make node acls generic

This commit is contained in:
Abhishek Kondur 2022-09-30 20:59:03 +05:30
parent 1827f8c3b5
commit 4678332e3a
3 changed files with 167 additions and 162 deletions


@ -100,7 +100,7 @@ func authenticate(response http.ResponseWriter, request *http.Request) {
logic.ReturnErrorResponse(response, request, errorResponse) logic.ReturnErrorResponse(response, request, errorResponse)
return return
} }
// creates network role, node role,node client (added here to resolve any missing configuration in MQ) // creates network role,node client (added here to resolve any missing configuration in MQ)
event := mq.MqDynsecPayload{ event := mq.MqDynsecPayload{
Commands: []mq.MqDynSecCmd{ Commands: []mq.MqDynSecCmd{
@ -110,13 +110,6 @@ func authenticate(response http.ResponseWriter, request *http.Request) {
Textname: "Network wide role with Acls for nodes", Textname: "Network wide role with Acls for nodes",
Acls: mq.FetchNetworkAcls(result.Network), Acls: mq.FetchNetworkAcls(result.Network),
}, },
{
Command: mq.CreateRoleCmd,
RoleName: fmt.Sprintf("%s-%s", "Node", result.ID),
Acls: mq.FetchNodeAcls(result.ID),
Textname: "Role for node " + result.Name,
},
{ {
Command: mq.CreateClientCmd, Command: mq.CreateClientCmd,
Username: result.ID, Username: result.ID,
@ -124,7 +117,7 @@ func authenticate(response http.ResponseWriter, request *http.Request) {
Textname: result.Name, Textname: result.Name,
Roles: []mq.MqDynSecRole{ Roles: []mq.MqDynSecRole{
{ {
Rolename: fmt.Sprintf("%s-%s", "Node", result.ID), Rolename: mq.NodeRole,
Priority: -1, Priority: -1,
}, },
{ {
@ -677,7 +670,7 @@ func createNode(w http.ResponseWriter, r *http.Request) {
// Create client for this node in Mq // Create client for this node in Mq
event := mq.MqDynsecPayload{ event := mq.MqDynsecPayload{
Commands: []mq.MqDynSecCmd{ Commands: []mq.MqDynSecCmd{
{ { // delete if any client exists already
Command: mq.DeleteClientCmd, Command: mq.DeleteClientCmd,
Username: node.ID, Username: node.ID,
}, },
@ -687,12 +680,6 @@ func createNode(w http.ResponseWriter, r *http.Request) {
Textname: "Network wide role with Acls for nodes", Textname: "Network wide role with Acls for nodes",
Acls: mq.FetchNetworkAcls(node.Network), Acls: mq.FetchNetworkAcls(node.Network),
}, },
{
Command: mq.CreateRoleCmd,
RoleName: fmt.Sprintf("%s-%s", "Node", node.ID),
Acls: mq.FetchNodeAcls(node.ID),
Textname: "Role for node " + node.Name,
},
{ {
Command: mq.CreateClientCmd, Command: mq.CreateClientCmd,
Username: node.ID, Username: node.ID,
@ -700,7 +687,7 @@ func createNode(w http.ResponseWriter, r *http.Request) {
Textname: node.Name, Textname: node.Name,
Roles: []mq.MqDynSecRole{ Roles: []mq.MqDynSecRole{
{ {
Rolename: fmt.Sprintf("%s-%s", "Node", node.ID), Rolename: mq.NodeRole,
Priority: -1, Priority: -1,
}, },
{ {
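Review bot: Both `authenticate` and `createNode` now attach the client to `mq.NodeRole` without anything in the payload ensuring that role exists on the broker; the removed per-node `CreateRoleCmd` was what guaranteed a role was present before `CreateClientCmd` referenced it, and the shared role now appears to be provisioned only through the default dynamic-security file, so a broker that still runs an older dynamic-security.json would presumably reject the client creation. Consider adding a `CreateRoleCmd` for `mq.NodeRole` with `Acls: mq.FetchNodeAcls()` (or whatever the package exports for it) to the same payload, alongside the network-wide role that is still created just above. Existing `Node-<id>` roles left on brokers by earlier versions are also not removed by this change, so they will accumulate unless a cleanup is added. The enclosing functions start and end outside these hunks.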


@ -17,6 +17,8 @@ const (
serverRole = "server" serverRole = "server"
// constant for exporter role // constant for exporter role
exporterRole = "exporter" exporterRole = "exporter"
// constant for node role
NodeRole = "node"
// const for dynamic security file // const for dynamic security file
dynamicSecurityFile = "dynamic-security.json" dynamicSecurityFile = "dynamic-security.json"
@ -54,121 +56,15 @@ var (
Roles: []role{ Roles: []role{
{ {
Rolename: adminRole, Rolename: adminRole,
Acls: []Acl{ Acls: fetchAdminAcls(),
{
AclType: "publishClientSend",
Topic: "$CONTROL/dynamic-security/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "$CONTROL/dynamic-security/#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "$CONTROL/dynamic-security/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "$SYS/#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "$SYS/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "unsubscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "#",
Priority: -1,
Allow: true,
},
},
}, },
{ {
Rolename: serverRole, Rolename: serverRole,
Acls: []Acl{ Acls: fetchServerAcls(),
{ },
AclType: "publishClientSend", {
Topic: "peers/#", Rolename: NodeRole,
Priority: -1, Acls: fetchNodeAcls(),
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "update/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "metrics_exporter",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "ping/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "update/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "signal/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "metrics/#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "unsubscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
},
}, },
}, },
DefaultAcl: defaultAccessAcl{ DefaultAcl: defaultAccessAcl{
@ -193,26 +89,7 @@ var (
} }
exporterMQRole = role{ exporterMQRole = role{
Rolename: exporterRole, Rolename: exporterRole,
Acls: []Acl{ Acls: fetchExporterAcls(),
{
AclType: "publishClientReceive",
Topic: "metrics_exporter",
Allow: true,
Priority: -1,
},
{
AclType: "subscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "unsubscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
},
} }
) )
@ -318,35 +195,47 @@ func FetchNetworkAcls(network string) []Acl {
} }
} }
// FetchNodeAcls - fetches node acls // serverAcls - fetches server role related acls
func FetchNodeAcls(nodeID string) []Acl { func fetchServerAcls() []Acl {
// keeping node acls generic as of now.
return []Acl{ return []Acl{
{ {
AclType: "publishClientSend", AclType: "publishClientSend",
//Topic: fmt.Sprintf("signal/%s", nodeID), Topic: "peers/#",
Topic: "signal/#",
Priority: -1, Priority: -1,
Allow: true, Allow: true,
}, },
{ {
AclType: "publishClientSend", AclType: "publishClientSend",
// Topic: fmt.Sprintf("update/%s", nodeID),
Topic: "update/#", Topic: "update/#",
Priority: -1, Priority: -1,
Allow: true, Allow: true,
}, },
{ {
AclType: "publishClientSend", AclType: "publishClientSend",
//Topic: fmt.Sprintf("ping/%s", nodeID), Topic: "metrics_exporter",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "ping/#", Topic: "ping/#",
Priority: -1, Priority: -1,
Allow: true, Allow: true,
}, },
{ {
AclType: "publishClientSend", AclType: "publishClientReceive",
//Topic: fmt.Sprintf("metrics/%s", nodeID), Topic: "update/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "signal/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "metrics/#", Topic: "metrics/#",
Priority: -1, Priority: -1,
Allow: true, Allow: true,
@ -365,3 +254,131 @@ func FetchNodeAcls(nodeID string) []Acl {
}, },
} }
} }
// fetchNodeAcls - fetches node related acls
func fetchNodeAcls() []Acl {
// keeping node acls generic as of now.
return []Acl{
{
AclType: "publishClientSend",
Topic: "signal/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "update/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "ping/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "metrics/#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "unsubscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
}
}
// fetchExporterAcls - fetch exporter role related acls
func fetchExporterAcls() []Acl {
return []Acl{
{
AclType: "publishClientReceive",
Topic: "metrics_exporter",
Allow: true,
Priority: -1,
},
{
AclType: "subscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "unsubscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
}
}
// fetchAdminAcls - fetches admin role related acls
func fetchAdminAcls() []Acl {
return []Acl{
{
AclType: "publishClientSend",
Topic: "$CONTROL/dynamic-security/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "$CONTROL/dynamic-security/#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "$CONTROL/dynamic-security/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "$SYS/#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "$SYS/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "unsubscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "#",
Priority: -1,
Allow: true,
},
}
}
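Review bot: `fetchNodeAcls` grants every node `subscribePattern` on `#` plus `publishClientSend` on `signal/#`, `update/#`, `ping/#` and `metrics/#`, so with one shared `NodeRole` any node can read all broker traffic and publish updates or signals on another node's topic; the removed per-node role at least left room to narrow that scope (the commented `fmt.Sprintf("update/%s", nodeID)` lines in the old version show that intent). If the wide scope is accepted for now, the `// keeping node acls generic as of now.` comment should state the consequence, e.g. `// NOTE: these acls are shared by all nodes, so a node can publish to any other node's update/signal/ping/metrics topics and subscribe to everything; scope per node once role handling allows it.` Two smaller points: the doc comment on `fetchServerAcls` reads `// serverAcls - fetches server role related acls` and should name the function, and `NodeRole` is exported while `adminRole`, `serverRole` and `exporterRole` are not, which is fine if it is meant as the package's API but deserves a comment saying it is referenced by the controllers.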


@ -71,6 +71,7 @@ func UpdateNode(client mqtt.Client, msg mqtt.Message) {
logger.Log(1, "error getting node.ID sent on ", msg.Topic(), err.Error()) logger.Log(1, "error getting node.ID sent on ", msg.Topic(), err.Error())
return return
} }
logger.Log(0, "----------->###### Recieved Node Update for: ", id)
currentNode, err := logic.GetNodeByID(id) currentNode, err := logic.GetNodeByID(id)
if err != nil { if err != nil {
logger.Log(1, "error getting node ", id, err.Error()) logger.Log(1, "error getting node ", id, err.Error())
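Review bot: The added `logger.Log(0, "----------->###### Recieved Node Update for: ", id)` in `UpdateNode` reads like a leftover debugging trace: the arrow/hash marker does not match the surrounding log messages and "Recieved" is misspelled. Either drop it or make it a regular message, `logger.Log(0, "received node update for: ", id)`, at whichever level the project uses for per-message tracing, since this fires on every node update the handler receives. `UpdateNode` continues outside the hunk.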