Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

acl: tokens can be created with an optional expiration time #5353

Merged
merged 3 commits into from Apr 8, 2019
Merged

acl: tokens can be created with an optional expiration time #5353

merged 3 commits into from Apr 8, 2019

Conversation

rboyer
Copy link
Member

@rboyer rboyer commented Feb 15, 2019
edited

Note: this is merging into a long lived feature branch, not master. Future PRs in this series may adjust the contents here slightly as needed. These are separated out for digestibility.

I'm mostly looking for early feedback on portions of the overall changeset. The final product that merges into master may end up with small adjustments in further PRs as issues arise.

There are a pair of new memdb indexes used to to keep track of upcoming tokens to expire (one for local tokens and one for global tokens). I would have preferred a single composite index of (local, expirationTime) but I could not figure out how to find the min/max elements of a composite index when presented with an exact match for one portion of the composite index.

  • expiration time takes immediate effect and lazily deleted
  • figure out if any of the magic numbers should move to config
  • api updates
  • cli updates
  • write tests
  • website updates
  • UI updates

@rboyer rboyer requested a review from a team February 15, 2019 16:17
rboyer
rboyer commented Feb 15, 2019
View reviewed changes
agent/consul/server.go Outdated Show resolved Hide resolved
rboyer
rboyer commented Feb 15, 2019
View reviewed changes
agent/consul/acl_endpoint_test.go
for _, v := range resp.Tokens {
retrievedTokens = append(retrievedTokens, v.AccessorID)
}
require.Subset(t, retrievedTokens, tokens)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed use of require.Subset in this whole file because it has the potential (as I encountered legitimately) to mask bugs in returning data the function should not.

mkeeler
mkeeler reviewed Feb 15, 2019
View reviewed changes
agent/acl_endpoint.go Outdated Show resolved Hide resolved
agent/consul/leader.go Outdated Show resolved Hide resolved
agent/consul/acl_endpoint.go Outdated Show resolved Hide resolved
agent/consul/acl_endpoint_test.go Outdated Show resolved Hide resolved
agent/consul/acl_replication.go Show resolved Hide resolved
agent/consul/acl_token_exp.go Show resolved Hide resolved
agent/structs/acl.go Outdated Show resolved Hide resolved
agent/structs/acl.go Outdated Show resolved Hide resolved
agent/structs/acl.go Outdated Show resolved Hide resolved
api/acl.go Outdated Show resolved Hide resolved
@rboyer
Copy link
Member Author

rboyer commented Feb 19, 2019

@mkeeler I think I've addressed the points you raised.

@rboyer rboyer added the theme/acls ACL and token generation label Feb 21, 2019
@rboyer rboyer mentioned this pull request Feb 21, 2019
Closed
banks
banks reviewed Feb 25, 2019
View reviewed changes
Copy link
Member

@banks banks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is looking good to me.

I think we should think about the possible downsides of a fake time test abstraction where they've been intentionally avoided in our projects until now.

agent/consul/acl_endpoint.go Outdated Show resolved Hide resolved
agent/consul/acl_endpoint_test.go Outdated Show resolved Hide resolved
agent/consul/acl_server.go Show resolved Hide resolved
agent/consul/state/acl.go Show resolved Hide resolved
@rboyer rboyer mentioned this pull request Feb 26, 2019
Merged
3 tasks
@rboyer rboyer force-pushed the f-token-expiration branch 2 times, most recently from 4079224 to 8e9b063 Compare March 1, 2019 20:51
@rboyer rboyer requested review from banks and mkeeler March 4, 2019 16:25
@banks
Copy link
Member

banks commented Mar 6, 2019

Not sure where this is at but I think it's looking good to me from a not-in-depth view. The TODO items remaining seem important do you intend to do those in this PR or a later one?

Would be good to have Matt look closer at the subtleties in the ACL stuff - I can't say I'm confident there are no bugs I've missed there from higher level skimming!

but I could not figure out how to find the min/max elements of a composite index when presented with an exact match for one portion of the composite index.

Yeah MemDB (and iradix) is pretty limited - I found this recently we can't do "lower bound" queries in general and so no range scans semantics unless you happen to know the exact value of the first key you care about or want to scan from the start of the index (luckily you do want that in case of next token to expire). One day maybe I'll change that if I ever finish my rewrite of iradix/memdb 😄 .

@rboyer
Copy link
Member Author

rboyer commented Mar 6, 2019

The TODO items remaining seem important do you intend to do those in this PR or a later one?

If you're referring to the checkboxes at the top, I was considering having a long-lived draft PR of f-acl-ux -> master where I was going to collect all of the stuff like that as I generate it. Then when things settle down on this long lived feature branch there's a record of the overall todos related to documentation etc.

Mostly with these incremental feature branches I'm looking for correctness/performance issues and figure that the final cleanup for the whole overall ACL UX feature set can be handled before it goes into master.

@rboyer
Copy link
Member Author

rboyer commented Mar 18, 2019

I believe I've addressed the outstanding commentary.

mkeeler
mkeeler approved these changes Apr 1, 2019
View reviewed changes
Copy link
Member

@mkeeler mkeeler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for the updates.

@rboyer rboyer added this to the 1.5.0 milestone Apr 8, 2019
@rboyer rboyer merged this pull request into f-acl-ux Apr 8, 2019
@rboyer rboyer mentioned this pull request Apr 8, 2019
Merged
rboyer added a commit that referenced this pull request Apr 8, 2019
@rboyer
acl: tokens can be created with an optional expiration time (#5353)
ddee47c
@rboyer rboyer deleted the f-token-expiration branch April 8, 2019 18:19
rboyer added a commit that referenced this pull request Apr 24, 2019
@rboyer
acl: tokens can be created with an optional expiration time (#5353)
a848026
rboyer added a commit that referenced this pull request Apr 26, 2019
@rboyer
acl: tokens can be created with an optional expiration time (#5353)
2144bd7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@banks banks banks left review comments

@mkeeler mkeeler mkeeler approved these changes

Assignees
No one assigned
Labels
theme/acls ACL and token generation
Projects
None yet
Milestone
1.5.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@rboyer @banks @mkeeler