Commits on Aug 19, 2022

1. Fix bad sys request for different account …

   When a request for a system service like $SYS.REQ.ACCOUNT.*.CONNZ
   is imported/exported we ensured that the requesting account is identical
   to the account referenced in the subject.
   
   In #3250 this check was extended from CONNZ to all $SYS.REQ.ACCOUNT.*.*
   requests.
   
   In general this check interferes with monitoring accounts that need
   to query all other accounts, not just itself.
   There the use case is that account A sends a request with account B
   in the subject. The check for equal accounts prevents this.
   
   This change removes the check to support these use cases.
   
   Instead of the check, the default export now uses exportAuth
   tokenPos to ensure that the 4th token is the importer account id.
   This guarantees that an explicit export (done by user) can only import
   for the own account.
   
   This change also ensures that an explicit export is not overwritten
   by the system.
   This is not a problem when the export is public.
   Automatic imports set the account id correctly and do not use wildcards.
   
   To cover cases where the export is private, automatically added imports
   are not subject a token check.
   
   Signed-off-by: Matthias Hanel <mh@synadia.com>

   

   matthiashanel committed Aug 19, 2022
   Configuration menu

   • View commit details
   • Copy full SHA for 6e44dd5
   • Browse repository at this point

   Copy the full SHA

   6e44dd5 View commit details

   Browse the repository at this point in the history