Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of acls,catalog,mesh: properly authorize workload selectors on writes into release/1.17.x #19296

Merged
merged 1 commit into from
Oct 19, 2023
Merged

Backport of acls,catalog,mesh: properly authorize workload selectors on writes into release/1.17.x #19296

merged 1 commit into from
Oct 19, 2023

Conversation

hc-github-team-consul-core
Copy link
Collaborator

Backport

This PR is auto-generated from #19260 to be assessed for backporting due to the inclusion of the label backport/1.17.

The below text is copied from the body of the original PR.

Description

To properly enforce writes on resources that have workload selectors with prefixes, we need another service authorization rule that allows us to check whether read is allowed within a given prefix. Specifically we need to only allow writes if the policy prefix allows for a wider set of names than the prefix selector on the resource. We should also not allow policies with exact names for prefix matches.

Part of NET-3993

Examples:
(when default is deny)

Decision: deny
selector:

Workloads: { Prefixes = ["api"] }

policy:

...
service "api" { policy = "read" }

Decision: allow
selector:

Workloads: { Prefixes = ["api"] }

policy:

...
service_prefix "api" { policy = "read" }

Decision: deny
selector:

Workloads: { Prefixes = ["api"] }

policy:

...
service_prefix "api1" { policy = "read" }

Testing & Reproduction steps

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • [] not a security concern
Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core requested a review from a team as a code owner October 19, 2023 17:10
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/ishustava/selector-prefix-enforcement/properly-elegant-scorpion branch from d191257 to 3611fed Compare October 19, 2023 17:10
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/ishustava/selector-prefix-enforcement/properly-elegant-scorpion branch from afabe80 to f3d9824 Compare October 19, 2023 17:10
github-team-consul-core-pr-approver
github-team-consul-core-pr-approver approved these changes Oct 19, 2023
View reviewed changes
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto approved Consul Bot automated PR

@github-actions github-actions bot added the theme/acls ACL and token generation label Oct 19, 2023
@hc-github-team-consul-core hc-github-team-consul-core merged commit 8a3a15e into release/1.17.x Oct 19, 2023
94 checks passed
@hc-github-team-consul-core hc-github-team-consul-core deleted the backport/ishustava/selector-prefix-enforcement/properly-elegant-scorpion branch October 19, 2023 17:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-team-consul-core-pr-approver github-team-consul-core-pr-approver github-team-consul-core-pr-approver approved these changes

@ishustava ishustava Awaiting requested review from ishustava

Assignees

@ishustava ishustava

Labels
theme/acls ACL and token generation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hc-github-team-consul-core @github-team-consul-core-pr-approver @ishustava