services: reject node secret for Read/List RPC (#23910)

As of Nomad 1.6.0, Nomad clients never make RPC requests to the
ServiceRegistrationList/Read RPC without using a specific Workload Identity
rather than the node secret. Tighten the ACL permissions on these RPCs so that
node secrets are no longer valid tokens.

Ref: https://hashicorp.atlassian.net/browse/NET-10009
Ref: https://developer.hashicorp.com/nomad/docs/release-notes/nomad/upcoming#nomad-1-9-0
This commit is contained in:
Tim Gross
2024-09-05 13:52:32 -04:00
committed by GitHub
parent a9beef7edd
commit 04ad7165e7
3 changed files with 5 additions and 26 deletions

@@ -906,10 +906,6 @@ func (a *ACL) AllowServiceRegistrationReadList(ns string, isWorkload bool) bool
switch {
case a == nil:
return false
case a.client == PolicyRead,
a.client == PolicyWrite:
// COMPAT: older clients won't send WI tokens for these requests
return true
case a.aclsDisabled, a.management:
return true
}
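Review bot: removing the `a.client == PolicyRead, a.client == PolicyWrite` case turns a node-secret caller into a hard deny on this path, which is the intent, but the hunk also deletes the only comment explaining the node-secret handling, so a future reader has nothing telling them the branch was removed on purpose and may reinstate it as a regression fix. Suggest leaving a one-line comment where the case was, e.g. `// node secrets are not accepted here: clients since 1.6.0 always send a WI token for these RPCs`. Since the commit touches two other files not shown here, please confirm one of them adds a test asserting that an ACL built from a client policy with PolicyRead or PolicyWrite now returns false from AllowServiceRegistrationReadList, and that the behaviour change is called out in the changelog/upgrade notes for clients older than 1.6.0 in a mixed-version cluster.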