mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-13 08:22:55 +00:00
## Problem

Storage controller `/control` API mostly requires admin tokens, for interactive use by engineers. But for endpoints used by scripts, we should not require admin tokens.

Discussion at https://neondb.slack.com/archives/C033RQ5SPDH/p1728550081788989?thread_ts=1728548232.265019&cid=C033RQ5SPDH

## Summary of changes

- Introduce the 'infra' JWT scope, which was not previously used in the neon repo
- For pageserver & safekeeper node registrations, require infra scope instead of admin

Note that admin will still work, as the controller auth checks permit admin tokens for all endpoints irrespective of what scope they require.
use utils::auth::{AuthError, Claims, Scope};
use utils::id::TenantId;
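/// Decides whether a token's claims authorize a safekeeper request.
///
/// If `tenant_id` is provided, allow if the token (claims) is for this tenant or
/// carries the whole-safekeeper scope (`SafekeeperData`). Otherwise, allow only
/// if the token is `SafekeeperData`.
///
/// `Admin`, `PageServerApi`, `GenerationsApi`, `Infra` and `Scrubber` tokens are
/// rejected here whether or not a tenant id is supplied.
///
/// # Errors
///
/// Returns [`AuthError`] when:
/// - the token has `Tenant` scope but the request names no tenant,
/// - the token has `Tenant` scope and its `tenant_id` claim is absent or differs
///   from the requested tenant,
/// - the token's scope is not eligible for safekeeper auth.
pub fn check_permission(claims: &Claims, tenant_id: Option<TenantId>) -> Result<(), AuthError> {
    match (&claims.scope, tenant_id) {
        (Scope::Tenant, None) => Err(AuthError(
            "Attempt to access management api with tenant scope. Permission denied".into(),
        )),
        (Scope::Tenant, Some(tenant_id)) => match claims.tenant_id {
            Some(claimed) if claimed == tenant_id => Ok(()),
            Some(_) => Err(AuthError("Tenant id mismatch. Permission denied".into())),
            // Fail closed: a tenant-scoped token without a tenant id claim is
            // denied with an error instead of panicking inside the auth check,
            // so this function does not depend on the token decoder having
            // already rejected such claims.
            None => Err(AuthError(
                "Tenant scope token is missing tenant id. Permission denied".into(),
            )),
        },
        // Scopes are listed explicitly rather than with a wildcard, so adding a
        // new `Scope` variant forces a deliberate decision in this match.
        (
            Scope::Admin
            | Scope::PageServerApi
            | Scope::GenerationsApi
            | Scope::Infra
            | Scope::Scrubber,
            _,
        ) => Err(AuthError(
            format!(
                "JWT scope '{:?}' is ineligible for Safekeeper auth",
                claims.scope
            )
            .into(),
        )),
        (Scope::SafekeeperData, _) => Ok(()),
    }
}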