Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSI RPC Token #8626

Merged
merged 3 commits into from
Aug 11, 2020
Merged

CSI RPC Token #8626

merged 3 commits into from
Aug 11, 2020

Conversation

langmartin
Copy link
Contributor

@langmartin langmartin commented Aug 10, 2020
edited

CSI Nodes call RPCs through the server that forward to other client nodes. They should do so with an authorization token that's permitted to execute those RPCs. This PR sends the Node.SecretID, which when provided to the endpoints returns the nil aclObj. All namespace and policy ACL check funcs treat nil as the flag that ACLs are disabled. The ACL checker returns an error if ACLs are active and an appropriate token isn't provided.

The other alternative is to thread the user token through from job submission. I believe that the Node.SecretID is correct since the job could not have been allocated without user permissions at the time of submission, and we don't want an error Unpublishing a volume belonging to a job that was started with an expired or revoked token.

Fixes #8373

@langmartin langmartin marked this pull request as ready for review August 10, 2020 22:14
@langmartin langmartin requested a review from tgross August 10, 2020 22:14
tgross
tgross approved these changes Aug 11, 2020
View reviewed changes
Copy link
Member

@tgross tgross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@langmartin langmartin merged commit c0bf46d into master Aug 11, 2020
@langmartin langmartin deleted the b-csi-rpc-token branch August 11, 2020 17:08
tgross added a commit that referenced this pull request Oct 9, 2020
@tgross
csi: remove stray TODO comment
c0b5cbe 
This item was completed in #8626
@tgross tgross mentioned this pull request Oct 9, 2020
Merged
tgross added a commit that referenced this pull request Oct 9, 2020
@tgross
csi: remove stray TODO comment
6228cae 
This item was completed in #8626
fredrikhgrelland pushed a commit to fredrikhgrelland/nomad that referenced this pull request Oct 22, 2020
@tgross @fredrikhgrelland
csi: remove stray TODO comment
d4f33c9 
This item was completed in hashicorp#8626
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 24, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@tgross tgross tgross approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CSI plugins don't get ACL tokens to send to RPCs
2 participants
@langmartin @tgross