
Add token access to userACL (#4357)
Lisa Kim authored Sep 23, 2020
1 parent 168123b commit b16dff0
Showing 3 changed files with 8 additions and 0 deletions.
3 changes: 3 additions & 0 deletions lib/defaults/defaults.go
Expand Up @@ -249,6 +249,9 @@ const (
// CallbackTimeout is how long to wait for a response from SSO provider
// before timeout.
CallbackTimeout = 180 * time.Second

// NodeJoinTokenTTL is when a token for nodes expires.
NodeJoinTokenTTL = 4 * time.Hour
)

var (
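Review bot: The doc comment on the new constant describes a point in time (`is when a token for nodes expires`) while the value is a duration, and it gives no rationale for the 4-hour window, which matters here because whoever holds a join token can register a node into the cluster until it expires. Suggest `// NodeJoinTokenTTL is the default lifetime of a node join token. Keep it short: the token lets anyone holding it join a node to the cluster until it expires.` If this block already defines a shorter default for CLI-issued provisioning tokens (the `const (` block starts outside the hunk, so I cannot see it), consider aligning the two so that tokens minted through the web UI are not longer-lived than those minted through the CLI.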
4 changes: 4 additions & 0 deletions lib/web/ui/usercontext.go
Expand Up @@ -43,6 +43,8 @@ type userACL struct {
TrustedClusters access `json:"trustedClusters"`
// Events defines access to audit logs
Events access `json:"events"`
// Tokens defines access to creating tokens ie: node join token.
Tokens access `json:"nodeToken"`
// SSH defines access to servers
SSHLogins []string `json:"sshLogins"`
}
Expand Down Expand Up @@ -118,6 +120,7 @@ func NewUserContext(user services.User, userRoles services.RoleSet) (*userContex
trustedClusterAccess := newAccess(userRoles, ctx, services.KindTrustedCluster)
eventAccess := newAccess(userRoles, ctx, services.KindEvent)
userAccess := newAccess(userRoles, ctx, services.KindUser)
tokenAccess := newAccess(userRoles, ctx, services.KindToken)
logins := getLogins(userRoles)

acl := userACL{
Expand All @@ -128,6 +131,7 @@ func NewUserContext(user services.User, userRoles services.RoleSet) (*userContex
Events: eventAccess,
SSHLogins: logins,
Users: userAccess,
Tokens: tokenAccess,
}

// local user
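Review bot: The JSON key `nodeToken` on the new `Tokens` field is narrower than what the field carries: `tokenAccess` is built from `services.KindToken`, so it presumably reflects the user's access to token resources in general rather than node join tokens specifically, and a UI keyed on `nodeToken` may show or hide controls on the wrong basis. Unless the web UI already consumes `nodeToken`, name the key after the field, `Tokens access \`json:"tokens"\``, and reword the comment to `// Tokens defines access to token resources (e.g. creating a node join token).` ("ie:" reads as "that is", but a node join token is an example). Independently of the naming, this ACL only informs what the UI renders; the handler that actually creates tokens must enforce the same rule server-side, since a client can ignore or forge the ACL it was sent. Both `userACL` and `NewUserContext` extend beyond the hunks shown.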
1 change: 1 addition & 0 deletions lib/web/ui/usercontext_test.go
Expand Up @@ -68,6 +68,7 @@ func (s *UserContextSuite) TestNewUserContext(c *check.C) {
c.Assert(userContext.ACL.Sessions, check.DeepEquals, denied)
c.Assert(userContext.ACL.Roles, check.DeepEquals, denied)
c.Assert(userContext.ACL.Users, check.DeepEquals, denied)
c.Assert(userContext.ACL.Tokens, check.DeepEquals, denied)
c.Assert(userContext.ACL.SSHLogins, check.DeepEquals, []string{"a", "b", "d"})

// test local auth type
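Review bot: The added assertion covers only the deny case (a role set with no token rule yields `denied`), so a regression where `tokenAccess` were computed from the wrong resource kind, or left at its zero value, would still pass. Add the positive case alongside it: build a role whose allow rules grant `services.KindToken` and assert that `userContext.ACL.Tokens` reports the granted verbs, mirroring however the other ACL fields are exercised in the rest of `TestNewUserContext`. The test function begins and continues outside the hunk, so the existing allow-case setup (if any) is not visible here.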
