Replication token needs acl write on all ns's #370
@@ -233,6 +232,7 @@ node_prefix "" { | |||
{{- if .EnableNamespaces }} | |||
namespace_prefix "" { | |||
{{- end }} | |||
acl = "write" |
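Review bot: The `acl = "write"` line sits after `{{- end }}`, so it is rendered whether or not `.EnableNamespaces` is set, while only the `namespace_prefix "" {` opener is conditional in the lines shown. The closing brace for that block is not visible in this hunk; please confirm it is gated by the same `{{- if .EnableNamespaces }}` so the rendered policy stays balanced with namespaces off. A short template comment stating that the rule grants ACL write in every namespace when the wrapper is present would also help, since that breadth is easy to miss when reading the template.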
The key is here. Moving this inside the `namespace_prefix ""` block.
Does `namespace_prefix ""` mean the token created from these rules has that permission for any namespace?
Yes, exactly. If it was `namespace "blah"` then it would be only for `blah`, and if it was `namespace_prefix "blah-"` it would be for `blah-.*`
🦊
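The scoping discussed in this thread, as an added example that is not code from the PR or the project: a constructed template fragment modelled on the hunk is rendered with namespaces off and on, and the block enclosing `acl = "write"` is matched against namespace names. The gated closing brace and the helper names `renderRules`, `aclBlock` and `covers` are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Constructed fragment modelled on the hunk; the gated closing brace is assumed.
const rulesTpl = `{{- if .EnableNamespaces }}
namespace_prefix "" {
{{- end }}
  acl = "write"
{{- if .EnableNamespaces }}
}
{{- end }}`

// renderRules renders the fragment for one value of EnableNamespaces.
func renderRules(enable bool) string {
	var buf strings.Builder
	t := template.Must(template.New("rules").Parse(rulesTpl))
	template.Must(t, t.Execute(&buf, map[string]bool{"EnableNamespaces": enable})) // panics on render error
	return strings.TrimSpace(buf.String())
}

// aclBlock returns the header of the block enclosing `acl = "write"`, or "" at top level.
func aclBlock(rules string) string {
	var stack []string
	for _, line := range strings.Split(rules, "\n") {
		switch l := strings.TrimSpace(line); {
		case strings.HasSuffix(l, "{"):
			stack = append(stack, strings.TrimSpace(strings.TrimSuffix(l, "{")))
		case l == "}" && len(stack) > 0:
			stack = stack[:len(stack)-1]
		case l == `acl = "write"` && len(stack) > 0:
			return stack[len(stack)-1]
		}
	}
	return ""
}

// covers: namespace "x" is exact; namespace_prefix "p" matches names starting with p ("" = all).
func covers(header, ns string) bool {
	kind, val, _ := strings.Cut(strings.ReplaceAll(header, `"`, ""), " ")
	return (kind == "namespace_prefix" && strings.HasPrefix(ns, val)) || (kind == "namespace" && val == ns)
}

func main() {
	fmt.Printf("off: %q\non: %q\n", aclBlock(renderRules(false)), aclBlock(renderRules(true)))
}
```

With namespaces off the rule renders at the top level of the policy; with namespaces on it is wrapped in `namespace_prefix ""`, which `covers` matches against every namespace name.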
If namespaces are enabled, the replication token will need to be able to replicate all tokens and policies from all namespaces. Without this functionality, users won't be able to use namespaced tokens/policies/roles in secondary datacenters (since they won't be replicated).
Fixes #364
How I've tested this PR:
luke
luke
:curl -H "X-Consul-Token: 5207f7dd-cfb0-7d7f-b0a5-964295bcb3a1" -k https://localhost:8501/v1/acl/token/self ACL not found
namespace_prefix ""
How I expect reviewers to test this PR:
Checklist: