gopkg.in/hashicorp/nomad.v0@v0.11.8/nomad/acl.go (about) 1 package nomad 2 3 import ( 4 "time" 5 6 metrics "github.com/armon/go-metrics" 7 lru "github.com/hashicorp/golang-lru" 8 "github.com/hashicorp/nomad/acl" 9 "github.com/hashicorp/nomad/nomad/state" 10 "github.com/hashicorp/nomad/nomad/structs" 11 ) 12 13 // ResolveToken is used to translate an ACL Token Secret ID into 14 // an ACL object, nil if ACLs are disabled, or an error. 15 func (s *Server) ResolveToken(secretID string) (*acl.ACL, error) { 16 // Fast-path if ACLs are disabled 17 if !s.config.ACLEnabled { 18 return nil, nil 19 } 20 defer metrics.MeasureSince([]string{"nomad", "acl", "resolveToken"}, time.Now()) 21 22 // Check if the secret ID is the leader secret ID, in which case treat it as 23 // a management token. 24 if leaderAcl := s.getLeaderAcl(); leaderAcl != "" && secretID == leaderAcl { 25 return acl.ManagementACL, nil 26 } 27 28 // Snapshot the state 29 snap, err := s.fsm.State().Snapshot() 30 if err != nil { 31 return nil, err 32 } 33 34 // Resolve the ACL 35 return resolveTokenFromSnapshotCache(snap, s.aclCache, secretID) 36 } 37 38 // resolveTokenFromSnapshotCache is used to resolve an ACL object from a snapshot of state, 39 // using a cache to avoid parsing and ACL construction when possible. It is split from resolveToken 40 // to simplify testing. 41 func resolveTokenFromSnapshotCache(snap *state.StateSnapshot, cache *lru.TwoQueueCache, secretID string) (*acl.ACL, error) { 42 // Lookup the ACL Token 43 var token *structs.ACLToken 44 var err error 45 46 // Handle anonymous requests 47 if secretID == "" { 48 token = structs.AnonymousACLToken 49 } else { 50 token, err = snap.ACLTokenBySecretID(nil, secretID) 51 if err != nil { 52 return nil, err 53 } 54 if token == nil { 55 return nil, structs.ErrTokenNotFound 56 } 57 } 58 59 // Check if this is a management token 60 if token.Type == structs.ACLManagementToken { 61 return acl.ManagementACL, nil 62 } 63 64 // Get all associated policies 65 policies := make([]*structs.ACLPolicy, 0, len(token.Policies)) 66 for _, policyName := range token.Policies { 67 policy, err := snap.ACLPolicyByName(nil, policyName) 68 if err != nil { 69 return nil, err 70 } 71 if policy == nil { 72 // Ignore policies that don't exist, since they don't grant any more privilege 73 continue 74 } 75 76 // Save the policy and update the cache key 77 policies = append(policies, policy) 78 } 79 80 // Compile and cache the ACL object 81 aclObj, err := structs.CompileACLObject(cache, policies) 82 if err != nil { 83 return nil, err 84 } 85 return aclObj, nil 86 } 87 88 // ResolveSecretToken is used to translate an ACL Token Secret ID into 89 // an ACLToken object, nil if ACLs are disabled, or an error. 90 func (s *Server) ResolveSecretToken(secretID string) (*structs.ACLToken, error) { 91 // TODO(Drew) Look into using ACLObject cache or create a separate cache 92 93 // Fast-path if ACLs are disabled 94 if !s.config.ACLEnabled { 95 return nil, nil 96 } 97 defer metrics.MeasureSince([]string{"nomad", "acl", "resolveSecretToken"}, time.Now()) 98 99 snap, err := s.fsm.State().Snapshot() 100 if err != nil { 101 return nil, err 102 } 103 104 // Lookup the ACL Token 105 var token *structs.ACLToken 106 // Handle anonymous requests 107 if secretID == "" { 108 token = structs.AnonymousACLToken 109 } else { 110 token, err = snap.ACLTokenBySecretID(nil, secretID) 111 if err != nil { 112 return nil, err 113 } 114 if token == nil { 115 return nil, structs.ErrTokenNotFound 116 } 117 } 118 119 return token, nil 120 }