Frank Schroeder
0c3534cbf7
agent: use http.StatusNotFound instead of 404
2017-08-23 22:36:23 +02:00
Frank Schroeder
970a7f97ec
agent: use http.StatusForbidden instead of 403
2017-08-23 22:36:23 +02:00
Frank Schroeder
2e586be5aa
agent: use http.StatusUnauthorized instead of 401
2017-08-23 22:36:23 +02:00
Frank Schroeder
923f8e2364
agent: use http.StatusBadRequest instead of 400
2017-08-23 22:36:23 +02:00
Frank Schroeder
a32eab5923
agent: support go-discover retry-join for wan
2017-08-23 21:23:34 +02:00
Frank Schröder
44e6b8122d
acl: consolidate error handling (#3401)
The error handling of the ACL code relies on the presence of certain
magic error messages. Since the error values are sent via RPC between
older and newer consul agents we cannot just replace the magic values
with typed errors and switch to type checks since this would break
compatibility with older clients.
Therefore, this patch moves all magic ACL error messages into the acl
package and provides default error values and helper functions which
determine the type of error.
2017-08-23 16:52:48 +02:00
Frank Schroeder
d9e2a51887
agent: drop unused code
This code from http://github.com/hashicorp/consul/pull/3353 is no longer
required.
2017-08-22 00:02:46 +02:00
Frank Schroeder
4bfcf7b613
dns: replace nameserver lookup with consistent rpc call
This patch replaces the code which determines the list of servers in the
current cluster with an RPC call to get the list of active consul
service instances which only run on servers.
This replaces the previous implementation which was more complex and
relied on serf messages which can provide a different view than the
consistent response from the raft log.
As a side effect it makes the implementation independent of the server
and the agent which means it works consistently across both. Different
behavior for server and agent was the root cause for the bug in
http://github.com/hashicorp/consul/issue/3047.
Fixes #3407
2017-08-22 00:02:46 +02:00
Frank Schroeder
8e1f9b9b68
dns: split node lookup from request handling
2017-08-22 00:02:46 +02:00
Frank Schroeder
db8ad8922e
dns: refactor label by unrolling loop
2017-08-22 00:02:46 +02:00
Frank Schroeder
c35206db07
dns: move ttl closer to usage
2017-08-22 00:02:46 +02:00
James Phillips
738ac55d96
Switches to using a read lock for the agent's RPC dispatcher.
This prevents RPC calls from getting serialized in this spot.
Fixes #3376
2017-08-09 18:51:55 -07:00
Frank Schröder
32d4eecc1a
agent: honor deprecated flags for retry-join-{ec2,azure,gce} (#3384)
2017-08-09 16:18:30 -07:00
James Phillips
3518e27a76
Revert "Return 403 rather than a 404 when acls cause all results to be filter…"
2017-08-09 15:06:57 -07:00
James Phillips
91205b2cd6
Revert "Ensure that we return a permission denied only if the list of keys/en…"
2017-08-09 15:06:20 -07:00
Preetha Appan
121326161e
Added unit test case to kvs_endpointtest
2017-08-09 15:50:22 -05:00
Preetha Appan
d06002dc62
Ensure that we return a permission denied only if the list of keys/entries prior to filtering by ACL is non empty
2017-08-09 15:32:18 -05:00
Frank Schroeder
c38dcf2d17
agent: move agent/consul/agent to agent/metadata
2017-08-09 14:36:52 +02:00
Frank Schroeder
85bdb77d90
agent: move agent/consul/servers to agent/router
2017-08-09 14:36:37 +02:00
Frank Schroeder
1d0bbfed9c
agent: move agent/consul/structs to agent/structs
2017-08-09 14:32:12 +02:00
James Phillips
a600f681d6
Cleans up some go fmt issues.
2017-08-08 21:52:50 -07:00
James Phillips
7b4d3d5576
Fixes a vet error.
2017-08-08 16:00:18 -07:00
Kyle Havlovitz
8c2e422074
Merge pull request #3369 from hashicorp/metrics-enhancements
Add support for labels/filters from go-metrics
2017-08-08 13:55:30 -07:00
Kyle Havlovitz
160395d3c7
Add doc links for metrics endpoint
2017-08-08 13:05:38 -07:00
Kyle Havlovitz
308d7b785d
Update docs for metrics endpoint
2017-08-08 12:33:30 -07:00
Frank Schroeder
0f4986dcc7
dns: minor cleanups
2017-08-08 13:55:58 +02:00
Kyle Havlovitz
975ded2714
Add support for labels/filters from go-metrics
2017-08-08 01:45:10 -07:00
Preetha Appan
2df084968c
Go back to using <nodename>.node.dc.consul as the name of the ns record being returned.
2017-08-07 16:02:33 -05:00
Frank Schroeder
b571cb8097
dns: keep NS names in consul domain
2017-08-07 11:11:55 +02:00
Frank Schroeder
7b39af2b2d
dns: postmaster -> hostmaster
2017-08-07 11:11:55 +02:00
Frank Schroeder
98de22e13e
dns: we do not support zone transfers
2017-08-07 11:11:55 +02:00
Frank Schroeder
e1bcbc6832
dns: drop CNAME for primary name server
2017-08-07 11:11:55 +02:00
Preetha Appan
393a0eae93
Added test case with IPV6 bind address for NS records, rewrote tests to use verify library and other code review feedback
2017-08-07 11:11:55 +02:00
Preetha Appan
52075bda1c
Added back glue records in NS response, expanded unit test. Also reused same function used in node lookup for adding A/AAAA records in the extra section of the NS response
2017-08-07 11:11:55 +02:00
Preetha Appan
c7c4100503
Don't add A records for NS requests, because the record being returned already resolves correctly. Also fixed all the unit tests, and ignored hostnames that don't meet valid dns hostname criteria
2017-08-07 11:11:55 +02:00
Frank Schroeder
450d8a69b5
dns: provide correct SOA and NS responses
This patch changes the behavior of the DNS server as follows:
* The SOA response contains the SOA record in the Answer section instead
  of the Authority section. It also contains NS records in the Authority
  and the corresponding A glue records in the Extra section.
  In addition, CNAMEs are added to the Extra section to make the
  MNAME of the SOA record resolvable.
  AAAA glue records are not yet supported.
* The NS response returns up to three random servers from the
  consul cluster in the Answer section and the glue A
  records in the Extra section.
  AAAA glue records are not yet supported.
2017-08-07 11:11:55 +02:00
Preetha Appan
bff45ee1da
Unify regex used to identify invalid dns characters
2017-08-07 11:11:55 +02:00
Preetha Appan
6bac9355fd
Use sanitized version of node name of server in NS record, and start with "server" rather than "ns"
2017-08-07 11:11:55 +02:00
Preetha Appan
7e9d683ab1
Removed a copy pasted irrelevant comment, and other code review feedback
2017-08-07 11:11:54 +02:00
Preetha Appan
c38906daad
Add NS records and A records for each server. Constructs ns host names using the advertise address of the server.
2017-08-07 11:11:54 +02:00
James Phillips
803ed9a245
Adds secure introduction for the ACL replication token. (#3357)
Adds secure introduction for the ACL replication token, as well as a separate enable config for ACL replication.
2017-08-03 15:39:31 -07:00
Frank Schroeder
1cb602e085
agent: fix code for updated go-discover signature
Closes #3351
2017-08-03 21:32:11 +02:00
James Phillips
c31b56a03e
Adds a new /v1/acl/bootstrap API (#3349)
2017-08-02 17:05:18 -07:00
Miguel Prokop
ea6d610dee
agent: Fix script quoting on windows (#1875)
This patch fixes the quoting for executing scripts on windows
and splits the platform dependent code.
Fixes #1875
2017-08-02 17:01:21 +02:00
Frank Schroeder
68e8f3d0f7
agent: use github.com/hashicorp/go-discover
Replace the provider specific node discovery code
with go-discover to support AWS, Azure and GCE.
Fixes #3282
2017-08-01 11:41:43 +02:00
Preetha Appan
307049e17f
Return nil instead of empty list when returning a PermissionDenied error, updated unit test
2017-07-31 17:23:20 -05:00
Preetha Appan
da29b74d03
Return 403 rather than a 404 when acls cause all results to be filtered out. This fixes #2637
2017-07-31 13:50:29 -05:00
preetapan
677949b14d
Merge pull request #3332 from hashicorp/issue_3322
This fixes #3322
2017-07-28 17:54:30 -05:00
Preetha Appan
3b12545844
Tweaked parsing error message to quote properly
2017-07-28 17:52:35 -05:00
James Phillips
8f1f762ddd
Adds missing autopilot snapshot test and avoids snapshotting nil. (#3333)
2017-07-28 15:48:42 -07:00
Preetha Appan
86b9e3c5f3
Validate unix sockets and ip addresses as needed, more test cases
2017-07-28 17:18:10 -05:00
Preetha Appan
ac068de336
Modify ResolveTmplAddrs to parse advertise IPs, added test cases that fail to parse correctly
2017-07-28 15:01:32 -05:00
Preetha Appan
4b82d09df0
Removed extra newlines
2017-07-28 10:51:11 -05:00
Preetha Appan
7b99f7ca08
Fix comments, and remove redundant TestConfig init from a couple of unit tests
2017-07-28 10:40:43 -05:00
Frank Schroeder
f27202b608
add tests for go-sockaddr template parsing
2017-07-28 15:40:22 +02:00
Frank Schroeder
5ee498cbc5
agent: unix sockets are not ip addrs
2017-07-28 14:53:21 +02:00
Frank Schroeder
0b13a38d90
config: refactor tmpl resolution fn
2017-07-28 12:20:49 +02:00
Preetha Appan
28016190e0
Moved handling advertise address to readConfig and out of the agent's constructor, plus unit test fixes
2017-07-27 22:06:31 -05:00
Preetha Appan
398c1e450c
Move go-socketaddr template parsing into config package to make it happen before creating a new agent. Also removed redundant parsetemplate calls from agent.go.
2017-07-27 16:17:35 -05:00
James Phillips
6b51744ddf
Adds option to prepared queries to remove empty tags. (#3330)
2017-07-26 22:46:43 -07:00
James Phillips
6e794ea1b3
Adds support for agent-side ACL token management via API instead of config files. (#3324)
* Adds token store and removes all runtime use of config for ACL tokens.
* Adds a new API for changing agent tokens on the fly.
2017-07-26 11:03:43 -07:00
Preetha Appan
4692b1478e
Add extra test case for deleting entire tree with empty prefix
2017-07-26 09:42:07 -05:00
Preetha Appan
74ba4c3c6b
Don't insert tombstone for empty prefix delete. Other minor unit test fixes
2017-07-25 21:54:11 -05:00
Preetha Appan
a6b7e66e9a
Removed redundant comments and unit test
2017-07-25 20:39:33 -05:00
Preetha Appan
1503d63595
Removed redundant call to reap tombstone from unit test
2017-07-25 19:39:05 -05:00
Preetha Appan
996302c085
Improved unit test per code review
2017-07-25 19:17:40 -05:00
Preetha Appan
f4cccf44e3
Use new DeletePrefixMethod for implementing KVSDeleteTree operation. This makes deletes on sub trees larger than one million nodes about 100 times faster. Added unit tests.
2017-07-25 17:21:18 -05:00
James Phillips
cf7b1aaf04
Removes an unnecessary close.
2017-07-24 21:41:18 -07:00
Preetha Appan
213af3650f
Removed redundant logging
2017-07-24 21:07:48 -05:00
Preetha Appan
c08ff6c8ae
Clean up temporary files on write errors, and ignore any temporary service files on load with a warning. This fixes #3207
2017-07-24 12:42:51 -05:00
James Phillips
a0867b5d49
Tweaks the error when scripts are disabled.
This will hopefully help people self-serve if they upgrade without accounting
for this.
2017-07-19 22:15:04 -07:00
Kyle Havlovitz
c74d7558a5
Fix UpgradeVersionTag field not being passed correctly (#3304)
2017-07-19 17:39:48 -07:00
Preetha Appan
9116186b4c
Made unit test for AddCheck error check the actual error string
2017-07-19 11:00:56 -05:00
Preetha Appan
f790c7279a
Unit test for failure case of AddCheck
2017-07-19 10:28:52 -05:00
Frank Schroeder
e6e711a401
fix spelling in filenames
Fixes #3301
2017-07-19 13:16:38 +02:00
Frank Schroeder
6d0bd1faaf
agent: make docker client work on windows
2017-07-19 12:03:59 +02:00
Frank Schroeder
e195d592be
build: add missing build tags
2017-07-19 05:17:01 +02:00
preetapan
efae3cccc0
Merge pull request #3296 from hashicorp/ensure_registration_race
Fix race condition between removing a service and adding a check for …
2017-07-18 18:36:47 -05:00
Preetha Appan
db1d477592
Clean up any watch monitors associated with a failed AddCheck
2017-07-18 16:54:20 -05:00
Preetha Appan
4b8958b35b
Removed unit test, added clarifying comment and returned a friendlier error message similar to the one in agent's AddService method
Fixes #3297
2017-07-18 16:15:47 -05:00
Preetha Appan
530e87eab0
Fix race condition between removing a service and adding a check for the same service, which was causing orphaned checks
2017-07-18 16:15:47 -05:00
Kyle Havlovitz
1ffd2ec05b
Add UpgradeVersionTag to autopilot config
2017-07-18 13:35:41 -07:00
Frank Schroeder
8bcbb7b827
agent: stop docker checks on shutdown
2017-07-18 20:59:24 +02:00
Frank Schroeder
c8ae94b688
agent: stop and remove docker checks
Note that there is no test since the correct way to solve (and test)
this is to replace the different maps with a single one or to hide
that functionality behind a separate data structure. This will be
addressed in #3294.
Fixes #3265
2017-07-18 20:59:24 +02:00
Frank Schroeder
b4e5c0647b
agent: replace docker check
This patch replaces the Docker client which is used
for health checks with a simplified version tailored
for that purpose.
See #3254
See #3257
Fixes #3270
2017-07-18 20:24:38 +02:00
James Phillips
42472e8bb5
Prevents disabling gossip keyring file from disabling gossip encryption. (#3278)
2017-07-17 12:48:45 -07:00
James Phillips
788dd255a1
Adds new config to make script checks opt-in, updates documentation. (#3284)
2017-07-17 11:20:35 -07:00
James Phillips
838591c916
Changes remote exec KV read to call GetTokenForAgent(). (#3283)
* Changes remote exec KV read to call GetTokenForAgent(), which can use
  the acl_agent_token instead of the acl_token.
  Fixes #3160.
* Fixes remote exec unit test with ACLs.
* Adds unhappy ACL path to unit tests for remote exec.
2017-07-16 21:12:16 -07:00
James Phillips
5876b81896
Adds node read privileges to the acl_agent_master_token. (#3277)
Fixes #3113.
2017-07-16 20:08:26 -07:00
Frank Schröder
de97fb0670
azure: tag map can return nil (#3280)
Fixes #3193
2017-07-16 14:29:43 -07:00
James Phillips
ac7c48c3ea
Obfuscates ACL tokens appearing in /v1/acl/<verb>/<token> APIs. (#3276)
* Obfuscates ACL tokens appearing in /v1/acl APIs.
* Makes test positively identify the desired strings.
* Adds an example and explanation of the regular expression.
2017-07-15 00:07:08 -07:00
James Phillips
759be97635
Changes ACL clone response to 403 if not authorized, or if token doesn't exist. (#3275)
Fixes #1113
2017-07-14 20:43:30 -07:00
Kyle Havlovitz
d985dbc36b
Add TLS setting to router areas
2017-07-14 17:38:08 -07:00
James Phillips
8572931afe
Cleans up version 8 ACLs in the agent and the docs. (#3248)
* Moves magic check and service constants into shared structs package.
* Removes the "consul" service from local state.
  Since this service is added by the leader, it doesn't really make sense to
  also keep it in local state (which requires special ACLs to configure), and
  requires a bunch of special cases in the local state logic. This requires
  fewer special cases and makes ACL bootstrapping cleaner.
* Makes coordinate update ACL log message a warning, similar to other AE warnings.
* Adds much more detailed examples for bootstrapping ACLs.
  This can hopefully replace https://gist.github.com/slackpad/d89ce0e1cc0802c3c4f2d84932fa3234.
2017-07-13 22:33:47 -07:00
Frank Schroeder
3fcf1bc9e2
agent: fix go vet issue
2017-07-11 07:13:46 -07:00
James Phillips
68991da95f
Adds the ability to blacklist specific HTTP endpoints. (#3252)
2017-07-10 13:51:25 -07:00
James Phillips
219fb6dd70
UI cleanup follow up from #3245. (#3251)
* Removes unnecessary set for model component which will be null.
* Returns a 404 for a missing node, not a 200 with an empty response.
* Updates built-in web assets.
2017-07-10 09:40:00 -07:00
James Phillips
c849458d9b
Changes the default ACL token type to "client" in web UI. (#3246)
* Changes the default ACL token type to "client".
* Updates built-in web assets.
2017-07-08 17:28:04 -07:00
James Phillips
0a17a8284f
Cleans up web UI and fixes ACL token "stuckness" issue. (#3245)
* Removes GitHub reference.
* Doesn't display ACL token on the unauthorized page.
* Removes useless fetch for nodes and cleans up comments.
* Provides a path to reset the ACL token when it's invalid.
  This included making the settings page global so it's reachable, and adding
  some more information about an error on the error page.
* Updates built-in web assets.
2017-07-08 17:16:05 -07:00
Frank Schroeder
75cd1828b8
address review comments
2017-07-07 09:22:34 +02:00