wi: new endpoint for listing workload attached ACL policies #25588
Conversation
Co-authored-by: Tim Gross <[email protected]>
This is a really nice feature, and thanks @gulducat for quick local testing policy/job!
command/agent/acl_endpoint.go
Outdated
```go
// Resolve policies for workload identities
policyReply := structs.ACLPolicySetResponse{}
if err := s.agent.RPC("ACL.GetClaimPolicies", &policyArgs, &policyReply); err != nil {
	return nil, err
}
```
My objection to this API as it stands is that we're only presenting the ACL policies for Workload Identity claims but the API is /v1/acl/policy/self. Ignoring unifying the CLI output for the moment, either (a) this API should retrieve policies for any authenticated request or (b) it should be under a different route than /v1/acl/policy/self or (c) the RPC handler should be changed to cover both ACL tokens and WI claims. Unfortunately it looks like we shipped the RPC handler as-is and now it would be awkward to retrieve ACL token policies there. So I think (a) is my preferred option, but we'd need to split the API to send to different RPC handlers.
4053a48 implements option (a), but then we end up with a bit of a mess, because GetClaimPolicies and ListPolicies RPCs return different types (maps or slices, respectively). I thought perhaps the key in the map is the WI name, but it's just policy name, so I'll follow-up with a change that just returns a list of ACLPolicyStub to get a unified output.
ah but then we'd lose some data that's useful for WI-attached policies if we only return ACLPolicyStub :/

```go
// ACLPolicyListStub is used to for listing ACL policies
type ACLPolicyListStub struct {
	Name        string
	Description string
	Hash        []byte
	CreateIndex uint64
	ModifyIndex uint64
}
```

This doesn't contain JobACLs or Rules.
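The merge the thread is weighing (a map-shaped GetClaimPolicies result versus a slice-shaped ListPolicies result, and a list stub that has to carry JobACL so WI-attached policies keep their binding) can be sketched as one projection plus one merge step. The Go below is an added example written for this page, not Nomad's code: the struct fields, the JobACL shape, the Stub method and the UnifyPolicies function are assumptions for illustration, and the sample policies are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// JobACL is an assumed shape for the workload-identity binding a policy can
// carry; Nomad's real type may differ. Example code, not project code.
type JobACL struct {
	Namespace string
	JobID     string
	Group     string
	Task      string
}

// ACLPolicy stands in for the full policy returned per entry by the
// map-shaped RPC result (the GetClaimPolicies style). Assumed fields.
type ACLPolicy struct {
	Name        string
	Description string
	Rules       string
	JobACL      *JobACL
	CreateIndex uint64
	ModifyIndex uint64
}

// ACLPolicyListStub is the list-shaped entry (the ListPolicies style) with
// the JobACL field added, so a WI-attached policy does not lose its binding
// when it is rendered as a stub. Hash is omitted here for brevity.
type ACLPolicyListStub struct {
	Name        string
	Description string
	JobACL      *JobACL
	CreateIndex uint64
	ModifyIndex uint64
}

// Stub projects a full policy onto the list stub. Rules are dropped on
// purpose (the stub never carried them); JobACL is preserved.
func (p *ACLPolicy) Stub() *ACLPolicyListStub {
	return &ACLPolicyListStub{
		Name:        p.Name,
		Description: p.Description,
		JobACL:      p.JobACL,
		CreateIndex: p.CreateIndex,
		ModifyIndex: p.ModifyIndex,
	}
}

// UnifyPolicies merges a map keyed by policy name (claim policies) with a
// slice of stubs (token policies) into one list sorted by name. When the
// same policy appears on both sides the claim entry wins, because it is the
// one that knows the JobACL; nil entries are skipped rather than crashing.
func UnifyPolicies(claimPolicies map[string]*ACLPolicy, tokenPolicies []*ACLPolicyListStub) []*ACLPolicyListStub {
	byName := make(map[string]*ACLPolicyListStub, len(claimPolicies)+len(tokenPolicies))
	// Per the discussion the map key is the policy name, not the WI name,
	// so the entry's own Name is used as the identity.
	for _, p := range claimPolicies {
		if p == nil {
			continue
		}
		byName[p.Name] = p.Stub()
	}
	for _, s := range tokenPolicies {
		if s == nil {
			continue
		}
		if _, seen := byName[s.Name]; !seen {
			byName[s.Name] = s
		}
	}
	out := make([]*ACLPolicyListStub, 0, len(byName))
	for _, s := range byName {
		out = append(out, s)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

func main() {
	// Constructed sample input: one WI-attached policy and two token policies.
	claims := map[string]*ACLPolicy{
		"web-reader": {
			Name:   "web-reader",
			Rules:  `namespace "default" { policy = "read" }`,
			JobACL: &JobACL{Namespace: "default", JobID: "web"},
		},
	}
	tokens := []*ACLPolicyListStub{{Name: "anonymous"}, {Name: "web-reader"}}
	for _, s := range UnifyPolicies(claims, tokens) {
		fmt.Printf("%-12s job-attached=%v\n", s.Name, s.JobACL != nil)
	}
}
```

The point of keeping JobACL on the stub is visible in the duplicate case: "web-reader" arrives once as a bare token stub and once as a claim policy, and only the claim version knows which job it is bound to, so that is the one the merged list keeps.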
Thanks for creating the docs content! I left a few style nits.
Co-authored-by: Aimee Ukasick <[email protected]>
also adds JobACL field to the stub
Docs approved - thanks Piotr!
This is looking great @pkazmierczak. I've left a few minor items to clean up and then I think this will be ready to ship!
LGTM!
This introduces a new HTTP endpoint (and an associated CLI command) for querying ACL policies associated with a workload identity. It allows users who want to learn about the ACL capabilities from within WI-tasks to know what sort of policies are enabled.
Fixes #24663
Internal ref: https://hashicorp.atlassian.net/browse/NMD-423
(reviewers: this requires #25547 to work)