mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-14 08:52:56 +00:00
426b1c5f08
## Problem Storage controller `/control` API mostly requires admin tokens, for interactive use by engineers. But for endpoints used by scripts, we should not require admin tokens. Discussion at https://neondb.slack.com/archives/C033RQ5SPDH/p1728550081788989?thread_ts=1728548232.265019&cid=C033RQ5SPDH ## Summary of changes - Introduce the 'infra' JWT scope, which was not previously used in the neon repo - For pageserver & safekeeper node registrations, require infra scope instead of admin Note that admin will still work, as the controller auth checks permit admin tokens for all endpoints irrespective of what scope they require.
33 lines
1.1 KiB
Rust
33 lines
1.1 KiB
Rust
use utils::auth::{AuthError, Claims, Scope};
|
|
use utils::id::TenantId;
|
|
|
|
pub fn check_permission(claims: &Claims, tenant_id: Option<TenantId>) -> Result<(), AuthError> {
|
|
match (&claims.scope, tenant_id) {
|
|
(Scope::Tenant, None) => Err(AuthError(
|
|
"Attempt to access management api with tenant scope. Permission denied".into(),
|
|
)),
|
|
(Scope::Tenant, Some(tenant_id)) => {
|
|
if claims.tenant_id.unwrap() != tenant_id {
|
|
return Err(AuthError("Tenant id mismatch. Permission denied".into()));
|
|
}
|
|
Ok(())
|
|
}
|
|
(Scope::PageServerApi, None) => Ok(()), // access to management api for PageServerApi scope
|
|
(Scope::PageServerApi, Some(_)) => Ok(()), // access to tenant api using PageServerApi scope
|
|
(
|
|
Scope::Admin
|
|
| Scope::SafekeeperData
|
|
| Scope::GenerationsApi
|
|
| Scope::Infra
|
|
| Scope::Scrubber,
|
|
_,
|
|
) => Err(AuthError(
|
|
format!(
|
|
"JWT scope '{:?}' is ineligible for Pageserver auth",
|
|
claims.scope
|
|
)
|
|
.into(),
|
|
)),
|
|
}
|
|
}
|