Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

acl: correctly resolve ACL roles within client cache. #14922

Merged
merged 3 commits into from
Oct 20, 2022
Merged

acl: correctly resolve ACL roles within client cache. #14922

merged 3 commits into from
Oct 20, 2022

Conversation

jrasell
Copy link
Member

@jrasell jrasell commented Oct 18, 2022

The client ACL cache was not accounting for tokens which included ACL role links. This change modifies the behaviour to resolve role links to policies. It will also now store ACL roles within the cache for quick lookup. The cache TTL is configurable in the same manner as policies or tokens.

Another small fix is included that takes into account the ACL token expiry time. This was not included, which meant tokens with expiry could be used past the expiry time, until they were GC'd.

@jrasell
acl: correctly resolve ACL roles within client cache.
af0c94a 
The client ACL cache was not accounting for tokens which included
ACL role links. This change modifies the behaviour to resolve role
links to policies. It will also now store ACL roles within the
cache for quick lookup. The cache TTL is configurable in the same
manner as policies or tokens.

Another small fix is included that takes into account the ACL
token expiry time. This was not included, which meant tokens with
expiry could be used past the expiry time, until they were GC'd.
@jrasell jrasell added this to the 1.4.2 milestone Oct 18, 2022
@jrasell jrasell self-assigned this Oct 18, 2022
@jrasell jrasell mentioned this pull request Oct 18, 2022
Merged
@jrasell jrasell added the backport/1.4.x backport to 1.4.x release line label Oct 18, 2022
tgross
tgross reviewed Oct 18, 2022
View reviewed changes
Copy link
Member

@tgross tgross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great. I've left a few mostly non-blocking comments but the one in client/acl.go about failing open probably needs some consideration.

client/acl_test.go Outdated Show resolved Hide resolved
client/acl_test.go Outdated Show resolved Hide resolved
client/acl.go Outdated Show resolved Hide resolved
client/acl.go Show resolved Hide resolved
client/acl.go Show resolved Hide resolved
@jrasell jrasell merged commit eaea916 into main Oct 20, 2022
@jrasell jrasell deleted the jrasell/client-acl-cache-roles branch October 20, 2022 07:37
This was referenced Oct 20, 2022
Merged
Merged
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 19, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@tgross tgross tgross left review comments

@shoenig shoenig shoenig left review comments

@lgfa29 lgfa29 lgfa29 approved these changes

@schmichael schmichael Awaiting requested review from schmichael

Assignees

@jrasell jrasell

Labels
backport/1.4.x backport to 1.4.x release line
Projects
None yet
Milestone
1.4.2
Development

Successfully merging this pull request may close these issues.
4 participants
@jrasell @shoenig @lgfa29 @tgross