tenantcapabilities: gate tenant access to node metadata and tsdb
Previously, tenants were given access via the KV connector to node-level metrics and metadata. This ability should be gated behind a capability in order to give operators control over what cluster-level information their application tenants have access to.

This commit adds authorization checks using tenant capabilities for the node metadata query RPC and the TSDB query RPC. The connection between the specific capability and the RPC it enables is encoded in the auth_tenant.go file within the `tenantAuthorizer`. The capability `Authorizer` type simply provides per-capability check utility methods.

The `NodesUI` endpoint contains an additional SQL permission gate, which is honored by checking at the tenant level and then delegating (via the capability gate) to a system-tenant-level `NodesTenant` endpoint that does no additional SQL gating. Delegating to a system tenant `NodesUI` implementation would fail, since the tenant does not have system-level SQL permissions. The liveness and TSDB endpoints do no additional checking at time of writing, hence no changes are made there.

This commit additionally modifies the format of the datadriven tests in the `tenantcapabilitiesauthorizer` and `tenantcapabilitieswatcher` packages to conform to the standard datadriven command style instead of implementing custom parsers.

Resolves #96975
Epic: CRDB-12100
Release note: None
1 parent a24b178, commit e360cdd. Showing 32 changed files with 597 additions and 408 deletions.