Skip to content

Commit

Permalink
Address review comments
Browse files Browse the repository at this point in the history
  • Loading branch information
ishustava committed Aug 2, 2023
1 parent 9f0ab4b commit 3f6b2ca
Showing 1 changed file with 15 additions and 3 deletions.
18 changes: 15 additions & 3 deletions internal/mesh/internal/types/proxy_state_template.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,15 +28,27 @@ func RegisterProxyStateTemplate(r resource.Registry) {
Validate: nil,
ACLs: &resource.ACLHooks{
Read: func(authorizer acl.Authorizer, id *pbresource.ID) error {
return authorizer.ToAllowAuthorizer().ServiceReadAllowed(id.Name, resource.AuthorizerContext(id.Tenancy))
// Check service:read and operator:read permissions.
// If service:read is not allowed, check operator:read.
serviceReadErr := authorizer.ToAllowAuthorizer().ServiceReadAllowed(id.Name, resource.AuthorizerContext(id.Tenancy))
operatorReadErr := authorizer.ToAllowAuthorizer().OperatorReadAllowed(resource.AuthorizerContext(id.Tenancy))

switch {
case serviceReadErr != nil:
return serviceReadErr
case operatorReadErr != nil:
return operatorReadErr
}

return nil
},
Write: func(authorizer acl.Authorizer, p *pbresource.Resource) error {
// Require operator:write only for "break-glass" scenarios as this resource should be mostly
// be managed by the mesh controller.
// managed by a controller.
return authorizer.ToAllowAuthorizer().OperatorWriteAllowed(resource.AuthorizerContext(p.Id.Tenancy))
},
List: func(authorizer acl.Authorizer, tenancy *pbresource.Tenancy) error {
// No-op List permission as we want to default to filtering resource resources
// No-op List permission as we want to default to filtering resources
// from the list using the Read enforcement.
return nil
},
Expand Down

0 comments on commit 3f6b2ca

Please sign in to comment.