Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

agent: protect the ui metrics proxy endpoint behind ACLs #9099

Merged
merged 1 commit into from
Nov 4, 2020
Merged

agent: protect the ui metrics proxy endpoint behind ACLs #9099

merged 1 commit into from
Nov 4, 2020

Conversation

rboyer
Copy link
Member

@rboyer rboyer commented Nov 4, 2020

This ensures the metrics proxy endpoint is ACL protected behind a
wildcard service:read and node:read set of rules. For Consul
Enterprise these will need to span all namespaces:

service_prefix "" { policy = "read" }
node_prefix ""    { policy = "read" }

namespace_prefix "" {
  service_prefix "" { policy = "read" }
  node_prefix ""    { policy = "read" }
}

This PR contains just the backend changes. The frontend changes to
actually pass the consul token header to the proxy through the JS plugin
will come in another PR.

@rboyer
agent: protect the ui metrics proxy endpoint behind ACLs
38147b0 
This ensures the metrics proxy endpoint is ACL protected behind a
wildcard `service:read` and `node:read` set of rules. For Consul
Enterprise these will need to span all namespaces:

```
service_prefix "" { policy = "read" }
node_prefix ""    { policy = "read" }

namespace_prefix "" {
  service_prefix "" { policy = "read" }
  node_prefix ""    { policy = "read" }
}
```

This PR contains just the backend changes. The frontend changes to
actually pass the consul token header to the proxy through the JS plugin
will come in another PR.
@rboyer rboyer added this to the 1.9.0-beta2 milestone Nov 4, 2020
@rboyer rboyer requested review from banks and a team November 4, 2020 16:35
@rboyer rboyer self-assigned this Nov 4, 2020
@github-actions github-actions bot added the theme/acls ACL and token generation label Nov 4, 2020
@rboyer rboyer merged commit 6ba776b into master Nov 4, 2020
@rboyer rboyer deleted the metrics-acls branch November 4, 2020 18:50
@hashicorp-ci
Copy link
Contributor

🍒✅ Cherry pick of commit 6ba776b onto release/1.9.x succeeded!

hashicorp-ci pushed a commit that referenced this pull request Nov 4, 2020
@rboyer @hashicorp-ci
agent: protect the ui metrics proxy endpoint behind ACLs (#9099)
c14439a 
This ensures the metrics proxy endpoint is ACL protected behind a
wildcard `service:read` and `node:read` set of rules. For Consul
Enterprise these will need to span all namespaces:

```
service_prefix "" { policy = "read" }
node_prefix ""    { policy = "read" }

namespace_prefix "" {
  service_prefix "" { policy = "read" }
  node_prefix ""    { policy = "read" }
}
```

This PR contains just the backend changes. The frontend changes to
actually pass the consul token header to the proxy through the JS plugin
will come in another PR.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@freddygv freddygv freddygv approved these changes

@banks banks Awaiting requested review from banks

Assignees

@rboyer rboyer

Labels
theme/acls ACL and token generation
Projects
None yet
Milestone
1.9.0-beta2
Development

Successfully merging this pull request may close these issues.
3 participants
@rboyer @hashicorp-ci @freddygv