mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-16 18:02:56 +00:00
5d039c6e9b
## Problem Even if you're not enforcing auth, the JwtAuth middleware barfs on scopes it doesn't know about. Add `generations_api` scope, which was invented in the cloud control plane for the pageserver's /re-attach and /validate upcalls: this will be enforced in storage controller's implementation of these in a later PR. Unfortunately the scope's naming doesn't match the other scope's naming styles, so needs a manual serde decorator to give it an underscore. ## Summary of changes - Add `Scope::GenerationsApi` variant - Update pageserver + safekeeper auth code to print appropriate message if they see it.
25 lines
888 B
Rust
25 lines
888 B
Rust
use utils::auth::{AuthError, Claims, Scope};
|
|
use utils::id::TenantId;
|
|
|
|
pub fn check_permission(claims: &Claims, tenant_id: Option<TenantId>) -> Result<(), AuthError> {
|
|
match (&claims.scope, tenant_id) {
|
|
(Scope::Tenant, None) => Err(AuthError(
|
|
"Attempt to access management api with tenant scope. Permission denied".into(),
|
|
)),
|
|
(Scope::Tenant, Some(tenant_id)) => {
|
|
if claims.tenant_id.unwrap() != tenant_id {
|
|
return Err(AuthError("Tenant id mismatch. Permission denied".into()));
|
|
}
|
|
Ok(())
|
|
}
|
|
(Scope::PageServerApi | Scope::GenerationsApi, _) => Err(AuthError(
|
|
format!(
|
|
"JWT scope '{:?}' is ineligible for Safekeeper auth",
|
|
claims.scope
|
|
)
|
|
.into(),
|
|
)),
|
|
(Scope::SafekeeperData, _) => Ok(()),
|
|
}
|
|
}
|