Added curl support for ACLs, pinning ACL predicates to group 1 etc (#…

…2951)
dgraph-io · Feb 13, 2019 · c8281f1 · c8281f1
1 parent 3db2c82
commit c8281f1
Show file tree

Hide file tree

Showing 22 changed files with 1,149 additions and 270 deletions.
diff --git a/dgraph/cmd/alpha/http.go b/dgraph/cmd/alpha/http.go
@@ -156,7 +156,7 @@ func queryHandler(w http.ResponseWriter, r *http.Request) {
 
 	d := r.URL.Query().Get("debug")
 	ctx := context.WithValue(context.Background(), query.DebugKey, d)
-
+	ctx = attachAccessJwt(ctx, r)
 	// If ro is set, run this as a readonly query.
 	if ro := r.URL.Query().Get("ro"); len(ro) > 0 && req.StartTs == 0 {
 		if ro == "true" || ro == "1" {
@@ -252,6 +252,7 @@ func mutationHandler(w http.ResponseWriter, r *http.Request) {
 		}
 		mu.CommitNow = c
 	}
+	ctx := attachAccessJwt(context.Background(), r)
 
 	ts, err := extractStartTs(r.URL.Path)
 	if err != nil {
@@ -260,7 +261,7 @@ func mutationHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	mu.StartTs = ts
 
-	resp, err := (&edgraph.Server{}).Mutate(context.Background(), mu)
+	resp, err := (&edgraph.Server{}).Mutate(ctx, mu)
 	if err != nil {
 		x.SetStatusWithData(w, x.ErrorInvalidRequest, err.Error())
 		return
@@ -400,6 +401,19 @@ func abortHandler(w http.ResponseWriter, r *http.Request) {
 	writeResponse(w, r, js)
 }
 
+func attachAccessJwt(ctx context.Context, r *http.Request) context.Context {
+	if accessJwt := r.Header.Get("X-Dgraph-AccessJWT"); accessJwt != "" {
+		md, ok := metadata.FromIncomingContext(ctx)
+		if !ok {
+			md = metadata.New(nil)
+		}
+
+		md.Append("accessJwt", accessJwt)
+		ctx = metadata.NewIncomingContext(ctx, md)
+	}
+	return ctx
+}
+
 func alterHandler(w http.ResponseWriter, r *http.Request) {
 	if commonHandler(w, r) {
 		return
@@ -427,6 +441,7 @@ func alterHandler(w http.ResponseWriter, r *http.Request) {
 	// Pass in an auth token, if present.
 	md.Append("auth-token", r.Header.Get("X-Dgraph-AuthToken"))
 	ctx := metadata.NewIncomingContext(context.Background(), md)
+	ctx = attachAccessJwt(ctx, r)
 	if _, err = (&edgraph.Server{}).Alter(ctx, op); err != nil {
 		x.SetStatus(w, x.Error, err.Error())
 		return

diff --git a/dgraph/cmd/alpha/login_ee.go b/dgraph/cmd/alpha/login_ee.go
@@ -0,0 +1,76 @@
+// +build !oss
+
+/*
+ * Copyright 2018 Dgraph Labs, Inc. and Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package alpha
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+
+	"github.com/dgraph-io/dgo/protos/api"
+	"github.com/dgraph-io/dgraph/edgraph"
+	"github.com/dgraph-io/dgraph/x"
+	"github.com/golang/glog"
+)
+
+func loginHandler(w http.ResponseWriter, r *http.Request) {
+	if commonHandler(w, r) {
+		return
+	}
+
+	user := r.Header.Get("X-Dgraph-User")
+	password := r.Header.Get("X-Dgraph-Password")
+	refreshJwt := r.Header.Get("X-Dgraph-RefreshJWT")
+	ctx := context.Background()
+	resp, err := (&edgraph.Server{}).Login(ctx, &api.LoginRequest{
+		Userid:       user,
+		Password:     password,
+		RefreshToken: refreshJwt,
+	})
+
+	if err != nil {
+		x.SetStatusWithData(w, x.ErrorInvalidRequest, err.Error())
+		return
+	}
+
+	jwt := &api.Jwt{}
+	if err := jwt.Unmarshal(resp.Json); err != nil {
+		x.SetStatusWithData(w, x.Error, err.Error())
+	}
+
+	response := map[string]interface{}{}
+	mp := make(map[string]string)
+	mp["accessJWT"] = jwt.AccessJwt
+	mp["refreshJWT"] = jwt.RefreshJwt
+	response["data"] = mp
+
+	js, err := json.Marshal(response)
+	if err != nil {
+		x.SetStatusWithData(w, x.Error, err.Error())
+		return
+	}
+
+	if _, err := writeResponse(w, r, js); err != nil {
+		glog.Errorf("Error while writing response: %v", err)
+	}
+}
+
+func init() {
+	http.HandleFunc("/login", loginHandler)
+}
diff --git a/dgraph/cmd/alpha/run.go b/dgraph/cmd/alpha/run.go
@@ -89,6 +89,8 @@ they form a Raft group and provide synchronous replication.
 	// with the flag name so that the values are picked up by Cobra/Viper's various config inputs
 	// (e.g, config file, env vars, cli flags, etc.)
 	flag := Alpha.Cmd.Flags()
+	flag.Bool("enterprise_features", false, "Enable Dgraph enterprise features. "+
+		"If you set this to true, you agree to the Dgraph Community License.")
 	flag.StringP("postings", "p", "p", "Directory to store posting lists.")
 
 	// Options around how to set up Badger.
@@ -128,8 +130,9 @@ they form a Raft group and provide synchronous replication.
 			" The token can be passed as follows: For HTTP requests, in X-Dgraph-AuthToken header."+
 			" For Grpc, in auth-token key in the context.")
 
-	flag.String("hmac_secret_file", "", "The file storing the HMAC secret"+
-		" that is used for signing the JWT. Enterprise feature.")
+	flag.String("acl_secret_file", "", "The file that stores the HMAC secret, "+
+		"which is used for signing the JWT and should have at least 32 ASCII characters. "+
+		"Enterprise feature.")
 	flag.Duration("acl_access_ttl", 6*time.Hour, "The TTL for the access jwt. "+
 		"Enterprise feature.")
 	flag.Duration("acl_refresh_ttl", 30*24*time.Hour, "The TTL for the refresh jwt. "+
@@ -440,21 +443,19 @@ func run() {
 		AllottedMemory: Alpha.Conf.GetFloat64("lru_mb"),
 	}
 
-	secretFile := Alpha.Conf.GetString("hmac_secret_file")
+	secretFile := Alpha.Conf.GetString("acl_secret_file")
 	if secretFile != "" {
 		if !Alpha.Conf.GetBool("enterprise_features") {
-			glog.Errorf("You must enable Dgraph enterprise features with the " +
+			glog.Fatalf("You must enable Dgraph enterprise features with the " +
 				"--enterprise_features option in order to use ACL.")
-			os.Exit(1)
 		}
 
 		hmacSecret, err := ioutil.ReadFile(secretFile)
 		if err != nil {
 			glog.Fatalf("Unable to read HMAC secret from file: %v", secretFile)
 		}
 		if len(hmacSecret) < 32 {
-			glog.Errorf("The HMAC secret file should contain at least 256 bits (32 ascii chars)")
-			os.Exit(1)
+			glog.Fatalf("The HMAC secret file should contain at least 256 bits (32 ascii chars)")
 		}
 
 		opts.HmacSecret = hmacSecret

diff --git a/dgraph/cmd/alpha/run_test.go b/dgraph/cmd/alpha/run_test.go
@@ -141,7 +141,14 @@ func alterSchema(s string) error {
 	if err != nil {
 		return err
 	}
-	_, _, err = runRequest(req)
+	for {
+		// keep retrying until we succeed or receive a non-retriable error
+		_, _, err = runRequest(req)
+		if err == nil || !strings.Contains(err.Error(), "Please retry operation") {
+			break
+		}
+	}
+
 	return err
 }
 

diff --git a/dgraph/cmd/root.go b/dgraph/cmd/root.go
@@ -85,8 +85,6 @@ func initCmds() {
 		"Use 0.0.0.0 instead of localhost to bind to all addresses on local machine.")
 	RootCmd.PersistentFlags().Bool("expose_trace", false,
 		"Allow trace endpoint to be accessible from remote")
-	RootCmd.PersistentFlags().Bool("enterprise_features", false,
-		"Enable Dgraph enterprise features. If you set this to true, you agree to the Dgraph Community License.")
 	rootConf.BindPFlags(RootCmd.PersistentFlags())
 
 	flag.CommandLine.AddGoFlagSet(goflag.CommandLine)

diff --git a/dgraph/cmd/zero/zero.go b/dgraph/cmd/zero/zero.go
@@ -551,6 +551,12 @@ func (s *Server) ShouldServe(
 	var proposal pb.ZeroProposal
 	// Multiple Groups might be assigned to same tablet, so during proposal we will check again.
 	tablet.Force = false
+	if x.IsAclPredicate(tablet.Predicate) {
+		// force all the acl predicates to be allocated to group 1
+		// this is to make it eaiser to stream ACL updates to all alpha servers
+		// since they only need to open one pipeline to receive updates for all ACL predicates
+		tablet.GroupId = 1
+	}
 	proposal.Tablet = tablet
 	if err := s.Node.proposeAndWait(ctx, &proposal); err != nil && err != errTabletAlreadyServed {
 		span.Annotatef(nil, "While proposing tablet: %v", err)

diff --git a/dgraph/docker-compose.yml b/dgraph/docker-compose.yml
@@ -19,7 +19,7 @@ services:
         source: $GOPATH/bin
         target: /gobin
         read_only: true
-    command: /gobin/dgraph zero -o 0 --my=zero1:5080 --replicas 3 --idx 1 --logtostderr -v=2 --enterprise_features --bindall --expose_trace --profile_mode block --block_rate 10
+    command: /gobin/dgraph zero -o 0 --my=zero1:5080 --replicas 3 --idx 1 --logtostderr -v=2 --bindall --expose_trace --profile_mode block --block_rate 10
 
   zero2:
     image: dgraph/dgraph:latest
@@ -38,7 +38,7 @@ services:
         source: $GOPATH/bin
         target: /gobin
         read_only: true
-    command: /gobin/dgraph zero -o 2 --my=zero2:5082 --replicas 3 --idx 2 --logtostderr -v=2 --enterprise_features --peer=zero1:5080
+    command: /gobin/dgraph zero -o 2 --my=zero2:5082 --replicas 3 --idx 2 --logtostderr -v=2 --peer=zero1:5080
 
   zero3:
     image: dgraph/dgraph:latest
@@ -57,7 +57,7 @@ services:
         source: $GOPATH/bin
         target: /gobin
         read_only: true
-    command: /gobin/dgraph zero -o 3 --my=zero3:5083 --replicas 3 --idx 3 --logtostderr -v=2 --enterprise_features --peer=zero1:5080
+    command: /gobin/dgraph zero -o 3 --my=zero3:5083 --replicas 3 --idx 3 --logtostderr -v=2 --peer=zero1:5080
 
   dg1:
     image: dgraph/dgraph:latest
@@ -74,7 +74,7 @@ services:
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=dg1:7180 --lru_mb=1024 --zero=zero1:5080 -o 100 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --enterprise_features --whitelist 10.0.0.0:10.255.255.255,172.16.0.0:172.31.255.255,192.168.0.0:192.168.255.255
+    command: /gobin/dgraph alpha --my=dg1:7180 --lru_mb=1024 --zero=zero1:5080 -o 100 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0:10.255.255.255,172.16.0.0:172.31.255.255,192.168.0.0:192.168.255.255
 
   dg2:
     image: dgraph/dgraph:latest
@@ -93,7 +93,7 @@ services:
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=dg2:7182 --lru_mb=1024 --zero=zero1:5080 -o 102 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --enterprise_features --whitelist 10.0.0.0:10.255.255.255,172.16.0.0:172.31.255.255,192.168.0.0:192.168.255.255
+    command: /gobin/dgraph alpha --my=dg2:7182 --lru_mb=1024 --zero=zero1:5080 -o 102 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0:10.255.255.255,172.16.0.0:172.31.255.255,192.168.0.0:192.168.255.255
 
   dg3:
     image: dgraph/dgraph:latest
@@ -112,4 +112,4 @@ services:
     labels:
       cluster: test
       service: alpha
-    command: /gobin/dgraph alpha --my=dg3:7183 --lru_mb=1024 --zero=zero1:5080 -o 103 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --enterprise_features --whitelist 10.0.0.0:10.255.255.255,172.16.0.0:172.31.255.255,192.168.0.0:192.168.255.255
+    command: /gobin/dgraph alpha --my=dg3:7183 --lru_mb=1024 --zero=zero1:5080 -o 103 --expose_trace --trace 1.0 --profile_mode block --block_rate 10 --logtostderr -v=2 --whitelist 10.0.0.0:10.255.255.255,172.16.0.0:172.31.255.255,192.168.0.0:192.168.255.255