Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require token replication to be enabled in secondary dcs when ACLs are enabled with AutoConfig #8451

Merged
merged 3 commits into from
Aug 7, 2020
Merged

Require token replication to be enabled in secondary dcs when ACLs are enabled with AutoConfig #8451

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
58f39c7
Require token replication to be enabled in secondary dcs when ACLs ar…
mkeeler Aug 6, 2020
89aa06c
Update agent/config/builder.go
mkeeler Aug 6, 2020
11e1590
Update agent/config/runtime_test.go
mkeeler Aug 6, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion agent/config/builder.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2045,7 +2045,6 @@ func (b *Builder) validateAutoConfig(rt RuntimeConfig) error {
return fmt.Errorf("auto_config.enabled is set without providing a list of addresses")
}

// TODO (autoconf) should we validate the DNS and IP SANs? The IP SANs have already been parsed into IPs
return nil
}

Expand All @@ -2055,6 +2054,15 @@ func (b *Builder) validateAutoConfigAuthorizer(rt RuntimeConfig) error {
if !authz.Enabled {
return nil
}

// When in a secondary datacenter with ACLs enabled, we require token replication to be enabled
// as that is what allows us to create the local tokens to distribute to the clients. Otherwise
// we would have to have a token with the ability to create ACL tokens in the primary and make
// RPCs in response to auto config requests.
if rt.ACLsEnabled && rt.PrimaryDatacenter != rt.Datacenter && !rt.ACLTokenReplication {
return fmt.Errorf("Enabling auto-config authorization (auto_config.authorization.enabled) in non primary datacenters with ACLs enabled (acl.enabled) requires also enabling ACL token replication (acl.enable_token_replication)")
}

// Auto Config Authorization is only supported on servers
if !rt.ServerMode {
return fmt.Errorf("auto_config.authorization.enabled cannot be set to true for client agents")
Expand Down
42 changes: 42 additions & 0 deletions agent/config/runtime_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4080,6 +4080,48 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
err: `auto_config.authorization.static has invalid configuration: exactly one of 'JWTValidationPubKeys', 'JWKSURL', or 'OIDCDiscoveryURL' must be set for type "jwt"`,
},

{
desc: "auto config authorizer require token replication in secondary",
args: []string{
`-data-dir=` + dataDir,
`-server`,
},
hcl: []string{`
primary_datacenter = "otherdc"
acl {
enabled = true
}
auto_config {
authorization {
enabled = true
static {
jwks_url = "https://fake.uri.local"
oidc_discovery_url = "https://fake.uri.local"
}
}
}
cert_file = "foo"
`},
json: []string{`
{
"primary_datacenter": "otherdc",
"acl": {
"enabled": true
},
"auto_config": {
"authorization": {
"enabled": true,
"static": {
"jwks_url": "https://fake.uri.local",
"oidc_discovery_url": "https://fake.uri.local"
}
}
},
"cert_file": "foo"
}`},
err: `Enabling auto-config authorization (auto_config.authorization.enabled) in non primary datacenters with ACLs enabled (acl.enabled) requires also enabling ACL token replication (acl.enable_token_replication)`,
},

{
desc: "auto config authorizer invalid claim assertion",
args: []string{
Expand Down