Commit
139a3ee3
authored
6 years ago
by
Mahmood Ali
log exec for forensics
parent
f028c2cb
Showing
2 changed files
client/acl.go
+12
-7
client/acl.go
client/alloc_endpoint.go
+23
-1
client/alloc_endpoint.go
with
35 additions
and
8 deletions
+35
-8
client/acl.go
+
12
-
7
...
...
@@ -70,38 +70,43 @@ func (c *cachedACLValue) Age() time.Duration {
// ResolveToken is used to translate an ACL Token Secret ID into
// an ACL object, nil if ACLs are disabled, or an error.
func
(
c
*
Client
)
ResolveToken
(
secretID
string
)
(
*
acl
.
ACL
,
error
)
{
a
,
_
,
err
:=
c
.
resolveTokenAndACL
(
secretID
)
return
a
,
err
}
func
(
c
*
Client
)
resolveTokenAndACL
(
secretID
string
)
(
*
acl
.
ACL
,
*
structs
.
ACLToken
,
error
)
{
// Fast-path if ACLs are disabled
if
!
c
.
config
.
ACLEnabled
{
return
nil
,
nil
return
nil
,
nil
,
nil
}
defer
metrics
.
MeasureSince
([]
string
{
"client"
,
"acl"
,
"resolve_token"
},
time
.
Now
())
// Resolve the token value
token
,
err
:=
c
.
resolveTokenValue
(
secretID
)
if
err
!=
nil
{
return
nil
,
err
return
nil
,
nil
,
err
}
if
token
==
nil
{
return
nil
,
structs
.
ErrTokenNotFound
return
nil
,
nil
,
structs
.
ErrTokenNotFound
}
// Check if this is a management token
if
token
.
Type
==
structs
.
ACLManagementToken
{
return
acl
.
ManagementACL
,
nil
return
acl
.
ManagementACL
,
token
,
nil
}
// Resolve the policies
policies
,
err
:=
c
.
resolvePolicies
(
token
.
SecretID
,
token
.
Policies
)
if
err
!=
nil
{
return
nil
,
err
return
nil
,
nil
,
err
}
// Resolve the ACL object
aclObj
,
err
:=
structs
.
CompileACLObject
(
c
.
aclCache
,
policies
)
if
err
!=
nil
{
return
nil
,
err
return
nil
,
nil
,
err
}
return
aclObj
,
nil
return
aclObj
,
token
,
nil
}
// resolveTokenValue is used to translate a secret ID into an ACL token with caching
...
...
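Review bot: resolveTokenAndACL is added without a doc comment, and its contract is not obvious from the signature: the disabled-ACL fast path returns a nil ACL and a nil token with no error, while the management-token path returns the token alongside `acl.ManagementACL`. The returned `*structs.ACLToken` is the full token record (the function itself reads `token.SecretID`), so a caller that logs it should pick out only non-secret fields. I would add `// resolveTokenAndACL resolves secretID to its ACL and token; both are nil when ACLs are disabled. The token includes the SecretID, so never log it whole.` above the function.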
client/alloc_endpoint.go
+
23
-
1
...
...
@@ -12,6 +12,7 @@ import (
"github.com/hashicorp/nomad/acl"
cstructs
"github.com/hashicorp/nomad/client/structs"
"github.com/hashicorp/nomad/helper"
"github.com/hashicorp/nomad/helper/uuid"
"github.com/hashicorp/nomad/nomad/structs"
nstructs
"github.com/hashicorp/nomad/nomad/structs"
"github.com/hashicorp/nomad/plugins/drivers"
...
...
@@ -130,8 +131,29 @@ func (a *Allocations) exec(conn io.ReadWriteCloser) {
return
}
aclObj
,
token
,
err
:=
a
.
c
.
resolveTokenAndACL
(
req
.
QueryOptions
.
AuthToken
)
{
// log access
execID
:=
uuid
.
Generate
()
tokenName
,
tokenID
:=
""
,
""
if
token
!=
nil
{
tokenName
,
tokenID
=
token
.
Name
,
token
.
AccessorID
}
a
.
c
.
logger
.
Info
(
"task exec session starting"
,
"exec_id"
,
execID
,
"alloc_id"
,
req
.
AllocID
,
"task"
,
req
.
Task
,
"command"
,
req
.
Cmd
,
"tty"
,
req
.
Tty
,
"access_token_name"
,
tokenName
,
"access_token_id"
,
tokenID
,
)
defer
a
.
c
.
logger
.
Info
(
"task exec session ended"
,
"exec_id"
,
execID
)
}
// Check read permissions
aclObj
,
err
:=
a
.
c
.
ResolveToken
(
req
.
QueryOptions
.
AuthToken
)
if
err
!=
nil
{
handleStreamResultError
(
err
,
nil
,
encoder
)
return
...
...
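Review bot: The "task exec session starting" line is written before `err` from `resolveTokenAndACL` is checked, and before any permission check that follows outside the hunk, so a request with an unknown token or (presumably) insufficient capabilities still produces a starting/ended pair, with empty `access_token_name` and `access_token_id` when the token did not resolve. For forensics that makes a rejected attempt indistinguishable from a session that actually ran. I would keep the attempt record but name it as such, e.g. `"task exec request received"`, declare `execID := uuid.Generate()` outside the bare block, and log `a.c.logger.Info("task exec session authorized", "exec_id", execID)` once the checks pass. `req.Cmd` is logged verbatim, so any secret passed as a command argument ends up in the client log; that deserves a comment at the call. The body of `exec` starts and ends outside the hunk.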