Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

consul: check for acceptable service identity on consul tokens #15928

Merged
merged 1 commit into from
Jan 28, 2023
Merged

consul: check for acceptable service identity on consul tokens #15928

merged 1 commit into from
Jan 28, 2023

Conversation

shoenig
Copy link
Member

@shoenig shoenig commented Jan 27, 2023

When registering a job with a service and 'consul.allow_unauthenticated=false',
we scan the given Consul token for an acceptable policy or role with an
acceptable policy, but did not scan for an acceptable service identity (which
is backed by an acceptable virtual policy). This PR updates our consul token
validation to also accept a matching service identity when registering a service
into Consul.

Fixes #15902

@shoenig
Copy link
Member Author

shoenig commented Jan 27, 2023

Spot check

nomad.hcl (+ dev mode)

log_level = "INFO"
  
server {
  enabled = true
}

client {
  enabled = true
}

consul {
  token = "c1ef7742-9fdf-13d2-de5c-c292305987fb"
  allow_unauthenticated = false
}

create SI token

consul acl token create -local -service-identity=redis

job with redis service

job "demo" {
  datacenters = ["dc1"]

  group "cache" {
    network {
      port "db" {
        to = 6379
      }
    }
    
    service {
      name = "redis"
      port = "db"
    }

    task "redis" {
      driver = "docker"

      config {
        image          = "redis:7"
        ports          = ["db"]
        auth_soft_fail = true
      }

      resources {
        cpu    = 500
        memory = 256
      }
    }
  }
}

job submit works

nomad job run -consul-token=b8091c16-ee9c-2643-86d7-79a8855ab6d3 demo.nomad
...
  ✓ Deployment "805fa0fa" successful

@shoenig shoenig added backport/1.2.x backport to 1.1.x release line backport/1.3.x backport to 1.3.x release line backport/1.4.x backport to 1.4.x release line labels Jan 27, 2023
@shoenig shoenig added this to the 1.4.x milestone Jan 27, 2023
@shoenig
consul: check for acceptable service identity on consul tokens
e4fdccd 
When registering a job with a service and 'consul.allow_unauthenticated=false',
we scan the given Consul token for an acceptable policy or role with an
acceptable policy, but did not scan for an acceptable service identity (which
is backed by an acceptable virtual policy). This PR updates our consul token
validation to also accept a matching service identity when registering a service
into Consul.

Fixes #15902
@shoenig shoenig force-pushed the consul-si-permissions branch from 74670ce to e4fdccd Compare January 27, 2023 19:51
@shoenig shoenig requested review from lgfa29 and gulducat January 27, 2023 20:30
@shoenig shoenig marked this pull request as ready for review January 27, 2023 20:30
gulducat
gulducat approved these changes Jan 27, 2023
View reviewed changes
Copy link
Member

@gulducat gulducat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice and clean 👍

@shoenig shoenig merged commit ce71d2d into main Jan 28, 2023
@shoenig shoenig deleted the consul-si-permissions branch January 28, 2023 00:15
This was referenced Jan 28, 2023
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gulducat gulducat gulducat approved these changes

@lgfa29 lgfa29 lgfa29 approved these changes

Assignees
No one assigned
Labels
backport/1.2.x backport to 1.1.x release line backport/1.3.x backport to 1.3.x release line backport/1.4.x backport to 1.4.x release line
Projects
None yet
Milestone
1.4.x
Development

Successfully merging this pull request may close these issues.

Consul token check for service write permissions, does not consult token's service identities
3 participants
@shoenig @lgfa29 @gulducat