Properly handle leafnode spoke permissions. #1480
Conversation
When a leafnode would connect with credentials that had permissions the spoke did not have a way of knowing what those were. This could lead to being disconnected when sending subscriptions or messages to the hub which were not allowed. Signed-off-by: Derek Collison <[email protected]>
Signed-off-by: Derek Collison <[email protected]>
| // to resend back to soliciting server. These are reversed from the | ||
| // way routes interpret them since this is how the soliciting server | ||
| // will receive these back in an update INFO. | ||
| if c.isHubLeafNode() { |
There was a problem hiding this comment.
Not sure why we are storing the perms of this client in c.opts.Import/Export? Would it not be enough to send c.perms when needed?
There was a problem hiding this comment.
This is an easy way to remember when we need to send from the hub back to the spoke via async info.
| @@ -177,10 +177,10 @@ func newLeafNodeCfg(remote *RemoteLeafOpts) *leafNodeCfg { | |||
| if len(remote.DenyExports) > 0 || len(remote.DenyImports) > 0 { | |||
| perms := &Permissions{} | |||
| if len(remote.DenyExports) > 0 { | |||
| perms.Subscribe = &SubjectPermission{Deny: remote.DenyExports} | |||
| perms.Publish = &SubjectPermission{Deny: remote.DenyExports} | |||
There was a problem hiding this comment.
Originally the DenyExport was a subscribe permission because it meant that if on this LN connection, if we deny export of "foo" it means that it would reject a subscription (hence subscribe permission) on "foo" from the other side. Now you are changing to simply not allowing this server to publish on "foo". I am not saying this is wrong, but we completely flip the meaning.
There was a problem hiding this comment.
The previous way was wrong. I do honor local deny clauses though now as well.
| @@ -1057,6 +1065,10 @@ func (c *client) processLeafNodeConnect(s *Server, arg []byte, lang string) erro | |||
| c.leaf.isSpoke = true | |||
| } | |||
|
|
|||
| // If we have permissions bound to this leafnode we need to send then back to the | |||
| // origin server for local enforcement. | |||
| s.sendPermsInfo(c) | |||
There was a problem hiding this comment.
But LN permissions IIRC are only configured in the "remotes" section of leafnodes block, that is, only soliciting LNs configured. And if we process a CONNECT, we are not the soliciting, so there should not be any permissions here???
There was a problem hiding this comment.
We are sending back the perms that are associated with this user. This user was sent from the spoke but does not know what permissions are associated with the bound user on the hub.
| @@ -1662,7 +1707,7 @@ func (c *client) processInboundLeafMsg(msg []byte) { | |||
| c.in.bytes += int32(len(msg) - LEN_CR_LF) | |||
|
|
|||
| // Check pub permissions | |||
| if c.perms != nil && (c.perms.pub.allow != nil || c.perms.pub.deny != nil) && !c.pubAllowed(string(c.pa.subject)) { | |||
| if c.perms != nil && (c.perms.pub.allow != nil || c.perms.pub.deny != nil) && c.isHubLeafNode() && !c.pubAllowed(string(c.pa.subject)) { | |||
Signed-off-by: Derek Collison <[email protected]>
Signed-off-by: Derek Collison <[email protected]>
When a leafnode would connect with credentials that had permissions the spoke did not have a way of knowing what those were. This could lead to being disconnected when sending subscriptions or messages to the hub which were not allowed.
Signed-off-by: Derek Collison [email protected]
/cc @nats-io/core