github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17547 Commits
1703 Branches
457 Tags
697 MiB
Branch: CSLC-91-egress-connect-proxy
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'CSLC-91-egress-connect-proxy'
${ noResults }
consul/agent/token/store.go

296 lines
8.3 KiB
Raw Permalink Normal View History Unescape

Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
package token
import (
"sync"
acl: use constant time comparing to check token (#6943)
5 years ago
"crypto/subtle"
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
)
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
6 years ago
type TokenSource bool
const (
TokenSourceConfig TokenSource = false
TokenSourceAPI TokenSource = true
)
Add ability for notifications when one of the agent tokens is updated (#8301) Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
4 years ago
type TokenKind int
const (
TokenKindAgent TokenKind = iota
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
TokenKindAgentRecovery
Add ability for notifications when one of the agent tokens is updated (#8301) Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
4 years ago
TokenKindUser
TokenKindReplication
)
type watcher struct {
kind TokenKind
ch chan<- struct{}
}
// Notifier holds the channel used to notify a watcher
// of token updates as well as some internal tracking
// information to allow for deregistering the notifier.
type Notifier struct {
id int
Ch <-chan struct{}
}
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
// Store is used to hold the special ACL tokens used by Consul agents. It is
// designed to update the tokens on the fly, so the token store itself should be
// plumbed around and used to get tokens at runtime, don't save the resulting
// tokens.
type Store struct {
// l synchronizes access to the token store.
l sync.RWMutex
// userToken is passed along for requests when the user didn't supply a
// token, and may be left blank to use the anonymous token. This will
// also be used for agent operations if the agent token isn't set.
userToken string
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
6 years ago
// userTokenSource indicates where this token originated from
userTokenSource TokenSource
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
// agentToken is used for internal agent operations like self-registering
// with the catalog and anti-entropy, but should never be used for
// user-initiated operations.
agentToken string
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
6 years ago
// agentTokenSource indicates where this token originated from
agentTokenSource TokenSource
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
// agentRecoveryToken is a special token that's only used locally for
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
// access to the /v1/agent utility operations if the servers aren't
// available.
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
agentRecoveryToken string
Adds secure introduction for the ACL replication token. (#3357) Adds secure introduction for the ACL replication token, as well as a separate enable config for ACL replication.
7 years ago
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
// agentRecoveryTokenSource indicates where this token originated from
agentRecoveryTokenSource TokenSource
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
6 years ago
// replicationToken is a special token that's used by servers to
// replicate data from the primary datacenter.
replicationToken string
re-add Connect multi-dc config changes This reverts commit 8bcfbaffb6588b024cd1a3cf0952e6bfa7d9e900.
6 years ago
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
6 years ago
// replicationTokenSource indicates where this token originated from
replicationTokenSource TokenSource
Add managed service provider token (#7218) Stubs for enterprise-only ACL token to be used by managed service providers.
5 years ago
Add ability for notifications when one of the agent tokens is updated (#8301) Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
4 years ago
watchers map[int]watcher
watcherIndex int
agent/token: Move token persistence out of agent And into token.Store. This change isolates any awareness of token persistence in a single place. It is a small step in allowing Agent.New to accept its dependencies.
4 years ago
persistence *fileStore
// persistenceLock is used to synchronize access to the persisted token store
// within the data directory. This will prevent loading while writing as well as
// multiple concurrent writes.
persistenceLock sync.RWMutex
Add managed service provider token (#7218) Stubs for enterprise-only ACL token to be used by managed service providers.
5 years ago
// enterpriseTokens contains tokens only used in consul-enterprise
enterpriseTokens
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
}
Add ability for notifications when one of the agent tokens is updated (#8301) Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
4 years ago
// Notify will set up a watch for when tokens of the desired kind is changed
func (t *Store) Notify(kind TokenKind) Notifier {
// buffering ensures that notifications aren't missed if the watcher
// isn't already in a select and that our notifications don't
// block returning from the Update* methods.
ch := make(chan struct{}, 1)
w := watcher{
kind: kind,
ch: ch,
}
t.l.Lock()
defer t.l.Unlock()
if t.watchers == nil {
t.watchers = make(map[int]watcher)
}
// we specifically want to avoid the zero-value to prevent accidental stop-notification requests
t.watcherIndex += 1
t.watchers[t.watcherIndex] = w
return Notifier{id: t.watcherIndex, Ch: ch}
}
// StopNotify stops the token store from sending notifications to the specified notifiers chan
func (t *Store) StopNotify(n Notifier) {
t.l.Lock()
defer t.l.Unlock()
delete(t.watchers, n.id)
}
// anyKindAllowed returns true if any of the kinds in the `check` list are
// set to be allowed in the `allowed` map.
//
// Note: this is mostly just a convenience to simplify the code in
// sendNotificationLocked and prevent more nested looping with breaks/continues
// and other state tracking.
func anyKindAllowed(allowed TokenKind, check []TokenKind) bool {
for _, kind := range check {
if allowed == kind {
return true
}
}
return false
}
// sendNotificationLocked will iterate through all watchers and notify them that a
// token they are watching has been updated.
//
// NOTE: this function explicitly does not attempt to send the kind or new token value
// along through the channel. With that approach watchers could potentially miss updates
// if the buffered chan fills up. Instead with this approach we just notify that any
// token they care about has been udpated and its up to the caller to retrieve the
// new value (after receiving from the chan). With this approach its entirely possible
// for the watcher to be notified twice before actually retrieving the token after the first
// read from the chan. This is better behavior than missing events. It can cause some
// churn temporarily but in common cases its not expected that these tokens would be updated
// frequently enough to cause this to happen.
func (t *Store) sendNotificationLocked(kinds ...TokenKind) {
for _, watcher := range t.watchers {
if !anyKindAllowed(watcher.kind, kinds) {
// ignore this watcher as it doesn't want events for these kinds of token
continue
}
select {
case watcher.ch <- struct{}{}:
default:
// its already pending a notification
}
}
}
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
// UpdateUserToken replaces the current user token in the store.
agent: updates to the agent token trigger anti-entropy full syncs (#6577)
5 years ago
// Returns true if it was changed.
func (t *Store) UpdateUserToken(token string, source TokenSource) bool {
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
t.l.Lock()
agent/token: Move token persistence out of agent And into token.Store. This change isolates any awareness of token persistence in a single place. It is a small step in allowing Agent.New to accept its dependencies.
4 years ago
changed := t.userToken != token || t.userTokenSource != source
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
t.userToken = token
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
6 years ago
t.userTokenSource = source
Add ability for notifications when one of the agent tokens is updated (#8301) Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
4 years ago
if changed {
t.sendNotificationLocked(TokenKindUser)
}
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
t.l.Unlock()
agent: updates to the agent token trigger anti-entropy full syncs (#6577)
5 years ago
return changed
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
}
// UpdateAgentToken replaces the current agent token in the store.
agent: updates to the agent token trigger anti-entropy full syncs (#6577)
5 years ago
// Returns true if it was changed.
func (t *Store) UpdateAgentToken(token string, source TokenSource) bool {
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
t.l.Lock()
agent/token: Move token persistence out of agent And into token.Store. This change isolates any awareness of token persistence in a single place. It is a small step in allowing Agent.New to accept its dependencies.
4 years ago
changed := t.agentToken != token || t.agentTokenSource != source
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
t.agentToken = token
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
6 years ago
t.agentTokenSource = source
Add ability for notifications when one of the agent tokens is updated (#8301) Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
4 years ago
if changed {
t.sendNotificationLocked(TokenKindAgent)
}
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
t.l.Unlock()
agent: updates to the agent token trigger anti-entropy full syncs (#6577)
5 years ago
return changed
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
}
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
// UpdateAgentRecoveryToken replaces the current agent recovery token in the store.
agent: updates to the agent token trigger anti-entropy full syncs (#6577)
5 years ago
// Returns true if it was changed.
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
func (t *Store) UpdateAgentRecoveryToken(token string, source TokenSource) bool {
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
t.l.Lock()
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
changed := t.agentRecoveryToken != token || t.agentRecoveryTokenSource != source
t.agentRecoveryToken = token
t.agentRecoveryTokenSource = source
Add ability for notifications when one of the agent tokens is updated (#8301) Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
4 years ago
if changed {
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
t.sendNotificationLocked(TokenKindAgentRecovery)
Add ability for notifications when one of the agent tokens is updated (#8301) Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
4 years ago
}
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
t.l.Unlock()
agent: updates to the agent token trigger anti-entropy full syncs (#6577)
5 years ago
return changed
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
}
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
6 years ago
// UpdateReplicationToken replaces the current replication token in the store.
agent: updates to the agent token trigger anti-entropy full syncs (#6577)
5 years ago
// Returns true if it was changed.
func (t *Store) UpdateReplicationToken(token string, source TokenSource) bool {
re-add Connect multi-dc config changes This reverts commit 8bcfbaffb6588b024cd1a3cf0952e6bfa7d9e900.
6 years ago
t.l.Lock()
agent/token: Move token persistence out of agent And into token.Store. This change isolates any awareness of token persistence in a single place. It is a small step in allowing Agent.New to accept its dependencies.
4 years ago
changed := t.replicationToken != token || t.replicationTokenSource != source
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
6 years ago
t.replicationToken = token
t.replicationTokenSource = source
Add ability for notifications when one of the agent tokens is updated (#8301) Co-authored-by: Chris Piraino <cpiraino@hashicorp.com>
4 years ago
if changed {
t.sendNotificationLocked(TokenKindReplication)
}
re-add Connect multi-dc config changes This reverts commit 8bcfbaffb6588b024cd1a3cf0952e6bfa7d9e900.
6 years ago
t.l.Unlock()
agent: updates to the agent token trigger anti-entropy full syncs (#6577)
5 years ago
return changed
re-add Connect multi-dc config changes This reverts commit 8bcfbaffb6588b024cd1a3cf0952e6bfa7d9e900.
6 years ago
}
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
// UserToken returns the best token to use for user operations.
func (t *Store) UserToken() string {
t.l.RLock()
defer t.l.RUnlock()
return t.userToken
}
// AgentToken returns the best token to use for internal agent operations.
func (t *Store) AgentToken() string {
t.l.RLock()
defer t.l.RUnlock()
Updates to allow for using an enterprise specific token as the agents token This is needed to allow for managed Consul instances to register themselves in the catalog with one of the managed service provider tokens.
5 years ago
if tok := t.enterpriseAgentToken(); tok != "" {
return tok
}
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
if t.agentToken != "" {
return t.agentToken
}
return t.userToken
}
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
func (t *Store) AgentRecoveryToken() string {
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
6 years ago
t.l.RLock()
defer t.l.RUnlock()
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
return t.agentRecoveryToken
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
6 years ago
}
// ReplicationToken returns the replication token.
func (t *Store) ReplicationToken() string {
t.l.RLock()
defer t.l.RUnlock()
return t.replicationToken
}
// UserToken returns the best token to use for user operations.
func (t *Store) UserTokenAndSource() (string, TokenSource) {
t.l.RLock()
defer t.l.RUnlock()
return t.userToken, t.userTokenSource
}
// AgentToken returns the best token to use for internal agent operations.
func (t *Store) AgentTokenAndSource() (string, TokenSource) {
t.l.RLock()
defer t.l.RUnlock()
return t.agentToken, t.agentTokenSource
}
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
func (t *Store) AgentRecoveryTokenAndSource() (string, TokenSource) {
Adds secure introduction for the ACL replication token. (#3357) Adds secure introduction for the ACL replication token, as well as a separate enable config for ACL replication.
7 years ago
t.l.RLock()
defer t.l.RUnlock()
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
return t.agentRecoveryToken, t.agentRecoveryTokenSource
Adds secure introduction for the ACL replication token. (#3357) Adds secure introduction for the ACL replication token, as well as a separate enable config for ACL replication.
7 years ago
}
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
6 years ago
// ReplicationToken returns the replication token.
func (t *Store) ReplicationTokenAndSource() (string, TokenSource) {
re-add Connect multi-dc config changes This reverts commit 8bcfbaffb6588b024cd1a3cf0952e6bfa7d9e900.
6 years ago
t.l.RLock()
defer t.l.RUnlock()
ACL Token Persistence and Reloading (#5328) This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
6 years ago
return t.replicationToken, t.replicationTokenSource
re-add Connect multi-dc config changes This reverts commit 8bcfbaffb6588b024cd1a3cf0952e6bfa7d9e900.
6 years ago
}
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
// IsAgentRecoveryToken checks to see if a given token is the agent recovery token.
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
// This will never match an empty token for safety.
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
func (t *Store) IsAgentRecoveryToken(token string) bool {
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
t.l.RLock()
defer t.l.RUnlock()
agent/token: rename `agent_master` to `agent_recovery` (internally) (#11744)
3 years ago
return (token != "") && (subtle.ConstantTimeCompare([]byte(token), []byte(t.agentRecoveryToken)) == 1)
Adds support for agent-side ACL token management via API instead of config files. (#3324) * Adds token store and removes all runtime use of config for ACL tokens. * Adds a new API for changing agent tokens on the fly.
7 years ago
}