Fix some minor issues.
jjacobson93 committed Jul 31, 2023
1 parent 75552a9 commit 209e57a
Showing 5 changed files with 56 additions and 70 deletions.
2 changes: 1 addition & 1 deletion acl/validation.go
Expand Up @@ -17,7 +17,7 @@ const (
var (
validServiceIdentityName = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$`)
validNodeIdentityName = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$`)
validPolicyName = regexp.MustCompile(`^[A-Za-z0-9\-_]+/?[A-Za-z0-9\-_]*$`)
validPolicyName = regexp.MustCompile(`^[A-Za-z0-9\-_]+\/?[A-Za-z0-9\-_]*$`)
validRoleName = regexp.MustCompile(`^[A-Za-z0-9\-_]{1,256}$`)
validAuthMethodName = regexp.MustCompile(`^[A-Za-z0-9\-_]{1,128}$`)
)
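Review bot: The new `validPolicyName` pattern escapes the slash as `\/`, but `/` is not a metacharacter in Go's RE2 syntax and the literal is a raw string, so the escape changes nothing and reads like a leftover from a `/.../` regex literal in another language; the original `^[A-Za-z0-9\-_]+/?[A-Za-z0-9\-_]*$` is the clearer form. Either way the pattern accepts a single `/` after the first character, so a user-created policy named with the `builtin/` prefix passes this validator; if that prefix is meant to be reserved for the built-in read-only policy named elsewhere in this commit, the reservation has to be enforced by a separate check, which I cannot see here. The enclosing `var (` block continues outside the hunk.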
2 changes: 1 addition & 1 deletion agent/consul/state/acl.go
Expand Up @@ -886,7 +886,7 @@ func aclPolicySetTxn(tx WriteTxn, idx uint64, policy *structs.ACLPolicy) error {
if existing != nil {
if builtinPolicy, ok := structs.ACLBuiltinPolicies[policy.ID]; ok {
// Only the name and description are modifiable
// Here we specifically check that the rules on the global management policy
// Here we specifically check that the rules on the builtin policy
// are identical to the correct policy rules within the binary. This is opposed
// to checking against the current rules to allow us to update the rules during
// upgrades.
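--- a/agent/consul/state/acl_test.go
+++ b/agent/consul/state/acl_test.go
@@ -35,6 +35,12 @@ func setupGlobalManagement(t *testing.T, s *Store) {
 require.NoError(t, s.ACLPolicySet(1, &policy))
 }
 
+func setupBuiltinGlobalReadOnly(t *testing.T, s *Store) {
+policy := structs.ACLBuiltinPolicies[structs.ACLPolicyGlobalReadOnlyID]
+policy.SetHash(true)
+require.NoError(t, s.ACLPolicySet(2, &policy))
+}
+
 func setupAnonymous(t *testing.T, s *Store) {
 token := structs.ACLToken{
 AccessorID: acl.AnonymousTokenID,
@@ -48,6 +54,7 @@ func setupAnonymous(t *testing.T, s *Store) {
 func testACLStateStore(t *testing.T) *Store {
 s := testStateStore(t)
 setupGlobalManagement(t, s)
+setupBuiltinGlobalReadOnly(t, s)
 setupAnonymous(t, s)
 return s
 }
@@ -179,6 +186,7 @@ func TestStateStore_ACLBootstrap(t *testing.T) {
 
 s := testStateStore(t)
 setupGlobalManagement(t, s)
+setupBuiltinGlobalReadOnly(t, s)
 
 canBootstrap, index, err := s.CanBootstrapACLToken()
 require.NoError(t, err)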
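Review bot: Nothing in this section exercises the protection that `aclPolicySetTxn` applies to the new builtin; `setupBuiltinGlobalReadOnly` only seeds the read-only policy at index 2, and no visible test stores `ACLPolicyGlobalReadOnlyID` with altered `Rules` and expects a rejection, although that builtin-policy branch in `agent/consul/state/acl.go` is exactly what this commit touches. A case along the lines of `policy.Rules = "acl = \"write\""` followed by `require.Error(t, s.ACLPolicySet(3, &policy))` would pin the read-only rule set as immutable; it may already exist further down the file, which I cannot see. Minor: the helper duplicates `setupGlobalManagement` apart from the policy ID and index, and a shared `setupBuiltinPolicy(t, s, id, idx)` would keep the two in step as more builtins are added.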
110 changes: 44 additions & 66 deletions agent/structs/acl.go
Expand Up @@ -45,87 +45,65 @@ const (

// This policy gives unlimited access to everything. Users
// may rename if desired but cannot delete or modify the rules.
ACLPolicyGlobalManagementID = "00000000-0000-0000-0000-000000000001"
ACLPolicyGlobalManagementName = "global-management"
ACLPolicyGlobalManagementDesc = "Builtin Policy that grants unlimited access"
ACLPolicyGlobalManagementRules = `
acl = "write"
agent_prefix "" {
policy = "write"
}
event_prefix "" {
policy = "write"
}
key_prefix "" {
policy = "write"
}
keyring = "write"
node_prefix "" {
policy = "write"
}
operator = "write"
mesh = "write"
peering = "write"
query_prefix "" {
policy = "write"
}
service_prefix "" {
policy = "write"
intentions = "write"
}
session_prefix "" {
policy = "write"
}` + EnterpriseACLPolicyGlobalManagement

ACLPolicyGlobalReadOnlyID = "00000000-0000-0000-0000-000000000002"
ACLPolicyGlobalReadOnlyName = "builtin/global-read-only"
ACLPolicyGlobalReadOnlyDesc = "Builtin Policy that grants unlimited read-only access to all components"
ACLPolicyGlobalReadOnlyRules = `
acl = "read"
ACLPolicyGlobalManagementID = "00000000-0000-0000-0000-000000000001"
ACLPolicyGlobalManagementName = "global-management"
ACLPolicyGlobalManagementDesc = "Builtin Policy that grants unlimited access"

ACLPolicyGlobalReadOnlyID = "00000000-0000-0000-0000-000000000002"
ACLPolicyGlobalReadOnlyName = "builtin/global-read-only"
ACLPolicyGlobalReadOnlyDesc = "Builtin Policy that grants unlimited read-only access to all components"

ACLReservedIDPrefix = "00000000-0000-0000-0000-0000000000"

aclPolicyGlobalRulesTemplate = `
acl = "###"
agent_prefix "" {
policy = "read"
policy = "###"
}
event_prefix "" {
policy = "read"
policy = "###"
}
key_prefix "" {
policy = "read"
policy = "###"
}
keyring = "read"
keyring = "###"
node_prefix "" {
policy = "read"
policy = "###"
}
operator = "read"
mesh = "read"
peering = "read"
operator = "###"
mesh = "###"
peering = "###"
query_prefix "" {
policy = "read"
policy = "###"
}
service_prefix "" {
policy = "read"
intentions = "read"
policy = "###"
intentions = "###"
}
session_prefix "" {
policy = "read"
}` + EnterpriseACLPolicyGlobalReadOnly

ACLReservedIDPrefix = "00000000-0000-0000-0000-0000000000"
policy = "###"
}`
)

var ACLBuiltinPolicies = map[string]ACLPolicy{
ACLPolicyGlobalManagementID: {
ID: ACLPolicyGlobalManagementID,
Name: ACLPolicyGlobalManagementName,
Description: ACLPolicyGlobalManagementDesc,
Rules: ACLPolicyGlobalManagementRules,
},
ACLPolicyGlobalReadOnlyID: {
ID: ACLPolicyGlobalReadOnlyID,
Name: ACLPolicyGlobalReadOnlyName,
Description: ACLPolicyGlobalReadOnlyDesc,
Rules: ACLPolicyGlobalReadOnlyRules,
},
}
var (
ACLPolicyGlobalReadOnlyRules = strings.ReplaceAll(aclPolicyGlobalRulesTemplate, "###", "read") + EnterpriseACLPolicyGlobalReadOnly
ACLPolicyGlobalManagementRules = strings.ReplaceAll(aclPolicyGlobalRulesTemplate, "###", "write") + EnterpriseACLPolicyGlobalManagement

ACLBuiltinPolicies = map[string]ACLPolicy{
ACLPolicyGlobalManagementID: {
ID: ACLPolicyGlobalManagementID,
Name: ACLPolicyGlobalManagementName,
Description: ACLPolicyGlobalManagementDesc,
Rules: ACLPolicyGlobalManagementRules,
},
ACLPolicyGlobalReadOnlyID: {
ID: ACLPolicyGlobalReadOnlyID,
Name: ACLPolicyGlobalReadOnlyName,
Description: ACLPolicyGlobalReadOnlyDesc,
Rules: ACLPolicyGlobalReadOnlyRules,
},
}
)

func ACLIDReserved(id string) bool {
return strings.HasPrefix(id, ACLReservedIDPrefix)
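Review bot: `ACLPolicyGlobalReadOnlyRules` and `ACLPolicyGlobalManagementRules` turn from untyped constants into exported package-level `var`s so they can be rendered with `strings.ReplaceAll`, and they now share a `var` block with the mutable `ACLBuiltinPolicies` map; since `aclPolicySetTxn` compares a stored builtin policy's rules against these values to reject edits, any code that reassigns them at runtime silently disables that check, which a `const` could not suffer. A comment above the block would make the contract explicit, e.g. `// Rendered once at package init from aclPolicyGlobalRulesTemplate. Treat as read-only: the state store compares stored builtin policies against these values.` It is also worth a unit test asserting that neither rendered string still contains the `###` placeholder and that each parses, because a typo in the shared template now breaks both builtin policies at once rather than one. The hunk begins inside the `const (` block whose opening line is outside it.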
4 changes: 2 additions & 2 deletions website/content/docs/security/acl/acl-policies.mdx
Expand Up @@ -391,11 +391,11 @@ New installations of Consul ship with the following built-in policies.

### Global Management

The `global-management` policy grants unrestricted privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. You can rename the global management policy, but Consul will prevent you from modifying any other attributes, including the rule set and datacenter scope.
The `global-management` policy grants unrestricted privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. You can rename the global management policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope.

### Global Read-Only

The `builtin/global-read-only` policy grants unrestricted _read-only_ privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000002`. You can rename the global read-only policy, but Consul will prevent you from modifying any other attributes, including the rule set and datacenter scope.
The `builtin/global-read-only` policy grants unrestricted _read-only_ privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000002`. You can rename the global read-only policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope.

### Namespace Management <EnterpriseAlert inline />

