Support for Consul 1.4.0+ ACL system #474
Conversation
| @@ -199,6 +199,45 @@ consul to restart. | |||
|
|
|||
| ## ACL Definitions | |||
|
|
|||
| ### Policy/Token system | |||
|
|
|||
| Starting with version 1.4.0, a new ACL system was introduces separating rules (policies) from tokens. | |||
| @@ -0,0 +1,190 @@ | |||
| require 'json' | |||
| require 'net/http' | |||
| require 'pp' | |||
There was a problem hiding this comment.
Is pp actually required or just a leftover from debugging?
There was a problem hiding this comment.
You are right, dependency has been removed.
manifests/init.pp
Outdated
| @@ -158,6 +179,13 @@ | |||
| # | |||
| class consul ( | |||
| Hash $acls = $consul::params::acls, | |||
| Hash $tokens = $consul::params::tokens, | |||
There was a problem hiding this comment.
can you enforce the datatypes even more? For hashes, you can define the datatypes for the keys and the values. For example:
| Hash $tokens = $consul::params::tokens, | |
| Hash[String[1],String[1]] $tokens = $consul::params::tokens, |
There was a problem hiding this comment.
Good idea. I tried to add some stricter types in the newest version.
manifests/init.pp
Outdated
| @@ -158,6 +179,13 @@ | |||
| # | |||
| class consul ( | |||
| Hash $acls = $consul::params::acls, | |||
| Hash $tokens = $consul::params::tokens, | |||
| Hash $policies = $consul::params::policies, | |||
| String $acl_api_hostname = $consul::params::acl_api_hostname, | |||
There was a problem hiding this comment.
You can enforce the minimal string length like this:
| String $acl_api_hostname = $consul::params::acl_api_hostname, | |
| String[1] $acl_api_hostname = $consul::params::acl_api_hostname, |
Please also look through https://github.com/puppetlabs/puppetlabs-stdlib/tree/master/types, you might find mor strict datatypes that you could use.
manifests/init.pp
Outdated
| Hash $policies = $consul::params::policies, | ||
| String $acl_api_hostname = $consul::params::acl_api_hostname, | ||
| String $acl_api_protocol = $consul::params::acl_api_protocol, | ||
| Integer $acl_api_port = $consul::params::acl_api_port, |
There was a problem hiding this comment.
Probably this type can be used https://github.com/puppetlabs/puppetlabs-stdlib/blob/master/types/port.pp ?
| Integer $acl_api_port = $consul::params::acl_api_port, | |
| Stdlib::Port $acl_api_port = $consul::params::acl_api_port, |
There was a problem hiding this comment.
Good idea from my point of view.
As far as I know this type was added in version 4.25 of stdlib. Is it ok to adjust the current dependencies accordingly?
|
Hey @SkydiveMarius, thanks for the awesome PR! I made some small inline comments. Can you take a look at the current acceptance tests (https://github.com/solarkennedy/puppet-consul/blob/master/spec/acceptance/class_spec.rb) and extend them with tests for the new types/provider? |
|
@SkydiveMarius thanks for the updates! Can you take a look at the failed travis job? |
…ing CentOS6 Travis jobs
|
Branch has been rebased, but some Travis builds are randomly failing with Timeout errors (ACL API requests). So far I was not able to reproduce this behavior locally. In case of failure the content of /var/log/consul would probably help. Does rspec offer possibilities to display this information in case of an error? |
|
PR has been adjusted for the recent Consul 1.5.0 update. |
manifests/init.pp
Outdated
| Boolean $enable_beta_ui = false, | ||
| Boolean $allow_binding_to_root_ports = false, | ||
| Hash $acls = {}, | ||
| Hash[String[1], Struct[{ |
There was a problem hiding this comment.
can you please put those types into a custom datatype? That would make the file more readable.
There was a problem hiding this comment.
Good idea. Replaced by type aliases.
bastelfreak
removed
needs-rebase
needs-tests
needs-work
|
Hi @SkydiveMarius, thanks for the awesome work! @solarkennedy can you please take a look and merge it? In my opinion this is fine. |
|
looking... |
| if @resource[:ensure] == :absent | ||
| if @existing_policy | ||
| @client.delete_policy(@existing_policy.id) | ||
| Puppet.notice(" Deleted Consul ACL policy #{@existing_policy.name} (ID: #{@existing_policy.id})") |
There was a problem hiding this comment.
nit: There is a leading space here in the log line
There was a problem hiding this comment.
Thx, space has been removed.
| @existing_policy.rules = @rules_encoded | ||
|
|
||
| @client.update_policy(@existing_policy) | ||
| Puppet.notice(" Updated Consul ACL policy #{@existing_policy.name} (ID: #{@existing_policy.id})") |
There was a problem hiding this comment.
here too, intentional?
There was a problem hiding this comment.
By far not intended, space is removed.
|
This PR looks really solid @SkydiveMarius! So I say we ship! |
|
Thanks for the positive feedback! |
|
Probably temporary. It really is 404, but I'll check back later in the day to make sure we have a green build and merge. |
|
I restarted the failed CI jobs |
|
The related issue for the broken mirror: https://groups.google.com/forum/#!topic/puppet-users/cCsGWKunBe4 |
|
Build is green. Thanks again @SkydiveMarius for a really great first time contribution! |
Support for Consul 1.4.0+ ACL system
Resolves #471
Example usage:
The current concept treats tokens and policies individually. A token can be assigned both policies managed by puppet (by_name) and external policies (by_id).
The new Consul system does not support any user specified Token ID anymore (s. hashicorp/consul#4977), therefore the mapping is currently done by description.
Due to my limited Ruby or Puppet experience feedback and suggestions for improvements are highly welcome.