INFRA-18634: Add logging when default acl policy is about to be checked #608

Merged
merged 1 commit into from
Oct 10, 2024
4 changes: 2 additions & 2 deletions acl/acl_test.go
Expand Up @@ -3290,7 +3290,7 @@ func TestACL(t *testing.T) {
run := func(t *testing.T, tcase aclTest, defaultPolicy Authorizer) {
acl := defaultPolicy
for _, policy := range tcase.policyStack {
newACL, err := NewPolicyAuthorizerWithDefaults(acl, []*Policy{policy}, nil)
newACL, err := NewPolicyAuthorizerWithDefaults(acl, []*Policy{policy}, nil, nil)
require.NoError(t, err)
acl = newACL
}
Expand Down Expand Up @@ -3493,7 +3493,7 @@ func TestACL_ReadAll(t *testing.T) {
policy, err := NewPolicyFromSource(rules, nil, nil)
require.NoError(t, err)

acl, err := NewPolicyAuthorizerWithDefaults(defaultPolicy, []*Policy{policy}, nil)
acl, err := NewPolicyAuthorizerWithDefaults(defaultPolicy, []*Policy{policy}, nil, nil)
require.NoError(t, err)

check(t, acl, "", nil)
6 changes: 4 additions & 2 deletions acl/authorizer.go
Expand Up @@ -6,6 +6,8 @@ package acl
import (
"fmt"
"strings"

"github.com/hashicorp/go-hclog"
)

type EnforcementDecision int
Expand Down Expand Up @@ -672,11 +674,11 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx

// NewAuthorizerFromRules is a convenience function to invoke NewPolicyFromSource followed by NewPolicyAuthorizer with
// the parse policy.
func NewAuthorizerFromRules(rules string, conf *Config, meta *EnterprisePolicyMeta) (Authorizer, error) {
func NewAuthorizerFromRules(rules string, conf *Config, meta *EnterprisePolicyMeta, logger hclog.Logger) (Authorizer, error) {
policy, err := NewPolicyFromSource(rules, conf, meta)
if err != nil {
return nil, err
}

return NewPolicyAuthorizer([]*Policy{policy}, conf)
return NewPolicyAuthorizer([]*Policy{policy}, conf, logger)
}
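Review bot: The doc comment above NewAuthorizerFromRules is not updated for the new logger parameter; it should state whether nil is accepted, e.g. `// logger may be nil, in which case the policy authorizer creates a default logger.` (the nil handling itself is in newPolicyAuthorizerFromRules, outside this hunk). Since this is an exported signature, any caller outside the acl package would also need updating; none appears in this PR, which only touches the package's own tests and the agent test helper.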
55 changes: 51 additions & 4 deletions acl/policy_authorizer.go
Expand Up @@ -5,6 +5,7 @@ package acl

import (
"github.com/armon/go-radix"
"github.com/hashicorp/go-hclog"
)

type policyAuthorizer struct {
Expand Down Expand Up @@ -57,6 +58,8 @@ type policyAuthorizer struct {

// embedded enterprise policy authorizer
enterprisePolicyAuthorizer

logger hclog.Logger
}

// policyAuthorizerRule is a struct to hold an ACL policy decision along
Expand Down Expand Up @@ -388,13 +391,16 @@ func (p *policyAuthorizer) loadRules(policy *PolicyRules) error {
return nil
}

func newPolicyAuthorizer(policies []*Policy, ent *Config) (*policyAuthorizer, error) {
func newPolicyAuthorizer(policies []*Policy, ent *Config, logger hclog.Logger) (*policyAuthorizer, error) {
policy := MergePolicies(policies)

return newPolicyAuthorizerFromRules(&policy.PolicyRules, ent)
return newPolicyAuthorizerFromRules(&policy.PolicyRules, ent, logger)
}

func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *Config) (*policyAuthorizer, error) {
func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *Config, logger hclog.Logger) (*policyAuthorizer, error) {
if logger == nil {
logger = hclog.New(&hclog.LoggerOptions{})
}
p := &policyAuthorizer{
agentRules: radix.New(),
identityRules: radix.New(),
Expand All @@ -406,6 +412,7 @@ func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *Config) (*policyAutho
sessionRules: radix.New(),
eventRules: radix.New(),
preparedQueryRules: radix.New(),
logger: logger.Named("PolicyAuthorizer"),
}

p.enterprisePolicyAuthorizer.init(ent)
Expand Down Expand Up @@ -523,6 +530,7 @@ func (p *policyAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
if p.aclRule != nil {
return enforce(p.aclRule.access, AccessRead)
}
p.logger.Info("Checking default ACLRead")
return Default
}

Expand All @@ -531,6 +539,7 @@ func (p *policyAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
if p.aclRule != nil {
return enforce(p.aclRule.access, AccessWrite)
}
p.logger.Info("Checking default ACLWrite")
return Default
}

Expand All @@ -540,6 +549,7 @@ func (p *policyAuthorizer) AgentRead(node string, _ *AuthorizerContext) Enforcem
if rule, ok := getPolicy(node, p.agentRules); ok {
return enforce(rule.access, AccessRead)
}
p.logger.Info("Checking default AgentRead", "node", node)
return Default
}

Expand All @@ -549,6 +559,7 @@ func (p *policyAuthorizer) AgentWrite(node string, _ *AuthorizerContext) Enforce
if rule, ok := getPolicy(node, p.agentRules); ok {
return enforce(rule.access, AccessWrite)
}
p.logger.Info("Checking default AgentWrite", "node", node)
return Default
}

Expand All @@ -557,6 +568,7 @@ func (p *policyAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision {
if p.aclRule != nil {
return enforce(p.aclRule.access, AccessWrite)
}
p.logger.Info("Checking default Snapshot")
return Default
}

Expand All @@ -566,6 +578,7 @@ func (p *policyAuthorizer) EventRead(name string, _ *AuthorizerContext) Enforcem
if rule, ok := getPolicy(name, p.eventRules); ok {
return enforce(rule.access, AccessRead)
}
p.logger.Info("Checking default EventRead", "event", name)
return Default
}

Expand All @@ -575,6 +588,7 @@ func (p *policyAuthorizer) EventWrite(name string, _ *AuthorizerContext) Enforce
if rule, ok := getPolicy(name, p.eventRules); ok {
return enforce(rule.access, AccessWrite)
}
p.logger.Info("Checking default EventWrite", "event", name)
return Default
}

Expand All @@ -583,6 +597,7 @@ func (p *policyAuthorizer) IdentityRead(name string, _ *AuthorizerContext) Enfor
if rule, ok := getPolicy(name, p.identityRules); ok {
return enforce(rule.access, AccessRead)
}
p.logger.Info("Checking default IdentityRead", "name", name)
return Default
}

Expand All @@ -597,18 +612,21 @@ func (p *policyAuthorizer) IdentityWrite(name string, _ *AuthorizerContext) Enfo
if rule, ok := getPolicy(name, p.identityRules); ok {
return enforce(rule.access, AccessWrite)
}
p.logger.Info("Checking default IdentityWrite", "name", name)
return Default
}

// IdentityWriteAny checks for write permission on any workload identity.
func (p *policyAuthorizer) IdentityWriteAny(_ *AuthorizerContext) EnforcementDecision {
p.logger.Info("Checking default IdentityWriteAny")
return p.anyAllowed(p.identityRules, AccessWrite)
}

// IntentionDefaultAllow returns whether the default behavior when there are
// no matching intentions is to allow or deny.
func (p *policyAuthorizer) IntentionDefaultAllow(_ *AuthorizerContext) EnforcementDecision {
// We always go up, this can't be determined by a policy.
p.logger.Info("Checking default IntentionDefaultAllow")
return Default
}

Expand All @@ -621,6 +639,7 @@ func (p *policyAuthorizer) IntentionRead(prefix string, _ *AuthorizerContext) En
if rule, ok := getPolicy(prefix, p.intentionRules); ok {
return enforce(rule.access, AccessRead)
}
p.logger.Info("Checking default IntentionRead", "prefix", prefix)
return Default
}

Expand All @@ -634,6 +653,7 @@ func (p *policyAuthorizer) IntentionWrite(prefix string, _ *AuthorizerContext) E
if rule, ok := getPolicy(prefix, p.intentionRules); ok {
return enforce(rule.access, AccessWrite)
}
p.logger.Info("Checking default IntentionWrite", "prefix", prefix)
return Default
}

Expand All @@ -646,6 +666,7 @@ func (p *policyAuthorizer) TrafficPermissionsRead(prefix string, _ *AuthorizerCo
if rule, ok := getPolicy(prefix, p.trafficPermissionsRules); ok {
return enforce(rule.access, AccessRead)
}
p.logger.Info("Checking default TrafficPermissionsRead", "prefix", prefix)
return Default
}

Expand All @@ -659,6 +680,7 @@ func (p *policyAuthorizer) TrafficPermissionsWrite(prefix string, _ *AuthorizerC
if rule, ok := getPolicy(prefix, p.trafficPermissionsRules); ok {
return enforce(rule.access, AccessWrite)
}
p.logger.Info("Checking default TrafficPermissionsWrite", "prefix", prefix)
return Default
}

Expand All @@ -667,6 +689,7 @@ func (p *policyAuthorizer) KeyRead(key string, _ *AuthorizerContext) Enforcement
if rule, ok := getPolicy(key, p.keyRules); ok {
return enforce(rule.access, AccessRead)
}
p.logger.Info("Checking default KeyRead", "key", key)
return Default
}

Expand All @@ -675,6 +698,7 @@ func (p *policyAuthorizer) KeyList(key string, _ *AuthorizerContext) Enforcement
if rule, ok := getPolicy(key, p.keyRules); ok {
return enforce(rule.access, AccessList)
}
p.logger.Info("Checking default KeyList", "key", key)
return Default
}

Expand All @@ -687,6 +711,7 @@ func (p *policyAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) Enfor
}
return decision
}
p.logger.Info("Checking default KeyWrite", "key", key)
return Default
}

Expand Down Expand Up @@ -769,6 +794,9 @@ func (p *policyAuthorizer) KeyWritePrefix(prefix string, _ *AuthorizerContext) E
// either Default or Allow at this point. Allow if there was a prefix rule
// that was applicable and it granted write access. Default if there was
// no applicable rule.
if baseAccess == Default {
p.logger.Info("Checking default KeyWritePrefix")
}
return baseAccess
}

Expand All @@ -778,6 +806,7 @@ func (p *policyAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
if p.keyringRule != nil {
return enforce(p.keyringRule.access, AccessRead)
}
p.logger.Info("Checking default KeyringRead")
return Default
}

Expand All @@ -786,6 +815,7 @@ func (p *policyAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision
if p.keyringRule != nil {
return enforce(p.keyringRule.access, AccessWrite)
}
p.logger.Info("Checking default KeyringWrite")
return Default
}

Expand Down Expand Up @@ -832,6 +862,7 @@ func (p *policyAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision
if p.operatorRule != nil {
return enforce(p.operatorRule.access, AccessRead)
}
p.logger.Info("Checking default OperatorRead")
return Default
}

Expand All @@ -841,6 +872,7 @@ func (p *policyAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision
if p.operatorRule != nil {
return enforce(p.operatorRule.access, AccessWrite)
}
p.logger.Info("Checking default OperatorWrite")
return Default
}

Expand All @@ -860,6 +892,7 @@ func (p *policyAuthorizer) NodeRead(name string, ctx *AuthorizerContext) Enforce
if rule, ok := getPolicy(name, p.nodeRules); ok {
return enforce(rule.access, AccessRead)
}
p.logger.Info("Checking default NodeRead", "name", name)
return Default
}

Expand All @@ -872,6 +905,7 @@ func (p *policyAuthorizer) NodeWrite(name string, _ *AuthorizerContext) Enforcem
if rule, ok := getPolicy(name, p.nodeRules); ok {
return enforce(rule.access, AccessWrite)
}
p.logger.Info("Checking default NodeWrite", "name", name)
return Default
}

Expand All @@ -881,6 +915,7 @@ func (p *policyAuthorizer) PreparedQueryRead(prefix string, _ *AuthorizerContext
if rule, ok := getPolicy(prefix, p.preparedQueryRules); ok {
return enforce(rule.access, AccessRead)
}
p.logger.Info("Checking default PreparedQueryRead", "prefix", prefix)
return Default
}

Expand All @@ -890,6 +925,7 @@ func (p *policyAuthorizer) PreparedQueryWrite(prefix string, _ *AuthorizerContex
if rule, ok := getPolicy(prefix, p.preparedQueryRules); ok {
return enforce(rule.access, AccessWrite)
}
p.logger.Info("Checking default PreparedQueryWrite", "prefix", prefix)
return Default
}

Expand All @@ -909,11 +945,16 @@ func (p *policyAuthorizer) ServiceRead(name string, ctx *AuthorizerContext) Enfo
if rule, ok := getPolicy(name, p.serviceRules); ok {
return enforce(rule.access, AccessRead)
}
p.logger.Info("Checking default ServiceRead", "name", name)
return Default
}

func (p *policyAuthorizer) ServiceReadAll(_ *AuthorizerContext) EnforcementDecision {
return p.allAllowed(p.serviceRules, AccessRead)
d := p.allAllowed(p.serviceRules, AccessRead)
if d == Default {
p.logger.Info("Checking default ServiceReadAll")
}
return d
}

// ServiceReadPrefix determines whether service read is allowed within the given prefix.
Expand Down Expand Up @@ -969,6 +1010,9 @@ func (p *policyAuthorizer) ServiceReadPrefix(prefix string, _ *AuthorizerContext
return false
})

if access == Default {
p.logger.Info("Checking default ServiceReadPrefix", "prefix", prefix)
}
return access
}

Expand All @@ -977,6 +1021,7 @@ func (p *policyAuthorizer) ServiceWrite(name string, _ *AuthorizerContext) Enfor
if rule, ok := getPolicy(name, p.serviceRules); ok {
return enforce(rule.access, AccessWrite)
}
p.logger.Info("Checking default ServiceReadAll", "name", name)
return Default
}

Expand All @@ -989,6 +1034,7 @@ func (p *policyAuthorizer) SessionRead(node string, _ *AuthorizerContext) Enforc
if rule, ok := getPolicy(node, p.sessionRules); ok {
return enforce(rule.access, AccessRead)
}
p.logger.Info("Checking default SessionRead", "node", node)
return Default
}

Expand All @@ -998,6 +1044,7 @@ func (p *policyAuthorizer) SessionWrite(node string, _ *AuthorizerContext) Enfor
if rule, ok := getPolicy(node, p.sessionRules); ok {
return enforce(rule.access, AccessWrite)
}
p.logger.Info("Checking default SessionWrite", "node", node)
return Default
}

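Review bot: The new log line in ServiceWrite reads `Checking default ServiceReadAll` but is emitted from ServiceWrite; it should be `p.logger.Info("Checking default ServiceWrite", "name", name)`. The pattern is also inconsistent: IdentityWriteAny logs unconditionally before calling anyAllowed, whereas ServiceReadAll and ServiceReadPrefix only log when the result is Default, so IdentityWriteAny should capture the result and log only on Default like the other two. Every one of these calls is at Info level on the authorization path and writes resource identifiers (key paths, node, service and identity names) into the log, so a busy cluster will emit a line for each request that falls through to the default policy; Debug or Trace is the usual level for this kind of diagnostic. When the caller passes a nil logger, newPolicyAuthorizerFromRules falls back to `hclog.New(&hclog.LoggerOptions{})`, which defaults to stderr at Info level, so the tests that pass nil will print on every default check; `hclog.NewNullLogger()` would be the quieter default.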
10 changes: 6 additions & 4 deletions acl/policy_authorizer_ce.go
Expand Up @@ -5,6 +5,8 @@

package acl

import "github.com/hashicorp/go-hclog"

// enterprisePolicyAuthorizer stub
type enterprisePolicyAuthorizer struct{}

Expand All @@ -17,14 +19,14 @@ func (authz *enterprisePolicyAuthorizer) enforce(_ *EnterpriseRule, _ *Authorize
}

// NewPolicyAuthorizer merges the policies and returns an Authorizer that will enforce them
func NewPolicyAuthorizer(policies []*Policy, entConfig *Config) (Authorizer, error) {
return newPolicyAuthorizer(policies, entConfig)
func NewPolicyAuthorizer(policies []*Policy, entConfig *Config, logger hclog.Logger) (Authorizer, error) {
return newPolicyAuthorizer(policies, entConfig, logger)
}

// NewPolicyAuthorizerWithDefaults will actually created a ChainedAuthorizer with
// the policies compiled into one Authorizer and the backup policy of the defaultAuthz
func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *Config) (Authorizer, error) {
authz, err := newPolicyAuthorizer(policies, entConfig)
func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *Config, logger hclog.Logger) (Authorizer, error) {
authz, err := newPolicyAuthorizer(policies, entConfig, logger)
if err != nil {
return nil, err
}
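Review bot: The doc comments on NewPolicyAuthorizer and NewPolicyAuthorizerWithDefaults do not describe the new logger parameter or say that nil is accepted; add e.g. `// logger may be nil; a default logger is then created.` to each. The file's _ce suffix suggests an enterprise counterpart with the same exported signatures exists outside this PR and would need the matching change, though that cannot be confirmed from the diff.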
2 changes: 1 addition & 1 deletion acl/policy_authorizer_test.go
Expand Up @@ -787,7 +787,7 @@ func TestPolicyAuthorizer(t *testing.T) {
name := name
tcase := tcase
t.Run(name, func(t *testing.T) {
authz, err := NewPolicyAuthorizer([]*Policy{tcase.policy}, nil)
authz, err := NewPolicyAuthorizer([]*Policy{tcase.policy}, nil, nil)
require.NoError(t, err)

for _, check := range tcase.checks {
2 changes: 1 addition & 1 deletion agent/acl_test.go
Expand Up @@ -185,7 +185,7 @@ func TestACL_Version8EnabledByDefault(t *testing.T) {
}

func authzFromPolicy(policy *acl.Policy, cfg *acl.Config) (acl.Authorizer, error) {
return acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, cfg)
return acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, cfg, nil)
}

type testTokenRules struct {