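--- a/internal/constants.go
+++ b/internal/constants.go
@@ -18,9 +18,12 @@ const (
 BootTimeoutSecondsDefault = 30
 BootRetrySecondsDefault = 1
 ConfigFileName = "configuration.toml"
-ConfigStemCore = "edgex/core/"
-ConfigStemSecurity = "edgex/security/"
-LogDurationKey = "duration"
+// TODO: move the config stem constants in go-mod-contracts
+ConfigStemApp = "edgex/appservices/"
+ConfigStemCore = "edgex/core/"
+ConfigStemDevice = "edgex/devices/"
+ConfigStemSecurity = "edgex/security/"
+LogDurationKey = "duration"
 )
 
 const (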
52 changes: 44 additions & 8 deletions internal/security/bootstrapper/command/setupacl/command.go
@@ -1,5 +1,5 @@
/*******************************************************************************
* Copyright 2021 Intel Corporation
* Copyright 2022 Intel Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
* in compliance with the License. You may obtain a copy of the License at
Expand Down Expand Up @@ -38,6 +38,7 @@ import (
"github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/helper"
"github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/interfaces"

baseBootStrapConfig "github.com/edgexfoundry/go-mod-bootstrap/v2/bootstrap/config"
"github.com/edgexfoundry/go-mod-bootstrap/v2/bootstrap/startup"

"github.com/edgexfoundry/go-mod-secrets/v2/pkg"
Expand Down Expand Up @@ -249,23 +250,42 @@ func (c *cmd) saveACLTokens(bootstrapACLToken *BootStrapACLTokenInfo) error {
return nil
}

// createEdgeXACLTokenRoles creates secret store roles that can be used for genearting registry tokens
// createEdgeXACLTokenRoles creates secret store roles that can be used for generating registry tokens
// via Consul secret engine API /consul/creds/[role_name] later on for all EdgeX microservices
func (c *cmd) createEdgeXACLTokenRoles(bootstrapACLTokenID, secretstoreToken string) error {
edgexServicePolicy, err := c.getOrCreateRegistryPolicy(bootstrapACLTokenID, edgeXServicePolicyName, edgeXPolicyRules)
if err != nil {
return fmt.Errorf("failed to create edgex service policy: %v", err)
}

roleNames, err := c.getUniqueRoleNames()
if err != nil {
return fmt.Errorf("failed to get unique role names: %v", err)
}

// create registry roles for EdgeX
for roleName := range roleNames {
// create policy for each service role
servicePolicyRules := `
# HCL definition of server agent policy for EdgeX
node "" {
policy = "read"
}
node_prefix "edgex" {
policy = "write"
}
service "` + roleName + `" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
key_prefix "` + c.getKeyPrefix(roleName) + `" {
policy = "write"
}
`

edgexServicePolicy, err := c.getOrCreateRegistryPolicy(bootstrapACLTokenID, "acl_policy_for_"+roleName, servicePolicyRules)
if err != nil {
return fmt.Errorf("failed to create edgex service policy: %v", err)
}

// create roles based on the service keys as the role names
// in phase 2, we are using the same policy rule for all services
edgexACLTokenRole := NewRegistryRole(roleName, ClientType, []Policy{
*edgexServicePolicy,
// localUse set to false as some EdgeX services may be running in a different node
Expand All @@ -280,6 +300,22 @@ func (c *cmd) createEdgeXACLTokenRoles(bootstrapACLTokenID, secretstoreToken str
return nil
}

// getKeyPrefix get the consul ACL key prefix for the service with the input roleName, ie. the service key-based
// Currently we support 2 types of custom services: app and device services
// if the input role name does not fall into the above two types, then it is categorized into core type for the key prefix
func (c *cmd) getKeyPrefix(roleName string) string {
if strings.HasPrefix(roleName, "app-") {
return internal.ConfigStemApp + baseBootStrapConfig.ConfigVersion + "/" + roleName
}

if strings.HasPrefix(roleName, "device-") {
return internal.ConfigStemDevice + baseBootStrapConfig.ConfigVersion + "/" + roleName
}

// anything else falls into the 3rd category: core bucket
return internal.ConfigStemCore + baseBootStrapConfig.ConfigVersion + "/" + roleName
}

func (c *cmd) getUniqueRoleNames() (map[string]struct{}, error) {
roleNamesFromConfig := c.configuration.StageGate.Registry.ACL.GetACLRoleNames()
if len(roleNamesFromConfig) == 0 {
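Review bot: The per-service policy HCL in createEdgeXACLTokenRoles is built by concatenating `roleName` (and the key prefix derived from it) directly into the rule text, and those names come from configuration via GetACLRoleNames, so a name containing a double quote or newline would be spliced in as HCL rather than as a quoted string and could close the `service` block early or add rules the loop never intended. The bootstrap configuration is presumably operator-controlled, but these rules are registered with the bootstrap ACL token, so a malformed name should fail closed instead of producing a broader policy than intended. Restrict the name before building the rules, e.g. a package-level `var validRoleName = regexp.MustCompile("^[A-Za-z0-9_-]+$")` and at the top of the loop `if !validRoleName.MatchString(roleName) { return fmt.Errorf("invalid ACL role name %q", roleName) }` (regexp would need importing). Separately, if getOrCreateRegistryPolicy returns an existing policy without refreshing its rules — not visible here — a service whose `acl_policy_for_` policy was created by an earlier release would keep the old rules, which is worth confirming. The body of createEdgeXACLTokenRoles continues past its hunk, and getUniqueRoleNames is cut off at the end of the section.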