tgross Jan 25, 2023
b7712c0
WI: allow workloads to use RPCs for Operator API
tgross Jan 25, 2023
1bc35c7
WI: allow workloads to use RPCs for Service Registration API
tgross Jan 25, 2023
1c2a98b
WI: allow workloads to use RPCs for CSI API
tgross Jan 25, 2023
fb8c073
WI: allow workloads to use RPCs for Node API
tgross Jan 25, 2023
da91937
update Variables to resolve token, not full ACL, as needed
tgross Jan 25, 2023
4335576
WI: allow workloads to use RPCs for Agent/Client APIs
tgross Jan 25, 2023
7439230
WI: allow workloads to use RPCs for Event API
tgross Jan 25, 2023
18f5cec
changelog entry
tgross Jan 25, 2023
2ebf3d2
update semgrep rule
tgross Jan 25, 2023
92b393b
WI: allow workloads to use RPCs for ACL API
tgross Jan 25, 2023
14e4497
fixup: add docstring to ResolveACL
tgross Jan 25, 2023
0e91875
fixup: panic in GetNode
tgross Jan 25, 2023
dc34917
fixup: better error messages from alloc RPC
tgross Jan 25, 2023
5e4ac0e
fixup: node deregister auth, error message expectations
tgross Jan 25, 2023
3 changes: 3 additions & 0 deletions .changelog/15870.txt
@@ -0,0 +1,3 @@
```release-note:improvement
identity: Allow workloads to use RPCs associated with HTTP API
```
10 changes: 9 additions & 1 deletion .semgrep/rpc_endpoint.yml
@@ -68,8 +68,16 @@ rules:
authErr := $A.$B.Authenticate($A.ctx, args)
...
if authErr != nil {
return authErr
return $C
}
...
- pattern-not-inside: |
authErr := $A.$B.Authenticate(nil, args)
...
if authErr != nil {
return $C
}
...
- metavariable-pattern:
metavariable: $METHOD
patterns:
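Review bot: loosening the guard pattern from `return authErr` to `return $C` means any return statement inside the `if authErr != nil` block now satisfies the rule, including one that drops the authentication error entirely (for example a bare `return nil`). If the intent is only to admit wrapped or translated errors, constrain `$C` (a `metavariable-pattern` on `$C` requiring it to reference `authErr`, or a `pattern-not` for `return nil`) so the lint still catches a handler that swallows the error; the new `pattern-not-inside` for `Authenticate(nil, args)` is a good addition, since it keeps a nil `RPCContext` from counting as a valid authentication call.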
44 changes: 43 additions & 1 deletion nomad/acl.go
@@ -156,7 +156,33 @@ func (s *Server) remoteIPFromRPCContext(ctx *RPCContext) (net.IP, error) {
return nil, structs.ErrPermissionDenied
}

func (s *Server) ResolveACL(aclToken *structs.ACLToken) (*acl.ACL, error) {
// ResolveACL is an authentication wrapper which handles resolving both ACL
// tokens and Workload Identities. If both are provided the ACL token is
// preferred, but it is best for the RPC caller to only include the credentials
// for the identity they intend the operation to be performed with.
func (s *Server) ResolveACL(args structs.RequestWithIdentity) (*acl.ACL, error) {
identity := args.GetIdentity()
if !s.config.ACLEnabled || identity == nil {
return nil, nil
}
aclToken := identity.GetACLToken()
if aclToken != nil {
return s.ResolveACLForToken(aclToken)
}
claims := identity.GetClaims()
if claims != nil {
return s.ResolveClaims(claims)
}
return nil, nil
}

// ResolveACLForToken resolves an ACL from a token only. It should be used only
// by Variables endpoints, which have additional implicit policies for their
// claims so we can't wrap them up in ResolveACL.
//
// TODO: figure out a way to the Variables endpoint implicit policies baked into
// their acl.ACL object so that we can avoid using this method.
func (s *Server) ResolveACLForToken(aclToken *structs.ACLToken) (*acl.ACL, error) {
if !s.config.ACLEnabled {
return nil, nil
}
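Review bot: `ResolveACL` returns `nil, nil` in two different situations: when ACLs are disabled (the `!s.config.ACLEnabled` branch) and when ACLs are enabled but the identity carries neither an ACL token nor claims (the final `return nil, nil`). Callers that read a nil `*acl.ACL` as "ACLs are off" will therefore treat a credential-less request as authorized, so either the enabled-but-unauthenticated case should return `structs.ErrPermissionDenied` (already used a few lines above for the remote-IP check) or the docstring should state that `Authenticate` guarantees one of token or claims is populated before this is called. Minor: the TODO in the `ResolveACLForToken` comment is missing a verb ("figure out a way to get the Variables endpoint implicit policies baked into ...").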
@@ -167,6 +193,22 @@ func (s *Server) ResolveACL(aclToken *structs.ACLToken) (*acl.ACL, error) {
return resolveACLFromToken(snap, s.aclCache, aclToken)
}

// ResolveClientOrACL resolves an ACL if the identity has a token or claim, and
// falls back to verifying the client ID if one has been set
func (s *Server) ResolveClientOrACL(args structs.RequestWithIdentity) (*acl.ACL, error) {
identity := args.GetIdentity()
if !s.config.ACLEnabled || identity == nil || identity.ClientID != "" {
return nil, nil
}
aclObj, err := s.ResolveACL(args)
if err != nil {
return nil, err
}

// Returns either the users aclObj, or nil if ACLs are disabled.
return aclObj, nil
}

// ResolveToken is used to translate an ACL Token Secret ID into
// an ACL object, nil if ACLs are disabled, or an error.
func (s *Server) ResolveToken(secretID string) (*acl.ACL, error) {
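Review bot: the doc comment on `ResolveClientOrACL` says it "falls back to verifying the client ID if one has been set", but the body performs no verification; it short-circuits to `nil, nil` whenever `identity.ClientID != ""`, before looking at a token or claims. If the client ID is trusted because `Authenticate` already validated it (for example via mTLS), say so in the comment, and note the consequence that a request presenting both a client ID and an ACL token is resolved as the client rather than the token. Style: the `if err != nil { return nil, err }` followed by `return aclObj, nil` is equivalent to `return s.ResolveACL(args)`, and "the users aclObj" should read "the user's aclObj".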