feat: use different consul service policy rule for service role #4104
Closes: edgexfoundry#3257 Signed-off-by: Jim Wang (Intel) <yutsung.jim.wang@intel.com>
LGTM, but not expert in this area. Will defer to @bnevis-i
Discussed with Bryon, @bnevis-i, and we put this on hold in draft because there is no clean way to determine the dynamic structure for key-prefix from the security-bootstrapper point of view:
…gent related access rights Signed-off-by: Jim Wang (Intel) <yutsung.jim.wang@intel.com>
Signed-off-by: Jim Wang (Intel) <yutsung.jim.wang@intel.com>
Kudos, SonarCloud Quality Gate passed! 0 Bugs, No Coverage information
LGTM, deferring to @bnevis-i for final approval
LGTM. Does exactly what I expect it to do.
Closes: #3257
Signed-off-by: Jim Wang (Intel) yutsung.jim.wang@intel.com
Testing Instructions
1. `git clone` this branch and build the security-bootstrapper docker image: `make docker_security_bootstrapper`
2. Go to the `edgex-compose` repo and use this locally built image for security-bootstrapper in the docker-compose file, i.e. `make gen dev`, or run it with `make run dev`.
3. Run it up with docker-compose or `make run dev`.
4. Once the stack is up, obtain the consul admin token via `make get-consul-acl-token`; we will use it to verify that policies and tokens were generated by logging into the Consul UI and checking them. Use the consul admin token to log in to Consul in any browser at http://localhost:8500
5. After login, go to the Policy view (click on the `Policies` hyperlink on the left panel) and check that policies were generated for all services, something like the following:
6. Then go to the Token view (click on the `Tokens` hyperlink on the left panel) and check that consul tokens were generated per service policy:
7. Now we can test that the key-value store is only accessible to its own service from the kv API point of view: copy app-http-export's consul token, export it, and then use it to read some key of its own:
8. As we can see, its own consul token works for kv read; now we can also test kv write for its own key:
9. So kv read is permission denied when we use another service's consul token to read it:
10. Again, the kv write permission is denied, as we intended.
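The allow/deny matrix that steps 7 to 10 check by hand can also be reasoned about offline. The following added example (not code from this PR or from edgex-go) models how Consul evaluates `key_prefix` ACL rules, longest matching prefix wins and anything unmatched is denied, and builds one per-service policy in the spirit of this PR; the `edgex/core/2.0/<service>/` key layout, the single-policy-per-token simplification and the absence of exact `key` rules are assumptions for illustration.

```python
# Offline model of Consul key_prefix ACL evaluation (added example, not edgex-go code).
# ASSUMPTION: key layout edgex/core/2.0/<service>/..., one policy per token, no
# exact `key` rules; real prefixes come from each service's configuration.
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Subset of a Consul ACL policy: key_prefix rules only."""
    name: str
    key_prefix: dict = field(default_factory=dict)  # prefix -> "read" | "write" | "deny"


# Operations each Consul policy level grants (write implies read).
GRANTS = {"deny": set(), "read": {"read"}, "write": {"read", "write"}}


def allowed(policy: Policy, key: str, op: str) -> bool:
    """Consul applies the longest key_prefix that matches the key; no match means deny."""
    matches = [p for p in policy.key_prefix if key.startswith(p)]
    if not matches:
        return False
    level = policy.key_prefix[max(matches, key=len)]
    return op in GRANTS[level]


def service_policy(service: str, key_root: str = "edgex/core/2.0/") -> Policy:
    """Per-service policy as this PR intends: write (and thus read) only on the
    service's own subtree; every other service's subtree stays at the default deny."""
    return Policy(service, {f"{key_root}{service}/": "write"})


def access_matrix(services, key_root: str = "edgex/core/2.0/"):
    """For each (token owner, key owner) pair, report (can_read, can_write)
    on a constructed sample key under the key owner's subtree."""
    policies = {s: service_policy(s, key_root) for s in services}
    matrix = {}
    for owner, pol in policies.items():
        for target in services:
            key = f"{key_root}{target}/Writable/LogLevel"  # constructed sample key
            matrix[(owner, target)] = (allowed(pol, key, "read"), allowed(pol, key, "write"))
    return matrix


if __name__ == "__main__":
    for (owner, target), (r, w) in access_matrix(["app-http-export", "core-data"]).items():
        print(f"{owner:16} token on {target:16} key: read={r} write={w}")
```

A real Consul deployment is still the authority: after changing the bootstrapper's policy template, re-run steps 7 to 10 against the running stack rather than trusting the model alone.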