Commit Graph

136 Commits

Author SHA1 Message Date
Matt Keeler 0c76a4389f
ACL Token Persistence and Reloading (#5328)
This PR adds two features which will be useful for operators when ACLs are in use.

1. Tokens set in configuration files are now reloadable.
2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload)

Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change.

Some other secondary changes:

* Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly.
* Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. 
* Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents.
* Docs updated to reflect the API additions and to show using the new endpoints.
* Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
2019-02-27 14:28:31 -05:00
Paul Banks 1c4dfbcd2e
connect: tame thundering herd of CSRs on CA rotation (#5228)
* Support rate limiting and concurrency limiting CSR requests on servers; handle CA rotations gracefully with jitter and backoff-on-rate-limit in client

* Add CSR rate limiting docs

* Fix config naming and add tests for new CA configs
2019-01-22 17:19:36 +00:00
Matt Keeler 99e0a124cb
New ACLs (#4791)
This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week.
Description

At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers.

On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though.

    Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though.
    All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management.
    Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are:
        A server running the new system must still support other clients using the legacy system.
        A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system.
        The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode.

So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 12:04:07 -04:00
Paul Banks ca68136ac7 Refactor to use embedded struct. 2018-06-25 12:25:39 -07:00
Paul Banks 23be6ad1c8 StartupTelemetry => InitTelemetry 2018-06-25 12:25:39 -07:00
Paul Banks 93f346431b WIP 2018-06-25 12:25:38 -07:00
Mitchell Hashimoto 1cb9046ad5
lib/file: add tests for WriteAtomic 2018-06-14 09:42:12 -07:00
Mitchell Hashimoto 5e0f0ba178
agent/proxy: write pid file whenever the daemon process changes 2018-06-14 09:42:11 -07:00
Seth Vargo 523bcd5c1e
Add a helper for generating Consul's user-agent string 2018-05-25 15:50:18 -04:00
Paul Banks d35988521e
Go fmt cleanup 2018-05-11 17:05:19 +01:00
Preetha Appan 98a04a0af9
Update serf to pick up clean leave fix 2018-05-04 15:51:55 -05:00
Veselkov Konstantin 05666113a4 remove golint warnings 2018-01-28 22:40:13 +04:00
James Phillips 32b64575d1
Moves Serf helper into lib to fix import cycle in consul-enterprise. 2017-12-07 16:57:58 -08:00
James Phillips 82a22d57e5
Bumps freeport's block size.
We were seeing some rollover artifacts where something would be shut down so
a port could be re-used, but it was still being referenced by some running
thing. This gives more time before rolling over.
2017-11-29 18:33:14 -08:00
Alex Dadgar 4f6e39341c
Update cluster.go 2017-10-30 16:51:28 -07:00
Alex Dadgar e73efda495 Integer division rounding to zero for rate scaling
This fixes an issue in which integer division was scaling down to zero.
2017-10-30 16:46:11 -07:00
Alex Dadgar b5f8a16ea3 Initialize freeport lazily to avoid runtime issues
This PR makes freeport initialize lazily rather than using an init
method.
2017-10-25 15:14:39 -07:00
Alex Dadgar af09d86892 Make freeport testing friendly
This PR allows the caller to decide if they would like to have the
calling test fail, have the caller panic on error, or handle the errors
themselves.
2017-10-23 16:28:02 -07:00
Frank Schroeder 74859ff3c0 test: replace porter tool with freeport lib
This patch removes the porter tool which hands out free ports from a
given range with a library which does the same thing. The challenge for
acquiring free ports in concurrent go test runs is that go packages are
tested concurrently and run in separate processes. There has to be some
inter-process synchronization in preventing processes allocating the
same ports.

freeport allocates blocks of ports from a range expected to be not in
heavy use and implements a system-wide mutex by binding to the first
port of that block for the lifetime of the application. Ports are then
provided sequentially from that block and are tested on localhost before
being returned as available.
2017-10-21 22:01:09 +02:00
James Phillips d1ad538345 Makes RPC handling more robust when rolling servers. (#3561)
* Adds client-side retry for no leader errors.

This paves over the case where the client was connected to the leader
when it loses leadership.

* Adds a configurable server RPC drain time and a fail-fast path for RPCs.

When a server leaves it gets removed from the Raft configuration, so it will
never know who the new leader server ends up being. Without this we'd be
doomed to wait out the RPC hold timeout and then fail. This makes things fail
a little quicker while a sever is draining, and since we added a client retry
AND since the server doing this has already shut down and left the Serf LAN,
clients should retry against some other server.

* Makes the RPC hold timeout configurable.

* Reorders struct members.

* Sets the RPC hold timeout default for test servers.

* Bumps the leave drain time up to 5 seconds.

* Robustifies retries with a simpler client-side RPC hold.

* Reverts untended delete.
2017-10-10 15:19:50 -07:00
James Phillips 6a6eadd8c7
Adds open source side of network segments (feature is Enterprise-only). 2017-08-30 11:58:29 -07:00
Frank Schroeder 9e2332f6a1 golint: Fix existing comments
This needs more work.
2017-04-25 09:26:13 -07:00
James Phillips 8cc06ec10d
Adds missing unit tests and cleans up some router bugs. 2017-03-16 16:42:19 -07:00
James Phillips 28f8aa5559
Removes remoteConsuls in favor of the new router.
This has the next wave of RTT integration with the router and also
factors some common RTT-related helpers out to lib. While we were
in here we also got rid of the coordinate disable config so we don't
need to deal with the complexity in the router (there was never a
user-visible way to disable coordinates).
2017-03-16 16:42:19 -07:00
James Phillips 96bff003b7
Adds basic support for node IDs. 2017-01-17 22:47:59 -08:00
Sean Chittenden 4a0a0b3376 Use a cryptographically secure seed
`SeededSecurely` is present if someone or something wants to query the way the library was seeded.

Obtained from: nomad
2016-05-02 23:52:37 -07:00
Sean Chittenden 882586fd05 Guard against divide by zero in lib.RandomStagger()
While I'm at it, add a DurationMinusBufferDomain() function to calculate the min/max for a given call to DurationMinusBuffer() in order to keep the implementation details self-contained.
2016-04-23 13:11:32 -07:00
Sean Chittenden a4dc389e38 Add a helper function DurationMinusBuffer() to calculate an interval
used to schedule a TTL check.  e.g.

d := lib.DurationMinusBuffer(60 * time.Duration, 10 * time.Second, 16)

will return a duration between 46.875s and 50s.
2016-04-23 09:06:54 -07:00
Sean Chittenden 9f74944f71 Add lib.AbsInt() helper function 2016-03-30 11:47:37 -07:00
Sean Chittenden c0aa155e61 Move lib's tests to lib_test
This suite of tests is only testing the exported functions
2016-03-29 19:51:37 -07:00
Sean Chittenden a29f6e8c8f Allow adjusting the number of DNS records in a response...
Based on work done by @fusiondog in #1583, extend the concept to use an integer instead of a boolean.

Fixes: #1583 && #1481
2016-03-29 19:23:56 -07:00
Sean Chittenden 485b153db2 Guard against very small or negative rates
Pointed out by: slackpad
2016-03-25 13:31:55 -07:00
Sean Chittenden 71fb93c17b Cull unused function and its unit test.
Pointed out by: @slackpad
2016-02-01 22:40:19 -08:00
Sean Chittenden 1b5d8d1341 Cull unused function and its unit test.
Pointed out by: @slackpad
2016-02-01 22:26:57 -08:00
Sean Chittenden 893f91b0d5 Always seed math/rand on consul startup
Required for jitter calcs.  This could be done in consul/agent, but this makes it clear it is done only once process-wide.
2016-01-29 17:00:08 -08:00
Sean Chittenden c470553b6b Factor out duplicate functions into a lib package
Consolidate code duplication and tests into a single lib package.  Most of these functions were from various **/util.go functions that couldn't be imported due to cyclic imports.  The consul/lib package is intended to be a terminal node in an import DAG and a place to stash various consul-only helper functions.  Pulled in hashicorp/go-uuid instead of consolidating UUID access.
2016-01-29 16:57:45 -08:00