HaoyuHuang
63ea4b0579
A few more compute_tool changes (#12687)
...
## Summary of changes
All changes are no-op except that the tracing-appender lib is upgraded
from 0.2.2 to 0.2.3
2025-07-23 18:30:33 +00:00
Tristan Partin
0ef6851219
Make the audience claim in compute JWTs a vector (#11845)
...
According to RFC 7519, `aud` is generally an array of StringOrURI, but
in special cases may be a single StringOrURI value. To accommodate future
control plane work where a single token may work for multiple services,
make the claim a vector.
Link: https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3
Signed-off-by: Tristan Partin <tristan@neon.tech>
2025-05-06 22:19:15 +00:00
Tristan Partin
f9b3a2e059
Add scoping to compute_ctl JWT claims (#11639)
...
Currently we only have an admin scope which allows a user to bypass the
compute_id check. When the admin scope is provided, validate the
audience of the JWT to be "compute".
Closes: https://github.com/neondatabase/cloud/issues/27614
Signed-off-by: Tristan Partin <tristan@neon.tech>
2025-05-06 19:51:10 +00:00
Tristan Partin
c002236145
Remove compute_ctl authorization bypass if testing feature was enabled (#11596)
...
We want to exercise the authorization middleware in our regression
tests.
Signed-off-by: Tristan Partin <tristan@neon.tech>
2025-04-16 17:54:51 +00:00
Tristan Partin
cd9ad75797
Remove compute_ctl authorization bypass on localhost (#11597)
...
For whatever reason, this never worked in production computes anyway.
Signed-off-by: Tristan Partin <tristan@neon.tech>
2025-04-15 19:12:34 +00:00
Tristan Partin
eadb05f78e
Teach neon_local to pass the Authorization header to compute_ctl (#11490)
...
This allows us to remove hacks in the compute_ctl authorization
middleware which allowed for bypasses of auth checks.
Fixes: https://github.com/neondatabase/neon/issues/11316
Signed-off-by: Tristan Partin <tristan@neon.tech>
2025-04-15 17:27:49 +00:00
Tristan Partin
cbd2fc2395
Clean up logs and error messages in compute_ctl authorize middleware (#11576)
...
Signed-off-by: Tristan Partin <tristan@neon.tech>
2025-04-15 01:21:18 +00:00
Tristan Partin
1c237d0c6d
Move compute_ctl claims struct into public API (#11505)
...
This is preparatory work for teaching neon_local to pass the
Authorization header to compute_ctl.
Signed-off-by: Tristan Partin <tristan@neon.tech>
2025-04-09 16:58:44 +00:00
Tristan Partin
7602e6ffc0
Skip compute_ctl authorization checks in testing builds (#11186)
...
We will require authorization in production. We need to skip in testing
builds for now because regression tests would fail. See
https://github.com/neondatabase/neon/issues/11316 for more information.
Signed-off-by: Tristan Partin <tristan@neon.tech>
2025-04-03 00:00:28 +00:00
Tristan Partin
40672b739e
Move maybe_add_request_id_header middleware into middleware module (#11187)
...
This matches the authorization middleware.
---------
Signed-off-by: Tristan Partin <tristan@neon.tech>
Co-authored-by: Mikhail Kot <mikhail@neon.tech>
2025-03-12 15:34:46 +00:00
Tristan Partin
7b7e4a9fd3
Authorize compute_ctl requests from the control plane (#10530)
...
The compute should only act if requests come from the control plane.
Signed-off-by: Tristan Partin <tristan@neon.tech>
2025-03-04 18:08:00 +00:00