server: strip local ACL tokens from RPCs during forwarding if crossing datacenters #7419

Merged
merged 3 commits into from
Mar 10, 2020

@rboyer rboyer commented Mar 9, 2020

Fixes #7414

Note this is only the server-to-server side portion of 7414. The client-to-server change seems much more involved and seems like it has a higher likelihood of RPC amplification if not done with extreme care.

@rboyer rboyer added this to the 1.8.0 milestone Mar 9, 2020
@rboyer rboyer requested a review from a team March 9, 2020 20:34
@rboyer rboyer self-assigned this Mar 9, 2020

@mkeeler mkeeler left a comment

LGTM

Small note that there is enterprise code you will need to update as well (mostly stubs where we have alternative ACLIdentity implementors such as for namespaces).


@hanshasselberg hanshasselberg left a comment

LGTM.

if ident != nil && ident.IsLocal() {
// Strip it from the request.
info.SetTokenSecret("")
defer info.SetTokenSecret(token)
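
Review bot: the `defer info.SetTokenSecret(token)` line restores the secret without saying why, and the reason is not obvious from the hunk: `info` is mutated in place by `info.SetTokenSecret("")`, so the caller's request would otherwise lose its token. A one-line comment above the `defer` stating that would help. Note also that the `defer` fires when the enclosing function returns, not at the closing brace of the `if ident != nil && ident.IsLocal()` block, so any code later in the same function still sees the empty secret; worth confirming that is intended.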

I was wondering why we need to put it back, but then I saw that RPCInfo is an interface and interfaces are passed by reference.
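
The strip-and-restore behaviour discussed in this review, as an added, self-contained sketch that is not the project's code: only `SetTokenSecret`, the `RPCInfo` name and the local-token check come from the thread, while the `request` type, `forward`, `demo`, the `isLocal` lookup, the other interface methods and the token values are assumptions made for illustration.

```go
package main

import "fmt"

// RPCInfo is a hypothetical stand-in for the request interface in the thread.
type RPCInfo interface {
	TokenSecret() string
	SetTokenSecret(string)
	RequestDatacenter() string
}

type request struct{ dc, token string }

func (r *request) TokenSecret() string       { return r.token }
func (r *request) SetTokenSecret(s string)   { r.token = s }
func (r *request) RequestDatacenter() string { return r.dc }

// forward hands info to send. When the target datacenter differs from localDC
// and isLocal (an assumed lookup) reports the token as local-only, the secret
// is blanked for the remote call and restored when forward returns.
func forward(localDC string, info RPCInfo, isLocal func(string) bool, send func(RPCInfo) error) error {
	if info.RequestDatacenter() != localDC {
		if token := info.TokenSecret(); token != "" && isLocal(token) {
			info.SetTokenSecret("") // the remote side never sees the secret
			// info points at the caller's struct, so undo the mutation.
			defer info.SetTokenSecret(token)
		}
	}
	return send(info)
}

// demo returns the token the receiving side saw and the token the caller
// still holds afterwards. The token values are constructed samples.
func demo(token, targetDC string) (seen, after string) {
	local := map[string]bool{"local-secret": true}
	req := &request{dc: targetDC, token: token}
	_ = forward("dc1", req, func(s string) bool { return local[s] }, func(i RPCInfo) error {
		seen = i.TokenSecret()
		return nil
	})
	return seen, req.token
}

func main() {
	for _, c := range [][2]string{{"local-secret", "dc2"}, {"global-secret", "dc2"}, {"local-secret", "dc1"}} {
		seen, after := demo(c[0], c[1])
		fmt.Printf("token=%s target=%s remote saw %q, caller keeps %q\n", c[0], c[1], seen, after)
	}
}
```

Only the local token sent to another datacenter arrives empty; in every case the caller's request holds its original token once `forward` has returned.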

@rboyer rboyer force-pushed the strip-local-tokens-on-forward branch from f76c96d to 7cedca7 Compare March 10, 2020 15:06
This lets you forward an rpc to a remote dc with a remotely-local token
@rboyer rboyer force-pushed the strip-local-tokens-on-forward branch from 7cedca7 to 428cf7d Compare March 10, 2020 15:17
@rboyer rboyer merged commit 85a08bf into master Mar 10, 2020
@rboyer rboyer deleted the strip-local-tokens-on-forward branch March 10, 2020 16:15