Commit graph

3663 commits

Author SHA1 Message Date
James Phillips a8ac27fa49 Refactors docs into a more complete state for prepared query ACLs. 2016-02-23 22:27:44 -08:00
James Phillips 633c231d67 Creates new "prepared-query" ACL type and new token capture behavior.
Prior to this change, prepared queries had the following behavior for
ACLs, which will need to change to support templates:

1. A management token, or a token with read access to the service being
   queried needed to be provided in order to create a prepared query.

2. The token used to create the prepared query was stored with the query
   in the state store and used to execute the query.

3. A management token, or the token used to create the query needed to be
   supplied to perform and CRUD operations on an existing prepared query.

This was pretty subtle and complicated behavior, and won't work for
templates since the service name is computed at execution time. To solve
this, we introduce a new "prepared-query" ACL type, where the prefix
applies to the query name for static prepared query types and to the
prefix for template prepared query types.

With this change, the new behavior is:

1. A management token, or a token with "prepared-query" write access to
   the query name or (soon) the given template prefix is required to do
   any CRUD operations on a prepared query, or to list prepared queries
   (the list is filtered by this ACL).

2. You will no longer need a management token to list prepared queries,
   but you will only be able to see prepared queries that you have access
   to (you get an empty list instead of permission denied).

3. When listing or getting a query, because it was easy to capture
   management tokens given the past behavior, this will always blank out
   the "Token" field (replacing the contents as <hidden>) for all tokens
   unless a management token is supplied. Going forward, we should
   discourage people from binding tokens for execution unless strictly
   necessary.

4. No token will be captured by default when a prepared query is created.
   If the user wishes to supply an execution token then can pass it in via
   the "Token" field in the prepared query definition. Otherwise, this
   field will default to empty.

5. At execution time, we will use the captured token if it exists with the
   prepared query definition, otherwise we will use the token that's passed
   in with the request, just like we do for other RPCs (or you can use the
   agent's configured token for DNS).

6. Prepared queries with no name (accessible only by ID) will not require
   ACLs to create or modify (execution time will depend on the service ACL
   configuration). Our argument here is that these are designed to be
   ephemeral and the IDs are as good as an ACL. Management tokens will be
   able to list all of these.

These changes enable templates, but also enable delegation of authority to
manage the prepared query namespace.
2016-02-23 17:12:43 -08:00
csawyerYumaed 793195b7d8 Update documentation - add Network Ports.
Update security.html.markdown add section on Network Port usage.
TODO: add Atlas port usage.
2016-02-23 11:27:15 -08:00
Stefan Engstrom b20278cadc add accept header */* for agent check 2016-02-19 10:31:00 -06:00
Ryan Breen 425a439187 Merge pull request #1741 from benhinchley/master
Add asia pacific region to list in terraform module
2016-02-19 08:24:16 -05:00
Ben Hinchley f58e051119 Merge pull request #1 from benhinchley/benhinchley-patch-1
add asia pacific region to list for ubuntu
2016-02-19 16:35:48 +11:00
Ben Hinchley d65cc40375 add asia pacific region to list for ubuntu
using these images
ap-northeast-1 => ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20150528
ap-southeast-1 => ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20150528
ap-southeast-2 => ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20150528
2016-02-19 16:35:29 +11:00
James Phillips a4ffc9eab9 Merge pull request #1740 from hashicorp/f-1.6-only-ci
Takes away Go tip build which is failing for odd reasons.
2016-02-18 15:50:12 -08:00
James Phillips 207017d673 Takes away Go tip build which is failing for odd reasons.
This should cut down on build noise. When we get further with 1.6 we can reintroduce the tip build to help spot issues with the next version of Go.
2016-02-18 15:50:04 -08:00
James Phillips a4a24313eb Merge pull request #1736 from hashicorp/f-makefile-cleanup
Refactors dist into a Docker-based build with extra safety checks.
2016-02-18 15:28:46 -08:00
James Phillips e4af2ec5af Sets CGO_ENABLED to 0 in the Dockerfile. 2016-02-18 09:31:04 -08:00
James Phillips 7beec098c8 Moves release build into Docker container and adds web asset check at dist time. 2016-02-17 23:17:39 -08:00
James Phillips 9ccfb68bce Tweaks some of the default makefile targets. 2016-02-17 20:36:48 -08:00
James Phillips 7ec96d2468 Removes from cruft from the makefile. 2016-02-17 20:30:06 -08:00
James Phillips 69cc9bb542 Merge pull request #1735 from hashicorp/f-go-1.6
Starts switch to Go 1.6.
2016-02-17 20:00:34 -08:00
James Phillips bb54771832 Starts switch to Go 1.6. 2016-02-17 19:43:55 -08:00
James Phillips e4c16de0e5 Merge pull request #1726 from hashicorp/f-tag-override-api
Adds support for EnableTagOverride to the API client.
2016-02-17 19:25:40 -08:00
James Phillips 165119b210 Merge pull request #1732 from hashicorp/pr/1716
Don't run `go vet` on vendor/
2016-02-17 16:04:14 -08:00
James Phillips d1925a3fe1 Makes vet check more sure fire now that it's xargs-ed. 2016-02-17 16:02:42 -08:00
James Phillips 0ca8ded74d Adds a note about the new go-cleanhttp behavior to the change log. 2016-02-17 14:49:24 -08:00
James Phillips a6610d354d Merge pull request #1731 from hashicorp/update-cleanhttp
Update go-cleanhttp
2016-02-17 14:24:41 -08:00
Jeff Mitchell 1dfacd8a1e Update go-cleanhttp 2016-02-17 17:03:57 -05:00
Ryan Breen 512298f33a Merge pull request #1729 from xenji/add-new-eu-amis
Add ubuntu AMIs for eu-west-1 and eu-central-1 to the map.
2016-02-17 08:23:04 -05:00
Mario Mueller 79f0135583 Add eu-west-1 and eu-central-1 to the map.
Used image: ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20150325
2016-02-17 09:16:41 +01:00
Michael Crilly b90e77421a TLS example and correcting error
The example configuration file omits TLS support in the HTTP API. This is fine, but a second example demonstrating how to enable TLS over the HTTP API is harmless and, in fact, should be default practice.

Using the format `ip:port` in the "addresses" block will cause Consul to crash on reload/start. See issue (#1727)[https://github.com/hashicorp/consul/issues/1727#issuecomment-184980751]
2016-02-17 15:24:37 +10:00
James Phillips a29c1ee04e Merge pull request #1703 from alistanis/fix-issue-#1661
fixes issue #1661 and adds supporting test
2016-02-16 20:13:36 -08:00
James Phillips 551a4fc031 Adds support for EnableTagOverride to the API client. 2016-02-16 11:45:29 -08:00
Ryan Breen a168184be3 Merge pull request #1717 from kim-toms/patch-1
Update leader-election.html.markdown
2016-02-14 09:34:39 -05:00
Kim Toms a3f49a1f21 Update leader-election.html.markdown
Remove duplicate 'leader'
2016-02-14 09:32:23 -05:00
Sean Chittenden 3ebd78013c Don't run go vet on vendor/ 2016-02-12 18:52:40 -08:00
James Phillips 2648a21da0 Merge pull request #1715 from hashicorp/b-travis
Removes the obsolete deps target from Travis.
2016-02-12 18:46:13 -08:00
James Phillips c57477deb5 Removes the obsolete deps target from Travis. 2016-02-12 18:41:33 -08:00
Sean Chittenden 87678817f9 Merge pull request #1714 from hashicorp/e-godeps
Manage dependencies via Godep
2016-02-12 17:13:08 -08:00
Sean Chittenden 8cf46fccb9 Remove deps folder, no longer needed 2016-02-12 17:12:15 -08:00
Sean Chittenden 8ae9e06e8d Add a tools target that fetches various build-time tools 2016-02-12 17:09:18 -08:00
Sean Chittenden 333ff22e9a Manage dependencies via Godep
Embrace the future and use Go 1.6's vendor support via Godep.

Go 1.5 users should `export GO15VENDOREXPERIMENT=1`
2016-02-12 16:50:37 -08:00
Ryan Breen 73f700a9a0 Merge pull request #1713 from hashicorp/b-internal-ui-redirect
Fixes redirect from / to /ui when internal UI is enabled.
2016-02-12 19:26:59 -05:00
James Phillips cbdff8296f Fixes redirect from / to /ui when internal UI is enabled. 2016-02-12 16:11:32 -08:00
Ryan Breen bf7d0742ed Merge pull request #1710 from shaneog/master
Fix Consul download links
2016-02-10 11:23:22 -05:00
Shane O'Grady 3443f95fc3 Fix Consul download link in benchmark scripts
Use https://releases.hashicorp.com
2016-02-10 14:18:19 -02:00
Shane O'Grady 77f2241527 Fix Consul download link in Terraform scripts
Use https://releases.hashicorp.com
2016-02-10 14:18:13 -02:00
James Phillips 9c313fb751 Merge pull request #1707 from hashicorp/b-typo
Fixes a typo.
2016-02-09 16:37:14 -08:00
James Phillips 48a29b5a31 Fixes a typo. 2016-02-09 16:37:06 -08:00
Chris Cooper 1327d9eff6 add missing test 2016-02-09 10:49:41 -05:00
Chris Cooper a2533d5d76 fixes issue #1661 and adds supporting test 2016-02-09 10:35:39 -05:00
Robert Goldsmith 6cb5fba792 Included support to override the assumed location of the consul so you can run the UI on a normal web server potentially on a different host to your consul servers. 2016-02-09 13:26:48 +00:00
Ryan Breen 2008082d91 Merge pull request #1700 from michaeldejong/tools-consultant
Added a reference to Consultant in the Community Tools section.
2016-02-08 10:54:33 -05:00
Michael de Jong 8582b33276 Added a reference to Consultant in the Community Tools section. 2016-02-08 16:09:30 +01:00
James Phillips d43cc772f5 Merge pull request #1699 from hashicorp/b-sanity-check
Adds a sanity check to the local node info compare.
2016-02-07 15:07:55 -08:00
James Phillips 968bd6321c Adds a sanity check to the local node info compare. 2016-02-07 15:07:23 -08:00