
Commit e1d4749

committed
feat: allow talosctl wipe disk command
Impersonate the `os:admin` role in the Talos gRPC proxy to make the request work both in maintenance and normal modes. Fixes: #1143 Signed-off-by: Artem Chernyshev <[email protected]>
1 parent 877b379 commit e1d4749


1 file changed

+13
-0
lines changed


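--- a/internal/backend/grpc/router/talos_backend.go
+++ b/internal/backend/grpc/router/talos_backend.go
@@ -12,6 +12,7 @@ import (
 "github.com/siderolabs/gen/xslices"
 "github.com/siderolabs/go-api-signature/pkg/message"
 "github.com/siderolabs/talos/pkg/machinery/api/machine"
+"github.com/siderolabs/talos/pkg/machinery/api/storage"
 "github.com/siderolabs/talos/pkg/machinery/constants"
 talosrole "github.com/siderolabs/talos/pkg/machinery/role"
 "google.golang.org/grpc"
@@ -41,6 +42,11 @@ var operatorMethodSet = xslices.ToSet([]string{
 grpcutil.MustFullMethodName(&machine.MachineService_ServiceDesc, "Shutdown"),
 })
 
+// adminMethodSet is the set of methods that are allowed to be called by the minimum role of os:admin.
+var adminMethodSet = xslices.ToSet([]string{
+grpcutil.MustFullMethodName(&storage.StorageService_ServiceDesc, "BlockDeviceWipe"),
+})
+
 // TalosBackend implements a backend (proxying one2one to a Talos node).
 type TalosBackend struct {
 conn *grpc.ClientConn
@@ -157,6 +163,13 @@ func (backend *TalosBackend) setRoleHeaders(ctx context.Context, md metadata.MD,
 
 minTalosVersion := backend.minTalosVersion(info)
 
+// methods that should have admin access
+if _, ok := adminMethodSet[fullMethodName]; ok {
+setHeaderData(ctx, md, constants.APIAuthzRoleMetadataKey, talosrole.MakeSet(talosrole.Admin).Strings()...)
+
+return
+}
+
 // min Talos version is >= 1.4.0, we can use Operator role
 if minTalosVersion != nil && minTalosVersion.GTE(semver.MustParse("1.4.0")) {
 setHeaderData(ctx, md, constants.APIAuthzRoleMetadataKey, talosrole.MakeSet(talosrole.Operator).Strings()...)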
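Review bot: The new admin branch in setRoleHeaders forwards `BlockDeviceWipe` with the `os:admin` role on a method-name match alone, and nothing in the visible lines ties that elevation to the permissions of the caller. If the caller's access is checked earlier in the proxy, say so at the branch, for example `// caller access is verified before setRoleHeaders runs (see <authorization check>); impersonating os:admin is safe here`, so that a later addition to adminMethodSet is reviewed against that check. Because the method wipes a disk, an audit log line recording the method and the impersonated role at this point would also help incident review. The body of setRoleHeaders starts and ends outside the hunk, so the upstream check may exist and simply not be shown.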
