2014-03-31 21:15:49 +00:00
|
|
|
package consul
|
|
|
|
|
2014-03-31 23:00:23 +00:00
|
|
|
import (
|
|
|
|
"fmt"
|
2014-08-13 19:09:39 +00:00
|
|
|
"time"
|
|
|
|
|
2014-03-31 23:00:23 +00:00
|
|
|
"github.com/armon/go-metrics"
|
2016-05-07 00:50:58 +00:00
|
|
|
"github.com/hashicorp/consul/acl"
|
pkg refactor
command/agent/* -> agent/*
command/consul/* -> agent/consul/*
command/agent/command{,_test}.go -> command/agent{,_test}.go
command/base/command.go -> command/base.go
command/base/* -> command/*
commands.go -> command/commands.go
The script which did the refactor is:
(
cd $GOPATH/src/github.com/hashicorp/consul
git mv command/agent/command.go command/agent.go
git mv command/agent/command_test.go command/agent_test.go
git mv command/agent/flag_slice_value{,_test}.go command/
git mv command/agent .
git mv command/base/command.go command/base.go
git mv command/base/config_util{,_test}.go command/
git mv commands.go command/
git mv consul agent
rmdir command/base/
gsed -i -e 's|package agent|package command|' command/agent{,_test}.go
gsed -i -e 's|package agent|package command|' command/flag_slice_value{,_test}.go
gsed -i -e 's|package base|package command|' command/base.go command/config_util{,_test}.go
gsed -i -e 's|package main|package command|' command/commands.go
gsed -i -e 's|base.Command|BaseCommand|' command/commands.go
gsed -i -e 's|agent.Command|AgentCommand|' command/commands.go
gsed -i -e 's|\tCommand:|\tBaseCommand:|' command/commands.go
gsed -i -e 's|base\.||' command/commands.go
gsed -i -e 's|command\.||' command/commands.go
gsed -i -e 's|command|c|' main.go
gsed -i -e 's|range Commands|range command.Commands|' main.go
gsed -i -e 's|Commands: Commands|Commands: command.Commands|' main.go
gsed -i -e 's|base\.BoolValue|BoolValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.DurationValue|DurationValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.StringValue|StringValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.UintValue|UintValue|' command/operator_autopilot_set.go
gsed -i -e 's|\bCommand\b|BaseCommand|' command/base.go
gsed -i -e 's|BaseCommand Options|Command Options|' command/base.go
gsed -i -e 's|base.Command|BaseCommand|' command/*.go
gsed -i -e 's|c\.Command|c.BaseCommand|g' command/*.go
gsed -i -e 's|\tCommand:|\tBaseCommand:|' command/*_test.go
gsed -i -e 's|base\.||' command/*_test.go
gsed -i -e 's|\bCommand\b|AgentCommand|' command/agent{,_test}.go
gsed -i -e 's|cmd.AgentCommand|cmd.BaseCommand|' command/agent.go
gsed -i -e 's|cli.AgentCommand = new(Command)|cli.Command = new(AgentCommand)|' command/agent_test.go
gsed -i -e 's|exec.AgentCommand|exec.Command|' command/agent_test.go
gsed -i -e 's|exec.BaseCommand|exec.Command|' command/agent_test.go
gsed -i -e 's|NewTestAgent|agent.NewTestAgent|' command/agent_test.go
gsed -i -e 's|= TestConfig|= agent.TestConfig|' command/agent_test.go
gsed -i -e 's|: RetryJoin|: agent.RetryJoin|' command/agent_test.go
gsed -i -e 's|\.\./\.\./|../|' command/config_util_test.go
gsed -i -e 's|\bverifyUniqueListeners|VerifyUniqueListeners|' agent/config{,_test}.go command/agent.go
gsed -i -e 's|\bserfLANKeyring\b|SerfLANKeyring|g' agent/{agent,keyring,testagent}.go command/agent.go
gsed -i -e 's|\bserfWANKeyring\b|SerfWANKeyring|g' agent/{agent,keyring,testagent}.go command/agent.go
gsed -i -e 's|\bNewAgent\b|agent.New|g' command/agent{,_test}.go
gsed -i -e 's|\bNewAgent|New|' agent/{acl_test,agent,testagent}.go
gsed -i -e 's|\bAgent\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bBool\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bDefaultConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bDevConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bMergeConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bReadConfigPaths\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bParseMetaPair\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bSerfLANKeyring\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bSerfWANKeyring\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|circonus\.agent|circonus|g' command/agent{,_test}.go
gsed -i -e 's|logger\.agent|logger|g' command/agent{,_test}.go
gsed -i -e 's|metrics\.agent|metrics|g' command/agent{,_test}.go
gsed -i -e 's|// agent.Agent|// agent|' command/agent{,_test}.go
gsed -i -e 's|a\.agent\.Config|a.Config|' command/agent{,_test}.go
gsed -i -e 's|agent\.AppendSliceValue|AppendSliceValue|' command/{configtest,validate}.go
gsed -i -e 's|consul/consul|agent/consul|' GNUmakefile
gsed -i -e 's|\.\./test|../../test|' agent/consul/server_test.go
# fix imports
f=$(grep -rl 'github.com/hashicorp/consul/command/agent' * | grep '\.go')
gsed -i -e 's|github.com/hashicorp/consul/command/agent|github.com/hashicorp/consul/agent|' $f
goimports -w $f
f=$(grep -rl 'github.com/hashicorp/consul/consul' * | grep '\.go')
gsed -i -e 's|github.com/hashicorp/consul/consul|github.com/hashicorp/consul/agent/consul|' $f
goimports -w $f
goimports -w command/*.go main.go
)
2017-06-09 22:28:28 +00:00
|
|
|
"github.com/hashicorp/consul/agent/consul/state"
|
2017-07-06 10:34:00 +00:00
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
2017-04-19 23:00:11 +00:00
|
|
|
"github.com/hashicorp/consul/api"
|
2017-01-24 19:20:51 +00:00
|
|
|
"github.com/hashicorp/go-memdb"
|
2014-03-31 23:00:23 +00:00
|
|
|
)
|
2014-03-31 21:15:49 +00:00
|
|
|
|
|
|
|
// KVS endpoint is used to manipulate the Key-Value store
|
|
|
|
type KVS struct {
|
|
|
|
srv *Server
|
|
|
|
}
|
2014-03-31 23:00:23 +00:00
|
|
|
|
2016-05-07 00:50:58 +00:00
|
|
|
// preApply does all the verification of a KVS update that is performed BEFORE
|
|
|
|
// we submit as a Raft log entry. This includes enforcing the lock delay which
|
|
|
|
// must only be done on the leader.
|
2018-10-19 16:04:07 +00:00
|
|
|
func kvsPreApply(srv *Server, rule acl.Authorizer, op api.KVOp, dirEnt *structs.DirEntry) (bool, error) {
|
2016-05-07 00:50:58 +00:00
|
|
|
// Verify the entry.
|
2017-09-14 19:31:01 +00:00
|
|
|
|
2017-04-19 23:00:11 +00:00
|
|
|
if dirEnt.Key == "" && op != api.KVDeleteTree {
|
2016-05-07 00:50:58 +00:00
|
|
|
return false, fmt.Errorf("Must provide key")
|
2014-03-31 23:00:23 +00:00
|
|
|
}
|
|
|
|
|
2016-05-07 00:50:58 +00:00
|
|
|
// Apply the ACL policy if any.
|
2017-08-23 14:52:48 +00:00
|
|
|
if rule != nil {
|
2016-05-07 00:50:58 +00:00
|
|
|
switch op {
|
2017-04-19 23:00:11 +00:00
|
|
|
case api.KVDeleteTree:
|
2019-10-15 20:58:50 +00:00
|
|
|
// TODO (namespaces) use actual ent authz context - ensure we set the Sentinel Scope
|
|
|
|
if rule.KeyWritePrefix(dirEnt.Key, nil) != acl.Allow {
|
2017-08-23 14:52:48 +00:00
|
|
|
return false, acl.ErrPermissionDenied
|
2014-08-15 02:25:12 +00:00
|
|
|
}
|
2016-05-10 18:23:47 +00:00
|
|
|
|
2017-04-19 23:00:11 +00:00
|
|
|
case api.KVGet, api.KVGetTree:
|
2016-05-13 22:58:55 +00:00
|
|
|
// Filtering for GETs is done on the output side.
|
|
|
|
|
2017-04-19 23:00:11 +00:00
|
|
|
case api.KVCheckSession, api.KVCheckIndex:
|
2016-05-13 22:58:55 +00:00
|
|
|
// These could reveal information based on the outcome
|
|
|
|
// of the transaction, and they operate on individual
|
|
|
|
// keys so we check them here.
|
2019-10-15 20:58:50 +00:00
|
|
|
if rule.KeyRead(dirEnt.Key, nil) != acl.Allow {
|
2017-08-23 14:52:48 +00:00
|
|
|
return false, acl.ErrPermissionDenied
|
2016-05-10 18:23:47 +00:00
|
|
|
}
|
|
|
|
|
2014-08-15 02:25:12 +00:00
|
|
|
default:
|
2019-10-15 20:58:50 +00:00
|
|
|
// TODO (namespaces) use actual ent authz context - ensure we set the Sentinel Scope
|
|
|
|
if rule.KeyWrite(dirEnt.Key, nil) != acl.Allow {
|
2017-08-23 14:52:48 +00:00
|
|
|
return false, acl.ErrPermissionDenied
|
2014-08-15 02:25:12 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-05-19 19:50:29 +00:00
|
|
|
// If this is a lock, we must check for a lock-delay. Since lock-delay
|
2016-05-07 00:50:58 +00:00
|
|
|
// is based on wall-time, each peer would expire the lock-delay at a slightly
|
2014-05-19 19:50:29 +00:00
|
|
|
// different time. This means the enforcement of lock-delay cannot be done
|
|
|
|
// after the raft log is committed as it would lead to inconsistent FSMs.
|
|
|
|
// Instead, the lock-delay must be enforced before commit. This means that
|
|
|
|
// only the wall-time of the leader node is used, preventing any inconsistencies.
|
2017-04-19 23:00:11 +00:00
|
|
|
if op == api.KVLock {
|
2016-05-11 04:41:47 +00:00
|
|
|
state := srv.fsm.State()
|
2016-05-07 00:50:58 +00:00
|
|
|
expires := state.KVSLockDelay(dirEnt.Key)
|
2014-05-19 19:50:29 +00:00
|
|
|
if expires.After(time.Now()) {
|
2016-05-11 04:41:47 +00:00
|
|
|
srv.logger.Printf("[WARN] consul.kvs: Rejecting lock of %s due to lock-delay until %v",
|
2016-05-07 00:50:58 +00:00
|
|
|
dirEnt.Key, expires)
|
|
|
|
return false, nil
|
2014-05-19 19:50:29 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-05-07 00:50:58 +00:00
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Apply is used to apply a KVS update request to the data store.
|
|
|
|
func (k *KVS) Apply(args *structs.KVSRequest, reply *bool) error {
|
|
|
|
if done, err := k.srv.forward("KVS.Apply", args, args, reply); done {
|
|
|
|
return err
|
|
|
|
}
|
2017-10-04 23:43:27 +00:00
|
|
|
defer metrics.MeasureSince([]string{"kvs", "apply"}, time.Now())
|
2016-05-07 00:50:58 +00:00
|
|
|
|
|
|
|
// Perform the pre-apply checks.
|
2018-10-19 16:04:07 +00:00
|
|
|
acl, err := k.srv.ResolveToken(args.Token)
|
2016-05-07 00:50:58 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2016-05-11 04:41:47 +00:00
|
|
|
ok, err := kvsPreApply(k.srv, acl, args.Op, &args.DirEnt)
|
2016-05-07 00:50:58 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if !ok {
|
|
|
|
*reply = false
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Apply the update.
|
2014-03-31 23:10:49 +00:00
|
|
|
resp, err := k.srv.raftApply(structs.KVSRequestType, args)
|
2014-03-31 23:00:23 +00:00
|
|
|
if err != nil {
|
2014-03-31 23:10:49 +00:00
|
|
|
k.srv.logger.Printf("[ERR] consul.kvs: Apply failed: %v", err)
|
2014-03-31 23:00:23 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
if respErr, ok := resp.(error); ok {
|
|
|
|
return respErr
|
|
|
|
}
|
|
|
|
|
2016-05-07 00:50:58 +00:00
|
|
|
// Check if the return type is a bool.
|
2014-03-31 23:00:23 +00:00
|
|
|
if respBool, ok := resp.(bool); ok {
|
|
|
|
*reply = respBool
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2016-05-07 00:50:58 +00:00
|
|
|
// Get is used to lookup a single key.
|
2014-03-31 23:00:23 +00:00
|
|
|
func (k *KVS) Get(args *structs.KeyRequest, reply *structs.IndexedDirEntries) error {
|
2014-04-19 00:17:12 +00:00
|
|
|
if done, err := k.srv.forward("KVS.Get", args, args, reply); done {
|
2014-03-31 23:00:23 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
aclRule, err := k.srv.ResolveToken(args.Token)
|
2014-08-13 19:09:39 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2017-01-24 19:20:51 +00:00
|
|
|
return k.srv.blockingQuery(
|
2015-10-09 19:00:15 +00:00
|
|
|
&args.QueryOptions,
|
|
|
|
&reply.QueryMeta,
|
2017-04-21 00:46:29 +00:00
|
|
|
func(ws memdb.WatchSet, state *state.Store) error {
|
2017-01-24 19:20:51 +00:00
|
|
|
index, ent, err := state.KVSGet(ws, args.Key)
|
2014-03-31 23:00:23 +00:00
|
|
|
if err != nil {
|
2014-04-21 18:18:27 +00:00
|
|
|
return err
|
2014-03-31 23:00:23 +00:00
|
|
|
}
|
2019-10-15 20:58:50 +00:00
|
|
|
if aclRule != nil && aclRule.KeyRead(args.Key, nil) != acl.Allow {
|
2017-10-02 22:10:21 +00:00
|
|
|
return acl.ErrPermissionDenied
|
2014-08-13 19:09:39 +00:00
|
|
|
}
|
2017-09-14 19:31:01 +00:00
|
|
|
|
2014-03-31 23:00:23 +00:00
|
|
|
if ent == nil {
|
2014-04-01 03:00:46 +00:00
|
|
|
// Must provide non-zero index to prevent blocking
|
|
|
|
// Index 1 is impossible anyways (due to Raft internals)
|
2015-10-13 18:48:35 +00:00
|
|
|
if index == 0 {
|
|
|
|
reply.Index = 1
|
|
|
|
} else {
|
|
|
|
reply.Index = index
|
|
|
|
}
|
2014-03-31 23:00:23 +00:00
|
|
|
reply.Entries = nil
|
|
|
|
} else {
|
|
|
|
reply.Index = ent.ModifyIndex
|
|
|
|
reply.Entries = structs.DirEntries{ent}
|
|
|
|
}
|
2014-04-21 18:18:27 +00:00
|
|
|
return nil
|
2015-10-09 19:00:15 +00:00
|
|
|
})
|
2014-03-31 23:00:23 +00:00
|
|
|
}
|
|
|
|
|
2016-05-07 00:50:58 +00:00
|
|
|
// List is used to list all keys with a given prefix.
|
2014-03-31 23:00:23 +00:00
|
|
|
func (k *KVS) List(args *structs.KeyRequest, reply *structs.IndexedDirEntries) error {
|
2014-04-19 00:17:12 +00:00
|
|
|
if done, err := k.srv.forward("KVS.List", args, args, reply); done {
|
2014-03-31 23:00:23 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
aclToken, err := k.srv.ResolveToken(args.Token)
|
2014-08-13 19:09:39 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-10-15 20:58:50 +00:00
|
|
|
if aclToken != nil && k.srv.config.ACLEnableKeyListPolicy && aclToken.KeyList(args.Key, nil) != acl.Allow {
|
2017-10-02 22:10:21 +00:00
|
|
|
return acl.ErrPermissionDenied
|
|
|
|
}
|
|
|
|
|
2017-01-24 19:20:51 +00:00
|
|
|
return k.srv.blockingQuery(
|
2015-10-09 19:00:15 +00:00
|
|
|
&args.QueryOptions,
|
|
|
|
&reply.QueryMeta,
|
2017-04-21 00:46:29 +00:00
|
|
|
func(ws memdb.WatchSet, state *state.Store) error {
|
2017-01-24 19:20:51 +00:00
|
|
|
index, ent, err := state.KVSList(ws, args.Key)
|
2014-03-31 23:00:23 +00:00
|
|
|
if err != nil {
|
2014-04-21 18:18:27 +00:00
|
|
|
return err
|
2014-03-31 23:00:23 +00:00
|
|
|
}
|
2017-10-02 22:10:21 +00:00
|
|
|
if aclToken != nil {
|
|
|
|
ent = FilterDirEnt(aclToken, ent)
|
2014-08-13 19:09:39 +00:00
|
|
|
}
|
2017-08-09 22:06:57 +00:00
|
|
|
|
2014-12-19 00:50:15 +00:00
|
|
|
if len(ent) == 0 {
|
|
|
|
// Must provide non-zero index to prevent blocking
|
|
|
|
// Index 1 is impossible anyways (due to Raft internals)
|
|
|
|
if index == 0 {
|
|
|
|
reply.Index = 1
|
2014-12-19 00:27:46 +00:00
|
|
|
} else {
|
2014-12-19 00:50:15 +00:00
|
|
|
reply.Index = index
|
2014-03-31 23:00:23 +00:00
|
|
|
}
|
2015-01-13 19:51:24 +00:00
|
|
|
reply.Entries = nil
|
2014-12-19 00:50:15 +00:00
|
|
|
} else {
|
2015-10-09 19:00:15 +00:00
|
|
|
reply.Index = index
|
2014-03-31 23:00:23 +00:00
|
|
|
reply.Entries = ent
|
|
|
|
}
|
2014-04-21 18:18:27 +00:00
|
|
|
return nil
|
2015-10-09 19:00:15 +00:00
|
|
|
})
|
2014-03-31 23:00:23 +00:00
|
|
|
}
|
2014-04-28 23:33:54 +00:00
|
|
|
|
2016-05-07 00:50:58 +00:00
|
|
|
// ListKeys is used to list all keys with a given prefix to a separator.
|
2014-04-28 23:33:54 +00:00
|
|
|
func (k *KVS) ListKeys(args *structs.KeyListRequest, reply *structs.IndexedKeyList) error {
|
|
|
|
if done, err := k.srv.forward("KVS.ListKeys", args, args, reply); done {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
aclToken, err := k.srv.ResolveToken(args.Token)
|
2014-08-13 19:09:39 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-10-15 20:58:50 +00:00
|
|
|
if aclToken != nil && k.srv.config.ACLEnableKeyListPolicy && aclToken.KeyList(args.Prefix, nil) != acl.Allow {
|
2017-10-02 22:10:21 +00:00
|
|
|
return acl.ErrPermissionDenied
|
|
|
|
}
|
|
|
|
|
2017-01-24 19:20:51 +00:00
|
|
|
return k.srv.blockingQuery(
|
2015-10-09 19:00:15 +00:00
|
|
|
&args.QueryOptions,
|
|
|
|
&reply.QueryMeta,
|
2017-04-21 00:46:29 +00:00
|
|
|
func(ws memdb.WatchSet, state *state.Store) error {
|
2017-01-24 19:20:51 +00:00
|
|
|
index, keys, err := state.KVSListKeys(ws, args.Prefix, args.Seperator)
|
2015-10-09 19:00:15 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Must provide non-zero index to prevent blocking
|
|
|
|
// Index 1 is impossible anyways (due to Raft internals)
|
|
|
|
if index == 0 {
|
|
|
|
reply.Index = 1
|
|
|
|
} else {
|
|
|
|
reply.Index = index
|
|
|
|
}
|
|
|
|
|
2017-10-02 22:10:21 +00:00
|
|
|
if aclToken != nil {
|
|
|
|
keys = FilterKeys(aclToken, keys)
|
2014-08-13 19:09:39 +00:00
|
|
|
}
|
|
|
|
reply.Keys = keys
|
2015-10-09 19:00:15 +00:00
|
|
|
return nil
|
|
|
|
})
|
2014-04-28 23:33:54 +00:00
|
|
|
}
|