open-consul/api
Matt Keeler 99e0a124cb
New ACLs (#4791)
This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week.
Description

At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers.

On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though.

    Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though.
    All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management.
    Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are:
        A server running the new system must still support other clients using the legacy system.
        A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system.
        The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode.

So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 12:04:07 -04:00
..
acl.go New ACLs (#4791) 2018-10-19 12:04:07 -04:00
acl_test.go New ACLs (#4791) 2018-10-19 12:04:07 -04:00
agent.go New command: consul debug (#4754) 2018-10-19 08:41:03 -07:00
agent_test.go New command: consul debug (#4754) 2018-10-19 08:41:03 -07:00
api.go Connect Envoy Command (#4735) 2018-10-10 16:55:34 +01:00
api_test.go New ACLs (#4791) 2018-10-19 12:04:07 -04:00
catalog.go Support multiple tags for health and catalog http api endpoints (#4717) 2018-10-11 12:50:05 +01:00
catalog_test.go Support multiple tags for health and catalog http api endpoints (#4717) 2018-10-11 12:50:05 +01:00
connect.go api: fix up some comments and rename IssuedCert to LeafCert 2018-06-14 09:41:56 -07:00
connect_ca.go connect/ca: add configurable leaf cert TTL 2018-07-16 13:33:37 -07:00
connect_ca_test.go Merge pull request #4400 from hashicorp/leaf-cert-ttl 2018-07-25 17:53:25 -07:00
connect_intention.go agent: 400 error on invalid UUID format, api handles errors properly 2018-06-27 07:40:06 +02:00
connect_intention_test.go agent: 400 error on invalid UUID format, api handles errors properly 2018-06-27 07:40:06 +02:00
coordinate.go Merge branch 'coordinate-node-endpoint' of github.com:hashicorp/consul into esm-changes 2017-10-26 19:20:24 -07:00
coordinate_test.go Move check definition to a sub-struct 2017-11-01 14:54:46 -07:00
debug.go New command: consul debug (#4754) 2018-10-19 08:41:03 -07:00
debug_test.go New command: consul debug (#4754) 2018-10-19 08:41:03 -07:00
event.go Revert "fixed: body not closed for non HTTP 200 responses" 2015-01-19 11:51:51 +09:00
event_test.go api: refactor: unify naming of API tests 2017-07-07 09:22:34 +02:00
health.go Support multiple tags for health and catalog http api endpoints (#4717) 2018-10-11 12:50:05 +01:00
health_test.go Support multiple tags for health and catalog http api endpoints (#4717) 2018-10-11 12:50:05 +01:00
kv.go Simplify string(buf.Bytes()) to buf.String() (#3590) 2017-10-18 13:26:09 -07:00
kv_test.go api: refactor: unify naming of API tests 2017-07-07 09:22:34 +02:00
lock.go Fix lock and semaphore timeouts 2018-07-06 10:55:25 +01:00
lock_test.go Improve resilience of api pkg tests (#4676) 2018-09-18 17:47:01 +01:00
operator.go Moves operator sub-functions into their own files. 2017-03-30 12:35:50 -07:00
operator_area.go Remove operator_area note from godoc overview (#4603) 2018-08-28 16:02:24 -04:00
operator_autopilot.go Simplify string(buf.Bytes()) to buf.String() (#3590) 2017-10-18 13:26:09 -07:00
operator_autopilot_test.go BUGFIX: Unit test relying on WaitForLeader() did not work due to wrong test (#4472) 2018-08-06 19:46:09 -04:00
operator_keyring.go Shows the segment name in the keyring API and command output. 2017-09-07 12:17:39 -07:00
operator_keyring_test.go New config parser, HCL support, multiple bind addrs (#3480) 2017-09-25 11:40:42 -07:00
operator_raft.go Move Raft protocol version for list peers end point to server side, fix unit tests. This fixes #3449 2017-09-26 09:35:39 -05:00
operator_raft_test.go api: refactor: unify naming of API tests 2017-07-07 09:22:34 +02:00
operator_segment.go Change segment list endpoint in docs/client api 2017-09-01 12:40:07 -07:00
prepared_query.go api: change Connect to a query option 2018-06-25 12:24:14 -07:00
prepared_query_test.go Allow ignoring checks by ID when defining a PreparedQuery. Fixes #3727. 2018-04-10 14:04:16 +01:00
raw.go api: Refactoring into shared write logic 2015-02-18 15:15:02 -08:00
README.md Copy-and-paste Go client example (#4448) 2018-07-30 12:48:19 +01:00
semaphore.go Fix lock and semaphore timeouts 2018-07-06 10:55:25 +01:00
semaphore_test.go Improve resilience of api pkg tests (#4676) 2018-09-18 17:47:01 +01:00
session.go Expands and rework context support in the API client. (#3273) 2017-07-14 17:30:08 -07:00
session_test.go Improve resilience of api pkg tests (#4676) 2018-09-18 17:47:01 +01:00
snapshot.go Adds support for snapshots and restores. (#2396) 2016-10-25 19:20:24 -07:00
snapshot_test.go api: refactor: prefix all API tests with API_ 2017-07-07 09:22:34 +02:00
status.go Revert "fixed: body not closed for non HTTP 200 responses" 2015-01-19 11:51:51 +09:00
status_test.go api: refactor: prefix all API tests with API_ 2017-07-07 09:22:34 +02:00

Consul API client

This package provides the api package which attempts to provide programmatic access to the full Consul API.

Currently, all of the Consul APIs included in version 0.6.0 are supported.

Documentation

The full documentation is available on Godoc

Usage

Below is an example of using the Consul client:

package main

import "github.com/hashicorp/consul/api"
import "fmt"

func main() {
	// Get a new client
	client, err := api.NewClient(api.DefaultConfig())
	if err != nil {
		panic(err)
	}

	// Get a handle to the KV API
	kv := client.KV()

	// PUT a new KV pair
	p := &api.KVPair{Key: "REDIS_MAXCLIENTS", Value: []byte("1000")}
	_, err = kv.Put(p, nil)
	if err != nil {
		panic(err)
	}

	// Lookup the pair
	pair, _, err := kv.Get("REDIS_MAXCLIENTS", nil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("KV: %v %s\n", pair.Key, pair.Value)
}

To run this example, start a Consul server:

consul agent -dev

Copy the code above into a file such as main.go.

Install and run. You'll see a key (REDIS_MAXCLIENTS) and value (1000) printed.

$ go get
$ go run main.go
KV: REDIS_MAXCLIENTS 1000

After running the code, you can also view the values in the Consul UI on your local machine at http://localhost:8500/ui/dc1/kv