mirror of
https://github.com/openziti/zrok.git
synced 2025-06-26 20:52:33 +02:00
Merge pull request #974 from openziti/default_closed
Default to Closed Permission Mode (#971)
commit
14b40b3875
@ -2,6 +2,8 @@
|
||||
|
||||
## v1.0.5
|
||||
|
||||
CHANGE: `zrok share public`, `zrok share private`, and `zrok reserve` all default to the "closed" permission mode (they previously defaulted to the "open" permission mode). The `--closed` flag has been replaced with a new `--open` flag. See the [Permission Modes](https://docs.zrok.io/docs/guides/permission-modes/) docs for details (https://github.com/openziti/zrok/issues/971)
|
||||
|
||||
FIX: `zrok enable` now handles the case where the user ID does not resolve to a username when generating the default environment description (https://github.com/openziti/zrok/issues/959)
|
||||
|
||||
FIX: Linux packages were optimized to avoid manage file revision conflicts (https://github.com/openziti/zrok/issues/817)
|
||||
|
@ -28,7 +28,7 @@ type reserveCommand struct {
|
||||
oauthProvider string
|
||||
oauthEmailAddressPatterns []string
|
||||
oauthCheckInterval time.Duration
|
||||
closed bool
|
||||
open bool
|
||||
accessGrants []string
|
||||
cmd *cobra.Command
|
||||
}
|
||||
@ -54,7 +54,7 @@ func newReserveCommand() *reserveCommand {
|
||||
cmd.Flags().StringArrayVar(&command.oauthEmailAddressPatterns, "oauth-email-address-patterns", []string{}, "Allow only these email domains to authenticate via OAuth")
|
||||
cmd.Flags().DurationVar(&command.oauthCheckInterval, "oauth-check-interval", 3*time.Hour, "Maximum lifetime for OAuth authentication; reauthenticate after expiry")
|
||||
cmd.MarkFlagsMutuallyExclusive("basic-auth", "oauth-provider")
|
||||
cmd.Flags().BoolVar(&command.closed, "closed", false, "Enable closed permission mode (see --access-grant)")
|
||||
cmd.Flags().BoolVar(&command.open, "open", false, "Enable open permission mode")
|
||||
cmd.Flags().StringArrayVar(&command.accessGrants, "access-grant", []string{}, "zrok accounts that are allowed to access this share (see --closed)")
|
||||
|
||||
cmd.Run = command.run
|
||||
@ -147,12 +147,14 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) {
|
||||
}
|
||||
|
||||
req := &sdk.ShareRequest{
|
||||
Reserved: true,
|
||||
UniqueName: cmd.uniqueName,
|
||||
BackendMode: sdk.BackendMode(cmd.backendMode),
|
||||
ShareMode: shareMode,
|
||||
BasicAuth: cmd.basicAuth,
|
||||
Target: target,
|
||||
Reserved: true,
|
||||
UniqueName: cmd.uniqueName,
|
||||
BackendMode: sdk.BackendMode(cmd.backendMode),
|
||||
ShareMode: shareMode,
|
||||
BasicAuth: cmd.basicAuth,
|
||||
Target: target,
|
||||
PermissionMode: sdk.ClosedPermissionMode,
|
||||
AccessGrants: cmd.accessGrants,
|
||||
}
|
||||
if shareMode == sdk.PublicShareMode {
|
||||
req.Frontends = cmd.frontendSelection
|
||||
@ -165,9 +167,8 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) {
|
||||
req.OauthEmailAddressPatterns = cmd.oauthEmailAddressPatterns
|
||||
req.OauthAuthorizationCheckInterval = cmd.oauthCheckInterval
|
||||
}
|
||||
if cmd.closed {
|
||||
req.PermissionMode = sdk.ClosedPermissionMode
|
||||
req.AccessGrants = cmd.accessGrants
|
||||
if cmd.open {
|
||||
req.PermissionMode = sdk.OpenPermissionMode
|
||||
}
|
||||
shr, err := sdk.CreateShare(env, req)
|
||||
if err != nil {
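Review bot: The `--access-grant` help text in newReserveCommand still ends with `(see --closed)`, a flag this commit removes, and nothing stops `--open` from being combined with `--access-grant`. run() now always copies `cmd.accessGrants` into the request, so with `--open` a user can supply a grant list and still get a share that, per the Permission Modes doc, any account on the instance can reach with the share token; how the controller treats grants in open mode is not visible here. Suggest changing the help suffix to `(ignored with --open)` and adding `cmd.MarkFlagsMutuallyExclusive("open", "access-grant")` after the flag definitions so the contradiction fails at parse time. The same two points apply to the flag hunks in the sharePrivateCommand and sharePublicCommand sections. Both newReserveCommand and run continue outside the hunks shown.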
|
||||
|
@ -41,7 +41,7 @@ type sharePrivateCommand struct {
|
||||
forceLocal bool
|
||||
forceAgent bool
|
||||
insecure bool
|
||||
closed bool
|
||||
open bool
|
||||
accessGrants []string
|
||||
cmd *cobra.Command
|
||||
}
|
||||
@ -65,7 +65,7 @@ func newSharePrivateCommand() *sharePrivateCommand {
|
||||
cmd.Flags().BoolVar(&command.forceAgent, "force-agent", false, "Skip agent detection and force agent mode")
|
||||
cmd.MarkFlagsMutuallyExclusive("force-local", "force-agent")
|
||||
cmd.Flags().BoolVar(&command.insecure, "insecure", false, "Enable insecure TLS certificate validation for <target>")
|
||||
cmd.Flags().BoolVar(&command.closed, "closed", false, "Enable closed permission mode (see --access-grant)")
|
||||
cmd.Flags().BoolVar(&command.open, "open", false, "Enable open permission mode")
|
||||
cmd.Flags().StringArrayVar(&command.accessGrants, "access-grant", []string{}, "zrok accounts that are allowed to access this share (see --closed)")
|
||||
cmd.Run = command.run
|
||||
return command
|
||||
@ -184,13 +184,14 @@ func (cmd *sharePrivateCommand) shareLocal(args []string, root env_core.Root) {
|
||||
}
|
||||
|
||||
req := &sdk.ShareRequest{
|
||||
BackendMode: sdk.BackendMode(cmd.backendMode),
|
||||
ShareMode: sdk.PrivateShareMode,
|
||||
Target: target,
|
||||
BackendMode: sdk.BackendMode(cmd.backendMode),
|
||||
ShareMode: sdk.PrivateShareMode,
|
||||
Target: target,
|
||||
PermissionMode: sdk.ClosedPermissionMode,
|
||||
AccessGrants: cmd.accessGrants,
|
||||
}
|
||||
if cmd.closed {
|
||||
req.PermissionMode = sdk.ClosedPermissionMode
|
||||
req.AccessGrants = cmd.accessGrants
|
||||
if cmd.open {
|
||||
req.PermissionMode = sdk.OpenPermissionMode
|
||||
}
|
||||
shr, err := sdk.CreateShare(root, req)
|
||||
if err != nil {
|
||||
@ -548,7 +549,7 @@ func (cmd *sharePrivateCommand) shareAgent(args []string, root env_core.Root) {
|
||||
Target: target,
|
||||
BackendMode: cmd.backendMode,
|
||||
Insecure: cmd.insecure,
|
||||
Closed: cmd.closed,
|
||||
Closed: !cmd.open,
|
||||
AccessGrants: cmd.accessGrants,
|
||||
})
|
||||
if err != nil {
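Review bot: `Closed: !cmd.open` in shareAgent makes the closed default a property of this CLI only, because the request field's zero value still reads as "not closed". Any other caller of the agent that leaves `Closed` unset would presumably keep creating open shares; the agent-side handling is not part of this page, so that needs confirming. Consider defaulting on the receiving side, or inverting the field, so an omitted value fails closed. At minimum, add a comment on the line such as `// unset Closed means open on the agent side; the CLI sends closed unless --open is given`. The identical line appears in the sharePublicCommand shareAgent hunk, and shareAgent's body continues outside the hunk.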
|
||||
|
@ -43,7 +43,7 @@ type sharePublicCommand struct {
|
||||
oauthProvider string
|
||||
oauthEmailAddressPatterns []string
|
||||
oauthCheckInterval time.Duration
|
||||
closed bool
|
||||
open bool
|
||||
accessGrants []string
|
||||
cmd *cobra.Command
|
||||
}
|
||||
@ -73,7 +73,7 @@ func newSharePublicCommand() *sharePublicCommand {
|
||||
cmd.Flags().BoolVar(&command.forceAgent, "force-agent", false, "Skip agent detection and force agent mode")
|
||||
cmd.MarkFlagsMutuallyExclusive("force-local", "force-agent")
|
||||
cmd.Flags().BoolVar(&command.insecure, "insecure", false, "Enable insecure TLS certificate validation for <target>")
|
||||
cmd.Flags().BoolVar(&command.closed, "closed", false, "Enable closed permission mode (see --access-grant)")
|
||||
cmd.Flags().BoolVar(&command.open, "open", false, "Enable open permission mode")
|
||||
cmd.Flags().StringArrayVar(&command.accessGrants, "access-grant", []string{}, "zrok accounts that are allowed to access this share (see --closed)")
|
||||
cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (<username:password>,...)")
|
||||
cmd.Flags().StringVar(&command.oauthProvider, "oauth-provider", "", "Enable OAuth provider [google, github]")
|
||||
@ -148,15 +148,16 @@ func (cmd *sharePublicCommand) shareLocal(args []string, root env_core.Root) {
|
||||
}
|
||||
|
||||
req := &sdk.ShareRequest{
|
||||
BackendMode: sdk.BackendMode(cmd.backendMode),
|
||||
ShareMode: sdk.PublicShareMode,
|
||||
Frontends: cmd.frontendSelection,
|
||||
BasicAuth: cmd.basicAuth,
|
||||
Target: target,
|
||||
BackendMode: sdk.BackendMode(cmd.backendMode),
|
||||
ShareMode: sdk.PublicShareMode,
|
||||
Frontends: cmd.frontendSelection,
|
||||
BasicAuth: cmd.basicAuth,
|
||||
Target: target,
|
||||
PermissionMode: sdk.ClosedPermissionMode,
|
||||
AccessGrants: cmd.accessGrants,
|
||||
}
|
||||
if cmd.closed {
|
||||
req.PermissionMode = sdk.ClosedPermissionMode
|
||||
req.AccessGrants = cmd.accessGrants
|
||||
if cmd.open {
|
||||
req.PermissionMode = sdk.OpenPermissionMode
|
||||
}
|
||||
if cmd.oauthProvider != "" {
|
||||
req.OauthProvider = cmd.oauthProvider
|
||||
@ -414,7 +415,7 @@ func (cmd *sharePublicCommand) shareAgent(args []string, root env_core.Root) {
|
||||
OauthProvider: cmd.oauthProvider,
|
||||
OauthEmailAddressPatterns: cmd.oauthEmailAddressPatterns,
|
||||
OauthCheckInterval: cmd.oauthCheckInterval.String(),
|
||||
Closed: cmd.closed,
|
||||
Closed: !cmd.open,
|
||||
AccessGrants: cmd.accessGrants,
|
||||
})
|
||||
if err != nil {
|
||||
|
@ -5,6 +5,10 @@ sidebar_label: Permission Modes
|
||||
|
||||
# Permission Modes
|
||||
|
||||
:::note
|
||||
As of `v1.0.5` zrok sharing now defaults to the `closed` permission mode. The `--closed` flag has been removed and has been replaced with a new `--open` flag for users who want to retain the open permission model. Otherwise, the closed permission mode works exactly the same.
|
||||
:::
|
||||
|
||||
Shares created in zrok `v0.4.26` and newer now include a choice of _permission mode_.
|
||||
|
||||
Shares created with zrok `v0.4.25` and older were created using what is now called the _open permission mode_. Whether _public_ or _private_, these shares can be accessed by any user of the zrok service instance, as long as they know the _share token_ of the share. Effectively shares with the _open permission mode_ are accessible by any user of the zrok service instance.
|
||||
|