New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for Consul 1.4.0+ ACL system #474
Conversation
@@ -199,6 +199,45 @@ consul to restart. | |||
|
|||
## ACL Definitions | |||
|
|||
### Policy/Token system | |||
|
|||
Starting with version 1.4.0, a new ACL system was introduces separating rules (policies) from tokens. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yey doc updates \o/
@@ -0,0 +1,190 @@ | |||
require 'json' | |||
require 'net/http' | |||
require 'pp' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is pp
actually required or just a leftover from debugging?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right, dependency has been removed.
manifests/init.pp
Outdated
@@ -158,6 +179,13 @@ | |||
# | |||
class consul ( | |||
Hash $acls = $consul::params::acls, | |||
Hash $tokens = $consul::params::tokens, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you enforce the datatypes even more? For hashes, you can define the datatypes for the keys and the values. For example:
Hash $tokens = $consul::params::tokens, | |
Hash[String[1],String[1]] $tokens = $consul::params::tokens, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea. I tried to add some stricter types in the newest version.
manifests/init.pp
Outdated
@@ -158,6 +179,13 @@ | |||
# | |||
class consul ( | |||
Hash $acls = $consul::params::acls, | |||
Hash $tokens = $consul::params::tokens, | |||
Hash $policies = $consul::params::policies, | |||
String $acl_api_hostname = $consul::params::acl_api_hostname, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can enforce the minimal string length like this:
String $acl_api_hostname = $consul::params::acl_api_hostname, | |
String[1] $acl_api_hostname = $consul::params::acl_api_hostname, |
Please also look through https://github.com/puppetlabs/puppetlabs-stdlib/tree/master/types, you might find mor strict datatypes that you could use.
manifests/init.pp
Outdated
Hash $policies = $consul::params::policies, | ||
String $acl_api_hostname = $consul::params::acl_api_hostname, | ||
String $acl_api_protocol = $consul::params::acl_api_protocol, | ||
Integer $acl_api_port = $consul::params::acl_api_port, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably this type can be used https://github.com/puppetlabs/puppetlabs-stdlib/blob/master/types/port.pp ?
Integer $acl_api_port = $consul::params::acl_api_port, | |
Stdlib::Port $acl_api_port = $consul::params::acl_api_port, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea from my point of view.
As far as I know this type was added in version 4.25 of stdlib. Is it ok to adjust the current dependencies accordingly?
Hey @SkydiveMarius, thanks for the awesome PR! I made some small inline comments. Can you take a look at the current acceptance tests (https://github.com/solarkennedy/puppet-consul/blob/master/spec/acceptance/class_spec.rb) and extend them with tests for the new types/provider? |
@SkydiveMarius thanks for the updates! Can you take a look at the failed travis job? |
…ing CentOS6 Travis jobs
Branch has been rebased, but some Travis builds are randomly failing with Timeout errors (ACL API requests). So far I was not able to reproduce this behavior locally. In case of failure the content of /var/log/consul would probably help. Does rspec offer possibilities to display this information in case of an error? |
PR has been adjusted for the recent Consul 1.5.0 update. |
manifests/init.pp
Outdated
Boolean $enable_beta_ui = false, | ||
Boolean $allow_binding_to_root_ports = false, | ||
Hash $acls = {}, | ||
Hash[String[1], Struct[{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you please put those types into a custom datatype? That would make the file more readable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea. Replaced by type aliases.
Hi @SkydiveMarius, thanks for the awesome work! @solarkennedy can you please take a look and merge it? In my opinion this is fine. |
looking... |
if @resource[:ensure] == :absent | ||
if @existing_policy | ||
@client.delete_policy(@existing_policy.id) | ||
Puppet.notice(" Deleted Consul ACL policy #{@existing_policy.name} (ID: #{@existing_policy.id})") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: There is a leading space here in the log line
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thx, space has been removed.
@existing_policy.rules = @rules_encoded | ||
|
||
@client.update_policy(@existing_policy) | ||
Puppet.notice(" Updated Consul ACL policy #{@existing_policy.name} (ID: #{@existing_policy.id})") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here too, intentional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By far not intended, space is removed.
This PR looks really solid @SkydiveMarius! So I say we ship! |
Thanks for the positive feedback!
|
Probably temporary. It really is 404, but I'll check back later in the day to make sure we have a green build and merge. |
I restarted the failed CI jobs |
The related issue for the broken mirror: https://groups.google.com/forum/#!topic/puppet-users/cCsGWKunBe4 |
Build is green. Thanks again @SkydiveMarius for a really great first time contribution! |
Support for Consul 1.4.0+ ACL system
Resolves #471
Example usage:
The current concept treats tokens and policies individually. A token can be assigned both policies managed by puppet (by_name) and external policies (by_id).
The new Consul system does not support any user specified Token ID anymore (s. hashicorp/consul#4977), therefore the mapping is currently done by description.
Due to my limited Ruby or Puppet experience feedback and suggestions for improvements are highly welcome.