Add local file-based access-control rule support. #329
ZhidongPeng merged 13 commits into Azure:dev on Apr 27, 2026
ZhidongPeng (Collaborator) commented Mar 18, 2026
- Added base64 = "0.22" dependency
- Introduces a new local_rules module that
- Added rules_dir: PathBuf field to KeyKeeper struct and refactored update_access_control_rules() to accept state tracker, call resolve_effective_rules() for WireServer/IMDS/HostGA, and handle local-rule-merged effective rules
ZhidongPeng (Collaborator, Author) commented Mar 19, 2026
ZhidongPeng left a comment
PR Review: Add local file-based access-control rule support
Thanks for the PR. Overall the design is clean: base64-encoded rule-id descriptors, fail-closed on parse errors, and file-state tracking across polls are all solid patterns.
Below are inline comments ranging from a potential behavioral regression to minor nits. Please take a look.
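Two of the patterns named in the review above, fail-closed handling of parse errors and file-state tracking across polls, sketched as an added example that is not code from this PR or the project. The `Effective` type, `StateTracker::poll`, the `allow <path-prefix>` line format, the FNV-1a content fingerprint and the file name are all assumptions made for illustration.

```rust
use std::collections::HashMap;

/// Outcome of resolving one local rule file (hypothetical type).
#[derive(Debug, Clone, PartialEq)]
pub enum Effective {
    Allow(Vec<String>), // permitted URL path prefixes
    DenyAll,            // fail-closed state after a parse error
}

/// Constructed line format "allow <path-prefix>"; not the project's real schema.
fn parse_rules(text: &str) -> Result<Vec<String>, String> {
    let mut out = Vec::new();
    for (n, line) in text.lines().enumerate() {
        let line = line.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        match line.strip_prefix("allow ") {
            Some(p) if p.starts_with('/') => out.push(p.to_string()),
            _ => return Err(format!("line {}: unrecognised rule {:?}", n + 1, line)),
        }
    }
    Ok(out)
}

/// FNV-1a fingerprint of the content, used to detect changes between polls.
fn fingerprint(text: &str) -> u64 {
    text.bytes().fold(0xcbf29ce484222325u64, |h, b| (h ^ b as u64).wrapping_mul(0x100000001b3))
}

/// Remembers fingerprint and result per file across polls.
#[derive(Default)]
pub struct StateTracker { seen: HashMap<String, (u64, Effective)> }

impl StateTracker {
    /// Returns (effective rules, whether the file was re-parsed on this poll).
    pub fn poll(&mut self, file: &str, content: &str) -> (Effective, bool) {
        let fp = fingerprint(content);
        if let Some((old, eff)) = self.seen.get(file) {
            if *old == fp { return (eff.clone(), false); }
        }
        // New or changed file: a parse error discards earlier good rules, never keeps them.
        let eff = parse_rules(content).map(Effective::Allow).unwrap_or(Effective::DenyAll);
        self.seen.insert(file.to_string(), (fp, eff.clone()));
        (eff, true)
    }
}

fn main() {
    let mut t = StateTracker::default();
    println!("{:?}", t.poll("wireserver.rules", "allow /machine\n"));
}
```

The point to check in a real implementation is the changed-file path: a file that used to parse and now does not must not leave the previous, more permissive rule set in effect.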
Co-authored-by: Copilot <copilot@github.com>
srikrishnaveturi approved these changes Apr 27, 2026
ZhidongPeng added a commit that referenced this pull request Apr 27, 2026
* Report eBPF service statuses instead of checking installation (#334)
* Report eBPF service statuses instead of checking installation
---------
Co-authored-by: Srikrishna Veturi <sveturi@microsoft.com>
* Fix clippy::unnecessary_sort_by (#336)
* Bump rand from 0.8.5 to 0.8.6 (#339)
Bumps [rand](https://github.com/rust-random/rand) from 0.8.5 to 0.8.6.
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md)
- [Commits](rust-random/rand@0.8.5...0.8.6)
---
updated-dependencies:
- dependency-name: rand
  dependency-version: 0.8.6
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Bump openssl from 0.10.73 to 0.10.78 (#338)
Bumps [openssl](https://github.com/rust-openssl/rust-openssl) from 0.10.73 to 0.10.78.
- [Release notes](https://github.com/rust-openssl/rust-openssl/releases)
- [Commits](rust-openssl/rust-openssl@openssl-v0.10.73...openssl-v0.10.78)
---
updated-dependencies:
- dependency-name: openssl
  dependency-version: 0.10.78
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Zhidong Peng <zpeng@microsoft.com>
* GPA service to use host-date-time for signed http requests (#335)
* GPA service to use host-date-time for signed http requests
* add logging
* fix typo
* Bump rand from 0.8.5 to 0.8.6 (#339)
Bumps [rand](https://github.com/rust-random/rand) from 0.8.5 to 0.8.6.
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md)
- [Commits](rust-random/rand@0.8.5...0.8.6)
---
updated-dependencies:
- dependency-name: rand
  dependency-version: 0.8.6
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Bump openssl from 0.10.73 to 0.10.78 (#338)
Bumps [openssl](https://github.com/rust-openssl/rust-openssl) from 0.10.73 to 0.10.78.
- [Release notes](https://github.com/rust-openssl/rust-openssl/releases)
- [Commits](rust-openssl/rust-openssl@openssl-v0.10.73...openssl-v0.10.78)
---
updated-dependencies:
- dependency-name: openssl
  dependency-version: 0.10.78
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Zhidong Peng <zpeng@microsoft.com>
* resolve comments
Co-authored-by: Copilot <copilot@github.com>
* fix spelling
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Zhidong Peng <zpeng@micrsoft.com>
Co-authored-by: Copilot <copilot@github.com>
* Add local file-based access-control rule support. (#329)
* Add local file-based access-control rule support.
* formatting
* resolve comments and validate the parsed local rules.
* fix formatting.
* fix case-insensitive match
* prefix_local_rule_names
Co-authored-by: Copilot <copilot@github.com>
* Display useLocalFileRules.
* update log level at attempting
Co-authored-by: Copilot <copilot@github.com>
* fix formatting
---------
Co-authored-by: Zhidong Peng <zpeng@micrsoft.com>
Co-authored-by: Copilot <copilot@github.com>
* cmdline to take the first 4 arguments (#340)
* cmdline to take the first 4 arguments
* fix in common code path
* Update version to 1.0.43
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Srikrishna Veturi <veturi.srikrishna@gmail.com>
Co-authored-by: Srikrishna Veturi <sveturi@microsoft.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Zhidong Peng <zpeng@micrsoft.com>
Co-authored-by: Copilot <copilot@github.com>