Fix bad sys request for different account #3382
Conversation
Does this violate account isolation? Can any account simply import this from a system account and be able to monitor other accounts?
I am ok if the system account itself can inquire about other accounts, and that user credentials for the system account could be minted to just have access to this subject.
@derekcollison I don't think this violates account isolation as the mandatory export/import is still needed. In the example, a dedicated account to monitor was trying to access information of another account. I also tried this out by removing the export from the unit test.
ok so the system has to allow broader access to any given account, so our reasoning is this would be done on purpose to allow an account to monitor other accounts anyway.
@derekcollison I have to rescind my earlier comment. With some more playing I was able to import without explicit export.
LGTM
Oh ok.. Then maybe we should discuss. My LGTM was before that last comment.
Let's look a bit more.
4862e47 to ee66082
Remember to call defer nc.Close() after creating a client connection.
e11a8cc to c4b217c
When a request for a system service like $SYS.REQ.ACCOUNT.*.CONNZ is imported/exported we ensured that the requesting account is identical to the account referenced in the subject. In #3250 this check was extended from CONNZ to all $SYS.REQ.ACCOUNT.*.* requests.

In general this check interferes with monitoring accounts that need to query all other accounts, not just itself. There the use case is that account A sends a request with account B in the subject. The check for equal accounts prevents this.

This change removes the check to support these use cases. Instead of the check, the default export now uses exportAuth tokenPos to ensure that the 4th token is the importer account id. This guarantees that an explicit export (done by user) can only import for the own account.

This change also ensures that an explicit export is not overwritten by the system. This is not a problem when the export is public. Automatic imports set the account id correctly and do not use wildcards. To cover cases where the export is private, automatically added imports are not subject to a token check.

Signed-off-by: Matthias Hanel <mh@synadia.com>
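As an added illustration of the import rule the commit message describes (example code written for this page, not nats-server's implementation; the names `ImportKind`, `AllowImport` and `TokenAt` are assumptions), the explicit-import path rejects a subject whose 4th token is a wildcard or another account's id, while automatically added imports skip the check:

```go
package main

import (
	"fmt"
	"strings"
)

// Illustrative model of the check from the commit message (not nats-server
// code): for a system export like $SYS.REQ.ACCOUNT.*.CONNZ, the 4th subject
// token must be the importing account's id.
const accountTokenPos = 4

// ImportKind tells imports added by the server apart from user-configured
// ones; only explicit imports are subject to the token check.
type ImportKind int

const (
	AutomaticImport ImportKind = iota // server sets the account id, no wildcards
	ExplicitImport                    // user-configured, may try wildcards
)

// TokenAt returns the 1-based n-th dot-separated token of subject.
func TokenAt(subject string, n int) (string, bool) {
	toks := strings.Split(subject, ".")
	if n < 1 || n > len(toks) {
		return "", false
	}
	return toks[n-1], true
}

// AllowImport reports whether importer may import subject from the system
// account. An explicit import must carry importer's own id at
// accountTokenPos; a wildcard there would let it monitor other accounts.
func AllowImport(kind ImportKind, importer, subject string) bool {
	if kind == AutomaticImport {
		return true // account id set by the server, not checked
	}
	tok, ok := TokenAt(subject, accountTokenPos)
	if !ok || tok == "*" || tok == ">" {
		return false
	}
	return tok == importer
}

func main() {
	for _, s := range []string{"$SYS.REQ.ACCOUNT.ACC_A.CONNZ", "$SYS.REQ.ACCOUNT.ACC_B.CONNZ", "$SYS.REQ.ACCOUNT.*.CONNZ"} {
		fmt.Printf("ACC_A explicit import of %s allowed=%v\n", s, AllowImport(ExplicitImport, "ACC_A", s))
	}
}
```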
c4b217c to 6e44dd5
LGTM
LGTM (at least the tests missing defers). Defer (pun intended) to Derek for the actual code changes.