mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-14 08:52:56 +00:00
ae53dc3326
* Fix https://github.com/neondatabase/neon/issues/1854 * Never log Safekeeper::conninfo in walproposer as it now contains a secret token * control_panel, test_runner: generate and pass JWT tokens for Safekeeper to compute and pageserver * Compute: load JWT token for Safekepeer from the environment variable. Do not reuse the token from pageserver_connstring because it's embedded in there weirdly. * Pageserver: load JWT token for Safekeeper from the environment variable. * Rewrite docs/authentication.md
20 lines
708 B
Rust
20 lines
708 B
Rust
use anyhow::{bail, Result};
|
|
use utils::auth::{Claims, Scope};
|
|
use utils::id::TenantId;
|
|
|
|
pub fn check_permission(claims: &Claims, tenant_id: Option<TenantId>) -> Result<()> {
|
|
match (&claims.scope, tenant_id) {
|
|
(Scope::Tenant, None) => {
|
|
bail!("Attempt to access management api with tenant scope. Permission denied")
|
|
}
|
|
(Scope::Tenant, Some(tenant_id)) => {
|
|
if claims.tenant_id.unwrap() != tenant_id {
|
|
bail!("Tenant id mismatch. Permission denied")
|
|
}
|
|
Ok(())
|
|
}
|
|
(Scope::PageServerApi, _) => bail!("PageServerApi scope makes no sense for Safekeeper"),
|
|
(Scope::SafekeeperData, _) => Ok(()),
|
|
}
|
|
}
|