openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

permissions enum doesn't contain "Invalid" #1962

Closed dovholuknf closed 6 months ago

dovholuknf commented 6 months ago

When enumerating services as an administrator using the management API, such as ziti edge list services -j, if the identity doesn't have permissions because no service policy exists to grant the admin access, the permissions array returns "Invalid":

"permissions": [
    "Invalid"
]

This causes problems with generated clients because "Invalid" doesn't appear in the spec.

andrewpmartinez commented 6 months ago

Tracing it through the code, this is because of the change to admin access where dial/bind is no longer assumed and, instead, Invalid is purposefully returned.

The downside is that the spec was never updated, and any admin client accessing the service list will encounter similar errors. Most OpenAPI clients are generated with value checking for enumerations and will not accept unknown values.

The workaround is to hand-patch the dialBind enum, add "- Invalid", and then regenerate your client.

Once a new version of ziti is released with this issue fixed, upgrading and regenerating from the spec the controller provides will also fix the issue.
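
The workaround discussed in this thread, as an added example that is not part of the original comments or the OpenZiti code base: it checks a service-list response against the dialBind enum the way a strict generated client would, then patches the enum before regeneration. The spec fragment, the "Dial"/"Bind" values, the response envelope and all function names are assumptions constructed for the example.

```python
import copy
import json

# Constructed fragment of a Swagger 2.0 document. The "Dial"/"Bind" values and
# the "definitions" location are assumptions for this example.
SPEC = json.loads("""
{"swagger": "2.0",
 "definitions": {"dialBind": {"type": "string", "enum": ["Dial", "Bind"]}}}
""")

# Constructed service-list response shaped like the output quoted in the issue.
RESPONSE = json.loads("""
{"data": [{"name": "svc-a", "permissions": ["Dial", "Bind"]},
          {"name": "svc-b", "permissions": ["Invalid"]}]}
""")


def find_schema(spec, name):
    """Locate a named schema in Swagger 2.0 or OpenAPI 3 layout."""
    for container in (spec.get("definitions", {}),
                      spec.get("components", {}).get("schemas", {})):
        if name in container:
            return container[name]
    raise KeyError(f"schema {name!r} not found")


def rejected_values(spec, response, name="dialBind"):
    """Return (service, value) pairs a strict enum check would reject."""
    allowed = set(find_schema(spec, name)["enum"])
    return [(svc["name"], perm)
            for svc in response["data"]
            for perm in svc.get("permissions", [])
            if perm not in allowed]


def patch_enum(spec, name="dialBind", value="Invalid"):
    """Return a copy of the spec with value appended to the enum (idempotent)."""
    patched = copy.deepcopy(spec)
    enum = find_schema(patched, name)["enum"]
    if value not in enum:
        enum.append(value)
    return patched


if __name__ == "__main__":
    print("before:", rejected_values(SPEC, RESPONSE))
    print("after: ", rejected_values(patch_enum(SPEC), RESPONSE))
```

Running the same check against the spec served by an upgraded controller shows whether the hand patch is still needed.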