Commit
Intentions ACL enforcement updates (#7028)
* Renamed structs.IntentionWildcard to structs.WildcardSpecifier

* Refactor ACL Config

  Get rid of remnants of enterprise-only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard.

* Add wildcard support in the ACL package

  For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything.

* Make v1/agent/connect/authorize namespace aware

* Update intention ACL enforcement

  This also changes how intention:read is granted. Before, the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However, Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Match's previous behavior. Due to this being done in a few different places, ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself.

* Refactor Intention.Apply to make things easier to follow.
Showing 27 changed files with 1,564 additions and 255 deletions.
@@ -0,0 +1,32 @@ | ||
package acl | ||
|
||
const ( | ||
WildcardName = "*" | ||
) | ||
|
||
// Config encapsualtes all of the generic configuration parameters used for | ||
// policy parsing and enforcement | ||
type Config struct { | ||
// WildcardName is the string that represents a request to authorize a wildcard permission | ||
WildcardName string | ||
|
||
// embedded enterprise configuration | ||
EnterpriseConfig | ||
} | ||
|
||
// GetWildcardName will retrieve the configured wildcard name or provide a default | ||
// in the case that the config is Nil or the wildcard name is unset. | ||
func (c *Config) GetWildcardName() string { | ||
if c == nil || c.WildcardName == "" { | ||
return WildcardName | ||
} | ||
return c.WildcardName | ||
} | ||
|
||
// Close will relinquish any resources this Config might be holding on to or | ||
// managing. | ||
func (c *Config) Close() { | ||
if c != nil { | ||
c.EnterpriseConfig.Close() | ||
} | ||
} |
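Review bot: the doc comment on the Config struct has a typo: "encapsualtes" should be "encapsulates". A naming point on the same hunk: the package-level constant `WildcardName = "*"` has the same name as the `Config.WildcardName` field it serves as the default for, so `return WildcardName` inside `GetWildcardName` reads ambiguously at a glance; calling the constant `DefaultWildcardName` would make the fallback explicit. The nil-receiver handling is correct in both `GetWildcardName` (nil or empty falls back to the default) and `Close` (no-op on nil), which matters because callers that never set a wildcard will silently get "*" as the wildcard token rather than an error. Note that this new file compiles only if the embedded `EnterpriseConfig` type, with a `Close()` method, is defined elsewhere in the `acl` package in the same commit; it is not part of this hunk.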