agent: read-level keyring ACLs work
parent
1b8051a783
commit
bffc0861cc
@ -121,8 +121,9 @@ func (a *Agent) keyringProcess(args *structs.KeyringRequest) (*structs.KeyringRe
|
|||||||
|
|
||||||
// ListKeys lists out all keys installed on the collective Consul cluster. This
|
// ListKeys lists out all keys installed on the collective Consul cluster. This
|
||||||
// includes both servers and clients in all DC's.
|
// includes both servers and clients in all DC's.
|
||||||
func (a *Agent) ListKeys() (*structs.KeyringResponses, error) {
|
func (a *Agent) ListKeys(token string) (*structs.KeyringResponses, error) {
|
||||||
args := structs.KeyringRequest{Operation: structs.KeyringList}
|
args := structs.KeyringRequest{Operation: structs.KeyringList}
|
||||||
|
args.Token = token
|
||||||
return a.keyringProcess(&args)
|
return a.keyringProcess(&args)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
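Review bot: The doc comment on `ListKeys` does not describe the new `token` parameter, and nothing in this function shows what happens when the token is empty. The help text changed in the same commit says the token defaults to that of the agent, so the fallback presumably happens in `keyringProcess` or further down; a line such as `// token is the ACL token used to authorize the list; if empty, the agent's own token is used.` would put that contract at the call site, once confirmed. The sibling keyring methods are outside this hunk, so whether they should take the same parameter cannot be judged from here.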
@ -78,6 +78,7 @@ var msgpackHandle = &codec.MsgpackHandle{
|
|||||||
type requestHeader struct {
|
type requestHeader struct {
|
||||||
Command string
|
Command string
|
||||||
Seq uint64
|
Seq uint64
|
||||||
|
Token string
|
||||||
}
|
}
|
||||||
|
|
||||||
// Response header is sent before each response
|
// Response header is sent before each response
|
||||||
@ -365,6 +366,7 @@ func (i *AgentRPC) handleRequest(client *rpcClient, reqHeader *requestHeader) er
|
|||||||
// Look for a command field
|
// Look for a command field
|
||||||
command := reqHeader.Command
|
command := reqHeader.Command
|
||||||
seq := reqHeader.Seq
|
seq := reqHeader.Seq
|
||||||
|
token := reqHeader.Token
|
||||||
|
|
||||||
// Ensure the handshake is performed before other commands
|
// Ensure the handshake is performed before other commands
|
||||||
if command != handshakeCommand && client.version == 0 {
|
if command != handshakeCommand && client.version == 0 {
|
||||||
@ -406,7 +408,7 @@ func (i *AgentRPC) handleRequest(client *rpcClient, reqHeader *requestHeader) er
|
|||||||
return i.handleReload(client, seq)
|
return i.handleReload(client, seq)
|
||||||
|
|
||||||
case installKeyCommand, useKeyCommand, removeKeyCommand, listKeysCommand:
|
case installKeyCommand, useKeyCommand, removeKeyCommand, listKeysCommand:
|
||||||
return i.handleKeyring(client, seq, command)
|
return i.handleKeyring(client, seq, command, token)
|
||||||
|
|
||||||
default:
|
default:
|
||||||
respHeader := responseHeader{Seq: seq, Error: unsupportedCommand}
|
respHeader := responseHeader{Seq: seq, Error: unsupportedCommand}
|
||||||
@ -618,7 +620,7 @@ func (i *AgentRPC) handleReload(client *rpcClient, seq uint64) error {
|
|||||||
return client.Send(&resp, nil)
|
return client.Send(&resp, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (i *AgentRPC) handleKeyring(client *rpcClient, seq uint64, cmd string) error {
|
func (i *AgentRPC) handleKeyring(client *rpcClient, seq uint64, cmd, token string) error {
|
||||||
var req keyringRequest
|
var req keyringRequest
|
||||||
var queryResp *structs.KeyringResponses
|
var queryResp *structs.KeyringResponses
|
||||||
var r keyringResponse
|
var r keyringResponse
|
||||||
@ -632,7 +634,7 @@ func (i *AgentRPC) handleKeyring(client *rpcClient, seq uint64, cmd string) erro
|
|||||||
|
|
||||||
switch cmd {
|
switch cmd {
|
||||||
case listKeysCommand:
|
case listKeysCommand:
|
||||||
queryResp, err = i.agent.ListKeys()
|
queryResp, err = i.agent.ListKeys(token)
|
||||||
case installKeyCommand:
|
case installKeyCommand:
|
||||||
queryResp, err = i.agent.InstallKey(req.Key)
|
queryResp, err = i.agent.InstallKey(req.Key)
|
||||||
case useKeyCommand:
|
case useKeyCommand:
|
||||||
|
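Review bot: `handleKeyring` now receives `token` but forwards it only in the `listKeysCommand` case; `i.agent.InstallKey(req.Key)` in the next case is still called without it, and the use/remove cases are not shown as changed. The commit title limits this to read-level ACLs, but as written the operations that modify the keyring are presumably authorized with whatever token the agent falls back to rather than the caller's, which leaves the more sensitive operations with the weaker check. If that is intentional for now, say so at the switch, e.g. `// TODO: only listKeysCommand forwards the caller's token; install/use/remove are not yet authorized per caller`. The new `Token` field on `requestHeader` is a credential and has no comment; anything that logs or dumps request headers should leave it out. The body of `handleKeyring` continues outside the hunk.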
@ -188,10 +188,11 @@ func (c *RPCClient) WANMembers() ([]Member, error) {
|
|||||||
return resp.Members, err
|
return resp.Members, err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *RPCClient) ListKeys() (keyringResponse, error) {
|
func (c *RPCClient) ListKeys(token string) (keyringResponse, error) {
|
||||||
header := requestHeader{
|
header := requestHeader{
|
||||||
Command: listKeysCommand,
|
Command: listKeysCommand,
|
||||||
Seq: c.getSeq(),
|
Seq: c.getSeq(),
|
||||||
|
Token: token,
|
||||||
}
|
}
|
||||||
var resp keyringResponse
|
var resp keyringResponse
|
||||||
err := c.genericRPC(&header, nil, &resp)
|
err := c.genericRPC(&header, nil, &resp)
|
||||||
|
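Review bot: `RPCClient.ListKeys` is an exported method and its signature changes here with no doc comment and no compatibility path, so any external caller of this client stops compiling. A comment such as `// ListKeys lists the installed keyring keys; token is the ACL token sent in the request header, empty to use the agent's default.` would document the parameter. The other keyring methods of this client are not in the hunk, so presumably their request headers still carry no token. The function body continues past the end of the hunk.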
@ -16,7 +16,7 @@ type KeyringCommand struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (c *KeyringCommand) Run(args []string) int {
|
func (c *KeyringCommand) Run(args []string) int {
|
||||||
var installKey, useKey, removeKey string
|
var installKey, useKey, removeKey, token string
|
||||||
var listKeys bool
|
var listKeys bool
|
||||||
|
|
||||||
cmdFlags := flag.NewFlagSet("keys", flag.ContinueOnError)
|
cmdFlags := flag.NewFlagSet("keys", flag.ContinueOnError)
|
||||||
@ -26,6 +26,7 @@ func (c *KeyringCommand) Run(args []string) int {
|
|||||||
cmdFlags.StringVar(&useKey, "use", "", "use key")
|
cmdFlags.StringVar(&useKey, "use", "", "use key")
|
||||||
cmdFlags.StringVar(&removeKey, "remove", "", "remove key")
|
cmdFlags.StringVar(&removeKey, "remove", "", "remove key")
|
||||||
cmdFlags.BoolVar(&listKeys, "list", false, "list keys")
|
cmdFlags.BoolVar(&listKeys, "list", false, "list keys")
|
||||||
|
cmdFlags.StringVar(&token, "token", "", "acl token")
|
||||||
|
|
||||||
rpcAddr := RPCAddrFlag(cmdFlags)
|
rpcAddr := RPCAddrFlag(cmdFlags)
|
||||||
if err := cmdFlags.Parse(args); err != nil {
|
if err := cmdFlags.Parse(args); err != nil {
|
||||||
@ -65,7 +66,7 @@ func (c *KeyringCommand) Run(args []string) int {
|
|||||||
|
|
||||||
if listKeys {
|
if listKeys {
|
||||||
c.Ui.Info("Gathering installed encryption keys...")
|
c.Ui.Info("Gathering installed encryption keys...")
|
||||||
r, err := client.ListKeys()
|
r, err := client.ListKeys(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
c.Ui.Error(fmt.Sprintf("error: %s", err))
|
c.Ui.Error(fmt.Sprintf("error: %s", err))
|
||||||
return 1
|
return 1
|
||||||
@ -199,13 +200,15 @@ Options:
|
|||||||
|
|
||||||
-install=<key> Install a new encryption key. This will broadcast
|
-install=<key> Install a new encryption key. This will broadcast
|
||||||
the new key to all members in the cluster.
|
the new key to all members in the cluster.
|
||||||
-use=<key> Change the primary encryption key, which is used to
|
-list List all keys currently in use within the cluster.
|
||||||
encrypt messages. The key must already be installed
|
|
||||||
before this operation can succeed.
|
|
||||||
-remove=<key> Remove the given key from the cluster. This
|
-remove=<key> Remove the given key from the cluster. This
|
||||||
operation may only be performed on keys which are
|
operation may only be performed on keys which are
|
||||||
not currently the primary key.
|
not currently the primary key.
|
||||||
-list List all keys currently in use within the cluster.
|
-token="" ACL token to use during requests. Defaults to that
|
||||||
|
of the agent.
|
||||||
|
-use=<key> Change the primary encryption key, which is used to
|
||||||
|
encrypt messages. The key must already be installed
|
||||||
|
before this operation can succeed.
|
||||||
-rpc-addr=127.0.0.1:8400 RPC address of the Consul agent.
|
-rpc-addr=127.0.0.1:8400 RPC address of the Consul agent.
|
||||||
`
|
`
|
||||||
return strings.TrimSpace(helpText)
|
return strings.TrimSpace(helpText)
|
||||||
|
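Review bot: The help text added in the last hunk describes `-token` as the "ACL token to use during requests", but in `Run` the value is passed only to `client.ListKeys(token)`; with `-install`, `-use` or `-remove` the flag appears to be accepted and silently ignored. Either narrow the help text (`ACL token to use with -list. Defaults to that of the agent.`) or reject the combination until the write paths take a token. A token given on the command line is also visible in process listings and shell history, so the help text should say so or the command should offer a non-argv source. The flag's usage string `"acl token"` could match the wording of the help text.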