consul: Removed unused ConsulUsage.Kinds. (#11303)

Florian Apolloner
2022-09-22 17:07:14 +02:00
committed by GitHub
parent e4b763f25d
commit fa14b0a4e0
3 changed files with 0 additions and 44 deletions


@@ -253,17 +253,6 @@ func (c *consulACLsAPI) CheckPermissions(ctx context.Context, namespace string,
}
}
// verify token has service identity permission for connect services
for _, kind := range usage.Kinds {
service := kind.Value()
allowable, err := c.canWriteService(namespace, service, token)
if err != nil {
return err
} else if !allowable {
return fmt.Errorf("insufficient Consul ACL permissions to write Connect service %q", service)
}
}
return nil
}


@@ -91,34 +91,4 @@ func TestConsulACLsAPI_CheckPermissions_oss(t *testing.T) {
try(t, "", usage, "f1682bde-1e71-90b1-9204-85d35467ba61", errors.New("unable to read consul token: no such token"))
})
})
t.Run("check-permissions connect service identity write", func(t *testing.T) {
usage := &structs.ConsulUsage{Kinds: []structs.TaskKind{structs.NewTaskKind(structs.ConnectProxyPrefix, "service1")}}
t.Run("operator has service write", func(t *testing.T) {
try(t, "", usage, consul.ExampleOperatorTokenID1, nil)
})
t.Run("operator has service_prefix write", func(t *testing.T) {
u := &structs.ConsulUsage{Kinds: []structs.TaskKind{structs.NewTaskKind(structs.ConnectProxyPrefix, "foo-service1")}}
try(t, "", u, consul.ExampleOperatorTokenID2, nil)
})
t.Run("operator has service_prefix write wrong prefix", func(t *testing.T) {
u := &structs.ConsulUsage{Kinds: []structs.TaskKind{structs.NewTaskKind(structs.ConnectProxyPrefix, "bar-service1")}}
try(t, "", u, consul.ExampleOperatorTokenID2, errors.New(`insufficient Consul ACL permissions to write Connect service "bar-service1"`))
})
t.Run("operator permissions insufficient", func(t *testing.T) {
try(t, "", usage, consul.ExampleOperatorTokenID3, errors.New(`insufficient Consul ACL permissions to write Connect service "service1"`))
})
t.Run("operator provided no token", func(t *testing.T) {
try(t, "", usage, "", errors.New("missing consul token"))
})
t.Run("operator provided nonsense token", func(t *testing.T) {
try(t, "", usage, "f1682bde-1e71-90b1-9204-85d35467ba61", errors.New("unable to read consul token: no such token"))
})
})
}


@@ -34,7 +34,6 @@ func (c *Consul) Validate() error {
// noting which connect services and normal services will be registered, and
// whether the keystore will be read via template.
type ConsulUsage struct {
Kinds []TaskKind
Services []string
KV bool
}
@@ -45,8 +44,6 @@ func (cu *ConsulUsage) Used() bool {
switch {
case cu.KV:
return true
case len(cu.Kinds) > 0:
return true
case len(cu.Services) > 0:
return true
}