From ff46118616aab973d6cc9585939be29be820199a Mon Sep 17 00:00:00 2001
From: jkoberg
Date: Thu, 10 Aug 2023 13:17:08 +0200
Subject: [PATCH] check service user in decomposedfs

Signed-off-by: jkoberg
---
 pkg/storage/utils/decomposedfs/node/node.go | 4 ++++
 pkg/utils/grpc.go | 7 ++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/pkg/storage/utils/decomposedfs/node/node.go b/pkg/storage/utils/decomposedfs/node/node.go
index a3e31ee90b3..ae73eac27d7 100644
--- a/pkg/storage/utils/decomposedfs/node/node.go
+++ b/pkg/storage/utils/decomposedfs/node/node.go
@@ -974,6 +974,10 @@ func (n *Node) ReadUserPermissions(ctx context.Context, u *userpb.User) (ap prov
 return OwnerPermissions(), false, nil
 }
 
+ if u.Id.GetOpaqueId() == "service-user-id" {
+ return OwnerPermissions(), false, nil
+ }
+
 ap = provider.ResourcePermissions{}
 
 // for an efficient group lookup convert the list of groups to a map
diff --git a/pkg/utils/grpc.go b/pkg/utils/grpc.go
index 2088aa9bbb0..40b9320d986 100644
--- a/pkg/utils/grpc.go
+++ b/pkg/utils/grpc.go
@@ -36,6 +36,7 @@ func GetUser(userID *user.UserId, gwc gateway.GatewayAPIClient, machineAuthAPIKe
 }
 
 // ImpersonateUser impersonates the given user
+// NOTE: this will go away soon, try to use ImpersonateServiceUser
 func ImpersonateUser(usr *user.User, gwc gateway.GatewayAPIClient, machineAuthAPIKey string) (context.Context, error) {
 if true {
 return ImpersonateServiceUser("service-user-id", gwc, "secret-string")
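Review bot: The added branch in ReadUserPermissions grants OwnerPermissions() on every node to any user whose opaque id equals the literal "service-user-id"; it looks at neither the id's type nor its idp, so the grant rests on a guessable string rather than on how the caller authenticated. If opaque ids are not guaranteed unique across identity providers (not visible from this hunk), an ordinary account carrying that id would be treated as owner everywhere. I would tie the check to the service user type and a configured id, for example `if id := u.GetId(); id.GetType() == userpb.UserType_USER_TYPE_SERVICE && id.GetOpaqueId() == serviceUserID {`, where `serviceUserID` is a placeholder for a value read from configuration; the nil-safe getters also avoid relying on `u.Id` being set. The function starts and ends outside the hunk, so an earlier nil check on `u` cannot be confirmed from here.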
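Review bot: The new NOTE on ImpersonateUser understates what the function does on the new side: the `if true` branch right below it returns `ImpersonateServiceUser("service-user-id", gwc, "secret-string")`, so `usr` and `machineAuthAPIKey` are ignored and a fixed service credential sits in source. Every caller therefore acts as the service user, which together with the owner-permission shortcut in node.go widens what those callers may touch. I would word the comment as `// Deprecated: use ImpersonateServiceUser; this currently ignores usr and machineAuthAPIKey.` so tooling surfaces it, and pass the service account id and secret in from configuration instead of literals. The function body continues outside the hunk.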
@@ -57,12 +58,12 @@ func ImpersonateUser(usr *user.User, gwc gateway.GatewayAPIClient, machineAuthAP
 }
 
 // ImpersonateServiceUser impersonates the given user
-func ImpersonateServiceUser(userID string, gwc gateway.GatewayAPIClient, machineAuthAPIKey string) (context.Context, error) {
+func ImpersonateServiceUser(serviceUserID string, gwc gateway.GatewayAPIClient, serviceUserSecret string) (context.Context, error) {
 ctx := context.Background()
 authRes, err := gwc.Authenticate(ctx, &gateway.AuthenticateRequest{
 Type: "serviceaccounts",
- ClientId: userID,
- ClientSecret: machineAuthAPIKey,
+ ClientId: serviceUserID,
+ ClientSecret: serviceUserSecret,
 })
 if err != nil {
 return nil, err