acl: add ACL roles to event stream topic and resolve policies. (#14923)

This change adds ACL role creation and deletion to the event
stream. It is exposed as a single topic with two types; the filter
is primarily the role ID but also includes the role name.

While conducting this work it was also discovered that the events
stream has its own ACL resolution logic. This did not account for
ACL tokens which included role links, or tokens with expiry times.
ACL role links are now resolved to their policies and tokens are
checked for expiry correctly.
This commit is contained in:
James Rasell
2022-10-20 09:43:35 +02:00
committed by GitHub
parent eaea9164a5
commit 1c9b4e398d
12 changed files with 725 additions and 39 deletions

@@ -33,6 +33,7 @@ by default, requiring a management token.
| `*` | `management` |
| `ACLToken` | `management` |
| `ACLPolicy` | `management` |
| `ACLRole` | `management` |
| `Job` | `namespace:read-job` |
| `Allocation` | `namespace:read-job` |
| `Deployment` | `namespace:read-job` |
@@ -67,6 +68,7 @@ by default, requiring a management token.
| ---------- | ------------------------------- |
| ACLToken | ACLToken |
| ACLPolicy | ACLPolicy |
| ACLRoles | ACLRole |
| Allocation | Allocation (no job information) |
| Job | Job |
| Evaluation | Evaluation |
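Review bot: The topic in the added row is spelled `ACLRoles` (plural), but the permissions table in the first hunk lists the topic as `ACLRole`, and every neighbouring row here uses the singular form that matches its payload (`ACLToken`, `ACLPolicy`). If the topic string that subscribers pass is `ACLRole`, this row should read `| ACLRole | ACLRole |`. Otherwise a reader copying the name from this table would subscribe to a topic that does not match the one the permissions table documents.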
@@ -83,6 +85,8 @@ by default, requiring a management token.
| ACLTokenDeleted |
| ACLPolicyUpserted |
| ACLPolicyDeleted |
| ACLRoleUpserted |
| ACLRoleDeleted |
| AllocationCreated |
| AllocationUpdated |
| AllocationUpdateDesiredStatus |
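Review bot: The added `ACLRoleUpserted` type is documented without saying which operations emit it, while the commit message only mentions role "creation and deletion". By analogy with `ACLPolicyUpserted` the name suggests updates to an existing role are included (an assumption, since the emitting code is not visible in these hunks). Consider stating that explicitly in the docs, since anyone auditing privilege changes through the stream needs to know whether a role gaining new policy links shows up as `ACLRoleUpserted`.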