open-nomad/nomad/state/state_store_acl.go
James Rasell 0cde3182eb
core: add ACL token expiry state, struct, and RPC handling. (#13718)
The ACL token state schema has been updated to utilise two new
indexes which track expiration of tokens that are configured with
an expiration TTL or time. A new state function allows listing
ACL expired tokens which will be used by internal garbage
collection.

The ACL endpoint has been modified so that all validation happens
within a single function call. This is easier to understand and
see at a glance. The ACL token validation now also includes logic
for expiry TTL and times. The ACL endpoint upsert tests have been
condensed into a single, table driven test.

There is a new token canonicalize function which provides a single
place for token canonicalization, rather than logic spread across the
RPC handler.
2022-07-13 15:40:34 +02:00


package state
import (
"fmt"
"time"
"github.com/hashicorp/nomad/nomad/structs"
)
// ACLTokensByExpired returns the accessor IDs of ACL tokens that are expired
// relative to the supplied now value, as judged by ACLToken.IsExpired.
//
// Global and local tokens live under separate expiry indexes, so the global
// argument selects which population is scanned; a caller that wants both must
// call twice. The max argument caps how many IDs are collected, which keeps the
// caller's follow-up delete transaction bounded. Note that a max of zero or
// less does not disable the cap: the first expired token is still appended
// before the limit check fires, so exactly one ID comes back in that case.
//
// The scan stops at the first token that is not expired. This is only correct
// because the expiry index is ordered by expiration time, so every expired
// token precedes every unexpired one; tokens with no expiration are presumably
// absent from this index (assumption: verify against the table schema).
//
// NOTE(review): the listing runs inside a read transaction, so the returned
// IDs are a snapshot. A token may be deleted or changed before the caller acts
// on the list, and the consumer should tolerate IDs that no longer resolve.
func (s *StateStore) ACLTokensByExpired(global bool, now time.Time, max int) ([]string, error) {
	txn := s.db.ReadTxn()

	iter, err := txn.Get("acl_token", expiresIndexName(global))
	if err != nil {
		return nil, fmt.Errorf("failed acl token listing: %v", err)
	}

	var expired []string

	for raw := iter.Next(); raw != nil; raw = iter.Next() {
		token := raw.(*structs.ACLToken)

		// Ordered index: the first live token means no expired ones follow.
		if !token.IsExpired(now) {
			break
		}

		expired = append(expired, token.AccessorID)

		// Stop once the batch is full; len(expired) doubles as the counter.
		if len(expired) >= max {
			break
		}
	}

	return expired, nil
}
// expiresIndexName maps the global flag onto the name of the ACL token table
// expiry index that tracks that token population: indexExpiresGlobal for
// global tokens, indexExpiresLocal otherwise. Keeping the mapping here means
// callers never spell the index names themselves.
func expiresIndexName(global bool) string {
	name := indexExpiresLocal
	if global {
		name = indexExpiresGlobal
	}
	return name
}