Commit 139a3ee3 authored by Mahmood Ali's avatar Mahmood Ali

log exec for forensics

parent f028c2cb
Showing with 35 additions and 8 deletions
+35 -8
......@@ -70,38 +70,43 @@ func (c *cachedACLValue) Age() time.Duration {
// ResolveToken is used to translate an ACL Token Secret ID into
// an ACL object, nil if ACLs are disabled, or an error.
func (c *Client) ResolveToken(secretID string) (*acl.ACL, error) {
a, _, err := c.resolveTokenAndACL(secretID)
return a, err
}
func (c *Client) resolveTokenAndACL(secretID string) (*acl.ACL, *structs.ACLToken, error) {
// Fast-path if ACLs are disabled
if !c.config.ACLEnabled {
return nil, nil
return nil, nil, nil
}
defer metrics.MeasureSince([]string{"client", "acl", "resolve_token"}, time.Now())
// Resolve the token value
token, err := c.resolveTokenValue(secretID)
if err != nil {
return nil, err
return nil, nil, err
}
if token == nil {
return nil, structs.ErrTokenNotFound
return nil, nil, structs.ErrTokenNotFound
}
// Check if this is a management token
if token.Type == structs.ACLManagementToken {
return acl.ManagementACL, nil
return acl.ManagementACL, token, nil
}
// Resolve the policies
policies, err := c.resolvePolicies(token.SecretID, token.Policies)
if err != nil {
return nil, err
return nil, nil, err
}
// Resolve the ACL object
aclObj, err := structs.CompileACLObject(c.aclCache, policies)
if err != nil {
return nil, err
return nil, nil, err
}
return aclObj, nil
return aclObj, token, nil
}
// resolveTokenValue is used to translate a secret ID into an ACL token with caching
......
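Review bot: `resolveTokenAndACL` at L16 has no doc comment, and the contract of its new second return value is subtle enough that callers logging identity need it spelled out: the token is nil when ACLs are disabled (L20) and on every error path, but non-nil whenever err is nil with ACLs enabled, including the management-token branch at L36. The returned `*structs.ACLToken` also carries `SecretID` (read at L39), which must never reach a log line even though the struct is now handed to callers that exist to log. Suggested comment above L16: `// resolveTokenAndACL resolves secretID to its compiled ACL and the backing token. Both are nil when ACLs are disabled; otherwise the token is non-nil whenever err is nil. The token includes SecretID — log only AccessorID/Name, never the secret.`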
......@@ -12,6 +12,7 @@ import (
"github.com/hashicorp/nomad/acl"
cstructs "github.com/hashicorp/nomad/client/structs"
"github.com/hashicorp/nomad/helper"
"github.com/hashicorp/nomad/helper/uuid"
"github.com/hashicorp/nomad/nomad/structs"
nstructs "github.com/hashicorp/nomad/nomad/structs"
"github.com/hashicorp/nomad/plugins/drivers"
......@@ -130,8 +131,29 @@ func (a *Allocations) exec(conn io.ReadWriteCloser) {
return
}
aclObj, token, err := a.c.resolveTokenAndACL(req.QueryOptions.AuthToken)
{
// log access
execID := uuid.Generate()
tokenName, tokenID := "", ""
if token != nil {
tokenName, tokenID = token.Name, token.AccessorID
}
a.c.logger.Info("task exec session starting",
"exec_id", execID,
"alloc_id", req.AllocID,
"task", req.Task,
"command", req.Cmd,
"tty", req.Tty,
"access_token_name", tokenName,
"access_token_id", tokenID,
)
defer a.c.logger.Info("task exec session ended", "exec_id", execID)
}
// Check read permissions
aclObj, err := a.c.ResolveToken(req.QueryOptions.AuthToken)
if err != nil {
handleStreamResultError(err, nil, encoder)
return
......
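Review bot: The "task exec session starting" entry at L74 is written before the error from `resolveTokenAndACL` (L66) is handled at L87, so a request with an invalid or unknown token is recorded as a session that started and, via the deferred line at L83, ended, with empty `access_token_name`/`access_token_id` and no sign that it was rejected. For forensics that is the wrong shape: an authorized exec and a refused one produce the same two log lines. Either move the log block below the `if err != nil` check, or keep it where it is but record the outcome, e.g. in the error branch `a.c.logger.Warn("task exec token resolution failed", "exec_id", execID, "alloc_id", req.AllocID, "error", err)`; the ACL permission check that follows L87 should get the same treatment, but it and the rest of `exec` lie outside the hunk. Note also that `req.Cmd` is logged verbatim at L78, and command arguments can carry secrets, so a comment such as `// command args are logged as-is; treat this log as sensitive` would tell operators what they are retaining.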