-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Skip unneeded resolve role #22597
Skip unneeded resolve role #22597
Changes from 6 commits
fd38356
4b1c5cd
105954e
d890ed4
e59b252
e4a58f6
19d4707
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
```release-note:bug | ||
core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. | ||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1485,7 +1485,8 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re | |
|
||
// Check for request role in context to role based quotas | ||
var role string | ||
if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil { | ||
reqRole := ctx.Value(logical.CtxKeyRequestRole{}) | ||
if reqRole != nil { | ||
role = reqRole.(string) | ||
} | ||
|
||
|
@@ -1686,6 +1687,13 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re | |
// Attach the display name, might be used by audit backends | ||
req.DisplayName = auth.DisplayName | ||
|
||
// If this is not a role-based quota, we still need to associate the | ||
// login role with this lease for later lease-count quotas to be | ||
// accurate. | ||
if reqRole == nil && resp.Auth.TokenType != logical.TokenTypeBatch { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is this how we determine if a request generates a lease? just make sure it's not a batch token? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, for login requests. In general it's more complicated. |
||
role = c.DetermineRoleFromLoginRequest(ctx, req.MountPoint, req.Data) | ||
} | ||
|
||
leaseGen, respTokenCreate, errCreateToken := c.LoginCreateToken(ctx, ns, req.Path, source, role, resp) | ||
leaseGenerated = leaseGen | ||
if errCreateToken != nil { | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this used anywhere upstream? We are changing the request downstream and I am wondering what effect could it have for the upstream caller?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good thought. Note that this is specifically for the
quotas.Request
, so I don't think it will have any outside impacts (this is just used internally to query memdb). This is consistent with the way its done for other queries if you look atqueryQuota
.