402 lines
11 KiB
Go
402 lines
11 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package nomad
|
|
|
|
import (
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/armon/go-metrics"
|
|
"github.com/hashicorp/go-memdb"
|
|
"github.com/hashicorp/go-multierror"
|
|
|
|
"github.com/hashicorp/nomad/nomad/state"
|
|
"github.com/hashicorp/nomad/nomad/structs"
|
|
)
|
|
|
|
// Namespace endpoint is used for manipulating namespaces
|
|
type Namespace struct {
|
|
srv *Server
|
|
ctx *RPCContext
|
|
}
|
|
|
|
func NewNamespaceEndpoint(srv *Server, ctx *RPCContext) *Namespace {
|
|
return &Namespace{srv: srv, ctx: ctx}
|
|
}
|
|
|
|
// UpsertNamespaces is used to upsert a set of namespaces
|
|
func (n *Namespace) UpsertNamespaces(args *structs.NamespaceUpsertRequest,
|
|
reply *structs.GenericResponse) error {
|
|
|
|
authErr := n.srv.Authenticate(n.ctx, args)
|
|
args.Region = n.srv.config.AuthoritativeRegion
|
|
if done, err := n.srv.forward("Namespace.UpsertNamespaces", args, args, reply); done {
|
|
return err
|
|
}
|
|
n.srv.MeasureRPCRate("namespace", structs.RateMetricWrite, args)
|
|
if authErr != nil {
|
|
return structs.ErrPermissionDenied
|
|
}
|
|
|
|
defer metrics.MeasureSince([]string{"nomad", "namespace", "upsert_namespaces"}, time.Now())
|
|
|
|
// Check management permissions
|
|
if aclObj, err := n.srv.ResolveACL(args); err != nil {
|
|
return err
|
|
} else if aclObj != nil && !aclObj.IsManagement() {
|
|
return structs.ErrPermissionDenied
|
|
}
|
|
|
|
// Validate there is at least one namespace
|
|
if len(args.Namespaces) == 0 {
|
|
return fmt.Errorf("must specify at least one namespace")
|
|
}
|
|
|
|
// Validate the namespaces and set the hash
|
|
for _, ns := range args.Namespaces {
|
|
if err := ns.Validate(); err != nil {
|
|
return fmt.Errorf("Invalid namespace %q: %v", ns.Name, err)
|
|
}
|
|
|
|
ns.SetHash()
|
|
}
|
|
|
|
// Update via Raft
|
|
_, index, err := n.srv.raftApply(structs.NamespaceUpsertRequestType, args)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Update the index
|
|
reply.Index = index
|
|
return nil
|
|
}
|
|
|
|
// DeleteNamespaces is used to delete a namespace
|
|
func (n *Namespace) DeleteNamespaces(args *structs.NamespaceDeleteRequest, reply *structs.GenericResponse) error {
|
|
|
|
authErr := n.srv.Authenticate(n.ctx, args)
|
|
args.Region = n.srv.config.AuthoritativeRegion
|
|
if done, err := n.srv.forward("Namespace.DeleteNamespaces", args, args, reply); done {
|
|
return err
|
|
}
|
|
n.srv.MeasureRPCRate("namespace", structs.RateMetricWrite, args)
|
|
if authErr != nil {
|
|
return structs.ErrPermissionDenied
|
|
}
|
|
defer metrics.MeasureSince([]string{"nomad", "namespace", "delete_namespaces"}, time.Now())
|
|
|
|
// Check management permissions
|
|
if aclObj, err := n.srv.ResolveACL(args); err != nil {
|
|
return err
|
|
} else if aclObj != nil && !aclObj.IsManagement() {
|
|
return structs.ErrPermissionDenied
|
|
}
|
|
|
|
// Validate at least one namespace
|
|
if len(args.Namespaces) == 0 {
|
|
return fmt.Errorf("must specify at least one namespace to delete")
|
|
}
|
|
|
|
for _, ns := range args.Namespaces {
|
|
if ns == structs.DefaultNamespace {
|
|
return fmt.Errorf("can not delete default namespace")
|
|
}
|
|
}
|
|
|
|
// Check that the deleting namespaces do not have non-terminal jobs in both
|
|
// this region and all federated regions
|
|
var mErr multierror.Error
|
|
for _, ns := range args.Namespaces {
|
|
nonTerminal, err := n.nonTerminalNamespaces(args.AuthToken, ns)
|
|
if err != nil {
|
|
_ = multierror.Append(&mErr, err)
|
|
} else if len(nonTerminal) != 0 {
|
|
_ = multierror.Append(&mErr, fmt.Errorf("namespace %q has non-terminal jobs in regions: %v", ns, nonTerminal))
|
|
}
|
|
}
|
|
|
|
if err := mErr.ErrorOrNil(); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Update via Raft
|
|
_, index, err := n.srv.raftApply(structs.NamespaceDeleteRequestType, args)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Update the index
|
|
reply.Index = index
|
|
return nil
|
|
}
|
|
|
|
// nonTerminalNamespaces returns whether the set of regions in which the
|
|
// namespaces contains non-terminal jobs, checking all federated regions
|
|
// including this one.
|
|
func (n *Namespace) nonTerminalNamespaces(authToken, namespace string) ([]string, error) {
|
|
regions := n.srv.Regions()
|
|
thisRegion := n.srv.Region()
|
|
terminal := make([]string, 0, len(regions))
|
|
|
|
// Check if this region is terminal
|
|
localTerminal, err := n.namespaceTerminalLocally(namespace)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !localTerminal {
|
|
terminal = append(terminal, thisRegion)
|
|
}
|
|
|
|
for _, region := range regions {
|
|
if region == thisRegion {
|
|
continue
|
|
}
|
|
|
|
remoteTerminal, err := n.namespaceTerminalInRegion(authToken, namespace, region)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !remoteTerminal {
|
|
terminal = append(terminal, region)
|
|
}
|
|
}
|
|
|
|
return terminal, nil
|
|
}
|
|
|
|
// namespaceTerminalLocally returns if the namespace contains only terminal jobs
|
|
// in the local region .
|
|
func (n *Namespace) namespaceTerminalLocally(namespace string) (bool, error) {
|
|
snap, err := n.srv.fsm.State().Snapshot()
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
iter, err := snap.JobsByNamespace(nil, namespace)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
for {
|
|
raw := iter.Next()
|
|
if raw == nil {
|
|
break
|
|
}
|
|
|
|
job := raw.(*structs.Job)
|
|
if job.Status != structs.JobStatusDead {
|
|
return false, nil
|
|
}
|
|
}
|
|
|
|
return true, nil
|
|
}
|
|
|
|
// namespaceTerminalInRegion returns if the namespace contains only terminal
|
|
// jobs in the given region .
|
|
func (n *Namespace) namespaceTerminalInRegion(authToken, namespace, region string) (bool, error) {
|
|
req := &structs.JobListRequest{
|
|
QueryOptions: structs.QueryOptions{
|
|
Region: region,
|
|
Namespace: namespace,
|
|
AllowStale: false,
|
|
AuthToken: authToken,
|
|
},
|
|
}
|
|
|
|
var resp structs.JobListResponse
|
|
done, err := n.srv.forward("Job.List", req, req, &resp)
|
|
if !done {
|
|
return false, fmt.Errorf("unexpectedly did not forward Job.List to region %q", region)
|
|
} else if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
for _, job := range resp.Jobs {
|
|
if job.Status != structs.JobStatusDead {
|
|
return false, nil
|
|
}
|
|
}
|
|
|
|
return true, nil
|
|
}
|
|
|
|
// ListNamespaces is used to list the namespaces
|
|
func (n *Namespace) ListNamespaces(args *structs.NamespaceListRequest, reply *structs.NamespaceListResponse) error {
|
|
|
|
authErr := n.srv.Authenticate(n.ctx, args)
|
|
if done, err := n.srv.forward("Namespace.ListNamespaces", args, args, reply); done {
|
|
return err
|
|
}
|
|
n.srv.MeasureRPCRate("namespace", structs.RateMetricList, args)
|
|
if authErr != nil {
|
|
return structs.ErrPermissionDenied
|
|
}
|
|
defer metrics.MeasureSince([]string{"nomad", "namespace", "list_namespace"}, time.Now())
|
|
|
|
// Resolve token to acl to filter namespace list
|
|
aclObj, err := n.srv.ResolveACL(args)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Setup the blocking query
|
|
opts := blockingOptions{
|
|
queryOpts: &args.QueryOptions,
|
|
queryMeta: &reply.QueryMeta,
|
|
run: func(ws memdb.WatchSet, s *state.StateStore) error {
|
|
// Iterate over all the namespaces
|
|
var err error
|
|
var iter memdb.ResultIterator
|
|
if prefix := args.QueryOptions.Prefix; prefix != "" {
|
|
iter, err = s.NamespacesByNamePrefix(ws, prefix)
|
|
} else {
|
|
iter, err = s.Namespaces(ws)
|
|
}
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
reply.Namespaces = nil
|
|
for {
|
|
raw := iter.Next()
|
|
if raw == nil {
|
|
break
|
|
}
|
|
ns := raw.(*structs.Namespace)
|
|
|
|
// Only return namespaces allowed by acl
|
|
if aclObj == nil || aclObj.AllowNamespace(ns.Name) {
|
|
reply.Namespaces = append(reply.Namespaces, ns)
|
|
}
|
|
}
|
|
|
|
// Use the last index that affected the namespace table
|
|
index, err := s.Index(state.TableNamespaces)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Ensure we never set the index to zero, otherwise a blocking query cannot be used.
|
|
// We floor the index at one, since realistically the first write must have a higher index.
|
|
if index == 0 {
|
|
index = 1
|
|
}
|
|
reply.Index = index
|
|
return nil
|
|
}}
|
|
return n.srv.blockingRPC(&opts)
|
|
}
|
|
|
|
// GetNamespace is used to get a specific namespace
|
|
func (n *Namespace) GetNamespace(args *structs.NamespaceSpecificRequest, reply *structs.SingleNamespaceResponse) error {
|
|
|
|
authErr := n.srv.Authenticate(n.ctx, args)
|
|
if done, err := n.srv.forward("Namespace.GetNamespace", args, args, reply); done {
|
|
return err
|
|
}
|
|
n.srv.MeasureRPCRate("namespace", structs.RateMetricRead, args)
|
|
if authErr != nil {
|
|
return structs.ErrPermissionDenied
|
|
}
|
|
defer metrics.MeasureSince([]string{"nomad", "namespace", "get_namespace"}, time.Now())
|
|
|
|
// Check capabilities for the given namespace permissions
|
|
if aclObj, err := n.srv.ResolveACL(args); err != nil {
|
|
return err
|
|
} else if aclObj != nil && !aclObj.AllowNamespace(args.Name) {
|
|
return structs.ErrPermissionDenied
|
|
}
|
|
|
|
// Setup the blocking query
|
|
opts := blockingOptions{
|
|
queryOpts: &args.QueryOptions,
|
|
queryMeta: &reply.QueryMeta,
|
|
run: func(ws memdb.WatchSet, s *state.StateStore) error {
|
|
// Look for the namespace
|
|
out, err := s.NamespaceByName(ws, args.Name)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Setup the output
|
|
reply.Namespace = out
|
|
if out != nil {
|
|
reply.Index = out.ModifyIndex
|
|
} else {
|
|
// Use the last index that affected the namespace table
|
|
index, err := s.Index(state.TableNamespaces)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Ensure we never set the index to zero, otherwise a blocking query cannot be used.
|
|
// We floor the index at one, since realistically the first write must have a higher index.
|
|
if index == 0 {
|
|
index = 1
|
|
}
|
|
reply.Index = index
|
|
}
|
|
return nil
|
|
}}
|
|
return n.srv.blockingRPC(&opts)
|
|
}
|
|
|
|
// GetNamespaces is used to get a set of namespaces
|
|
func (n *Namespace) GetNamespaces(args *structs.NamespaceSetRequest, reply *structs.NamespaceSetResponse) error {
|
|
|
|
authErr := n.srv.Authenticate(n.ctx, args)
|
|
if done, err := n.srv.forward("Namespace.GetNamespaces", args, args, reply); done {
|
|
return err
|
|
}
|
|
n.srv.MeasureRPCRate("namespace", structs.RateMetricList, args)
|
|
if authErr != nil {
|
|
return structs.ErrPermissionDenied
|
|
}
|
|
defer metrics.MeasureSince([]string{"nomad", "namespace", "get_namespaces"}, time.Now())
|
|
|
|
// Check management permissions
|
|
if aclObj, err := n.srv.ResolveACL(args); err != nil {
|
|
return err
|
|
} else if aclObj != nil && !aclObj.IsManagement() {
|
|
return structs.ErrPermissionDenied
|
|
}
|
|
|
|
// Setup the blocking query
|
|
opts := blockingOptions{
|
|
queryOpts: &args.QueryOptions,
|
|
queryMeta: &reply.QueryMeta,
|
|
run: func(ws memdb.WatchSet, s *state.StateStore) error {
|
|
// Setup the output
|
|
reply.Namespaces = make(map[string]*structs.Namespace, len(args.Namespaces))
|
|
|
|
// Look for the namespace
|
|
for _, namespace := range args.Namespaces {
|
|
out, err := s.NamespaceByName(ws, namespace)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if out != nil {
|
|
reply.Namespaces[namespace] = out
|
|
}
|
|
}
|
|
|
|
// Use the last index that affected the policy table
|
|
index, err := s.Index(state.TableNamespaces)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Ensure we never set the index to zero, otherwise a blocking query cannot be used.
|
|
// We floor the index at one, since realistically the first write must have a higher index.
|
|
if index == 0 {
|
|
index = 1
|
|
}
|
|
reply.Index = index
|
|
return nil
|
|
}}
|
|
return n.srv.blockingRPC(&opts)
|
|
}
|