2023-03-15 16:00:52 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
2017-08-03 17:24:27 +00:00
|
|
|
package zookeeper
|
2015-05-05 20:08:42 +00:00
|
|
|
|
|
|
|
import (
|
2018-01-19 06:44:44 +00:00
|
|
|
"context"
|
2018-10-01 21:12:08 +00:00
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
2015-05-05 20:08:42 +00:00
|
|
|
"fmt"
|
2018-10-01 21:12:08 +00:00
|
|
|
"io/ioutil"
|
|
|
|
"net"
|
2015-07-13 09:33:23 +00:00
|
|
|
"path/filepath"
|
2015-05-05 20:08:42 +00:00
|
|
|
"sort"
|
|
|
|
"strings"
|
2015-05-26 02:14:00 +00:00
|
|
|
"sync"
|
2015-05-05 20:08:42 +00:00
|
|
|
"time"
|
|
|
|
|
2023-02-10 16:56:27 +00:00
|
|
|
metrics "github.com/armon/go-metrics"
|
|
|
|
"github.com/go-zookeeper/zk"
|
2018-04-03 00:46:59 +00:00
|
|
|
log "github.com/hashicorp/go-hclog"
|
2021-07-16 00:17:31 +00:00
|
|
|
"github.com/hashicorp/go-secure-stdlib/parseutil"
|
|
|
|
"github.com/hashicorp/go-secure-stdlib/tlsutil"
|
2023-02-10 16:56:27 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/physical"
|
2015-05-05 20:08:42 +00:00
|
|
|
)
|
|
|
|
|
2015-07-13 09:33:23 +00:00
|
|
|
const (
|
|
|
|
// ZKNodeFilePrefix is prefixed to any "files" in ZooKeeper,
|
|
|
|
// so that they do not collide with directory entries. Otherwise,
|
|
|
|
// we cannot delete a file if the path is a full-prefix of another
|
|
|
|
// key.
|
|
|
|
ZKNodeFilePrefix = "_"
|
|
|
|
)
|
|
|
|
|
2018-01-20 01:44:24 +00:00
|
|
|
// Verify ZooKeeperBackend satisfies the correct interfaces
|
2021-04-08 16:43:39 +00:00
|
|
|
var (
|
|
|
|
_ physical.Backend = (*ZooKeeperBackend)(nil)
|
|
|
|
_ physical.HABackend = (*ZooKeeperBackend)(nil)
|
|
|
|
_ physical.Lock = (*ZooKeeperHALock)(nil)
|
|
|
|
)
|
2018-01-20 01:44:24 +00:00
|
|
|
|
2017-08-03 17:24:27 +00:00
|
|
|
// ZooKeeperBackend is a physical backend that stores data at specific
|
|
|
|
// prefix within ZooKeeper. It is used in production situations as
|
2015-05-05 20:08:42 +00:00
|
|
|
// it allows Vault to run on multiple machines in a highly-available manner.
|
2017-08-03 17:24:27 +00:00
|
|
|
type ZooKeeperBackend struct {
|
2015-05-21 03:15:31 +00:00
|
|
|
path string
|
2015-05-05 20:08:42 +00:00
|
|
|
client *zk.Conn
|
2016-02-19 12:19:01 +00:00
|
|
|
acl []zk.ACL
|
2016-08-19 20:45:17 +00:00
|
|
|
logger log.Logger
|
2015-05-05 20:08:42 +00:00
|
|
|
}
|
|
|
|
|
2017-08-03 17:24:27 +00:00
|
|
|
// NewZooKeeperBackend constructs a ZooKeeper backend using the given API client
|
2015-05-05 20:08:42 +00:00
|
|
|
// and the prefix in the KV store.
|
2017-08-03 17:24:27 +00:00
|
|
|
func NewZooKeeperBackend(conf map[string]string, logger log.Logger) (physical.Backend, error) {
|
|
|
|
// Get the path in ZooKeeper
|
2015-05-21 03:15:31 +00:00
|
|
|
path, ok := conf["path"]
|
2015-05-05 20:08:42 +00:00
|
|
|
if !ok {
|
2015-05-21 03:15:31 +00:00
|
|
|
path = "vault/"
|
2015-05-05 20:08:42 +00:00
|
|
|
}
|
|
|
|
|
2015-05-05 21:56:49 +00:00
|
|
|
// Ensure path is suffixed and prefixed (zk requires prefix /)
|
2015-05-21 03:15:31 +00:00
|
|
|
if !strings.HasSuffix(path, "/") {
|
|
|
|
path += "/"
|
2015-05-05 20:08:42 +00:00
|
|
|
}
|
2015-05-21 03:15:31 +00:00
|
|
|
if !strings.HasPrefix(path, "/") {
|
|
|
|
path = "/" + path
|
2015-05-05 20:08:42 +00:00
|
|
|
}
|
|
|
|
|
2015-05-06 18:08:08 +00:00
|
|
|
// Configure the client, default to localhost instance
|
2015-05-05 22:20:38 +00:00
|
|
|
var machines string
|
|
|
|
machines, ok = conf["address"]
|
|
|
|
if !ok {
|
2015-05-06 13:57:24 +00:00
|
|
|
machines = "localhost:2181"
|
2015-05-05 22:20:38 +00:00
|
|
|
}
|
2015-05-05 20:08:42 +00:00
|
|
|
|
2016-02-19 12:19:01 +00:00
|
|
|
// zNode owner and schema.
|
|
|
|
var owner string
|
|
|
|
var schema string
|
|
|
|
var schemaAndOwner string
|
|
|
|
schemaAndOwner, ok = conf["znode_owner"]
|
|
|
|
if !ok {
|
|
|
|
owner = "anyone"
|
|
|
|
schema = "world"
|
|
|
|
} else {
|
|
|
|
parsedSchemaAndOwner := strings.SplitN(schemaAndOwner, ":", 2)
|
|
|
|
if len(parsedSchemaAndOwner) != 2 {
|
|
|
|
return nil, fmt.Errorf("znode_owner expected format is 'schema:owner'")
|
|
|
|
} else {
|
|
|
|
schema = parsedSchemaAndOwner[0]
|
|
|
|
owner = parsedSchemaAndOwner[1]
|
2016-02-19 13:24:57 +00:00
|
|
|
|
|
|
|
// znode_owner is in config and structured correctly - but does it make any sense?
|
|
|
|
// Either 'owner' or 'schema' was set but not both - this seems like a failed attempt
|
2016-02-19 13:28:02 +00:00
|
|
|
// (e.g. ':MyUser' which omit the schema, or ':' omitting both)
|
2016-02-19 13:24:57 +00:00
|
|
|
if owner == "" || schema == "" {
|
|
|
|
return nil, fmt.Errorf("znode_owner expected format is 'schema:auth'")
|
|
|
|
}
|
2016-02-19 12:19:01 +00:00
|
|
|
}
|
|
|
|
}
|
2016-02-15 15:03:12 +00:00
|
|
|
|
2018-02-05 19:26:31 +00:00
|
|
|
acl := []zk.ACL{
|
|
|
|
{
|
|
|
|
Perms: zk.PermAll,
|
|
|
|
Scheme: schema,
|
|
|
|
ID: owner,
|
|
|
|
},
|
|
|
|
}
|
2016-02-15 15:03:12 +00:00
|
|
|
|
2018-03-20 18:54:10 +00:00
|
|
|
// Authentication info
|
2016-02-19 12:19:01 +00:00
|
|
|
var schemaAndUser string
|
2016-02-19 13:24:57 +00:00
|
|
|
var useAddAuth bool
|
|
|
|
schemaAndUser, useAddAuth = conf["auth_info"]
|
|
|
|
if useAddAuth {
|
2016-02-19 12:19:01 +00:00
|
|
|
parsedSchemaAndUser := strings.SplitN(schemaAndUser, ":", 2)
|
|
|
|
if len(parsedSchemaAndUser) != 2 {
|
|
|
|
return nil, fmt.Errorf("auth_info expected format is 'schema:auth'")
|
|
|
|
} else {
|
|
|
|
schema = parsedSchemaAndUser[0]
|
|
|
|
owner = parsedSchemaAndUser[1]
|
2016-02-19 13:24:57 +00:00
|
|
|
|
|
|
|
// auth_info is in config and structured correctly - but does it make any sense?
|
|
|
|
// Either 'owner' or 'schema' was set but not both - this seems like a failed attempt
|
2016-02-19 13:28:02 +00:00
|
|
|
// (e.g. ':MyUser' which omit the schema, or ':' omitting both)
|
2016-02-19 13:24:57 +00:00
|
|
|
if owner == "" || schema == "" {
|
|
|
|
return nil, fmt.Errorf("auth_info expected format is 'schema:auth'")
|
|
|
|
}
|
2016-02-19 12:19:01 +00:00
|
|
|
}
|
|
|
|
}
|
2016-02-15 15:03:12 +00:00
|
|
|
|
2016-02-19 13:24:57 +00:00
|
|
|
// We have all of the configuration in hand - let's try and connect to ZK
|
2018-10-01 21:12:08 +00:00
|
|
|
client, _, err := createClient(conf, machines, time.Second)
|
2015-05-05 20:08:42 +00:00
|
|
|
if err != nil {
|
2021-05-31 16:54:05 +00:00
|
|
|
return nil, fmt.Errorf("client setup failed: %w", err)
|
2015-05-05 20:08:42 +00:00
|
|
|
}
|
|
|
|
|
2016-02-19 13:24:57 +00:00
|
|
|
// ZK AddAuth API if the user asked for it
|
|
|
|
if useAddAuth {
|
2016-02-19 12:19:01 +00:00
|
|
|
err = client.AddAuth(schema, []byte(owner))
|
|
|
|
if err != nil {
|
2021-05-31 16:54:05 +00:00
|
|
|
return nil, fmt.Errorf("ZooKeeper rejected authentication information provided at auth_info: %w", err)
|
2016-02-19 12:19:01 +00:00
|
|
|
}
|
|
|
|
}
|
2016-02-15 15:03:12 +00:00
|
|
|
|
2015-05-05 20:08:42 +00:00
|
|
|
// Setup the backend
|
2017-08-03 17:24:27 +00:00
|
|
|
c := &ZooKeeperBackend{
|
2015-05-21 03:15:31 +00:00
|
|
|
path: path,
|
2015-05-05 20:08:42 +00:00
|
|
|
client: client,
|
2016-02-19 12:19:01 +00:00
|
|
|
acl: acl,
|
2016-04-26 03:10:32 +00:00
|
|
|
logger: logger,
|
2015-05-05 20:08:42 +00:00
|
|
|
}
|
|
|
|
return c, nil
|
|
|
|
}
|
|
|
|
|
2018-10-01 21:12:08 +00:00
|
|
|
func caseInsenstiveContains(superset, val string) bool {
|
|
|
|
return strings.Contains(strings.ToUpper(superset), strings.ToUpper(val))
|
|
|
|
}
|
|
|
|
|
|
|
|
// Returns a client for ZK connection. Config value 'tls_enabled' determines if TLS is enabled or not.
|
|
|
|
func createClient(conf map[string]string, machines string, timeout time.Duration) (*zk.Conn, <-chan zk.Event, error) {
|
|
|
|
// 'tls_enabled' defaults to false
|
|
|
|
isTlsEnabled := false
|
|
|
|
isTlsEnabledStr, ok := conf["tls_enabled"]
|
|
|
|
|
|
|
|
if ok && isTlsEnabledStr != "" {
|
|
|
|
parsedBoolval, err := parseutil.ParseBool(isTlsEnabledStr)
|
|
|
|
if err != nil {
|
2021-05-31 16:54:05 +00:00
|
|
|
return nil, nil, fmt.Errorf("failed parsing tls_enabled parameter: %w", err)
|
2018-10-01 21:12:08 +00:00
|
|
|
}
|
|
|
|
isTlsEnabled = parsedBoolval
|
|
|
|
}
|
|
|
|
|
|
|
|
if isTlsEnabled {
|
|
|
|
// Create a custom Dialer with cert configuration for TLS handshake.
|
|
|
|
tlsDialer := customTLSDial(conf, machines)
|
|
|
|
options := zk.WithDialer(tlsDialer)
|
|
|
|
return zk.Connect(strings.Split(machines, ","), timeout, options)
|
|
|
|
} else {
|
|
|
|
return zk.Connect(strings.Split(machines, ","), timeout)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Vault config file properties:
|
|
|
|
// 1. tls_skip_verify: skip host name verification.
|
|
|
|
// 2. tls_min_version: minimum supported/acceptable tls version
|
|
|
|
// 3. tls_cert_file: Cert file Absolute path
|
|
|
|
// 4. tls_key_file: Key file Absolute path
|
|
|
|
// 5. tls_ca_file: ca file absolute path
|
|
|
|
// 6. tls_verify_ip: If set to true, server's IP is verified in certificate if tls_skip_verify is false.
|
|
|
|
func customTLSDial(conf map[string]string, machines string) zk.Dialer {
|
|
|
|
return func(network, addr string, timeout time.Duration) (net.Conn, error) {
|
|
|
|
// Sets the serverName. *Note* the addr field comes in as an IP address
|
|
|
|
serverName, _, sParseErr := net.SplitHostPort(addr)
|
|
|
|
if sParseErr != nil {
|
|
|
|
// If the address is only missing port, assign the full address anyway
|
|
|
|
if strings.Contains(sParseErr.Error(), "missing port") {
|
|
|
|
serverName = addr
|
|
|
|
} else {
|
2021-05-31 16:54:05 +00:00
|
|
|
return nil, fmt.Errorf("failed parsing the server address for 'serverName' setting %w", sParseErr)
|
2018-10-01 21:12:08 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
insecureSkipVerify := false
|
|
|
|
tlsSkipVerify, ok := conf["tls_skip_verify"]
|
|
|
|
|
|
|
|
if ok && tlsSkipVerify != "" {
|
|
|
|
b, err := parseutil.ParseBool(tlsSkipVerify)
|
|
|
|
if err != nil {
|
2021-05-31 16:54:05 +00:00
|
|
|
return nil, fmt.Errorf("failed parsing tls_skip_verify parameter: %w", err)
|
2018-10-01 21:12:08 +00:00
|
|
|
}
|
|
|
|
insecureSkipVerify = b
|
|
|
|
}
|
|
|
|
|
|
|
|
if !insecureSkipVerify {
|
|
|
|
// If tls_verify_ip is set to false, Server's DNS name is verified in the CN/SAN of the certificate.
|
|
|
|
// if tls_verify_ip is true, Server's IP is verified in the CN/SAN of the certificate.
|
|
|
|
// These checks happen only when tls_skip_verify is set to false.
|
|
|
|
// This value defaults to false
|
|
|
|
ipSanCheck := false
|
|
|
|
configVal, lookupOk := conf["tls_verify_ip"]
|
|
|
|
|
|
|
|
if lookupOk && configVal != "" {
|
|
|
|
parsedIpSanCheck, ipSanErr := parseutil.ParseBool(configVal)
|
|
|
|
if ipSanErr != nil {
|
2021-05-31 16:54:05 +00:00
|
|
|
return nil, fmt.Errorf("failed parsing tls_verify_ip parameter: %w", ipSanErr)
|
2018-10-01 21:12:08 +00:00
|
|
|
}
|
|
|
|
ipSanCheck = parsedIpSanCheck
|
|
|
|
}
|
|
|
|
// The addr/serverName parameter to this method comes in as an IP address.
|
|
|
|
// Here we lookup the DNS name and assign it to serverName if ipSanCheck is set to false
|
|
|
|
if !ipSanCheck {
|
|
|
|
lookupAddressMany, lookupErr := net.LookupAddr(serverName)
|
|
|
|
if lookupErr == nil {
|
|
|
|
for _, lookupAddress := range lookupAddressMany {
|
|
|
|
// strip the trailing '.' from lookupAddr
|
|
|
|
if lookupAddress[len(lookupAddress)-1] == '.' {
|
|
|
|
lookupAddress = lookupAddress[:len(lookupAddress)-1]
|
|
|
|
}
|
|
|
|
// Allow serverName to be replaced only if the lookupname is part of the
|
|
|
|
// supplied machine names
|
|
|
|
// If there is no match, the serverName will continue to be an IP value.
|
|
|
|
if caseInsenstiveContains(machines, lookupAddress) {
|
|
|
|
serverName = lookupAddress
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
tlsMinVersionStr, ok := conf["tls_min_version"]
|
|
|
|
if !ok {
|
|
|
|
// Set the default value
|
|
|
|
tlsMinVersionStr = "tls12"
|
|
|
|
}
|
|
|
|
|
|
|
|
tlsMinVersion, ok := tlsutil.TLSLookup[tlsMinVersionStr]
|
|
|
|
if !ok {
|
|
|
|
return nil, fmt.Errorf("invalid 'tls_min_version'")
|
|
|
|
}
|
|
|
|
|
|
|
|
tlsClientConfig := &tls.Config{
|
|
|
|
MinVersion: tlsMinVersion,
|
|
|
|
InsecureSkipVerify: insecureSkipVerify,
|
|
|
|
ServerName: serverName,
|
|
|
|
}
|
|
|
|
|
|
|
|
_, okCert := conf["tls_cert_file"]
|
|
|
|
_, okKey := conf["tls_key_file"]
|
|
|
|
|
|
|
|
if okCert && okKey {
|
|
|
|
tlsCert, err := tls.LoadX509KeyPair(conf["tls_cert_file"], conf["tls_key_file"])
|
|
|
|
if err != nil {
|
2021-05-31 16:54:05 +00:00
|
|
|
return nil, fmt.Errorf("client tls setup failed for ZK: %w", err)
|
2018-10-01 21:12:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
tlsClientConfig.Certificates = []tls.Certificate{tlsCert}
|
|
|
|
}
|
|
|
|
|
|
|
|
if tlsCaFile, ok := conf["tls_ca_file"]; ok {
|
|
|
|
caPool := x509.NewCertPool()
|
|
|
|
|
|
|
|
data, err := ioutil.ReadFile(tlsCaFile)
|
|
|
|
if err != nil {
|
2021-05-31 16:54:05 +00:00
|
|
|
return nil, fmt.Errorf("failed to read ZK CA file: %w", err)
|
2018-10-01 21:12:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if !caPool.AppendCertsFromPEM(data) {
|
|
|
|
return nil, fmt.Errorf("failed to parse ZK CA certificate")
|
|
|
|
}
|
|
|
|
tlsClientConfig.RootCAs = caPool
|
|
|
|
}
|
|
|
|
|
|
|
|
if network != "tcp" {
|
|
|
|
return nil, fmt.Errorf("unsupported network %q", network)
|
|
|
|
}
|
|
|
|
|
|
|
|
tcpConn, err := net.DialTimeout("tcp", addr, timeout)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
conn := tls.Client(tcpConn, tlsClientConfig)
|
|
|
|
if err := conn.Handshake(); err != nil {
|
|
|
|
return nil, fmt.Errorf("Handshake failed with Zookeeper : %v", err)
|
|
|
|
}
|
|
|
|
return conn, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-05-06 18:08:08 +00:00
|
|
|
// ensurePath is used to create each node in the path hierarchy.
|
|
|
|
// We avoid calling this optimistically, and invoke it when we get
|
|
|
|
// an error during an operation
|
2017-08-03 17:24:27 +00:00
|
|
|
func (c *ZooKeeperBackend) ensurePath(path string, value []byte) error {
|
2015-05-05 20:08:42 +00:00
|
|
|
nodes := strings.Split(path, "/")
|
|
|
|
fullPath := ""
|
2015-05-06 02:23:24 +00:00
|
|
|
for index, node := range nodes {
|
2015-05-05 20:08:42 +00:00
|
|
|
if strings.TrimSpace(node) != "" {
|
|
|
|
fullPath += "/" + node
|
2015-05-06 02:23:24 +00:00
|
|
|
isLastNode := index+1 == len(nodes)
|
|
|
|
|
|
|
|
// set parent nodes to nil, leaf to value
|
|
|
|
// this block reduces round trips by being smart on the leaf create/set
|
|
|
|
if exists, _, _ := c.client.Exists(fullPath); !isLastNode && !exists {
|
2016-02-15 15:03:12 +00:00
|
|
|
if _, err := c.client.Create(fullPath, nil, int32(0), c.acl); err != nil {
|
2015-05-06 18:08:08 +00:00
|
|
|
return err
|
|
|
|
}
|
2015-05-06 02:23:24 +00:00
|
|
|
} else if isLastNode && !exists {
|
2016-02-15 15:03:12 +00:00
|
|
|
if _, err := c.client.Create(fullPath, value, int32(0), c.acl); err != nil {
|
2015-05-06 18:08:08 +00:00
|
|
|
return err
|
|
|
|
}
|
2015-05-06 02:23:24 +00:00
|
|
|
} else if isLastNode && exists {
|
2015-05-12 14:12:00 +00:00
|
|
|
if _, err := c.client.Set(fullPath, value, int32(-1)); err != nil {
|
2015-05-06 18:08:08 +00:00
|
|
|
return err
|
|
|
|
}
|
2015-05-05 20:08:42 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2015-05-06 18:08:08 +00:00
|
|
|
return nil
|
2015-05-05 20:08:42 +00:00
|
|
|
}
|
|
|
|
|
2018-03-20 18:54:10 +00:00
|
|
|
// cleanupLogicalPath is used to remove all empty nodes, beginning with deepest one,
|
2016-10-04 13:28:48 +00:00
|
|
|
// aborting on first non-empty one, up to top-level node.
|
2017-08-03 17:24:27 +00:00
|
|
|
func (c *ZooKeeperBackend) cleanupLogicalPath(path string) error {
|
2016-10-04 13:28:48 +00:00
|
|
|
nodes := strings.Split(path, "/")
|
|
|
|
for i := len(nodes) - 1; i > 0; i-- {
|
|
|
|
fullPath := c.path + strings.Join(nodes[:i], "/")
|
|
|
|
|
|
|
|
_, stat, err := c.client.Exists(fullPath)
|
|
|
|
if err != nil {
|
2021-05-31 16:54:05 +00:00
|
|
|
return fmt.Errorf("failed to acquire node data: %w", err)
|
2016-10-04 13:28:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if stat.DataLength > 0 && stat.NumChildren > 0 {
|
2018-04-05 15:49:21 +00:00
|
|
|
panic(fmt.Sprintf("node %q is both of data and leaf type", fullPath))
|
2016-10-04 13:28:48 +00:00
|
|
|
} else if stat.DataLength > 0 {
|
2018-04-05 15:49:21 +00:00
|
|
|
panic(fmt.Sprintf("node %q is a data node, this is either a bug or backend data is corrupted", fullPath))
|
2016-10-04 13:28:48 +00:00
|
|
|
} else if stat.NumChildren > 0 {
|
|
|
|
return nil
|
|
|
|
} else {
|
|
|
|
// Empty node, lets clean it up!
|
2017-01-11 14:42:30 +00:00
|
|
|
if err := c.client.Delete(fullPath, -1); err != nil && err != zk.ErrNoNode {
|
2021-05-31 16:54:05 +00:00
|
|
|
return fmt.Errorf("removal of node %q failed: %w", fullPath, err)
|
2016-10-04 13:28:48 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// nodePath returns an zk path based on the given key.
|
2017-08-03 17:24:27 +00:00
|
|
|
func (c *ZooKeeperBackend) nodePath(key string) string {
|
2015-07-13 09:33:23 +00:00
|
|
|
return filepath.Join(c.path, filepath.Dir(key), ZKNodeFilePrefix+filepath.Base(key))
|
|
|
|
}
|
|
|
|
|
2015-05-05 20:08:42 +00:00
|
|
|
// Put is used to insert or update an entry
|
2018-01-19 06:44:44 +00:00
|
|
|
func (c *ZooKeeperBackend) Put(ctx context.Context, entry *physical.Entry) error {
|
2015-05-05 20:08:42 +00:00
|
|
|
defer metrics.MeasureSince([]string{"zookeeper", "put"}, time.Now())
|
|
|
|
|
2015-05-06 18:08:08 +00:00
|
|
|
// Attempt to set the full path
|
2015-07-13 09:33:23 +00:00
|
|
|
fullPath := c.nodePath(entry.Key)
|
2015-05-12 14:12:00 +00:00
|
|
|
_, err := c.client.Set(fullPath, entry.Value, -1)
|
2015-05-05 20:08:42 +00:00
|
|
|
|
2015-05-06 18:08:08 +00:00
|
|
|
// If we get ErrNoNode, we need to construct the path hierarchy
|
2015-05-06 02:23:24 +00:00
|
|
|
if err == zk.ErrNoNode {
|
2015-05-06 18:08:08 +00:00
|
|
|
return c.ensurePath(fullPath, entry.Value)
|
2015-05-06 02:23:24 +00:00
|
|
|
}
|
2015-05-06 18:08:08 +00:00
|
|
|
return err
|
2015-05-05 20:08:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Get is used to fetch an entry
|
2018-01-19 06:44:44 +00:00
|
|
|
func (c *ZooKeeperBackend) Get(ctx context.Context, key string) (*physical.Entry, error) {
|
2015-05-05 20:08:42 +00:00
|
|
|
defer metrics.MeasureSince([]string{"zookeeper", "get"}, time.Now())
|
|
|
|
|
2015-05-06 18:08:08 +00:00
|
|
|
// Attempt to read the full path
|
2015-07-13 09:33:23 +00:00
|
|
|
fullPath := c.nodePath(key)
|
2015-05-05 20:08:42 +00:00
|
|
|
value, _, err := c.client.Get(fullPath)
|
|
|
|
|
2015-05-06 18:08:08 +00:00
|
|
|
// Ignore if the node does not exist
|
|
|
|
if err == zk.ErrNoNode {
|
|
|
|
err = nil
|
|
|
|
}
|
|
|
|
if err != nil {
|
2015-05-05 20:08:42 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2015-05-06 18:08:08 +00:00
|
|
|
|
|
|
|
// Handle a non-existing value
|
2015-05-05 20:08:42 +00:00
|
|
|
if value == nil {
|
|
|
|
return nil, nil
|
|
|
|
}
|
2017-08-03 17:24:27 +00:00
|
|
|
ent := &physical.Entry{
|
2015-05-05 20:08:42 +00:00
|
|
|
Key: key,
|
|
|
|
Value: value,
|
|
|
|
}
|
|
|
|
return ent, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Delete is used to permanently delete an entry
|
2018-01-19 06:44:44 +00:00
|
|
|
func (c *ZooKeeperBackend) Delete(ctx context.Context, key string) error {
|
2015-05-05 20:08:42 +00:00
|
|
|
defer metrics.MeasureSince([]string{"zookeeper", "delete"}, time.Now())
|
|
|
|
|
2016-10-05 12:08:00 +00:00
|
|
|
if key == "" {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2015-05-06 18:08:08 +00:00
|
|
|
// Delete the full path
|
2015-07-13 09:33:23 +00:00
|
|
|
fullPath := c.nodePath(key)
|
2015-07-13 09:05:17 +00:00
|
|
|
err := c.client.Delete(fullPath, -1)
|
2015-05-05 20:08:42 +00:00
|
|
|
|
2015-05-06 18:08:08 +00:00
|
|
|
// Mask if the node does not exist
|
2016-10-04 13:28:48 +00:00
|
|
|
if err != nil && err != zk.ErrNoNode {
|
2021-05-31 16:54:05 +00:00
|
|
|
return fmt.Errorf("failed to remove %q: %w", fullPath, err)
|
2015-05-05 20:08:42 +00:00
|
|
|
}
|
2016-10-04 13:28:48 +00:00
|
|
|
|
|
|
|
err = c.cleanupLogicalPath(key)
|
|
|
|
|
2015-05-06 18:08:08 +00:00
|
|
|
return err
|
2015-05-05 20:08:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// List is used ot list all the keys under a given
|
|
|
|
// prefix, up to the next prefix.
|
2018-01-19 06:44:44 +00:00
|
|
|
func (c *ZooKeeperBackend) List(ctx context.Context, prefix string) ([]string, error) {
|
2015-05-05 20:08:42 +00:00
|
|
|
defer metrics.MeasureSince([]string{"zookeeper", "list"}, time.Now())
|
|
|
|
|
2015-05-06 18:08:08 +00:00
|
|
|
// Query the children at the full path
|
2015-05-21 03:15:31 +00:00
|
|
|
fullPath := strings.TrimSuffix(c.path+prefix, "/")
|
2015-05-06 02:23:24 +00:00
|
|
|
result, _, err := c.client.Children(fullPath)
|
2015-05-05 20:08:42 +00:00
|
|
|
|
2015-05-06 18:08:08 +00:00
|
|
|
// If the path nodes are missing, no children!
|
2015-05-06 02:23:24 +00:00
|
|
|
if err == zk.ErrNoNode {
|
|
|
|
return []string{}, nil
|
2016-10-04 13:28:48 +00:00
|
|
|
} else if err != nil {
|
|
|
|
return []string{}, err
|
2015-05-06 02:23:24 +00:00
|
|
|
}
|
2015-05-05 20:08:42 +00:00
|
|
|
|
|
|
|
children := []string{}
|
|
|
|
for _, key := range result {
|
2016-10-04 13:28:48 +00:00
|
|
|
childPath := fullPath + "/" + key
|
|
|
|
_, stat, err := c.client.Exists(childPath)
|
|
|
|
if err != nil {
|
|
|
|
// Node is ought to exists, so it must be something different
|
|
|
|
return []string{}, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if this entry is a leaf of a node,
|
2015-05-06 18:08:08 +00:00
|
|
|
// and append the slash which is what Vault depends on
|
|
|
|
// for iteration
|
2016-10-04 13:28:48 +00:00
|
|
|
if stat.DataLength > 0 && stat.NumChildren > 0 {
|
2017-05-22 17:23:28 +00:00
|
|
|
if childPath == c.nodePath("core/lock") {
|
|
|
|
// go-zookeeper Lock() breaks Vault semantics and creates a directory
|
|
|
|
// under the lock file; just treat it like the file Vault expects
|
|
|
|
children = append(children, key[1:])
|
|
|
|
} else {
|
2018-04-05 15:49:21 +00:00
|
|
|
panic(fmt.Sprintf("node %q is both of data and leaf type", childPath))
|
2017-05-22 17:23:28 +00:00
|
|
|
}
|
2016-10-04 13:28:48 +00:00
|
|
|
} else if stat.DataLength == 0 {
|
|
|
|
// No, we cannot differentiate here on number of children as node
|
2018-03-20 18:54:10 +00:00
|
|
|
// can have all it leafs removed, and it still is a node.
|
2015-05-05 20:08:42 +00:00
|
|
|
children = append(children, key+"/")
|
2015-07-13 09:33:23 +00:00
|
|
|
} else {
|
|
|
|
children = append(children, key[1:])
|
2015-05-05 20:08:42 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
sort.Strings(children)
|
|
|
|
return children, nil
|
|
|
|
}
|
2015-05-12 04:37:08 +00:00
|
|
|
|
|
|
|
// LockWith is used for mutual exclusion based on the given key.
|
2017-08-03 17:24:27 +00:00
|
|
|
func (c *ZooKeeperBackend) LockWith(key, value string) (physical.Lock, error) {
|
|
|
|
l := &ZooKeeperHALock{
|
2018-05-17 22:52:50 +00:00
|
|
|
in: c,
|
|
|
|
key: key,
|
|
|
|
value: value,
|
|
|
|
logger: c.logger,
|
2015-05-12 04:37:08 +00:00
|
|
|
}
|
|
|
|
return l, nil
|
|
|
|
}
|
|
|
|
|
2016-07-18 17:19:58 +00:00
|
|
|
// HAEnabled indicates whether the HA functionality should be exposed.
|
|
|
|
// Currently always returns true.
|
2017-08-03 17:24:27 +00:00
|
|
|
func (c *ZooKeeperBackend) HAEnabled() bool {
|
2016-07-18 17:19:58 +00:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2017-08-03 17:24:27 +00:00
|
|
|
// ZooKeeperHALock is a ZooKeeper Lock implementation for the HABackend
|
|
|
|
type ZooKeeperHALock struct {
|
2018-05-17 22:52:50 +00:00
|
|
|
in *ZooKeeperBackend
|
|
|
|
key string
|
|
|
|
value string
|
|
|
|
logger log.Logger
|
2015-05-12 04:37:08 +00:00
|
|
|
|
2015-05-26 02:14:00 +00:00
|
|
|
held bool
|
|
|
|
localLock sync.Mutex
|
|
|
|
leaderCh chan struct{}
|
2018-05-17 22:52:50 +00:00
|
|
|
stopCh <-chan struct{}
|
2015-05-26 02:14:00 +00:00
|
|
|
zkLock *zk.Lock
|
2015-05-12 04:37:08 +00:00
|
|
|
}
|
|
|
|
|
2017-08-03 17:24:27 +00:00
|
|
|
func (i *ZooKeeperHALock) Lock(stopCh <-chan struct{}) (<-chan struct{}, error) {
|
2015-05-26 02:14:00 +00:00
|
|
|
i.localLock.Lock()
|
|
|
|
defer i.localLock.Unlock()
|
2015-05-12 04:37:08 +00:00
|
|
|
if i.held {
|
|
|
|
return nil, fmt.Errorf("lock already held")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Attempt an async acquisition
|
|
|
|
didLock := make(chan struct{})
|
|
|
|
failLock := make(chan error, 1)
|
|
|
|
releaseCh := make(chan bool, 1)
|
2015-07-13 09:33:23 +00:00
|
|
|
lockpath := i.in.nodePath(i.key)
|
2015-05-26 02:14:00 +00:00
|
|
|
go i.attemptLock(lockpath, didLock, failLock, releaseCh)
|
2015-05-12 04:37:08 +00:00
|
|
|
|
|
|
|
// Wait for lock acquisition, failure, or shutdown
|
|
|
|
select {
|
|
|
|
case <-didLock:
|
|
|
|
releaseCh <- false
|
|
|
|
case err := <-failLock:
|
|
|
|
return nil, err
|
|
|
|
case <-stopCh:
|
|
|
|
releaseCh <- true
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create the leader channel
|
|
|
|
i.held = true
|
|
|
|
i.leaderCh = make(chan struct{})
|
|
|
|
|
2015-05-21 02:54:35 +00:00
|
|
|
// Watch for Events which could result in loss of our zkLock and close(i.leaderCh)
|
2015-05-28 04:39:12 +00:00
|
|
|
currentVal, _, lockeventCh, err := i.in.client.GetW(lockpath)
|
|
|
|
if err != nil {
|
2021-05-31 16:54:05 +00:00
|
|
|
return nil, fmt.Errorf("unable to watch HA lock: %w", err)
|
2015-05-21 02:54:35 +00:00
|
|
|
}
|
|
|
|
if i.value != string(currentVal) {
|
|
|
|
return nil, fmt.Errorf("lost HA lock immediately before watch")
|
|
|
|
}
|
2015-05-28 04:39:12 +00:00
|
|
|
go i.monitorLock(lockeventCh, i.leaderCh)
|
2015-05-12 04:37:08 +00:00
|
|
|
|
2018-05-17 22:52:50 +00:00
|
|
|
i.stopCh = stopCh
|
|
|
|
|
2015-05-12 04:37:08 +00:00
|
|
|
return i.leaderCh, nil
|
|
|
|
}
|
|
|
|
|
2017-08-03 17:24:27 +00:00
|
|
|
func (i *ZooKeeperHALock) attemptLock(lockpath string, didLock chan struct{}, failLock chan error, releaseCh chan bool) {
|
2015-05-26 02:14:00 +00:00
|
|
|
// Wait to acquire the lock in ZK
|
2016-02-15 15:29:08 +00:00
|
|
|
lock := zk.NewLock(i.in.client, lockpath, i.in.acl)
|
2015-05-26 02:14:00 +00:00
|
|
|
err := lock.Lock()
|
|
|
|
if err != nil {
|
|
|
|
failLock <- err
|
|
|
|
return
|
|
|
|
}
|
|
|
|
// Set node value
|
2015-05-26 04:12:16 +00:00
|
|
|
data := []byte(i.value)
|
2015-05-28 04:39:12 +00:00
|
|
|
err = i.in.ensurePath(lockpath, data)
|
|
|
|
if err != nil {
|
|
|
|
failLock <- err
|
2015-05-26 02:14:00 +00:00
|
|
|
lock.Unlock()
|
|
|
|
return
|
|
|
|
}
|
|
|
|
i.zkLock = lock
|
|
|
|
|
|
|
|
// Signal that lock is held
|
|
|
|
close(didLock)
|
|
|
|
|
|
|
|
// Handle an early abort
|
|
|
|
release := <-releaseCh
|
|
|
|
if release {
|
|
|
|
lock.Unlock()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-08-03 17:24:27 +00:00
|
|
|
func (i *ZooKeeperHALock) monitorLock(lockeventCh <-chan zk.Event, leaderCh chan struct{}) {
|
2015-05-26 02:14:00 +00:00
|
|
|
for {
|
|
|
|
select {
|
2015-07-04 23:03:02 +00:00
|
|
|
case event := <-lockeventCh:
|
2015-05-26 02:14:00 +00:00
|
|
|
// Lost connection?
|
2015-05-28 04:39:12 +00:00
|
|
|
switch event.State {
|
|
|
|
case zk.StateConnected:
|
|
|
|
case zk.StateHasSession:
|
|
|
|
default:
|
|
|
|
close(leaderCh)
|
2015-05-26 04:12:16 +00:00
|
|
|
return
|
2015-05-26 02:14:00 +00:00
|
|
|
}
|
2015-05-28 04:39:12 +00:00
|
|
|
|
|
|
|
// Lost lock?
|
|
|
|
switch event.Type {
|
|
|
|
case zk.EventNodeChildrenChanged:
|
|
|
|
case zk.EventSession:
|
|
|
|
default:
|
|
|
|
close(leaderCh)
|
2015-05-26 04:12:16 +00:00
|
|
|
return
|
2015-05-26 02:14:00 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-05-17 22:52:50 +00:00
|
|
|
func (i *ZooKeeperHALock) unlockInternal() error {
|
2015-05-26 02:14:00 +00:00
|
|
|
i.localLock.Lock()
|
|
|
|
defer i.localLock.Unlock()
|
2015-05-12 04:37:08 +00:00
|
|
|
if !i.held {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-05-17 22:52:50 +00:00
|
|
|
err := i.zkLock.Unlock()
|
|
|
|
|
|
|
|
if err == nil {
|
|
|
|
i.held = false
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
func (i *ZooKeeperHALock) Unlock() error {
|
|
|
|
var err error
|
|
|
|
|
|
|
|
if err = i.unlockInternal(); err != nil {
|
2018-10-09 16:43:17 +00:00
|
|
|
i.logger.Error("failed to release distributed lock", "error", err)
|
2018-05-17 22:52:50 +00:00
|
|
|
|
|
|
|
go func(i *ZooKeeperHALock) {
|
|
|
|
attempts := 0
|
2018-10-09 16:43:17 +00:00
|
|
|
i.logger.Info("launching automated distributed lock release")
|
2018-05-17 22:52:50 +00:00
|
|
|
|
|
|
|
for {
|
|
|
|
if err := i.unlockInternal(); err == nil {
|
2018-10-09 16:43:17 +00:00
|
|
|
i.logger.Info("distributed lock released")
|
2018-05-17 22:52:50 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-02-06 16:49:01 +00:00
|
|
|
timer := time.NewTimer(time.Second)
|
2018-05-17 22:52:50 +00:00
|
|
|
select {
|
2023-02-06 16:49:01 +00:00
|
|
|
case <-timer.C:
|
2018-05-17 22:52:50 +00:00
|
|
|
attempts := attempts + 1
|
|
|
|
if attempts >= 10 {
|
2018-10-09 16:43:17 +00:00
|
|
|
i.logger.Error("release lock max attempts reached. Lock may not be released", "error", err)
|
2018-05-17 22:52:50 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
continue
|
|
|
|
case <-i.stopCh:
|
2023-02-06 16:49:01 +00:00
|
|
|
timer.Stop()
|
2018-05-17 22:52:50 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}(i)
|
|
|
|
}
|
|
|
|
|
|
|
|
return err
|
2015-05-12 04:37:08 +00:00
|
|
|
}
|
|
|
|
|
2017-08-03 17:24:27 +00:00
|
|
|
func (i *ZooKeeperHALock) Value() (bool, string, error) {
|
2015-07-13 09:33:23 +00:00
|
|
|
lockpath := i.in.nodePath(i.key)
|
2015-05-12 04:37:08 +00:00
|
|
|
value, _, err := i.in.client.Get(lockpath)
|
2015-05-26 02:14:00 +00:00
|
|
|
return (value != nil), string(value), err
|
2015-05-12 04:37:08 +00:00
|
|
|
}
|