When walproposer observes a higher term, it now restarts instead of crashing the whole compute with PANIC; this avoids a compute crash after a term_bump call. After a successful election we still check last_log_term of the highest given vote to ensure the basebackup is good, and PANIC otherwise. It will be used for migration per 035-safekeeper-dynamic-membership-change.md and https://github.com/neondatabase/docs/pull/21 ref https://github.com/neondatabase/neon/issues/8700
use utils::auth::{AuthError, Claims, Scope};
use utils::id::TenantId;
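/// Decide whether the given JWT claims may access the safekeeper.
///
/// If `tenant_id` is provided, allow if the token (claims) is for this tenant
/// or has whole-safekeeper scope (`SafekeeperData`). Else, allow only if the
/// token is `SafekeeperData`.
///
/// This function only inspects `claims.scope` and `claims.tenant_id`; it does
/// not verify the token itself.
/// NOTE(review): presumably the caller has already validated the JWT
/// signature and expiry before building `claims` -- confirm at the call sites.
///
/// # Errors
///
/// Returns [`AuthError`] when:
/// - the token has `Tenant` scope but the request names no tenant;
/// - the token has `Tenant` scope but carries no tenant id, or a tenant id
///   different from the requested one;
/// - the token scope is `Admin`, `PageServerApi`, `GenerationsApi` or
///   `Scrubber`, none of which is accepted here.
pub fn check_permission(claims: &Claims, tenant_id: Option<TenantId>) -> Result<(), AuthError> {
    match (&claims.scope, tenant_id) {
        (Scope::Tenant, None) => Err(AuthError(
            "Attempt to access management api with tenant scope. Permission denied".into(),
        )),
        (Scope::Tenant, Some(tenant_id)) => match claims.tenant_id {
            Some(claimed) if claimed == tenant_id => Ok(()),
            Some(_) => Err(AuthError("Tenant id mismatch. Permission denied".into())),
            // Fail closed: a tenant-scoped token without a tenant id is
            // malformed. Rejecting it keeps the authorization path from
            // panicking on token contents.
            None => Err(AuthError(
                "Tenant scope token has no tenant id. Permission denied".into(),
            )),
        },
        // Listed variant by variant rather than with a wildcard, so that a
        // newly added scope must be classified here explicitly.
        (Scope::Admin | Scope::PageServerApi | Scope::GenerationsApi | Scope::Scrubber, _) => {
            Err(AuthError(
                format!(
                    "JWT scope '{:?}' is ineligible for Safekeeper auth",
                    claims.scope
                )
                .into(),
            ))
        }
        (Scope::SafekeeperData, _) => Ok(()),
    }
}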