kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-04 09:25:46 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
8ab7ab0db462bee1ab5033efe2bdea330c723809
nomad/client/client_stats_endpoint.go
Tim Gross cbd7248248 auth: use ACLsDisabledACL when ACLs are disabled (#18754) 
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By
using `nil` as a sentinel value, we have the risk of nil pointer exceptions and
improper handling of `nil` when returned from our various auth methods that can
lead to privilege escalation bugs. This is the final patch in a series to
eliminate the use of `nil` ACLs as a sentinel value for when ACLs are disabled.

This patch adds a new virtual ACL policy field for when ACLs are disabled and
updates our authentication logic to use it. Included:

* Extends auth package tests to demonstrate that nil ACLs are treated as failed
  auth and disabled ACLs succeed auth.
* Adds a new `AllowDebug` ACL check for the weird special casing we have for
  pprof debugging when ACLs are disabled.
* Removes the remaining unexported methods (and repeated tests) from the
  `nomad/acl.go` file.
* Update the semgrep rules to detect improper nil ACL checking and remove the
  old invalid ACL checks.
* Update the contributing guide for RPC authentication.

Ref: https://github.com/hashicorp/nomad-enterprise/pull/1218
Ref: https://github.com/hashicorp/nomad/pull/18703
Ref: https://github.com/hashicorp/nomad/pull/18715
Ref: https://github.com/hashicorp/nomad/pull/16799
Ref: https://github.com/hashicorp/nomad/pull/18730
Ref: https://github.com/hashicorp/nomad/pull/18744
2023-10-16 09:30:24 -04:00

34 lines
884 B
Go
Raw Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package client
import (
"time"
metrics "github.com/armon/go-metrics"
"github.com/hashicorp/nomad/client/structs"
nstructs "github.com/hashicorp/nomad/nomad/structs"
)
// ClientStats endpoint is used for retrieving stats about a client
type ClientStats struct {
c *Client
}
// Stats is used to retrieve the Clients stats.
func (s *ClientStats) Stats(args *nstructs.NodeSpecificRequest, reply *structs.ClientStatsResponse) error {
defer metrics.MeasureSince([]string{"client", "client_stats", "stats"}, time.Now())
// Check node read permissions
if aclObj, err := s.c.ResolveToken(args.AuthToken); err != nil {
return err
} else if !aclObj.AllowNodeRead() {
return nstructs.ErrPermissionDenied
}
clientStats := s.c.StatsReporter()
reply.HostStats = clientStats.LatestHostStats()
return nil
}
Reference in New Issue View Git Blame Copy Permalink