From 3f6b2ca8b3e43c4ff2843ff813ce94b3df5d73f7 Mon Sep 17 00:00:00 2001
From: Iryna Shustava
Date: Thu, 27 Jul 2023 16:02:54 -0600
Subject: [PATCH] Address review comments
---
 .../internal/types/proxy_state_template.go | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/internal/mesh/internal/types/proxy_state_template.go b/internal/mesh/internal/types/proxy_state_template.go
index c71ecd9de8e9d..73839825e80f3 100644
--- a/internal/mesh/internal/types/proxy_state_template.go
+++ b/internal/mesh/internal/types/proxy_state_template.go
@@ -28,15 +28,27 @@ func RegisterProxyStateTemplate(r resource.Registry) {
 Validate: nil,
 ACLs: &resource.ACLHooks{
 Read: func(authorizer acl.Authorizer, id *pbresource.ID) error {
- return authorizer.ToAllowAuthorizer().ServiceReadAllowed(id.Name, resource.AuthorizerContext(id.Tenancy))
+ // Check service:read and operator:read permissions.
+ // If service:read is not allowed, check operator:read.
+ serviceReadErr := authorizer.ToAllowAuthorizer().ServiceReadAllowed(id.Name, resource.AuthorizerContext(id.Tenancy))
+ operatorReadErr := authorizer.ToAllowAuthorizer().OperatorReadAllowed(resource.AuthorizerContext(id.Tenancy))
+
+ switch {
+ case serviceReadErr != nil:
+ return serviceReadErr
+ case operatorReadErr != nil:
+ return operatorReadErr
+ }
+
+ return nil
 },
 Write: func(authorizer acl.Authorizer, p *pbresource.Resource) error {
 // Require operator:write only for "break-glass" scenarios as this resource should be mostly
- // be managed by the mesh controller.
+ // managed by a controller.
 return authorizer.ToAllowAuthorizer().OperatorWriteAllowed(resource.AuthorizerContext(p.Id.Tenancy))
 },
 List: func(authorizer acl.Authorizer, tenancy *pbresource.Tenancy) error {
- // No-op List permission as we want to default to filtering resource resources
+ // No-op List permission as we want to default to filtering resources
 // from the list using the Read enforcement.
 return nil
 },
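Review bot: The new comment in the Read hook says operator:read is consulted only "if service:read is not allowed", but the switch returns `serviceReadErr` the moment it is non-nil, so a token needs both service:read and operator:read, and an operator holding only operator:read is denied. That is fail-closed rather than a hole, but the comment and code disagree, and because the List hook deliberately defers to Read for filtering, the same mismatch decides what shows up in list results. If either permission is meant to suffice, replace the switch with `if serviceReadErr == nil { return nil }` followed by `return operatorReadErr`, which still denies when both are missing; if requiring both is intentional, say so in the comment, e.g. `// Require both service:read and operator:read to read a proxy state template.` The enclosing RegisterProxyStateTemplate function begins and ends outside this hunk.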