Commit graph

23759 commits

Author SHA1 Message Date
James Rasell 9e3f1581fb
core: add ACL role functionality to ACL tokens.
ACL tokens can now utilize ACL roles in order to provide API
authorization. Each ACL token can be created and linked to an
array of policies as well as an array of ACL role links. The link
can be provided via the role name or ID, but internally, is always
resolved to the ID as this is immutable whereas the name can be
changed by operators.

When resolving an ACL token, the policies linked from an ACL role
are unpacked and combined with the policy array to form the
complete auth set for the token.

The ACL token creation endpoint handles deduplicating ACL role
links as well as ensuring they exist within state.

When reading a token, Nomad will also ensure the ACL role link is
current. This handles ACL roles being deleted from under a token
from a UX standpoint.
2022-08-17 14:45:01 +01:00
James Rasell fbc9f8b66c
changelog: add missing entry for #13539 (#14129) 2022-08-17 09:26:45 +02:00
Seth Hoenig c4a060cdd8
Merge pull request #14145 from hashicorp/cleanup-trim-error-output
api: trim space of error response output
2022-08-16 15:38:49 -05:00
Tim Gross f6836869c5
ui: fix ability checking when anon policy is missing namespace (#14144)
ACL Policies aren't required to have any `namespace` blocks, and this is
particularly common with the anonymous policy. If a user visits the web UI
without a token already in their local storage and the anonymous policy has no
`namespace` blocks, the UI will hit unhandled exceptions when rendering the
sidebar or jobs page.

Filter for the case where there's no `namespace` block.
2022-08-16 16:13:36 -04:00
Seth Hoenig bb58b94e15
Merge pull request #14141 from hashicorp/cleanup-slice-sets-2
cleanup: helper func for comparing slices of .Equals types
2022-08-16 15:12:39 -05:00
Seth Hoenig 1caea272f0 build: bump golangci-lint version 2022-08-16 15:06:06 -05:00
Seth Hoenig 0a6497ee1f api: trim space of error response output 2022-08-16 15:00:38 -05:00
Michael Schurter cdf5a74998
core: fix data races in blocked eval chan handling (#14142)
Similar to the deployment watcher fix in #14121 - the server code loves these mutable structs so we need to guard access to the struct fields with locks.

Capturing ch := b.capacityChangeCh is sufficient to satisfy the data race detector, but I noticed it was also possible to leak goroutines:

Since the watchCapacity loop is in charge of receiving from capacityChangeCh and exits when stopCh is closed, senders to capacityChangeCh also must exit when stopCh is closed. Otherwise they may block forever if capacityChangeCh is full because it will never be received on again. I did not find evidence of this occurring in my meager smattering of prod goroutine dumps I have laying around, but this isn't surprising as the chan has a buffer of 8096! I would imagine that is sufficient to handle "late" sends and then just get GC'd away when the last reference to the old chan is dropped. This is just additional safety/correctness.
2022-08-16 12:33:53 -07:00
Seth Hoenig 47f5452825 cleanup: helper funcs for comparing slices of references 2022-08-16 13:47:47 -05:00
Michael Schurter 0c3cfb073a
nomad: fix race in Bootstrapped access (#14120)
* nomad: fix race in Bootstrapped access
2022-08-16 11:22:33 -07:00
Michael Schurter 285979e96c
deployments: fix data races (#14121)
* deployments: fix data races

Both priority and state related fields may be mutated concurrently and
need to be accessed with the lock acquired.
2022-08-16 10:50:40 -07:00
Michael Schurter db97e08163
client: fix race in heartbeat tracker (#14119) 2022-08-16 09:41:08 -07:00
Seth Hoenig 7728cf5a9a
Merge pull request #14132 from hashicorp/build-update-go1.19
build: update to go1.19
2022-08-16 11:20:27 -05:00
Seth Hoenig b3ea68948b build: run gofmt on all go source files
Go 1.19 will forecefully format all your doc strings. To get this
out of the way, here is one big commit with all the changes gofmt
wants to make.
2022-08-16 11:14:11 -05:00
Seth Hoenig 56b0b456dc
Merge pull request #14102 from hashicorp/cleanup-mesh-gateway-value
cleanup: consul mesh gateway type need not be pointer
2022-08-16 10:07:16 -05:00
Jai e5b2171cd0
remove unnecessary query parameters in LinkTo components (#14117)
* chore: remove query param in topology

* chore: remove query param in plugin alloc

* chore: remove query param in parameterized child

* chore: remove query param in periodic child
2022-08-16 09:52:31 -04:00
Seth Hoenig 91e32eec9b build: update to go1.19 2022-08-16 08:40:57 -05:00
Kerim Satirli 614171610f
adds link for Nomad-Pack GitHub action (#14118) 2022-08-16 08:34:26 +02:00
Phil Renaud 8ebaeaac0b
Handle conflict swith a cas qp on save and create (#14100)
* Handle conflict swith a cas qp on save and create

* Notify error and give them refresh or overwrite options

* Merge conflict missed, resolved

* Mirage fixture

* Integration test

* Bracket closed (thx jai)

* Adjust tests to account for number of variables with auto-conflicter
2022-08-15 17:24:34 -04:00
Tim Gross 50e7e5535b
ACL: disallow missing path in secure variable policy (#14123)
The HCL parser allows for labels that aren't needed, which makes it easy to
accidentally write a `secure_variable` block that has the intended path as the
label for that block instead of the innner `path` block. This can result in
silent failure to lock down variables if an incorrectly specified block was used
to reduce the scope of capabilities (for example, if another correctly-written
rule allows access to `*`).

We can't detect the extraneous label in the HCL API, but we can detect if we're
missing `path` blocks entirely. Use this to block obvious user errors.
2022-08-15 17:06:36 -04:00
Tim Gross c38c052ef3
api: document warnings for setting api.ClientConnTimeout (#14122)
HTTP API consumers that have network line-of-sight to client nodes can connect
directly for a small number of APIs. But in environments where the consumer
doesn't have line-of-sight, there's a long pause waiting for the
`api.ClientConnTimeout` to expire. Warn about this in the API docs so that
authors can avoid the extra timeout.
2022-08-15 16:06:02 -04:00
Charlie Voiselle dba6b39815
SV CLI: var init (#13820)
* Nomad dep: add museli/reflow
* SV CLI: var init
2022-08-15 13:43:29 -04:00
Jai 81cac313c5
refact: add parent check to boolean (#14115)
* refact: add parent check to boolean

* chore:  add changelog entry
2022-08-15 13:42:08 -04:00
Phil Renaud d7def242b8
UI variables made to be unique by namespace and path (#14072)
* Starting on namespaced id

* Traversal for variables uniqued by namespace

* Delog

* Basic CRUD complete w namespaces included

* Correct secvar breadcrumb joining and testfix now that namespaces are included

* Testfixes with namespaces in place

* Namespace-aware duplicate path warning

* Duplicate path warning test additions

* Trimpath reimplemented on dupe check

* Solves a bug where slash was not being passed to the can write check

* PR fixes

* variable paths integration test fix now uses store

* Seems far less hacky in retrospect

* PR feedback addressed

* test fixes after inclusion of path as local non-model var

* Prevent confusion by dropping namespace from QPs on PUT, since its already in .data

* Solves a harsh bug where you have namespace access but no secvars access (#14098)

* Solves a harsh bug where you have namespace access but no secvars access

* Lint cleanup

* Remove unneeded condition
2022-08-15 11:56:09 -04:00
Tim Gross a4e89d72a8
secure vars: filter by path in List RPCs (#14036)
The List RPCs only checked the ACL for the Prefix argument of the request. Add
an ACL filter to the paginator for the List RPC.

Extend test coverage of ACLs in the List RPC and in the `acl` package, and add a
"deny" capability so that operators can deny specific paths or prefixes below an
allowed path.
2022-08-15 11:38:20 -04:00
Tim Gross 4005759d28
move secure variable conflict resolution to state store (#13922)
Move conflict resolution implementation into the state store with a new Apply RPC. 
This also makes the RPC for secure variables much more similar to Consul's KV, 
which will help us support soft deletes in a post-1.4.0 version of Nomad.

Reimplement quotas in the state store functions.

Co-authored-by: Charlie Voiselle <464492+angrycub@users.noreply.github.com>
2022-08-15 11:19:53 -04:00
Seth Hoenig 3d2f581b33
Merge pull request #14114 from hashicorp/dependabot/go_modules/oss.indeed.com/go/libtime-1.6.0
build(deps): bump oss.indeed.com/go/libtime from 1.5.0 to 1.6.0
2022-08-15 10:17:44 -05:00
Seth Hoenig 460e78f64b
Merge pull request #14112 from hashicorp/dependabot/go_modules/github.com/fsouza/go-dockerclient-1.8.2
build(deps): bump github.com/fsouza/go-dockerclient from 1.6.5 to 1.8.2
2022-08-15 10:13:41 -05:00
dependabot[bot] bb298856b0
build(deps): bump oss.indeed.com/go/libtime from 1.5.0 to 1.6.0
Bumps [oss.indeed.com/go/libtime](https://github.com/indeedeng/libtime) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/indeedeng/libtime/releases)
- [Commits](https://github.com/indeedeng/libtime/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: oss.indeed.com/go/libtime
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-15 15:12:03 +00:00
Seth Hoenig 16c43a3bc7
Merge pull request #14104 from hashicorp/f-consistent-makefile-arrows
build: use consistent arrows in makefile step output
2022-08-15 10:09:04 -05:00
Seth Hoenig 4f72b0ed72 deps: add cl for fsouza/go-dockerclient 2022-08-15 09:59:49 -05:00
dependabot[bot] abe3bfce8e
build(deps): bump github.com/fsouza/go-dockerclient from 1.6.5 to 1.8.2
Bumps [github.com/fsouza/go-dockerclient](https://github.com/fsouza/go-dockerclient) from 1.6.5 to 1.8.2.
- [Release notes](https://github.com/fsouza/go-dockerclient/releases)
- [Changelog](https://github.com/fsouza/go-dockerclient/blob/main/container_changes_test.go)
- [Commits](https://github.com/fsouza/go-dockerclient/compare/v1.6.5...v1.8.2)

---
updated-dependencies:
- dependency-name: github.com/fsouza/go-dockerclient
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-15 14:53:54 +00:00
Seth Hoenig c24ed407c0
Merge pull request #14111 from hashicorp/dependabot/go_modules/github.com/armon/go-metrics-0.4.0
build(deps): bump github.com/armon/go-metrics from 0.3.10 to 0.4.0
2022-08-15 09:52:51 -05:00
Seth Hoenig b103c78f40
Merge pull request #14113 from hashicorp/dependabot/go_modules/github.com/mitchellh/cli-1.1.4
build(deps): bump github.com/mitchellh/cli from 1.1.2 to 1.1.4
2022-08-15 09:51:11 -05:00
Seth Hoenig efeac7e4b8 deps: fixup dependabot go.mod formatting 2022-08-15 09:50:15 -05:00
dependabot[bot] fc218b48dc
build(deps): bump github.com/armon/go-metrics from 0.3.10 to 0.4.0
Bumps [github.com/armon/go-metrics](https://github.com/armon/go-metrics) from 0.3.10 to 0.4.0.
- [Release notes](https://github.com/armon/go-metrics/releases)
- [Commits](https://github.com/armon/go-metrics/compare/v0.3.10...v0.4.0)

---
updated-dependencies:
- dependency-name: github.com/armon/go-metrics
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-15 14:49:29 +00:00
dependabot[bot] 03ff90f02c
build(deps): bump github.com/mitchellh/cli from 1.1.2 to 1.1.4
Bumps [github.com/mitchellh/cli](https://github.com/mitchellh/cli) from 1.1.2 to 1.1.4.
- [Release notes](https://github.com/mitchellh/cli/releases)
- [Commits](https://github.com/mitchellh/cli/compare/v1.1.2...v1.1.4)

---
updated-dependencies:
- dependency-name: github.com/mitchellh/cli
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-15 14:25:31 +00:00
Seth Hoenig 077f46c74a
Merge pull request #14025 from hashicorp/dependabot/go_modules/go.etcd.io/bbolt-1.3.6
build(deps): bump go.etcd.io/bbolt from 1.3.5 to 1.3.6
2022-08-15 09:13:48 -05:00
Seth Hoenig 8a377ece7e deps: update cl for go.etcd.io/bbolt 2022-08-15 09:13:16 -05:00
Seth Hoenig b31eb43af2
Merge pull request #14103 from hashicorp/dependabot/go_modules/google.golang.org/grpc-1.48.0
build(deps): bump google.golang.org/grpc from 1.45.0 to 1.48.0
2022-08-15 09:10:47 -05:00
Seth Hoenig 30d0e55ebb deps: update cl for grpc 2022-08-15 09:10:13 -05:00
Mike Nomitch ce310b350d
Add notes about DAS being prometheus only (#14040) 2022-08-15 10:17:31 +02:00
Seth Hoenig aa1c3cdae2 build: use consistent arrows in makefile step output 2022-08-14 11:20:58 -05:00
dependabot[bot] d3c0e5db04
build(deps): bump google.golang.org/grpc from 1.45.0 to 1.48.0
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.45.0 to 1.48.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.45.0...v1.48.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-14 09:09:31 +00:00
Seth Hoenig f9355c29fb cleanup: consul mesh gateway type need not be pointer
This PR changes the use of structs.ConsulMeshGateway to value types
instead of via pointers. This will help in a follow up PR where we
cleanup a lot of custom comparison code with helper functions instead.
2022-08-13 11:26:58 -05:00
Phil Renaud 4f0674806e
Error typed changed to dismissable global toast (#14099) 2022-08-12 17:04:35 -04:00
Seth Hoenig 0125863b45
Merge pull request #14052 from hashicorp/dependabot/go_modules/github.com/containernetworking/cni-1.1.2
build(deps): bump github.com/containernetworking/cni from 1.0.1 to 1.1.2
2022-08-12 09:09:57 -05:00
Seth Hoenig eb966a4ce8
Merge pull request #14086 from Morantron/patch-1
Fix typo in /tools/autoscaling
2022-08-12 09:07:12 -05:00
Seth Hoenig 394aebfbd9
Merge pull request #14088 from hashicorp/b-plan-vault-token
cli: support vault token in plan command
2022-08-12 09:05:34 -05:00
Seth Hoenig 1224fdf60d
Merge pull request #14089 from hashicorp/f-docker-disable-healthchecks
docker: configuration for disable docker healthcheck
2022-08-12 09:00:31 -05:00