feat: use different consul service policy rule for service role (#4104)

* feat: use different consul service policy for each service role Closes: #3257` * fix: add consul KV ACL restriction per service and remove service's agent related access rights * fix: address Lenny's feedback comment Signed-off-by: Jim Wang (Intel) <yutsung.jim.wang@intel.com>
edgexfoundry · Jul 28, 2022 · 85bfaaf · 85bfaaf
1 parent 062af8d
commit 85bfaaf
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 11 deletions.
diff --git a/internal/constants.go b/internal/constants.go
@@ -18,9 +18,12 @@ const (
 	BootTimeoutSecondsDefault = 30
 	BootRetrySecondsDefault   = 1
 	ConfigFileName            = "configuration.toml"
-	ConfigStemCore            = "edgex/core/"
-	ConfigStemSecurity        = "edgex/security/"
-	LogDurationKey            = "duration"
+	// TODO: move the config stem constants in go-mod-contracts
+	ConfigStemApp      = "edgex/appservices/"
+	ConfigStemCore     = "edgex/core/"
+	ConfigStemDevice   = "edgex/devices/"
+	ConfigStemSecurity = "edgex/security/"
+	LogDurationKey     = "duration"
 )
 
 const (

diff --git a/internal/security/bootstrapper/command/setupacl/command.go b/internal/security/bootstrapper/command/setupacl/command.go
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright 2021 Intel Corporation
+ * Copyright 2022 Intel Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License. You may obtain a copy of the License at
@@ -38,6 +38,7 @@ import (
 	"github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/helper"
 	"github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/interfaces"
 
+	baseBootStrapConfig "github.com/edgexfoundry/go-mod-bootstrap/v2/bootstrap/config"
 	"github.com/edgexfoundry/go-mod-bootstrap/v2/bootstrap/startup"
 
 	"github.com/edgexfoundry/go-mod-secrets/v2/pkg"
@@ -249,23 +250,42 @@ func (c *cmd) saveACLTokens(bootstrapACLToken *BootStrapACLTokenInfo) error {
 	return nil
 }
 
-// createEdgeXACLTokenRoles creates secret store roles that can be used for genearting registry tokens
+// createEdgeXACLTokenRoles creates secret store roles that can be used for generating registry tokens
 // via Consul secret engine API /consul/creds/[role_name] later on for all EdgeX microservices
 func (c *cmd) createEdgeXACLTokenRoles(bootstrapACLTokenID, secretstoreToken string) error {
-	edgexServicePolicy, err := c.getOrCreateRegistryPolicy(bootstrapACLTokenID, edgeXServicePolicyName, edgeXPolicyRules)
-	if err != nil {
-		return fmt.Errorf("failed to create edgex service policy: %v", err)
-	}
-
 	roleNames, err := c.getUniqueRoleNames()
 	if err != nil {
 		return fmt.Errorf("failed to get unique role names: %v", err)
 	}
 
 	// create registry roles for EdgeX
 	for roleName := range roleNames {
+		// create policy for each service role
+		servicePolicyRules := `
+			# HCL definition of server agent policy for EdgeX
+			node "" {
+				policy = "read"
+			}
+			node_prefix "edgex" {
+				policy = "write"
+			}
+			service "` + roleName + `" {
+				policy = "write"
+			}
+			service_prefix "" {
+				policy = "read"
+			}
+			key_prefix "` + c.getKeyPrefix(roleName) + `" {
+				policy = "write"
+			}
+		`
+
+		edgexServicePolicy, err := c.getOrCreateRegistryPolicy(bootstrapACLTokenID, "acl_policy_for_"+roleName, servicePolicyRules)
+		if err != nil {
+			return fmt.Errorf("failed to create edgex service policy: %v", err)
+		}
+
 		// create roles based on the service keys as the role names
-		// in phase 2, we are using the same policy rule for all services
 		edgexACLTokenRole := NewRegistryRole(roleName, ClientType, []Policy{
 			*edgexServicePolicy,
 			// localUse set to false as some EdgeX services may be running in a different node
@@ -280,6 +300,22 @@ func (c *cmd) createEdgeXACLTokenRoles(bootstrapACLTokenID, secretstoreToken str
 	return nil
 }
 
+// getKeyPrefix get the consul ACL key prefix for the service with the input roleName, ie. the service key-based
+// Currently we support 2 types of custom services: app and device services
+// if the input role name does not fall into the above two types, then it is categorized into core type for the key prefix
+func (c *cmd) getKeyPrefix(roleName string) string {
+	if strings.HasPrefix(roleName, "app-") {
+		return internal.ConfigStemApp + baseBootStrapConfig.ConfigVersion + "/" + roleName
+	}
+
+	if strings.HasPrefix(roleName, "device-") {
+		return internal.ConfigStemDevice + baseBootStrapConfig.ConfigVersion + "/" + roleName
+	}
+
+	// anything else falls into the 3rd category: core bucket
+	return internal.ConfigStemCore + baseBootStrapConfig.ConfigVersion + "/" + roleName
+}
+
 func (c *cmd) getUniqueRoleNames() (map[string]struct{}, error) {
 	roleNamesFromConfig := c.configuration.StageGate.Registry.ACL.GetACLRoleNames()
 	if len(roleNamesFromConfig) == 0 {