mirror of
https://github.com/neondatabase/neon.git
synced 2026-05-18 05:30:37 +00:00
## Problem

Attachment service does not do auth based on JWT scopes.

## Summary of changes

Do JWT based permission checking for requests coming into the attachment service.

Requests into the attachment service must use different tokens based on the endpoint:

* `/control` and `/debug` require `admin` scope
* `/upcall` requires `generations_api` scope
* `/v1/...` requires `pageserverapi` scope

Requests into the pageserver from the attachment service must use `pageserverapi` scope.
10 lines
272 B
Rust
```rust
use utils::auth::{AuthError, Claims, Scope};

/// Allow the request only when the token's scope is exactly the scope the
/// endpoint requires. The comparison is strict equality: no scope implies
/// another.
pub fn check_permission(claims: &Claims, required_scope: Scope) -> Result<(), AuthError> {
    if claims.scope != required_scope {
        return Err(AuthError("Scope mismatch. Permission denied".into()));
    }

    Ok(())
}
```
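The endpoint-to-scope rules from the commit message can be combined with the strict equality check above; the following is an added example, not code from the neon repository. `Scope`, `Claims` and `AuthError` are stand-in definitions, and `required_scope`, `authorize` and the sample paths are hypothetical names constructed for illustration.

```rust
// Stand-in types for illustration; not the project's utils::auth definitions.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Scope { Admin, GenerationsApi, PageServerApi }

pub struct Claims { pub scope: Scope }

#[derive(Debug, PartialEq, Eq)]
pub struct AuthError(pub String);

/// Hypothetical helper: map a request path to the scope the commit message
/// requires for it. Only the first whole path segment is compared, so
/// "/controlx" does not inherit the rule for "/control".
pub fn required_scope(path: &str) -> Option<Scope> {
    let first = path.strip_prefix('/')?.split('/').next()?;
    match first {
        "control" | "debug" => Some(Scope::Admin),
        "upcall" => Some(Scope::GenerationsApi),
        "v1" => Some(Scope::PageServerApi),
        _ => None, // unmapped paths are denied by the caller
    }
}

/// Hypothetical dispatcher: deny when the path has no mapping or when the
/// token's scope is not exactly the required one.
pub fn authorize(claims: &Claims, path: &str) -> Result<(), AuthError> {
    let required = required_scope(path)
        .ok_or_else(|| AuthError(format!("No scope mapping for {}. Permission denied", path)))?;
    if claims.scope != required {
        return Err(AuthError("Scope mismatch. Permission denied".into()));
    }
    Ok(())
}

fn main() {
    // Constructed sample paths; an admin token is rejected on /v1 and /upcall
    // because the check is equality, not a privilege hierarchy.
    let admin = Claims { scope: Scope::Admin };
    for path in ["/control/x", "/debug/x", "/upcall/x", "/v1/x", "/controlx"] {
        println!("{}: {:?}", path, authorize(&admin, path));
    }
}
```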