// vetServiceRegister makes sure the service registration action is allowed by
// the given token.
//
// It returns nil when ACLs aren't enabled (resolveToken yields a nil ACL), the
// resolveToken error when the token cannot be resolved, and
// permissionDeniedErr when the token's ServiceWrite does not allow the service
// being registered or an existing local service with the same ID that the
// registration would overwrite.
func (a *Agent) vetServiceRegister(token string, service *structs.NodeService) error {
	authz, err := a.resolveToken(token)
	if err != nil {
		return err
	}
	// A nil ACL means ACLs aren't enabled; there is nothing to vet.
	if authz == nil {
		return nil
	}

	// The token must be allowed to write the service name being registered.
	if !authz.ServiceWrite(service.Service) {
		return permissionDeniedErr
	}

	// Registering under an existing ID replaces that service, so the token
	// must also be allowed to write the service currently holding the ID.
	// NOTE(review): this vets against a read of local state; whether the
	// caller serializes this check with the subsequent registration is not
	// visible here — confirm.
	existing, found := a.state.Services()[service.ID]
	if found && !authz.ServiceWrite(existing.Service) {
		return permissionDeniedErr
	}

	return nil
}
// vetCheckUpdate makes sure that a check update is allowed by the given token.
//
// The decision is based on the existing local check: a check with a
// ServiceName is vetted with the token's ServiceWrite on that name, a check
// without one with NodeWrite on this agent's node name. It returns nil when
// ACLs aren't enabled, the resolveToken error when the token cannot be
// resolved, an error when no local check has the given ID, and
// permissionDeniedErr when the token is not allowed to write the check.
func (a *Agent) vetCheckUpdate(token string, checkID types.CheckID) error {
	authz, err := a.resolveToken(token)
	if err != nil {
		return err
	}
	// A nil ACL means ACLs aren't enabled; there is nothing to vet.
	if authz == nil {
		return nil
	}

	existing, found := a.state.Checks()[checkID]
	if !found {
		return fmt.Errorf("Unknown check %q", checkID)
	}

	// Service-bound checks are governed by the service's permission,
	// node-level checks by the node's.
	var allowed bool
	if existing.ServiceName != "" {
		allowed = authz.ServiceWrite(existing.ServiceName)
	} else {
		allowed = authz.NodeWrite(a.config.NodeName)
	}
	if !allowed {
		return permissionDeniedErr
	}

	return nil
}
// vetCheckRegister makes sure the check registration action is allowed by the
// given token.
//
// A check with a ServiceName is vetted with the token's ServiceWrite on that
// name; a check without one with NodeWrite on this agent's node name. The rule
// is applied twice: to the check being registered and to any existing local
// check with the same ID, since registration overwrites it. It returns nil
// when ACLs aren't enabled, the resolveToken error when the token cannot be
// resolved, and permissionDeniedErr when either vet fails.
func (a *Agent) vetCheckRegister(token string, check *structs.HealthCheck) error {
	authz, err := a.resolveToken(token)
	if err != nil {
		return err
	}
	// A nil ACL means ACLs aren't enabled; there is nothing to vet.
	if authz == nil {
		return nil
	}

	// canWriteCheck applies the check-scoping rule: service-bound checks are
	// governed by the service's permission, node-level checks by the node's.
	canWriteCheck := func(serviceName string) bool {
		if serviceName != "" {
			return authz.ServiceWrite(serviceName)
		}
		return authz.NodeWrite(a.config.NodeName)
	}

	// The check being registered.
	if !canWriteCheck(check.ServiceName) {
		return permissionDeniedErr
	}

	// Registering under an existing ID replaces that check, so the token must
	// also be allowed to write the check currently holding the ID.
	// NOTE(review): this vets against a read of local state; whether the
	// caller serializes this check with the subsequent registration is not
	// visible here — confirm.
	if existing, found := a.state.Checks()[check.CheckID]; found {
		if !canWriteCheck(existing.ServiceName) {
			return permissionDeniedErr
		}
	}

	return nil
}
// vetServiceUpdate makes sure the service update action is allowed by the given
// token.
//
// The token's ServiceWrite must allow the name of the existing local service
// registered under the given ID. It returns nil when ACLs aren't enabled, the
// resolveToken error when the token cannot be resolved, an error when no local
// service has the given ID, and permissionDeniedErr when the token lacks the
// permission.
func (a *Agent) vetServiceUpdate(token string, serviceID string) error {
	authz, err := a.resolveToken(token)
	if err != nil {
		return err
	}
	// A nil ACL means ACLs aren't enabled; there is nothing to vet.
	if authz == nil {
		return nil
	}

	existing, found := a.state.Services()[serviceID]
	if !found {
		return fmt.Errorf("Unknown service %q", serviceID)
	}
	// Updates are vetted against the name the service is registered under,
	// not against the caller-supplied ID.
	if !authz.ServiceWrite(existing.Service) {
		return permissionDeniedErr
	}

	return nil
}