Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

acl: adding Roles to Tokens #5514

Merged
merged 2 commits into from
Apr 15, 2019
Merged

acl: adding Roles to Tokens #5514

merged 2 commits into from
Apr 15, 2019

Conversation

rboyer
Copy link
Member

@rboyer rboyer commented Mar 19, 2019

Parent PR: #5390
Note: this is merging into a long lived feature branch, not master. Future PRs in this series may adjust the contents here slightly as needed. These are separated out for digestibility.

Roles are named and can express the same bundle of permissions that can
currently be assigned to a Token (lists of Policies and Service
Identities). The difference with a Role is that it not itself a bearer
token, but just another entity that can be tied to a Token.

This lets an operator potentially curate a set of smaller reusable
Policies and compose them together into reusable Roles, rather than
always exploding that same list of Policies on any Token that needs
similar permissions.

This also refactors the acl replication code to be semi-generic to avoid
3x copypasta.

@rboyer rboyer added the theme/acls ACL and token generation label Mar 19, 2019
@rboyer rboyer requested review from a team and mkeeler March 19, 2019 18:06
mkeeler
mkeeler reviewed Mar 26, 2019
View reviewed changes
Copy link
Member

@mkeeler mkeeler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall this looks great and I don't have any issues that would block merging this. Just a few question to help with my understanding things mostly.

agent/consul/acl.go Show resolved Hide resolved
agent/consul/acl_client.go Outdated Show resolved Hide resolved
agent/consul/acl_endpoint.go Outdated Show resolved Hide resolved
agent/consul/acl_endpoint.go Show resolved Hide resolved
agent/consul/acl_endpoint.go Show resolved Hide resolved
agent/structs/acl.go Outdated Show resolved Hide resolved
@rboyer rboyer force-pushed the f-acl-service-identities branch from 523289b to 1f0bdd9 Compare April 1, 2019 16:44
@rboyer rboyer mentioned this pull request Apr 3, 2019
Merged
5 tasks
@pearkes pearkes mentioned this pull request Apr 3, 2019
Open
@rboyer rboyer added this to the 1.5.0 milestone Apr 8, 2019
@rboyer rboyer force-pushed the f-acl-service-identities branch 2 times, most recently from c70a096 to 7951e92 Compare April 8, 2019 17:18
@rboyer rboyer changed the base branch from f-acl-service-identities to f-acl-ux April 8, 2019 18:35
@rboyer rboyer requested a review from mkeeler April 12, 2019 17:38
@rboyer
acl: adding Roles to Tokens
de43694 
Roles are named and can express the same bundle of permissions that can
currently be assigned to a Token (lists of Policies and Service
Identities). The difference with a Role is that it not itself a bearer
token, but just another entity that can be tied to a Token.

This lets an operator potentially curate a set of smaller reusable
Policies and compose them together into reusable Roles, rather than
always exploding that same list of Policies on any Token that needs
similar permissions.

This also refactors the acl replication code to be semi-generic to avoid
3x copypasta.
mkeeler
mkeeler approved these changes Apr 15, 2019
View reviewed changes
Copy link
Member

@mkeeler mkeeler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@rboyer rboyer merged commit 9253c5a into f-acl-ux Apr 15, 2019
@rboyer rboyer deleted the f-acl-roles branch April 15, 2019 20:44
rboyer added a commit that referenced this pull request Apr 24, 2019
@rboyer
acl: adding Roles to Tokens (#5514)
f0b7433 
Roles are named and can express the same bundle of permissions that can
currently be assigned to a Token (lists of Policies and Service
Identities). The difference with a Role is that it not itself a bearer
token, but just another entity that can be tied to a Token.

This lets an operator potentially curate a set of smaller reusable
Policies and compose them together into reusable Roles, rather than
always exploding that same list of Policies on any Token that needs
similar permissions.

This also refactors the acl replication code to be semi-generic to avoid
3x copypasta.
rboyer added a commit that referenced this pull request Apr 26, 2019
@rboyer
acl: adding Roles to Tokens (#5514)
cc1aa3f 
Roles are named and can express the same bundle of permissions that can
currently be assigned to a Token (lists of Policies and Service
Identities). The difference with a Role is that it not itself a bearer
token, but just another entity that can be tied to a Token.

This lets an operator potentially curate a set of smaller reusable
Policies and compose them together into reusable Roles, rather than
always exploding that same list of Policies on any Token that needs
similar permissions.

This also refactors the acl replication code to be semi-generic to avoid
3x copypasta.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkeeler mkeeler mkeeler approved these changes

Assignees
No one assigned
Labels
theme/acls ACL and token generation
Projects
None yet
Milestone
1.5.0
Development

Successfully merging this pull request may close these issues.
2 participants
@rboyer @mkeeler