package state import ( "fmt" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/go-memdb" ) // aclsTableSchema returns a new table schema used for storing ACL tokens. func aclsTableSchema() *memdb.TableSchema { return &memdb.TableSchema{ Name: "acls", Indexes: map[string]*memdb.IndexSchema{ "id": &memdb.IndexSchema{ Name: "id", AllowMissing: false, Unique: true, Indexer: &memdb.StringFieldIndex{ Field: "ID", Lowercase: false, }, }, }, } } // aclsBootstrapTableSchema returns a new schema used for tracking the ACL // bootstrap status for a cluster. This is designed to have only a single // row, so it has a somewhat unusual no-op indexer. func aclsBootstrapTableSchema() *memdb.TableSchema { return &memdb.TableSchema{ Name: "acls-bootstrap", Indexes: map[string]*memdb.IndexSchema{ "id": &memdb.IndexSchema{ Name: "id", AllowMissing: true, Unique: true, Indexer: &memdb.ConditionalIndex{ Conditional: func(obj interface{}) (bool, error) { return true, nil }, }, }, }, } } func init() { registerSchema(aclsTableSchema) registerSchema(aclsBootstrapTableSchema) } // ACLs is used to pull all the ACLs from the snapshot. func (s *Snapshot) ACLs() (memdb.ResultIterator, error) { iter, err := s.tx.Get("acls", "id") if err != nil { return nil, err } return iter, nil } // ACL is used when restoring from a snapshot. For general inserts, use ACLSet. func (s *Restore) ACL(acl *structs.ACL) error { if err := s.tx.Insert("acls", acl); err != nil { return fmt.Errorf("failed restoring acl: %s", err) } if err := indexUpdateMaxTxn(s.tx, acl.ModifyIndex, "acls"); err != nil { return fmt.Errorf("failed updating index: %s", err) } return nil } // ACLBootstrap is used to pull the ACL bootstrap info from the snapshot. This // might return nil, in which case nothing should be saved to the snapshot. func (s *Snapshot) ACLBootstrap() (*structs.ACLBootstrap, error) { existing, err := s.tx.First("acls-bootstrap", "id") if err != nil { return nil, fmt.Errorf("failed acl bootstrap lookup: %s", err) } if existing != nil { return existing.(*structs.ACLBootstrap), nil } return nil, nil } // ACLBootstrap is used to restore the ACL bootstrap info from the snapshot. func (s *Restore) ACLBootstrap(bs *structs.ACLBootstrap) error { if err := s.tx.Insert("acls-bootstrap", bs); err != nil { return fmt.Errorf("failed updating acl bootstrap: %v", err) } return nil } // ACLBootstrapInit is used to perform a scan for existing tokens which will // decide whether bootstrapping is allowed for a cluster. This is initiated by // the leader when it steps up, if necessary. This is because the state store // snapshots would become incompatible with older agents if we added this on // the fly, so we rely on the leader to determine a safe time to add this so // we can start tracking whether bootstrap is enabled. This will return an // error if bootstrap is already initialized. // // This returns a boolean indicating if ACL boostrapping is enabled. func (s *Store) ACLBootstrapInit(idx uint64) (bool, error) { tx := s.db.Txn(true) defer tx.Abort() // Don't allow this to happen more than once. existing, err := tx.First("acls-bootstrap", "id") if err != nil { return false, fmt.Errorf("failed acl bootstrap lookup: %s", err) } if existing != nil { return false, fmt.Errorf("acl bootstrap init already done") } // See if there are any management tokens, which means we shouldn't // allow bootstrapping. foundMgmt, err := s.aclHasManagementTokensTxn(tx) if err != nil { return false, fmt.Errorf("failed checking for management tokens: %v", err) } allowBootstrap := !foundMgmt // Create a new bootstrap record. bs := structs.ACLBootstrap{ AllowBootstrap: allowBootstrap, RaftIndex: structs.RaftIndex{ CreateIndex: idx, ModifyIndex: idx, }, } if err := tx.Insert("acls-bootstrap", &bs); err != nil { return false, fmt.Errorf("failed creating acl bootstrap: %v", err) } tx.Commit() return allowBootstrap, nil } // ACLBootstrap is used to perform a one-time ACL bootstrap operation on a // cluster to get the first management token. func (s *Store) ACLBootstrap(idx uint64, acl *structs.ACL) error { tx := s.db.Txn(true) defer tx.Abort() // We must have initialized before this will ever be possible. existing, err := tx.First("acls-bootstrap", "id") if err != nil { return fmt.Errorf("failed acl bootstrap lookup: %s", err) } if existing == nil { return structs.ACLBootstrapNotInitializedErr } // See if this cluster has already been bootstrapped. bs := *existing.(*structs.ACLBootstrap) if !bs.AllowBootstrap { return structs.ACLBootstrapNotAllowedErr } // This should not be required since we keep the boolean above in sync // with any new management tokens that are added, but since this is such // a critical thing for correct operation we perform a sanity check. foundMgmt, err := s.aclHasManagementTokensTxn(tx) if err != nil { return fmt.Errorf("failed checking for management tokens: %v", err) } if foundMgmt { return fmt.Errorf("internal error: acl bootstrap enabled but existing management tokens were found") } // Bootstrap and then make sure we disable bootstrapping forever. The // set will also disable this as a side effect but we want to be super // explicit here. if err := s.aclSetTxn(tx, idx, acl); err != nil { return fmt.Errorf("failed inserting bootstrap token: %v", err) } if disabled, err := s.aclDisableBootstrapTxn(tx, idx); err != nil || !disabled { return fmt.Errorf("failed to disable acl bootstrap (disabled=%v): %v", disabled, err) } tx.Commit() return nil } // aclDisableBootstrapTxn will disable ACL bootstrapping if the bootstrap init // has been completed and bootstrap is currently enabled. This will return true // if bootstrap is disabled. func (s *Store) aclDisableBootstrapTxn(tx *memdb.Txn, idx uint64) (bool, error) { // If the init hasn't been done then we aren't tracking this yet, so we // can bail out. When the init is done for the first time it will scan // for management tokens to set the initial state correctly. existing, err := tx.First("acls-bootstrap", "id") if err != nil { return false, fmt.Errorf("failed acl bootstrap lookup: %s", err) } if existing == nil { // Not yet init-ed, nothing to do. return false, nil } // See if bootstrap is already disabled, which is the common case, so we // can avoid a spurious write. We do a copy here in case we need to write // down below, though. bs := *existing.(*structs.ACLBootstrap) if !bs.AllowBootstrap { return true, nil } // Need to disable bootstrap! bs.AllowBootstrap = false bs.ModifyIndex = idx if err := tx.Insert("acls-bootstrap", &bs); err != nil { return false, fmt.Errorf("failed updating acl bootstrap: %v", err) } return true, nil } // aclHasManagementTokensTxn returns true if any management tokens are present // in the state store. func (s *Store) aclHasManagementTokensTxn(tx *memdb.Txn) (bool, error) { iter, err := tx.Get("acls", "id") if err != nil { return false, fmt.Errorf("failed acl lookup: %s", err) } for acl := iter.Next(); acl != nil; acl = iter.Next() { if acl.(*structs.ACL).Type == structs.ACLTypeManagement { return true, nil } } return false, nil } // ACLGetBootstrap returns the ACL bootstrap status for the cluster, which might // be nil if it hasn't yet been initialized. func (s *Store) ACLGetBootstrap() (*structs.ACLBootstrap, error) { tx := s.db.Txn(false) defer tx.Abort() existing, err := tx.First("acls-bootstrap", "id") if err != nil { return nil, fmt.Errorf("failed acl bootstrap lookup: %s", err) } if existing != nil { return existing.(*structs.ACLBootstrap), nil } return nil, nil } // ACLSet is used to insert an ACL rule into the state store. func (s *Store) ACLSet(idx uint64, acl *structs.ACL) error { tx := s.db.Txn(true) defer tx.Abort() // Call set on the ACL if err := s.aclSetTxn(tx, idx, acl); err != nil { return err } tx.Commit() return nil } // aclSetTxn is the inner method used to insert an ACL rule with the // proper indexes into the state store. func (s *Store) aclSetTxn(tx *memdb.Txn, idx uint64, acl *structs.ACL) error { // Check that the ID is set if acl.ID == "" { return ErrMissingACLID } // Check for an existing ACL existing, err := tx.First("acls", "id", acl.ID) if err != nil { return fmt.Errorf("failed acl lookup: %s", err) } // Set the indexes if existing != nil { acl.CreateIndex = existing.(*structs.ACL).CreateIndex acl.ModifyIndex = idx } else { acl.CreateIndex = idx acl.ModifyIndex = idx } // Insert the ACL if err := tx.Insert("acls", acl); err != nil { return fmt.Errorf("failed inserting acl: %s", err) } if err := tx.Insert("index", &IndexEntry{"acls", idx}); err != nil { return fmt.Errorf("failed updating index: %s", err) } // If this is a management token, make sure bootstrapping gets disabled. if acl.Type == structs.ACLTypeManagement { if _, err := s.aclDisableBootstrapTxn(tx, idx); err != nil { return fmt.Errorf("failed disabling acl bootstrapping: %v", err) } } return nil } // ACLGet is used to look up an existing ACL by ID. func (s *Store) ACLGet(ws memdb.WatchSet, aclID string) (uint64, *structs.ACL, error) { tx := s.db.Txn(false) defer tx.Abort() // Get the table index. idx := maxIndexTxn(tx, "acls") // Query for the existing ACL watchCh, acl, err := tx.FirstWatch("acls", "id", aclID) if err != nil { return 0, nil, fmt.Errorf("failed acl lookup: %s", err) } ws.Add(watchCh) if acl != nil { return idx, acl.(*structs.ACL), nil } return idx, nil, nil } // ACLList is used to list out all of the ACLs in the state store. func (s *Store) ACLList(ws memdb.WatchSet) (uint64, structs.ACLs, error) { tx := s.db.Txn(false) defer tx.Abort() // Get the table index. idx := maxIndexTxn(tx, "acls") // Return the ACLs. acls, err := s.aclListTxn(tx, ws) if err != nil { return 0, nil, fmt.Errorf("failed acl lookup: %s", err) } return idx, acls, nil } // aclListTxn is used to list out all of the ACLs in the state store. This is a // function vs. a method so it can be called from the snapshotter. func (s *Store) aclListTxn(tx *memdb.Txn, ws memdb.WatchSet) (structs.ACLs, error) { // Query all of the ACLs in the state store iter, err := tx.Get("acls", "id") if err != nil { return nil, fmt.Errorf("failed acl lookup: %s", err) } ws.Add(iter.WatchCh()) // Go over all of the ACLs and build the response var result structs.ACLs for acl := iter.Next(); acl != nil; acl = iter.Next() { a := acl.(*structs.ACL) result = append(result, a) } return result, nil } // ACLDelete is used to remove an existing ACL from the state store. If // the ACL does not exist this is a no-op and no error is returned. func (s *Store) ACLDelete(idx uint64, aclID string) error { tx := s.db.Txn(true) defer tx.Abort() // Call the ACL delete if err := s.aclDeleteTxn(tx, idx, aclID); err != nil { return err } tx.Commit() return nil } // aclDeleteTxn is used to delete an ACL from the state store within // an existing transaction. func (s *Store) aclDeleteTxn(tx *memdb.Txn, idx uint64, aclID string) error { // Look up the existing ACL acl, err := tx.First("acls", "id", aclID) if err != nil { return fmt.Errorf("failed acl lookup: %s", err) } if acl == nil { return nil } // Delete the ACL from the state store and update indexes if err := tx.Delete("acls", acl); err != nil { return fmt.Errorf("failed deleting acl: %s", err) } if err := tx.Insert("index", &IndexEntry{"acls", idx}); err != nil { return fmt.Errorf("failed updating index: %s", err) } return nil }