Commit Graph

33 Commits

Author SHA1 Message Date
Drew Bailey 9adca240f8
Event Stream: Track ACL changes, unsubscribe on invalidating changes (#9447)
* upsertaclpolicies

* delete acl policies msgtype

* upsert acl policies msgtype

* delete acl tokens msgtype

* acl bootstrap msgtype

wip unsubscribe on token delete

test that subscriptions are closed after an ACL token has been deleted

Start writing policyupdated test

* update test to use before/after policy

* add SubscribeWithACLCheck to run acl checks on subscribe

* update rpc endpoint to use broker acl check

* Add and use subscriptions.closeSubscriptionFunc

This fixes the issue of not being able to defer unlocking the mutex on
the event broker in the for loop.

handle acl policy updates

* rpc endpoint test for terminating acl change

* add comments

Co-authored-by: Kris Hicks <khicks@hashicorp.com>
2020-12-01 11:11:34 -05:00
Mahmood Ali acbfeb5815 Simplify Bootstrap logic in tests
This change updates tests to honor `BootstrapExpect` exclusively when
forming test clusters and removes test only knobs, e.g.
`config.DevDisableBootstrap`.

Background:

Test cluster creation is fragile.  Test servers don't follow the
BootstapExpected route like production clusters.  Instead they start as
single node clusters and then get rejoin and may risk causing brain
split or other test flakiness.

The test framework expose few knobs to control those (e.g.
`config.DevDisableBootstrap` and `config.Bootstrap`) that control
whether a server should bootstrap the cluster.  These flags are
confusing and it's unclear when to use: their usage in multi-node
cluster isn't properly documented.  Furthermore, they have some bad
side-effects as they don't control Raft library: If
`config.DevDisableBootstrap` is true, the test server may not
immediately attempt to bootstrap a cluster, but after an election
timeout (~50ms), Raft may force a leadership election and win it (with
only one vote) and cause a split brain.

The knobs are also confusing as Bootstrap is an overloaded term.  In
BootstrapExpect, we refer to bootstrapping the cluster only after N
servers are connected.  But in tests and the knobs above, it refers to
whether the server is a single node cluster and shouldn't wait for any
other server.

Changes:

This commit makes two changes:

First, it relies on `BootstrapExpected` instead of `Bootstrap` and/or
`DevMode` flags.  This change is relatively trivial.

Introduce a `Bootstrapped` flag to track if the cluster is bootstrapped.
This allows us to keep `BootstrapExpected` immutable.  Previously, the
flag was a config value but it gets set to 0 after cluster bootstrap
completes.
2020-03-02 13:47:43 -05:00
Seth Hoenig f0c3dca49c tests: swap lib/freeport for tweaked helper/freeport
Copy the updated version of freeport (sdk/freeport), and tweak it for use
in Nomad tests. This means staying below port 10000 to avoid conflicts with
the lib/freeport that is still transitively used by the old version of
consul that we vendor. Also provide implementations to find ephemeral ports
of macOS and Windows environments.

Ports acquired through freeport are supposed to be returned to freeport,
which this change now also introduces. Many tests are modified to include
calls to a cleanup function for Server objects.

This should help quite a bit with some flakey tests, but not all of them.
Our port problems will not go away completely until we upgrade our vendor
version of consul. With Go modules, we'll probably do a 'replace' to swap
out other copies of freeport with the one now in 'nomad/helper/freeport'.
2019-12-09 08:37:32 -06:00
Mahmood Ali 02e20c720b acl_endpoint: permission denied for unauthenticated requests
If ACL Request is unauthenticated, we should honor the anonymous token.
This PR makes few changes:

* `GetPolicy` endpoints may return policy if anonymous policy allows it,
or return permission denied otherwise.
* `ListPolicies` returns an empty policy list, or one with anonymous
policy if one exists.

Without this PR, the we return an incomprehensible error.

Before:
```
$ curl http://localhost:4646/v1/acl/policy/doesntexist; echo
acl token lookup failed: index error: UUID must be 36 characters
$ curl http://localhost:4646/v1/acl/policies; echo
acl token lookup failed: index error: UUID must be 36 characters
```

After:
```
$ curl http://localhost:4646/v1/acl/policy/doesntexist; echo
Permission denied
$ curl http://localhost:4646/v1/acl/policies; echo
[]
```
2019-11-22 08:43:09 -05:00
Michael Schurter 4b6762511d
Merge pull request #6021 from hashicorp/f-anonymous-policy-access
api: Update policy endpoint to permit anonymous access
2019-11-20 15:33:45 -08:00
Mahmood Ali 6f8bb5e90b api: acl bootstrap errors aren't 500
Noticed that ACL endpoints return 500 status code for user errors.  This
is confusing and can lead to false monitoring alerts.

Here, I introduce a concept of RPCCoded errors to be returned by RPC
that signal a code in addition to error message.  Codes for now match
HTTP codes to ease reasoning.

```
$ nomad acl bootstrap
Error bootstrapping: Unexpected response code: 500 (ACL bootstrap already done (reset index: 9))

$ nomad acl bootstrap
Error bootstrapping: Unexpected response code: 400 (ACL bootstrap already done (reset index: 9))
```
2019-11-19 15:51:57 -05:00
Buck Doyle 0a082c1e5e Update assertion to use better failure-reporting 2019-07-29 10:35:07 -05:00
Buck Doyle c3deb7703d Update policy endpoint to permit anonymous access 2019-07-26 13:07:42 -05:00
Michael Schurter 7dd7fbcda2 non-Existent -> nonexistent
Reverting from #3963

https://www.merriam-webster.com/dictionary/existent
2018-03-12 11:59:33 -07:00
Josh Soref 7f6e4012a0 spelling: existent 2018-03-11 18:30:37 +00:00
Alex Dadgar a6dfffa4fa Add testing interfaces 2018-02-15 13:59:00 -08:00
Chelsea Holland Komlo a8becb96c0 review feedback 2017-10-16 17:14:48 -04:00
Chelsea Holland Komlo 2377d97d51 return error if tokens cannot be deleted because they do not exist 2017-10-16 17:14:48 -04:00
Alex Dadgar 5d4f467519 ListPolicies and GetPolicy work w/o management token 2017-10-13 13:12:20 -07:00
Michael Schurter 84d8a51be1 SecretID -> AuthToken 2017-10-12 15:16:33 -07:00
Michael Schurter efcc61a253 Merge pull request #3302 from hashicorp/b-remove-structs-from-api
Remove `structs` import from `api`
2017-09-29 11:39:43 -07:00
Michael Schurter a66c53d45a Remove `structs` import from `api`
Goes a step further and removes structs import from api's tests as well
by moving GenerateUUID to its own package.
2017-09-29 10:36:08 -07:00
Alex Dadgar 14e6026938 Allow querying self token
This PR allows querying self ACL token when the SecretID is for the
AccessorID in question.
2017-09-27 13:00:58 -07:00
Armon Dadgar 20a8e590a0 nomad: support ACL bootstrap reset 2017-09-10 16:03:30 -07:00
Armon Dadgar 6f5150a227 nomad: allow getting policies which are subset of token, fixes client resolution 2017-09-04 13:05:53 -07:00
Armon Dadgar 855240b1b5 nomad: ACL endpoints enforce permissions 2017-09-04 13:05:53 -07:00
Armon Dadgar 4bda2fa9e9 nomad: ACL endpoints check support enabled and redirect to authority 2017-09-04 13:05:53 -07:00
Armon Dadgar e24a4abf2c nomad: adding ACL bootstrap endpoints 2017-09-04 13:05:53 -07:00
Armon Dadgar edc38185cc noamd: Adding batch fetch endpoints for ACL tokens and policies 2017-09-04 13:05:36 -07:00
Armon Dadgar 6a9d4e2dc3 nomad: Adding token resolution endpoint 2017-09-04 13:05:36 -07:00
Armon Dadgar 583a11cebd nomad: Adding ability to filter list of tokens to global only 2017-09-04 13:04:45 -07:00
Armon Dadgar 30b607987e nomad: generate accessor/secret ID server side 2017-09-04 13:04:45 -07:00
Armon Dadgar f91d2608cb nomad: renambe PublicID to AccessorID for consistency 2017-09-04 13:04:45 -07:00
Armon Dadgar e5c69f162c nomad: implement ACL token endpoints 2017-09-04 13:04:45 -07:00
Armon Dadgar 11672e4e01 nomad: adding validation of policy name and rules 2017-09-04 13:03:15 -07:00
Armon Dadgar afdde24799 nomad: adding upsert policy endpoint 2017-09-04 13:03:15 -07:00
Armon Dadgar e3e243f433 nomad: implement policy delete endpoint 2017-09-04 13:03:15 -07:00
Armon Dadgar e4f5f305ea nomad: adding Get/List endpoints for ACL policies 2017-09-04 13:03:15 -07:00