remove WhoAmI callers from client
#19580
Comments
|
@schmichael pointed out in a sidebar discussion that we probably want to do this sooner rather than later, as the current implementation would make it easy to incorrectly change the code at https://github.com/hashicorp/nomad/blob/v1.7.2/nomad/structs/structs.go#L547 to check the claim expiration, which would be nil on the client. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In Nomad 1.5.0 (542b23e) we started using the
ACL.WhoAmIRPC method from the client to allow clients to check Workload Identity tokens and not just ACL tokens. In Nomad 1.7.0, we broke this by accidentally changing the wire format of theWhoAmIRPC response. See #19555. We've fixed that in #19578, but there's a better long-term solution:ACL.WhoAmIcallers from the clientACL.ResolveToken. For non-WI tokens, have the client check with the server viaACL.ResolveTokenWe'll want to keep the existing
ACL.WhoAmImethod for backwards compatibility, but it might also be a good idea to provide a HTTP endpoint for it to make it a useful debugging tool.The text was updated successfully, but these errors were encountered: