grpc/acl: relax permissions required for "core" endpoints #15346
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Previously, these endpoints required
service:write
permission on any service as a sort of proxy for "is the caller allowed to participate in the mesh?".Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have
service:write
permission.So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints:
hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures
hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers
hashicorp.consul.connectca.ConnectCAService/WatchRoots