Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
94e29e2e
Commit
94e29e2e
authored
Apr 22, 2024
by
Brad Davidson
Committed by
Brad Davidson
Apr 22, 2024
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Make /db/info available anonymously from localhost
Signed-off-by:
Brad Davidson
<
brad.davidson@rancher.com
>
parent
d3b60543
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
36 additions
and
11 deletions
+36
-11
etcd.go
pkg/etcd/etcd.go
+12
-6
auth.go
pkg/server/auth/auth.go
+20
-1
router.go
pkg/server/router.go
+4
-4
No files found.
pkg/etcd/etcd.go
View file @
94e29e2e
...
@@ -664,12 +664,18 @@ func (e *ETCD) setName(force bool) error {
...
@@ -664,12 +664,18 @@ func (e *ETCD) setName(force bool) error {
// handler wraps the handler with routes for database info
// handler wraps the handler with routes for database info
func
(
e
*
ETCD
)
handler
(
next
http
.
Handler
)
http
.
Handler
{
func
(
e
*
ETCD
)
handler
(
next
http
.
Handler
)
http
.
Handler
{
mux
:=
mux
.
NewRouter
()
.
SkipClean
(
true
)
r
:=
mux
.
NewRouter
()
.
SkipClean
(
true
)
mux
.
Use
(
auth
.
Middleware
(
e
.
config
,
version
.
Program
+
":server"
))
r
.
NotFoundHandler
=
next
mux
.
Handle
(
"/db/info"
,
e
.
infoHandler
())
mux
.
Handle
(
"/db/snapshot"
,
e
.
snapshotHandler
())
ir
:=
r
.
Path
(
"/db/info"
)
.
Subrouter
()
mux
.
NotFoundHandler
=
next
ir
.
Use
(
auth
.
IsLocalOrHasRole
(
e
.
config
,
version
.
Program
+
":server"
))
return
mux
ir
.
Handle
(
""
,
e
.
infoHandler
())
sr
:=
r
.
Path
(
"/db/snapshot"
)
.
Subrouter
()
sr
.
Use
(
auth
.
HasRole
(
e
.
config
,
version
.
Program
+
":server"
))
sr
.
Handle
(
""
,
e
.
snapshotHandler
())
return
r
}
}
// infoHandler returns etcd cluster information. This is used by new members when joining the cluster.
// infoHandler returns etcd cluster information. This is used by new members when joining the cluster.
...
...
pkg/server/auth/auth.go
View file @
94e29e2e
package
auth
package
auth
import
(
import
(
"net"
"net/http"
"net/http"
"github.com/gorilla/mux"
"github.com/gorilla/mux"
...
@@ -22,6 +23,7 @@ func hasRole(mustRoles []string, roles []string) bool {
...
@@ -22,6 +23,7 @@ func hasRole(mustRoles []string, roles []string) bool {
return
false
return
false
}
}
// doAuth calls the cluster's authenticator to validate that the client has at least one of the listed roles
func
doAuth
(
roles
[]
string
,
serverConfig
*
config
.
Control
,
next
http
.
Handler
,
rw
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
func
doAuth
(
roles
[]
string
,
serverConfig
*
config
.
Control
,
next
http
.
Handler
,
rw
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
switch
{
switch
{
case
serverConfig
==
nil
:
case
serverConfig
==
nil
:
...
@@ -51,10 +53,27 @@ func doAuth(roles []string, serverConfig *config.Control, next http.Handler, rw
...
@@ -51,10 +53,27 @@ func doAuth(roles []string, serverConfig *config.Control, next http.Handler, rw
next
.
ServeHTTP
(
rw
,
req
)
next
.
ServeHTTP
(
rw
,
req
)
}
}
func
Middleware
(
serverConfig
*
config
.
Control
,
roles
...
string
)
mux
.
MiddlewareFunc
{
// HasRole returns a middleware function that validates that the request
// is being made with at least one of the listed roles.
func
HasRole
(
serverConfig
*
config
.
Control
,
roles
...
string
)
mux
.
MiddlewareFunc
{
return
func
(
next
http
.
Handler
)
http
.
Handler
{
return
func
(
next
http
.
Handler
)
http
.
Handler
{
return
http
.
HandlerFunc
(
func
(
rw
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
return
http
.
HandlerFunc
(
func
(
rw
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
doAuth
(
roles
,
serverConfig
,
next
,
rw
,
req
)
doAuth
(
roles
,
serverConfig
,
next
,
rw
,
req
)
})
})
}
}
}
}
// IsLocalOrHasRole returns a middleware function that validates that the request
// is from a local client or has at least one of the listed roles.
func
IsLocalOrHasRole
(
serverConfig
*
config
.
Control
,
roles
...
string
)
mux
.
MiddlewareFunc
{
return
func
(
next
http
.
Handler
)
http
.
Handler
{
return
http
.
HandlerFunc
(
func
(
rw
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
client
,
_
,
_
:=
net
.
SplitHostPort
(
req
.
RemoteAddr
)
if
client
==
"127.0.0.1"
||
client
==
"::1"
{
next
.
ServeHTTP
(
rw
,
req
)
}
else
{
doAuth
(
roles
,
serverConfig
,
next
,
rw
,
req
)
}
})
}
}
pkg/server/router.go
View file @
94e29e2e
...
@@ -52,7 +52,7 @@ func router(ctx context.Context, config *Config, cfg *cmds.Server) http.Handler
...
@@ -52,7 +52,7 @@ func router(ctx context.Context, config *Config, cfg *cmds.Server) http.Handler
prefix
:=
"/v1-"
+
version
.
Program
prefix
:=
"/v1-"
+
version
.
Program
authed
:=
mux
.
NewRouter
()
.
SkipClean
(
true
)
authed
:=
mux
.
NewRouter
()
.
SkipClean
(
true
)
authed
.
Use
(
auth
.
Middlewar
e
(
serverConfig
,
version
.
Program
+
":agent"
,
user
.
NodesGroup
,
bootstrapapi
.
BootstrapDefaultGroup
))
authed
.
Use
(
auth
.
HasRol
e
(
serverConfig
,
version
.
Program
+
":agent"
,
user
.
NodesGroup
,
bootstrapapi
.
BootstrapDefaultGroup
))
authed
.
Path
(
prefix
+
"/serving-kubelet.crt"
)
.
Handler
(
servingKubeletCert
(
serverConfig
,
serverConfig
.
Runtime
.
ServingKubeletKey
,
nodeAuth
))
authed
.
Path
(
prefix
+
"/serving-kubelet.crt"
)
.
Handler
(
servingKubeletCert
(
serverConfig
,
serverConfig
.
Runtime
.
ServingKubeletKey
,
nodeAuth
))
authed
.
Path
(
prefix
+
"/client-kubelet.crt"
)
.
Handler
(
clientKubeletCert
(
serverConfig
,
serverConfig
.
Runtime
.
ClientKubeletKey
,
nodeAuth
))
authed
.
Path
(
prefix
+
"/client-kubelet.crt"
)
.
Handler
(
clientKubeletCert
(
serverConfig
,
serverConfig
.
Runtime
.
ClientKubeletKey
,
nodeAuth
))
authed
.
Path
(
prefix
+
"/client-kube-proxy.crt"
)
.
Handler
(
fileHandler
(
serverConfig
.
Runtime
.
ClientKubeProxyCert
,
serverConfig
.
Runtime
.
ClientKubeProxyKey
))
authed
.
Path
(
prefix
+
"/client-kube-proxy.crt"
)
.
Handler
(
fileHandler
(
serverConfig
.
Runtime
.
ClientKubeProxyCert
,
serverConfig
.
Runtime
.
ClientKubeProxyKey
))
...
@@ -71,12 +71,12 @@ func router(ctx context.Context, config *Config, cfg *cmds.Server) http.Handler
...
@@ -71,12 +71,12 @@ func router(ctx context.Context, config *Config, cfg *cmds.Server) http.Handler
nodeAuthed
:=
mux
.
NewRouter
()
.
SkipClean
(
true
)
nodeAuthed
:=
mux
.
NewRouter
()
.
SkipClean
(
true
)
nodeAuthed
.
NotFoundHandler
=
authed
nodeAuthed
.
NotFoundHandler
=
authed
nodeAuthed
.
Use
(
auth
.
Middlewar
e
(
serverConfig
,
user
.
NodesGroup
))
nodeAuthed
.
Use
(
auth
.
HasRol
e
(
serverConfig
,
user
.
NodesGroup
))
nodeAuthed
.
Path
(
prefix
+
"/connect"
)
.
Handler
(
serverConfig
.
Runtime
.
Tunnel
)
nodeAuthed
.
Path
(
prefix
+
"/connect"
)
.
Handler
(
serverConfig
.
Runtime
.
Tunnel
)
serverAuthed
:=
mux
.
NewRouter
()
.
SkipClean
(
true
)
serverAuthed
:=
mux
.
NewRouter
()
.
SkipClean
(
true
)
serverAuthed
.
NotFoundHandler
=
nodeAuthed
serverAuthed
.
NotFoundHandler
=
nodeAuthed
serverAuthed
.
Use
(
auth
.
Middlewar
e
(
serverConfig
,
version
.
Program
+
":server"
))
serverAuthed
.
Use
(
auth
.
HasRol
e
(
serverConfig
,
version
.
Program
+
":server"
))
serverAuthed
.
Path
(
prefix
+
"/encrypt/status"
)
.
Handler
(
encryptionStatusHandler
(
serverConfig
))
serverAuthed
.
Path
(
prefix
+
"/encrypt/status"
)
.
Handler
(
encryptionStatusHandler
(
serverConfig
))
serverAuthed
.
Path
(
prefix
+
"/encrypt/config"
)
.
Handler
(
encryptionConfigHandler
(
ctx
,
serverConfig
))
serverAuthed
.
Path
(
prefix
+
"/encrypt/config"
)
.
Handler
(
encryptionConfigHandler
(
ctx
,
serverConfig
))
serverAuthed
.
Path
(
prefix
+
"/cert/cacerts"
)
.
Handler
(
caCertReplaceHandler
(
serverConfig
))
serverAuthed
.
Path
(
prefix
+
"/cert/cacerts"
)
.
Handler
(
caCertReplaceHandler
(
serverConfig
))
...
@@ -86,7 +86,7 @@ func router(ctx context.Context, config *Config, cfg *cmds.Server) http.Handler
...
@@ -86,7 +86,7 @@ func router(ctx context.Context, config *Config, cfg *cmds.Server) http.Handler
systemAuthed
:=
mux
.
NewRouter
()
.
SkipClean
(
true
)
systemAuthed
:=
mux
.
NewRouter
()
.
SkipClean
(
true
)
systemAuthed
.
NotFoundHandler
=
serverAuthed
systemAuthed
.
NotFoundHandler
=
serverAuthed
systemAuthed
.
MethodNotAllowedHandler
=
serverAuthed
systemAuthed
.
MethodNotAllowedHandler
=
serverAuthed
systemAuthed
.
Use
(
auth
.
Middlewar
e
(
serverConfig
,
user
.
SystemPrivilegedGroup
))
systemAuthed
.
Use
(
auth
.
HasRol
e
(
serverConfig
,
user
.
SystemPrivilegedGroup
))
systemAuthed
.
Methods
(
http
.
MethodConnect
)
.
Handler
(
serverConfig
.
Runtime
.
Tunnel
)
systemAuthed
.
Methods
(
http
.
MethodConnect
)
.
Handler
(
serverConfig
.
Runtime
.
Tunnel
)
staticDir
:=
filepath
.
Join
(
serverConfig
.
DataDir
,
"static"
)
staticDir
:=
filepath
.
Join
(
serverConfig
.
DataDir
,
"static"
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment