Merge pull request #9664 from hashicorp/dnephin/state-store-indexes

state: move ACL schema and index definitions to acl_schema.go
2021-02-05 13:38:31 -05:00 · 2021-02-05 13:38:31 -05:00 · 9beadc578b
parent 573f8eb2b4 825b8ade39
commit 9beadc578b
3 changed files with 218 additions and 204 deletions
--- a/agent/consul/state/acl_oss.go
+++ b/agent/consul/state/acl_oss.go
@ -5,207 +5,11 @@ package state
 import (
 	"fmt"

-	"github.com/hashicorp/consul/agent/structs"
 	memdb "github.com/hashicorp/go-memdb"
+
+	"github.com/hashicorp/consul/agent/structs"
 )

-///////////////////////////////////////////////////////////////////////////////
-/////                          ACL Table Schemas                          /////
-///////////////////////////////////////////////////////////////////////////////
-
-func tokensTableSchema() *memdb.TableSchema {
-	return &memdb.TableSchema{
-		Name: "acl-tokens",
-		Indexes: map[string]*memdb.IndexSchema{
-			"accessor": {
-				Name: "accessor",
-				// DEPRECATED (ACL-Legacy-Compat) - we should not AllowMissing here once legacy compat is removed
-				AllowMissing: true,
-				Unique:       true,
-				Indexer: &memdb.UUIDFieldIndex{
-					Field: "AccessorID",
-				},
-			},
-			"id": {
-				Name:         "id",
-				AllowMissing: false,
-				Unique:       true,
-				Indexer: &memdb.StringFieldIndex{
-					Field:     "SecretID",
-					Lowercase: false,
-				},
-			},
-			"policies": {
-				Name: "policies",
-				// Need to allow missing for the anonymous token
-				AllowMissing: true,
-				Unique:       false,
-				Indexer:      &TokenPoliciesIndex{},
-			},
-			"roles": {
-				Name:         "roles",
-				AllowMissing: true,
-				Unique:       false,
-				Indexer:      &TokenRolesIndex{},
-			},
-			"authmethod": {
-				Name:         "authmethod",
-				AllowMissing: true,
-				Unique:       false,
-				Indexer: &memdb.StringFieldIndex{
-					Field:     "AuthMethod",
-					Lowercase: false,
-				},
-			},
-			"local": {
-				Name:         "local",
-				AllowMissing: false,
-				Unique:       false,
-				Indexer: &memdb.ConditionalIndex{
-					Conditional: func(obj interface{}) (bool, error) {
-						if token, ok := obj.(*structs.ACLToken); ok {
-							return token.Local, nil
-						}
-						return false, nil
-					},
-				},
-			},
-			"expires-global": {
-				Name:         "expires-global",
-				AllowMissing: true,
-				Unique:       false,
-				Indexer:      &TokenExpirationIndex{LocalFilter: false},
-			},
-			"expires-local": {
-				Name:         "expires-local",
-				AllowMissing: true,
-				Unique:       false,
-				Indexer:      &TokenExpirationIndex{LocalFilter: true},
-			},
-
-			//DEPRECATED (ACL-Legacy-Compat) - This index is only needed while we support upgrading v1 to v2 acls
-			// This table indexes all the ACL tokens that do not have an AccessorID
-			"needs-upgrade": {
-				Name:         "needs-upgrade",
-				AllowMissing: false,
-				Unique:       false,
-				Indexer: &memdb.ConditionalIndex{
-					Conditional: func(obj interface{}) (bool, error) {
-						if token, ok := obj.(*structs.ACLToken); ok {
-							return token.AccessorID == "", nil
-						}
-						return false, nil
-					},
-				},
-			},
-		},
-	}
-}
-
-func policiesTableSchema() *memdb.TableSchema {
-	return &memdb.TableSchema{
-		Name: "acl-policies",
-		Indexes: map[string]*memdb.IndexSchema{
-			"id": {
-				Name:         "id",
-				AllowMissing: false,
-				Unique:       true,
-				Indexer: &memdb.UUIDFieldIndex{
-					Field: "ID",
-				},
-			},
-			"name": {
-				Name:         "name",
-				AllowMissing: false,
-				Unique:       true,
-				Indexer: &memdb.StringFieldIndex{
-					Field: "Name",
-					// TODO (ACL-V2) - should we coerce to lowercase?
-					Lowercase: true,
-				},
-			},
-		},
-	}
-}
-
-func rolesTableSchema() *memdb.TableSchema {
-	return &memdb.TableSchema{
-		Name: "acl-roles",
-		Indexes: map[string]*memdb.IndexSchema{
-			"id": {
-				Name:         "id",
-				AllowMissing: false,
-				Unique:       true,
-				Indexer: &memdb.UUIDFieldIndex{
-					Field: "ID",
-				},
-			},
-			"name": {
-				Name:         "name",
-				AllowMissing: false,
-				Unique:       true,
-				Indexer: &memdb.StringFieldIndex{
-					Field:     "Name",
-					Lowercase: true,
-				},
-			},
-			"policies": {
-				Name: "policies",
-				// Need to allow missing for the anonymous token
-				AllowMissing: true,
-				Unique:       false,
-				Indexer:      &RolePoliciesIndex{},
-			},
-		},
-	}
-}
-
-func bindingRulesTableSchema() *memdb.TableSchema {
-	return &memdb.TableSchema{
-		Name: "acl-binding-rules",
-		Indexes: map[string]*memdb.IndexSchema{
-			"id": {
-				Name:         "id",
-				AllowMissing: false,
-				Unique:       true,
-				Indexer: &memdb.UUIDFieldIndex{
-					Field: "ID",
-				},
-			},
-			"authmethod": {
-				Name:         "authmethod",
-				AllowMissing: false,
-				Unique:       false,
-				Indexer: &memdb.StringFieldIndex{
-					Field:     "AuthMethod",
-					Lowercase: true,
-				},
-			},
-		},
-	}
-}
-
-func authMethodsTableSchema() *memdb.TableSchema {
-	return &memdb.TableSchema{
-		Name: "acl-auth-methods",
-		Indexes: map[string]*memdb.IndexSchema{
-			"id": {
-				Name:         "id",
-				AllowMissing: false,
-				Unique:       true,
-				Indexer: &memdb.StringFieldIndex{
-					Field:     "Name",
-					Lowercase: true,
-				},
-			},
-		},
-	}
-}
-
-///////////////////////////////////////////////////////////////////////////////
-/////                        ACL Policy Functions                         /////
-///////////////////////////////////////////////////////////////////////////////
-
 func aclPolicyInsert(tx *txn, policy *structs.ACLPolicy) error {
 	if err := tx.Insert("acl-policies", policy); err != nil {
 		return fmt.Errorf("failed inserting acl policy: %v", err)
--- a/agent/consul/state/acl_schema.go
+++ b/agent/consul/state/acl_schema.go
@ -0,0 +1,210 @@
+package state
+
+import (
+	"github.com/hashicorp/go-memdb"
+
+	"github.com/hashicorp/consul/agent/structs"
+)
+
+const (
+	tableACLTokens       = "acl-tokens"
+	tableACLPolicies     = "acl-policies"
+	tableACLRoles        = "acl-roles"
+	tableACLBindingRules = "acl-binding-rules"
+	tableACLAuthMethods  = "acl-auth-methods"
+
+	indexPolicies   = "policies"
+	indexRoles      = "roles"
+	indexAuthMethod = "authmethod"
+	indexLocal      = "local"
+	indexName       = "name"
+)
+
+func tokensTableSchema() *memdb.TableSchema {
+	return &memdb.TableSchema{
+		Name: tableACLTokens,
+		Indexes: map[string]*memdb.IndexSchema{
+			"accessor": {
+				Name: "accessor",
+				// DEPRECATED (ACL-Legacy-Compat) - we should not AllowMissing here once legacy compat is removed
+				AllowMissing: true,
+				Unique:       true,
+				Indexer: &memdb.UUIDFieldIndex{
+					Field: "AccessorID",
+				},
+			},
+			indexID: {
+				Name:         indexID,
+				AllowMissing: false,
+				Unique:       true,
+				Indexer: &memdb.StringFieldIndex{
+					Field:     "SecretID",
+					Lowercase: false,
+				},
+			},
+			indexPolicies: {
+				Name: indexPolicies,
+				// Need to allow missing for the anonymous token
+				AllowMissing: true,
+				Unique:       false,
+				Indexer:      &TokenPoliciesIndex{},
+			},
+			indexRoles: {
+				Name:         indexRoles,
+				AllowMissing: true,
+				Unique:       false,
+				Indexer:      &TokenRolesIndex{},
+			},
+			indexAuthMethod: {
+				Name:         indexAuthMethod,
+				AllowMissing: true,
+				Unique:       false,
+				Indexer: &memdb.StringFieldIndex{
+					Field:     "AuthMethod",
+					Lowercase: false,
+				},
+			},
+			indexLocal: {
+				Name:         indexLocal,
+				AllowMissing: false,
+				Unique:       false,
+				Indexer: &memdb.ConditionalIndex{
+					Conditional: func(obj interface{}) (bool, error) {
+						if token, ok := obj.(*structs.ACLToken); ok {
+							return token.Local, nil
+						}
+						return false, nil
+					},
+				},
+			},
+			"expires-global": {
+				Name:         "expires-global",
+				AllowMissing: true,
+				Unique:       false,
+				Indexer:      &TokenExpirationIndex{LocalFilter: false},
+			},
+			"expires-local": {
+				Name:         "expires-local",
+				AllowMissing: true,
+				Unique:       false,
+				Indexer:      &TokenExpirationIndex{LocalFilter: true},
+			},
+
+			//DEPRECATED (ACL-Legacy-Compat) - This index is only needed while we support upgrading v1 to v2 acls
+			// This table indexes all the ACL tokens that do not have an AccessorID
+			"needs-upgrade": {
+				Name:         "needs-upgrade",
+				AllowMissing: false,
+				Unique:       false,
+				Indexer: &memdb.ConditionalIndex{
+					Conditional: func(obj interface{}) (bool, error) {
+						if token, ok := obj.(*structs.ACLToken); ok {
+							return token.AccessorID == "", nil
+						}
+						return false, nil
+					},
+				},
+			},
+		},
+	}
+}
+
+func policiesTableSchema() *memdb.TableSchema {
+	return &memdb.TableSchema{
+		Name: tableACLPolicies,
+		Indexes: map[string]*memdb.IndexSchema{
+			indexID: {
+				Name:         indexID,
+				AllowMissing: false,
+				Unique:       true,
+				Indexer: &memdb.UUIDFieldIndex{
+					Field: "ID",
+				},
+			},
+			indexName: {
+				Name:         indexName,
+				AllowMissing: false,
+				Unique:       true,
+				Indexer: &memdb.StringFieldIndex{
+					Field: "Name",
+					// TODO (ACL-V2) - should we coerce to lowercase?
+					Lowercase: true,
+				},
+			},
+		},
+	}
+}
+
+func rolesTableSchema() *memdb.TableSchema {
+	return &memdb.TableSchema{
+		Name: tableACLRoles,
+		Indexes: map[string]*memdb.IndexSchema{
+			indexID: {
+				Name:         indexID,
+				AllowMissing: false,
+				Unique:       true,
+				Indexer: &memdb.UUIDFieldIndex{
+					Field: "ID",
+				},
+			},
+			indexName: {
+				Name:         indexName,
+				AllowMissing: false,
+				Unique:       true,
+				Indexer: &memdb.StringFieldIndex{
+					Field:     "Name",
+					Lowercase: true,
+				},
+			},
+			indexPolicies: {
+				Name: indexPolicies,
+				// Need to allow missing for the anonymous token
+				AllowMissing: true,
+				Unique:       false,
+				Indexer:      &RolePoliciesIndex{},
+			},
+		},
+	}
+}
+
+func bindingRulesTableSchema() *memdb.TableSchema {
+	return &memdb.TableSchema{
+		Name: tableACLBindingRules,
+		Indexes: map[string]*memdb.IndexSchema{
+			indexID: {
+				Name:         indexID,
+				AllowMissing: false,
+				Unique:       true,
+				Indexer: &memdb.UUIDFieldIndex{
+					Field: "ID",
+				},
+			},
+			indexAuthMethod: {
+				Name:         indexAuthMethod,
+				AllowMissing: false,
+				Unique:       false,
+				Indexer: &memdb.StringFieldIndex{
+					Field:     "AuthMethod",
+					Lowercase: true,
+				},
+			},
+		},
+	}
+}
+
+func authMethodsTableSchema() *memdb.TableSchema {
+	return &memdb.TableSchema{
+		Name: tableACLAuthMethods,
+		Indexes: map[string]*memdb.IndexSchema{
+			indexID: {
+				Name:         indexID,
+				AllowMissing: false,
+				Unique:       true,
+				Indexer: &memdb.StringFieldIndex{
+					Field:     "Name",
+					Lowercase: true,
+				},
+			},
+		},
+	}
+}
--- a/agent/consul/state/catalog_schema.go
+++ b/agent/consul/state/catalog_schema.go
@ -30,8 +30,8 @@ func nodesTableSchema() *memdb.TableSchema {
 	return &memdb.TableSchema{
 		Name: tableNodes,
 		Indexes: map[string]*memdb.IndexSchema{
-			"id": {
-				Name:         "id",
+			indexID: {
+				Name:         indexID,
 				AllowMissing: false,
 				Unique:       true,
 				Indexer: &memdb.StringFieldIndex{
@ -211,8 +211,8 @@ func gatewayServicesTableNameSchema() *memdb.TableSchema {
 	return &memdb.TableSchema{
 		Name: gatewayServicesTableName,
 		Indexes: map[string]*memdb.IndexSchema{
-			"id": {
-				Name:         "id",
+			indexID: {
+				Name:         indexID,
 				AllowMissing: false,
 				Unique:       true,
 				Indexer: &memdb.CompoundIndex{
@ -255,8 +255,8 @@ func topologyTableNameSchema() *memdb.TableSchema {
 	return &memdb.TableSchema{
 		Name: topologyTableName,
 		Indexes: map[string]*memdb.IndexSchema{
-			"id": {
-				Name:         "id",
+			indexID: {
+				Name:         indexID,
 				AllowMissing: false,
 				Unique:       true,
 				Indexer: &memdb.CompoundIndex{