make node acls generic

This commit is contained in:
Abhishek Kondur 2022-09-30 20:59:03 +05:30
parent 1827f8c3b5
commit 4678332e3a
3 changed files with 167 additions and 162 deletions


@ -100,7 +100,7 @@ func authenticate(response http.ResponseWriter, request *http.Request) {
logic.ReturnErrorResponse(response, request, errorResponse)
return
}
// creates network role, node role,node client (added here to resolve any missing configuration in MQ)
// creates network role,node client (added here to resolve any missing configuration in MQ)
event := mq.MqDynsecPayload{
Commands: []mq.MqDynSecCmd{
@ -110,13 +110,6 @@ func authenticate(response http.ResponseWriter, request *http.Request) {
Textname: "Network wide role with Acls for nodes",
Acls: mq.FetchNetworkAcls(result.Network),
},
{
Command: mq.CreateRoleCmd,
RoleName: fmt.Sprintf("%s-%s", "Node", result.ID),
Acls: mq.FetchNodeAcls(result.ID),
Textname: "Role for node " + result.Name,
},
{
Command: mq.CreateClientCmd,
Username: result.ID,
@ -124,7 +117,7 @@ func authenticate(response http.ResponseWriter, request *http.Request) {
Textname: result.Name,
Roles: []mq.MqDynSecRole{
{
Rolename: fmt.Sprintf("%s-%s", "Node", result.ID),
Rolename: mq.NodeRole,
Priority: -1,
},
{
@ -677,7 +670,7 @@ func createNode(w http.ResponseWriter, r *http.Request) {
// Create client for this node in Mq
event := mq.MqDynsecPayload{
Commands: []mq.MqDynSecCmd{
{
{ // delete if any client exists already
Command: mq.DeleteClientCmd,
Username: node.ID,
},
@ -687,12 +680,6 @@ func createNode(w http.ResponseWriter, r *http.Request) {
Textname: "Network wide role with Acls for nodes",
Acls: mq.FetchNetworkAcls(node.Network),
},
{
Command: mq.CreateRoleCmd,
RoleName: fmt.Sprintf("%s-%s", "Node", node.ID),
Acls: mq.FetchNodeAcls(node.ID),
Textname: "Role for node " + node.Name,
},
{
Command: mq.CreateClientCmd,
Username: node.ID,
@ -700,7 +687,7 @@ func createNode(w http.ResponseWriter, r *http.Request) {
Textname: node.Name,
Roles: []mq.MqDynSecRole{
{
Rolename: fmt.Sprintf("%s-%s", "Node", node.ID),
Rolename: mq.NodeRole,
Priority: -1,
},
{
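Review bot: Both `authenticate` and `createNode` now attach the shared `mq.NodeRole` to the client, but nothing in either payload removes the per-node `Node-<id>` roles the previous code created, so existing brokers will keep those roles in the dynamic-security store after this change (inferred; the store is outside this hunk). If the mq package exposes a delete-role command, issuing it next to the existing `DeleteClientCmd` at the top of createNode's payload would keep the broker's role list in step with the code; otherwise a comment noting that stale per-node roles are left in place would help the next reader. Separately, the rewritten comment at the top of the first hunk drops the space after the comma; `// creates network role, node client (added here to resolve any missing configuration in MQ)` reads better. Both enclosing functions start and end outside these hunks.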


@ -17,6 +17,8 @@ const (
serverRole = "server"
// constant for exporter role
exporterRole = "exporter"
// constant for node role
NodeRole = "node"
// const for dynamic security file
dynamicSecurityFile = "dynamic-security.json"
@ -54,121 +56,15 @@ var (
Roles: []role{
{
Rolename: adminRole,
Acls: []Acl{
{
AclType: "publishClientSend",
Topic: "$CONTROL/dynamic-security/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "$CONTROL/dynamic-security/#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "$CONTROL/dynamic-security/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "$SYS/#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "$SYS/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "unsubscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "#",
Priority: -1,
Allow: true,
},
},
Acls: fetchAdminAcls(),
},
{
Rolename: serverRole,
Acls: []Acl{
{
AclType: "publishClientSend",
Topic: "peers/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "update/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "metrics_exporter",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "ping/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "update/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "signal/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "metrics/#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "unsubscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
},
Acls: fetchServerAcls(),
},
{
Rolename: NodeRole,
Acls: fetchNodeAcls(),
},
},
DefaultAcl: defaultAccessAcl{
@ -193,26 +89,7 @@ var (
}
exporterMQRole = role{
Rolename: exporterRole,
Acls: []Acl{
{
AclType: "publishClientReceive",
Topic: "metrics_exporter",
Allow: true,
Priority: -1,
},
{
AclType: "subscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "unsubscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
},
Acls: fetchExporterAcls(),
}
)
@ -318,35 +195,47 @@ func FetchNetworkAcls(network string) []Acl {
}
}
// FetchNodeAcls - fetches node acls
func FetchNodeAcls(nodeID string) []Acl {
// keeping node acls generic as of now.
// serverAcls - fetches server role related acls
func fetchServerAcls() []Acl {
return []Acl{
{
AclType: "publishClientSend",
//Topic: fmt.Sprintf("signal/%s", nodeID),
Topic: "signal/#",
AclType: "publishClientSend",
Topic: "peers/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
// Topic: fmt.Sprintf("update/%s", nodeID),
AclType: "publishClientSend",
Topic: "update/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
//Topic: fmt.Sprintf("ping/%s", nodeID),
AclType: "publishClientSend",
Topic: "metrics_exporter",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "ping/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
//Topic: fmt.Sprintf("metrics/%s", nodeID),
AclType: "publishClientReceive",
Topic: "update/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "signal/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "metrics/#",
Priority: -1,
Allow: true,
@ -365,3 +254,131 @@ func FetchNodeAcls(nodeID string) []Acl {
},
}
}
// fetchNodeAcls - fetches node related acls
func fetchNodeAcls() []Acl {
// keeping node acls generic as of now.
return []Acl{
{
AclType: "publishClientSend",
Topic: "signal/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "update/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "ping/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "metrics/#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "unsubscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
}
}
// fetchExporterAcls - fetch exporter role related acls
func fetchExporterAcls() []Acl {
return []Acl{
{
AclType: "publishClientReceive",
Topic: "metrics_exporter",
Allow: true,
Priority: -1,
},
{
AclType: "subscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "unsubscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
}
}
// fetchAdminAcls - fetches admin role related acls
func fetchAdminAcls() []Acl {
return []Acl{
{
AclType: "publishClientSend",
Topic: "$CONTROL/dynamic-security/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "$CONTROL/dynamic-security/#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "$CONTROL/dynamic-security/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "$SYS/#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "$SYS/#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientReceive",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "subscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "unsubscribePattern",
Topic: "#",
Priority: -1,
Allow: true,
},
{
AclType: "publishClientSend",
Topic: "#",
Priority: -1,
Allow: true,
},
}
}
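Review bot: `fetchNodeAcls` now gives every node the same `publishClientSend` rights on `signal/#`, `update/#`, `ping/#` and `metrics/#`, so the broker can no longer distinguish which node is allowed to publish on which node's topic; the removed side of the earlier hunk still shows the intended per-node scoping (`signal/%s` with the node ID) as commented-out lines, so this is a known least-privilege gap rather than an oversight. The one-line remark `// keeping node acls generic as of now.` does not say what was given up, so I would expand it to `// TODO: scope publish topics per node (signal/<nodeID>, update/<nodeID>, ...); with "#" any node may publish on every node's topic.` so the gap is visible to whoever revisits the role model. The same wildcard subscribe (`subscribePattern` on `#`) is shared with the exporter and admin roles, which is worth a sentence in the doc comment of each helper so the overlap is deliberate rather than accidental.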


@ -71,6 +71,7 @@ func UpdateNode(client mqtt.Client, msg mqtt.Message) {
logger.Log(1, "error getting node.ID sent on ", msg.Topic(), err.Error())
return
}
logger.Log(0, "----------->###### Recieved Node Update for: ", id)
currentNode, err := logic.GetNodeByID(id)
if err != nil {
logger.Log(1, "error getting node ", id, err.Error())
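Review bot: The added `logger.Log(0, "----------->###### Recieved Node Update for: ", id)` looks like a leftover debug trace: it carries a typo and decorative characters, and it runs at level 0 on every node update while the surrounding error paths use level 1, so if lower levels are logged more eagerly this line will be noisier than the errors around it. If the message is meant to stay, `logger.Log(2, "received node update for node", id)` (or whatever verbosity the project uses for per-message traces) keeps the information without the decoration. UpdateNode begins and ends outside this hunk.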