Intentions ACL enforcement updates #7028
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard.
For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything.
This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself.
mkeeler
force-pushed
the
feature/intention-acls-and-namespaces
branch
from
7bfe82e to
75f0f23
Compare
mkcp
approved these changes
Jan 10, 2020
There was a problem hiding this comment.
Really great work! 💯
There is one PLEASEFIX in agent/structs/intention_oss.go where a bunch of noops are implemented. I think a note on the file's intention, even as a TODO or a short explanation, will be key to inform future maintainers.
The remaining review notes are requests for additional docs and various curiosities I had about the codebase (mostly for my own learning). They are certainly non-blocking, and I trust you to use your best judgement as always for merging.
mkeeler
force-pushed
the
feature/intention-acls-and-namespaces
branch
2 times, most recently
from
fc8cd91 to
400cf62
Compare
mkeeler
force-pushed
the
feature/intention-acls-and-namespaces
branch
from
8bc8463 to
0915ede
Compare
|
I checked it out and the one failing test is a flake and unrelated to these changes (and it executes properly locally). Going to go ahead and merge this anyways. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR also contains the necessary OSS changes to support namespaces with Consul Enterprise.