2023-03-28 18:39:22 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
2015-08-22 00:23:01 +00:00
|
|
|
package state
|
|
|
|
|
|
|
|
import (
|
2015-08-25 03:51:07 +00:00
|
|
|
"errors"
|
2015-08-22 00:23:01 +00:00
|
|
|
"fmt"
|
2020-03-19 13:11:20 +00:00
|
|
|
|
2020-10-23 18:43:13 +00:00
|
|
|
memdb "github.com/hashicorp/go-memdb"
|
|
|
|
|
2022-04-05 21:10:06 +00:00
|
|
|
"github.com/hashicorp/consul/acl"
|
2020-07-06 20:15:13 +00:00
|
|
|
"github.com/hashicorp/consul/agent/consul/stream"
|
2019-12-10 02:26:41 +00:00
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
2015-08-22 00:23:01 +00:00
|
|
|
)
|
|
|
|
|
2015-08-25 03:51:07 +00:00
|
|
|
var (
|
|
|
|
// ErrMissingNode is the error returned when trying an operation
|
|
|
|
// which requires a node registration but none exists.
|
|
|
|
ErrMissingNode = errors.New("Missing node registration")
|
|
|
|
|
|
|
|
// ErrMissingService is the error we return if trying an
|
|
|
|
// operation which requires a service but none exists.
|
|
|
|
ErrMissingService = errors.New("Missing service registration")
|
2015-09-04 02:11:12 +00:00
|
|
|
|
|
|
|
// ErrMissingSessionID is returned when a session registration
|
|
|
|
// is attempted with an empty session ID.
|
|
|
|
ErrMissingSessionID = errors.New("Missing session ID")
|
2015-09-07 04:13:45 +00:00
|
|
|
|
2019-02-13 17:57:29 +00:00
|
|
|
// ErrMissingACLTokenSecret is returned when a token set is called on a
|
|
|
|
// token with an empty SecretID.
|
2018-10-19 16:04:07 +00:00
|
|
|
ErrMissingACLTokenSecret = errors.New("Missing ACL Token SecretID")
|
|
|
|
|
2019-02-13 17:57:29 +00:00
|
|
|
// ErrMissingACLTokenAccessor is returned when a token set is called on a
|
|
|
|
// token with an empty AccessorID.
|
2018-10-19 16:04:07 +00:00
|
|
|
ErrMissingACLTokenAccessor = errors.New("Missing ACL Token AccessorID")
|
|
|
|
|
2019-05-03 19:22:44 +00:00
|
|
|
// ErrTokenHasNoPrivileges is returned when a token set is called on a
|
|
|
|
// token with no policies, roles, or service identities and the caller
|
|
|
|
// requires at least one to be set.
|
|
|
|
ErrTokenHasNoPrivileges = errors.New("Token has no privileges")
|
|
|
|
|
2019-02-13 17:57:29 +00:00
|
|
|
// ErrMissingACLPolicyID is returned when a policy set is called on a
|
|
|
|
// policy with an empty ID.
|
2018-10-19 16:04:07 +00:00
|
|
|
ErrMissingACLPolicyID = errors.New("Missing ACL Policy ID")
|
|
|
|
|
2019-02-13 17:57:29 +00:00
|
|
|
// ErrMissingACLPolicyName is returned when a policy set is called on a
|
|
|
|
// policy with an empty Name.
|
2018-10-19 16:04:07 +00:00
|
|
|
ErrMissingACLPolicyName = errors.New("Missing ACL Policy Name")
|
2015-11-07 00:59:32 +00:00
|
|
|
|
2019-04-26 17:49:28 +00:00
|
|
|
// ErrMissingACLRoleID is returned when a role set is called on
|
2019-04-15 20:43:19 +00:00
|
|
|
// a role with an empty ID.
|
|
|
|
ErrMissingACLRoleID = errors.New("Missing ACL Role ID")
|
|
|
|
|
2019-04-26 17:49:28 +00:00
|
|
|
// ErrMissingACLRoleName is returned when a role set is called on
|
2019-04-15 20:43:19 +00:00
|
|
|
// a role with an empty Name.
|
|
|
|
ErrMissingACLRoleName = errors.New("Missing ACL Role Name")
|
|
|
|
|
2019-04-26 17:49:28 +00:00
|
|
|
// ErrMissingACLBindingRuleID is returned when a binding rule set
|
|
|
|
// is called on a binding rule with an empty ID.
|
|
|
|
ErrMissingACLBindingRuleID = errors.New("Missing ACL Binding Rule ID")
|
|
|
|
|
|
|
|
// ErrMissingACLBindingRuleAuthMethod is returned when a binding rule set
|
|
|
|
// is called on a binding rule with an empty AuthMethod.
|
|
|
|
ErrMissingACLBindingRuleAuthMethod = errors.New("Missing ACL Binding Rule Auth Method")
|
|
|
|
|
|
|
|
// ErrMissingACLAuthMethodName is returned when an auth method set is
|
|
|
|
// called on an auth method with an empty Name.
|
|
|
|
ErrMissingACLAuthMethodName = errors.New("Missing ACL Auth Method Name")
|
|
|
|
|
|
|
|
// ErrMissingACLAuthMethodType is returned when an auth method set is
|
|
|
|
// called on an auth method with an empty Type.
|
|
|
|
ErrMissingACLAuthMethodType = errors.New("Missing ACL Auth Method Type")
|
2019-04-15 20:43:19 +00:00
|
|
|
|
2015-11-07 00:59:32 +00:00
|
|
|
// ErrMissingQueryID is returned when a Query set is called on
|
|
|
|
// a Query with an empty ID.
|
|
|
|
ErrMissingQueryID = errors.New("Missing Query ID")
|
2018-02-28 06:25:05 +00:00
|
|
|
|
2018-03-17 04:20:54 +00:00
|
|
|
// ErrMissingCARootID is returned when an CARoot set is called
|
|
|
|
// with an CARoot with an empty ID.
|
|
|
|
ErrMissingCARootID = errors.New("Missing CA Root ID")
|
|
|
|
|
2018-02-28 06:25:05 +00:00
|
|
|
// ErrMissingIntentionID is returned when an Intention set is called
|
|
|
|
// with an Intention with an empty ID.
|
|
|
|
ErrMissingIntentionID = errors.New("Missing Intention ID")
|
2015-08-25 03:51:07 +00:00
|
|
|
)
|
|
|
|
|
2020-07-22 20:38:39 +00:00
|
|
|
var (
|
2017-01-20 07:36:50 +00:00
|
|
|
// watchLimit is used as a soft limit to cap how many watches we allow
|
|
|
|
// for a given blocking query. If this is exceeded, then we will use a
|
2020-02-04 12:11:30 +00:00
|
|
|
// higher-level watch that's less fine-grained. Choosing the perfect
|
|
|
|
// value is impossible given how different deployments and workload
|
|
|
|
// are. This value was recommended by customers with many servers. We
|
|
|
|
// expect streaming to arrive soon and that should help a lot with
|
|
|
|
// blocking queries. Please see
|
|
|
|
// https://github.com/hashicorp/consul/pull/7200 and linked issues/prs
|
|
|
|
// for more context
|
|
|
|
watchLimit = 8192
|
2017-01-20 07:36:50 +00:00
|
|
|
)
|
|
|
|
|
2017-04-21 00:46:29 +00:00
|
|
|
// Store is where we store all of Consul's state, including
|
2015-08-22 19:44:33 +00:00
|
|
|
// records of node registrations, services, checks, key/value
|
|
|
|
// pairs and more. The DB is entirely in-memory and is constructed
|
|
|
|
// from the Raft log through the FSM.
|
2017-04-21 00:46:29 +00:00
|
|
|
type Store struct {
|
2015-09-25 19:01:46 +00:00
|
|
|
schema *memdb.DBSchema
|
2020-06-03 16:59:10 +00:00
|
|
|
db *changeTrackerDB
|
2015-09-25 19:01:46 +00:00
|
|
|
|
2017-01-24 18:38:03 +00:00
|
|
|
// abandonCh is used to signal watchers that this state store has been
|
|
|
|
// abandoned (usually during a restore). This is only ever closed.
|
|
|
|
abandonCh chan struct{}
|
|
|
|
|
2015-09-25 19:01:46 +00:00
|
|
|
// kvsGraveyard manages tombstones for the key value store.
|
|
|
|
kvsGraveyard *Graveyard
|
|
|
|
|
|
|
|
// lockDelay holds expiration times for locks associated with keys.
|
|
|
|
lockDelay *Delay
|
2015-09-20 08:36:39 +00:00
|
|
|
}
|
|
|
|
|
2017-04-21 00:46:29 +00:00
|
|
|
// Snapshot is used to provide a point-in-time snapshot. It
|
2015-09-20 08:36:39 +00:00
|
|
|
// works by starting a read transaction against the whole state store.
|
2017-04-21 00:46:29 +00:00
|
|
|
type Snapshot struct {
|
|
|
|
store *Store
|
2020-09-03 23:38:03 +00:00
|
|
|
tx AbortTxn
|
2015-09-20 08:36:39 +00:00
|
|
|
lastIndex uint64
|
2015-08-22 00:23:01 +00:00
|
|
|
}
|
|
|
|
|
2017-04-21 00:46:29 +00:00
|
|
|
// Restore is used to efficiently manage restoring a large amount of
|
2015-10-20 06:06:59 +00:00
|
|
|
// data to a state store.
|
2017-04-21 00:46:29 +00:00
|
|
|
type Restore struct {
|
|
|
|
store *Store
|
2020-06-03 17:21:00 +00:00
|
|
|
tx *txn
|
2015-10-20 06:06:59 +00:00
|
|
|
}
|
|
|
|
|
2015-09-04 02:11:12 +00:00
|
|
|
// sessionCheck is used to create a many-to-one table such that
|
|
|
|
// each check registered by a session can be mapped back to the
|
|
|
|
// session table. This is only used internally in the state
|
|
|
|
// store and thus it is not exported.
|
|
|
|
type sessionCheck struct {
|
|
|
|
Node string
|
|
|
|
Session string
|
2019-12-10 02:26:41 +00:00
|
|
|
|
|
|
|
CheckID structs.CheckID
|
2022-04-05 21:10:06 +00:00
|
|
|
acl.EnterpriseMeta
|
2015-09-04 02:11:12 +00:00
|
|
|
}
|
|
|
|
|
2015-08-22 19:44:33 +00:00
|
|
|
// NewStateStore creates a new in-memory state storage layer.
|
2020-10-23 19:21:37 +00:00
|
|
|
func NewStateStore(gc *TombstoneGC) *Store {
|
2015-09-20 08:36:39 +00:00
|
|
|
// Create the in-memory DB.
|
2021-01-30 00:24:41 +00:00
|
|
|
schema := newDBSchema()
|
2015-09-20 08:36:39 +00:00
|
|
|
db, err := memdb.NewMemDB(schema)
|
2015-08-22 00:23:01 +00:00
|
|
|
if err != nil {
|
2020-10-23 19:21:37 +00:00
|
|
|
// the only way for NewMemDB to error is if the schema is invalid. The
|
|
|
|
// scheme is static and tested to be correct, so any failure here would
|
|
|
|
// be a programming error, which should panic.
|
|
|
|
panic(fmt.Sprintf("failed to create state store: %v", err))
|
2015-08-22 00:23:01 +00:00
|
|
|
}
|
2017-04-21 00:46:29 +00:00
|
|
|
s := &Store{
|
2022-04-12 13:47:42 +00:00
|
|
|
schema: schema,
|
|
|
|
abandonCh: make(chan struct{}),
|
|
|
|
kvsGraveyard: NewGraveyard(gc),
|
|
|
|
lockDelay: NewDelay(),
|
2020-10-23 18:43:13 +00:00
|
|
|
db: &changeTrackerDB{
|
|
|
|
db: db,
|
2020-10-23 19:21:37 +00:00
|
|
|
publisher: stream.NoOpEventPublisher{},
|
2020-10-23 18:43:13 +00:00
|
|
|
processChanges: processDBChanges,
|
|
|
|
},
|
2020-07-15 15:54:50 +00:00
|
|
|
}
|
2020-10-23 19:21:37 +00:00
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
2022-04-12 13:47:42 +00:00
|
|
|
func NewStateStoreWithEventPublisher(gc *TombstoneGC, publisher EventPublisher) *Store {
|
2020-10-23 19:21:37 +00:00
|
|
|
store := NewStateStore(gc)
|
2022-04-12 13:47:42 +00:00
|
|
|
store.db.publisher = publisher
|
2020-09-09 20:26:11 +00:00
|
|
|
|
2020-10-23 19:21:37 +00:00
|
|
|
return store
|
2015-08-22 00:23:01 +00:00
|
|
|
}
|
2015-08-22 19:44:33 +00:00
|
|
|
|
2015-09-20 08:36:39 +00:00
|
|
|
// Snapshot is used to create a point-in-time snapshot of the entire db.
|
2017-04-21 00:46:29 +00:00
|
|
|
func (s *Store) Snapshot() *Snapshot {
|
2015-09-20 08:36:39 +00:00
|
|
|
tx := s.db.Txn(false)
|
|
|
|
|
|
|
|
var tables []string
|
2017-04-20 18:42:22 +00:00
|
|
|
for table := range s.schema.Tables {
|
2015-09-20 08:36:39 +00:00
|
|
|
tables = append(tables, table)
|
|
|
|
}
|
|
|
|
idx := maxIndexTxn(tx, tables...)
|
|
|
|
|
2017-04-21 00:46:29 +00:00
|
|
|
return &Snapshot{s, tx, idx}
|
2021-11-05 18:51:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// WalkAllTables basically lets you dump memdb generically and exists primarily
|
|
|
|
// for very specific types of unit tests and should not be executed in
|
|
|
|
// production code.
|
|
|
|
func (s *Store) WalkAllTables(fn func(table string, item interface{}) bool) error {
|
|
|
|
snap := s.Snapshot()
|
|
|
|
defer snap.Close()
|
|
|
|
|
|
|
|
for name := range s.schema.Tables {
|
|
|
|
iter, err := snap.tx.Get(name, indexID)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("error walking table %q: %w", name, err)
|
|
|
|
}
|
|
|
|
for item := iter.Next(); item != nil; item = iter.Next() {
|
|
|
|
if keepGoing := fn(name, item); !keepGoing {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
2015-09-20 08:36:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// LastIndex returns that last index that affects the snapshotted data.
|
2017-04-21 00:46:29 +00:00
|
|
|
func (s *Snapshot) LastIndex() uint64 {
|
2015-09-20 08:36:39 +00:00
|
|
|
return s.lastIndex
|
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
func (s *Snapshot) Indexes() (memdb.ResultIterator, error) {
|
2021-02-05 22:53:08 +00:00
|
|
|
return s.tx.Get(tableIndex, indexID)
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// IndexRestore is used to restore an index
|
|
|
|
func (s *Restore) IndexRestore(idx *IndexEntry) error {
|
2021-02-05 22:53:08 +00:00
|
|
|
if err := s.tx.Insert(tableIndex, idx); err != nil {
|
2018-10-19 16:04:07 +00:00
|
|
|
return fmt.Errorf("index insert failed: %v", err)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2015-09-20 08:36:39 +00:00
|
|
|
// Close performs cleanup of a state snapshot.
|
2017-04-21 00:46:29 +00:00
|
|
|
func (s *Snapshot) Close() {
|
2015-09-20 08:36:39 +00:00
|
|
|
s.tx.Abort()
|
|
|
|
}
|
|
|
|
|
2015-10-20 06:06:59 +00:00
|
|
|
// Restore is used to efficiently manage restoring a large amount of data into
|
|
|
|
// the state store. It works by doing all the restores inside of a single
|
|
|
|
// transaction.
|
2017-04-21 00:46:29 +00:00
|
|
|
func (s *Store) Restore() *Restore {
|
2020-03-19 13:11:20 +00:00
|
|
|
tx := s.db.WriteTxnRestore()
|
2017-04-21 00:46:29 +00:00
|
|
|
return &Restore{s, tx}
|
2015-10-20 06:06:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Abort abandons the changes made by a restore. This or Commit should always be
|
|
|
|
// called.
|
2017-04-21 00:46:29 +00:00
|
|
|
func (s *Restore) Abort() {
|
2015-10-20 06:06:59 +00:00
|
|
|
s.tx.Abort()
|
|
|
|
}
|
|
|
|
|
|
|
|
// Commit commits the changes made by a restore. This or Abort should always be
|
|
|
|
// called.
|
2020-06-02 20:34:56 +00:00
|
|
|
func (s *Restore) Commit() error {
|
|
|
|
return s.tx.Commit()
|
2015-10-20 06:06:59 +00:00
|
|
|
}
|
|
|
|
|
2017-01-24 18:38:03 +00:00
|
|
|
// AbandonCh returns a channel you can wait on to know if the state store was
|
|
|
|
// abandoned.
|
2017-04-21 00:46:29 +00:00
|
|
|
func (s *Store) AbandonCh() <-chan struct{} {
|
2017-01-24 18:38:03 +00:00
|
|
|
return s.abandonCh
|
|
|
|
}
|
|
|
|
|
|
|
|
// Abandon is used to signal that the given state store has been abandoned.
|
|
|
|
// Calling this more than one time will panic.
|
2017-04-21 00:46:29 +00:00
|
|
|
func (s *Store) Abandon() {
|
2017-01-24 18:38:03 +00:00
|
|
|
close(s.abandonCh)
|
|
|
|
}
|
|
|
|
|
2015-08-25 02:03:28 +00:00
|
|
|
// maxIndex is a helper used to retrieve the highest known index
|
2022-06-23 15:13:25 +00:00
|
|
|
// amongst a set of index keys (e.g. table names) in the db.
|
|
|
|
func (s *Store) maxIndex(keys ...string) uint64 {
|
2015-08-25 02:03:28 +00:00
|
|
|
tx := s.db.Txn(false)
|
|
|
|
defer tx.Abort()
|
2022-06-23 15:13:25 +00:00
|
|
|
return maxIndexTxn(tx, keys...)
|
2015-09-20 08:36:39 +00:00
|
|
|
}
|
2015-08-25 02:03:28 +00:00
|
|
|
|
2015-09-20 08:36:39 +00:00
|
|
|
// maxIndexTxn is a helper used to retrieve the highest known index
|
2022-06-23 15:13:25 +00:00
|
|
|
// amongst a set of index keys (e.g. table names) in the db.
|
|
|
|
func maxIndexTxn(tx ReadTxn, keys ...string) uint64 {
|
|
|
|
return maxIndexWatchTxn(tx, nil, keys...)
|
2019-04-16 16:00:15 +00:00
|
|
|
}
|
|
|
|
|
2022-06-23 15:13:25 +00:00
|
|
|
func maxIndexWatchTxn(tx ReadTxn, ws memdb.WatchSet, keys ...string) uint64 {
|
2015-08-25 02:03:28 +00:00
|
|
|
var lindex uint64
|
2022-06-23 15:13:25 +00:00
|
|
|
for _, key := range keys {
|
|
|
|
ch, ti, err := tx.FirstWatch(tableIndex, "id", key)
|
2015-08-25 02:03:28 +00:00
|
|
|
if err != nil {
|
2022-06-23 15:13:25 +00:00
|
|
|
panic(fmt.Sprintf("unknown index: %s err: %s", key, err))
|
2015-08-25 02:03:28 +00:00
|
|
|
}
|
2015-09-02 20:32:12 +00:00
|
|
|
if idx, ok := ti.(*IndexEntry); ok && idx.Value > lindex {
|
|
|
|
lindex = idx.Value
|
2015-08-25 02:03:28 +00:00
|
|
|
}
|
2019-07-04 15:17:49 +00:00
|
|
|
ws.Add(ch)
|
2015-08-25 02:03:28 +00:00
|
|
|
}
|
|
|
|
return lindex
|
|
|
|
}
|
|
|
|
|
peering: initial sync (#12842)
- Add endpoints related to peering: read, list, generate token, initiate peering
- Update node/service/check table indexing to account for peers
- Foundational changes for pushing service updates to a peer
- Plumb peer name through Health.ServiceNodes path
see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679,
ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663,
ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634,
ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
Co-authored-by: freddygv <freddy@hashicorp.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Evan Culver <eculver@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
2022-04-21 22:34:40 +00:00
|
|
|
// indexUpdateMaxTxn sets the table's index to the given idx only if it's greater than the current index.
|
|
|
|
func indexUpdateMaxTxn(tx WriteTxn, idx uint64, key string) error {
|
|
|
|
ti, err := tx.First(tableIndex, indexID, key)
|
2015-09-20 08:36:39 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("failed to retrieve existing index: %s", err)
|
|
|
|
}
|
|
|
|
|
2021-09-23 15:06:23 +00:00
|
|
|
// if this is an update check the idx
|
|
|
|
if ti != nil {
|
|
|
|
cur, ok := ti.(*IndexEntry)
|
|
|
|
if !ok {
|
|
|
|
return fmt.Errorf("failed updating index %T need to be `*IndexEntry`", ti)
|
2015-10-09 06:28:32 +00:00
|
|
|
}
|
2021-09-23 15:06:23 +00:00
|
|
|
// Stored index is newer, don't insert the index
|
|
|
|
if idx <= cur.Value {
|
|
|
|
return nil
|
2015-09-20 08:36:39 +00:00
|
|
|
}
|
|
|
|
}
|
2021-09-23 15:06:23 +00:00
|
|
|
|
peering: initial sync (#12842)
- Add endpoints related to peering: read, list, generate token, initiate peering
- Update node/service/check table indexing to account for peers
- Foundational changes for pushing service updates to a peer
- Plumb peer name through Health.ServiceNodes path
see: ENT-1765, ENT-1280, ENT-1283, ENT-1283, ENT-1756, ENT-1739, ENT-1750, ENT-1679,
ENT-1709, ENT-1704, ENT-1690, ENT-1689, ENT-1702, ENT-1701, ENT-1683, ENT-1663,
ENT-1650, ENT-1678, ENT-1628, ENT-1658, ENT-1640, ENT-1637, ENT-1597, ENT-1634,
ENT-1613, ENT-1616, ENT-1617, ENT-1591, ENT-1588, ENT-1596, ENT-1572, ENT-1555
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
Co-authored-by: freddygv <freddy@hashicorp.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Evan Culver <eculver@hashicorp.com>
Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>
2022-04-21 22:34:40 +00:00
|
|
|
if err := tx.Insert(tableIndex, &IndexEntry{key, idx}); err != nil {
|
2021-09-23 15:06:23 +00:00
|
|
|
return fmt.Errorf("failed updating index %s", err)
|
|
|
|
}
|
2015-09-20 08:36:39 +00:00
|
|
|
return nil
|
|
|
|
}
|