Commit Graph

3814 Commits

Author SHA1 Message Date
James Phillips 67de77482e Creates new "prepared-query" ACL type and new token capture behavior.
Prior to this change, prepared queries had the following behavior for
ACLs, which will need to change to support templates:

1. A management token, or a token with read access to the service being
   queried needed to be provided in order to create a prepared query.

2. The token used to create the prepared query was stored with the query
   in the state store and used to execute the query.

3. A management token, or the token used to create the query needed to be
   supplied to perform and CRUD operations on an existing prepared query.

This was pretty subtle and complicated behavior, and won't work for
templates since the service name is computed at execution time. To solve
this, we introduce a new "prepared-query" ACL type, where the prefix
applies to the query name for static prepared query types and to the
prefix for template prepared query types.

With this change, the new behavior is:

1. A management token, or a token with "prepared-query" write access to
   the query name or (soon) the given template prefix is required to do
   any CRUD operations on a prepared query, or to list prepared queries
   (the list is filtered by this ACL).

2. You will no longer need a management token to list prepared queries,
   but you will only be able to see prepared queries that you have access
   to (you get an empty list instead of permission denied).

3. When listing or getting a query, because it was easy to capture
   management tokens given the past behavior, this will always blank out
   the "Token" field (replacing the contents as <hidden>) for all tokens
   unless a management token is supplied. Going forward, we should
   discourage people from binding tokens for execution unless strictly
   necessary.

4. No token will be captured by default when a prepared query is created.
   If the user wishes to supply an execution token then can pass it in via
   the "Token" field in the prepared query definition. Otherwise, this
   field will default to empty.

5. At execution time, we will use the captured token if it exists with the
   prepared query definition, otherwise we will use the token that's passed
   in with the request, just like we do for other RPCs (or you can use the
   agent's configured token for DNS).

6. Prepared queries with no name (accessible only by ID) will not require
   ACLs to create or modify (execution time will depend on the service ACL
   configuration). Our argument here is that these are designed to be
   ephemeral and the IDs are as good as an ACL. Management tokens will be
   able to list all of these.

These changes enable templates, but also enable delegation of authority to
manage the prepared query namespace.
2016-02-23 17:12:43 -08:00
csawyerYumaed 5026a40ec1 Update documentation - add Network Ports.
Update security.html.markdown add section on Network Port usage.
TODO: add Atlas port usage.
2016-02-23 11:27:15 -08:00
Stefan Engstrom 525cb0abc1 add accept header */* for agent check 2016-02-19 10:31:00 -06:00
Ryan Breen 05bc9149a5 Merge pull request #1741 from benhinchley/master
Add asia pacific region to list in terraform module
2016-02-19 08:24:16 -05:00
Ben Hinchley d1c8f3b384 Merge pull request #1 from benhinchley/benhinchley-patch-1
add asia pacific region to list for ubuntu
2016-02-19 16:35:48 +11:00
Ben Hinchley 9f903928c3 add asia pacific region to list for ubuntu
using these images
ap-northeast-1 => ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20150528
ap-southeast-1 => ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20150528
ap-southeast-2 => ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20150528
2016-02-19 16:35:29 +11:00
James Phillips 4d5b13f417 Merge pull request #1740 from hashicorp/f-1.6-only-ci
Takes away Go tip build which is failing for odd reasons.
2016-02-18 15:50:12 -08:00
James Phillips aa5806a1df Takes away Go tip build which is failing for odd reasons.
This should cut down on build noise. When we get further with 1.6 we can reintroduce the tip build to help spot issues with the next version of Go.
2016-02-18 15:50:04 -08:00
James Phillips d5735c555d Merge pull request #1736 from hashicorp/f-makefile-cleanup
Refactors dist into a Docker-based build with extra safety checks.
2016-02-18 15:28:46 -08:00
James Phillips f873dda184 Sets CGO_ENABLED to 0 in the Dockerfile. 2016-02-18 09:31:04 -08:00
James Phillips 33829cdc34 Moves release build into Docker container and adds web asset check at dist time. 2016-02-17 23:17:39 -08:00
James Phillips 3f7bd5dec2 Tweaks some of the default makefile targets. 2016-02-17 20:36:48 -08:00
James Phillips baef89a8f6 Removes from cruft from the makefile. 2016-02-17 20:30:06 -08:00
James Phillips 09e60af97c Merge pull request #1735 from hashicorp/f-go-1.6
Starts switch to Go 1.6.
2016-02-17 20:00:34 -08:00
James Phillips a8f8d63460 Starts switch to Go 1.6. 2016-02-17 19:43:55 -08:00
James Phillips aed82bf7d7 Merge pull request #1726 from hashicorp/f-tag-override-api
Adds support for EnableTagOverride to the API client.
2016-02-17 19:25:40 -08:00
James Phillips d31d50c45e Merge pull request #1732 from hashicorp/pr/1716
Don't run `go vet` on vendor/
2016-02-17 16:04:14 -08:00
James Phillips 6643c94b11 Makes vet check more sure fire now that it's xargs-ed. 2016-02-17 16:02:42 -08:00
James Phillips a84e5b8d66 Adds a note about the new go-cleanhttp behavior to the change log. 2016-02-17 14:49:24 -08:00
James Phillips 1bfbe7e918 Merge pull request #1731 from hashicorp/update-cleanhttp
Update go-cleanhttp
2016-02-17 14:24:41 -08:00
Jeff Mitchell 14a3a14543 Update go-cleanhttp 2016-02-17 17:03:57 -05:00
Ryan Breen 628343ea73 Merge pull request #1729 from xenji/add-new-eu-amis
Add ubuntu AMIs for eu-west-1 and eu-central-1 to the map.
2016-02-17 08:23:04 -05:00
Mario Mueller c62c5de185 Add eu-west-1 and eu-central-1 to the map.
Used image: ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20150325
2016-02-17 09:16:41 +01:00
Michael Crilly 4c8725ef63 TLS example and correcting error
The example configuration file omits TLS support in the HTTP API. This is fine, but a second example demonstrating how to enable TLS over the HTTP API is harmless and, in fact, should be default practice.

Using the format `ip:port` in the "addresses" block will cause Consul to crash on reload/start. See issue (#1727)[https://github.com/hashicorp/consul/issues/1727#issuecomment-184980751]
2016-02-17 15:24:37 +10:00
James Phillips 052140f8a7 Merge pull request #1703 from alistanis/fix-issue-#1661
fixes issue #1661 and adds supporting test
2016-02-16 20:13:36 -08:00
James Phillips afdeb2f1fc Adds support for EnableTagOverride to the API client. 2016-02-16 11:45:29 -08:00
Ryan Breen 0562b95a55 Merge pull request #1717 from kim-toms/patch-1
Update leader-election.html.markdown
2016-02-14 09:34:39 -05:00
Kim Toms 7e8e11aea3 Update leader-election.html.markdown
Remove duplicate 'leader'
2016-02-14 09:32:23 -05:00
Sean Chittenden 0c8b66ddca Don't run `go vet` on vendor/ 2016-02-12 18:52:40 -08:00
James Phillips 62fd17382a Merge pull request #1715 from hashicorp/b-travis
Removes the obsolete deps target from Travis.
2016-02-12 18:46:13 -08:00
James Phillips 5937db50e3 Removes the obsolete deps target from Travis. 2016-02-12 18:41:33 -08:00
Sean Chittenden 8d5555246f Merge pull request #1714 from hashicorp/e-godeps
Manage dependencies via Godep
2016-02-12 17:13:08 -08:00
Sean Chittenden 870cabf0bf Remove deps folder, no longer needed 2016-02-12 17:12:15 -08:00
Sean Chittenden 1071bc271a Add a tools target that fetches various build-time tools 2016-02-12 17:09:18 -08:00
Sean Chittenden 25b09713b9 Manage dependencies via Godep
Embrace the future and use Go 1.6's vendor support via Godep.

Go 1.5 users should `export GO15VENDOREXPERIMENT=1`
2016-02-12 16:50:37 -08:00
Ryan Breen 3eb3087032 Merge pull request #1713 from hashicorp/b-internal-ui-redirect
Fixes redirect from / to /ui when internal UI is enabled.
2016-02-12 19:26:59 -05:00
James Phillips e79dd7c8de Fixes redirect from / to /ui when internal UI is enabled. 2016-02-12 16:11:32 -08:00
Sean Chittenden d2745081f3 Allow adjusting the number of DNS records in a response...
Based on work done by @fusiondog in #1583, extend the concept to use an integer instead of a boolean.

Fixes: #1583 && #1481
2016-02-12 12:18:25 -08:00
Ryan Breen 13bfad9e1b Merge pull request #1710 from shaneog/master
Fix Consul download links
2016-02-10 11:23:22 -05:00
Shane O'Grady f03054a6c2 Fix Consul download link in benchmark scripts
Use https://releases.hashicorp.com
2016-02-10 14:18:19 -02:00
Shane O'Grady ee35581869 Fix Consul download link in Terraform scripts
Use https://releases.hashicorp.com
2016-02-10 14:18:13 -02:00
James Phillips bb4c9d48c0 Merge pull request #1707 from hashicorp/b-typo
Fixes a typo.
2016-02-09 16:37:14 -08:00
James Phillips 03602779c6 Fixes a typo. 2016-02-09 16:37:06 -08:00
Chris Cooper 2c6f873ecd add missing test 2016-02-09 10:49:41 -05:00
Chris Cooper fe0e3aaaa0 fixes issue #1661 and adds supporting test 2016-02-09 10:35:39 -05:00
Robert Goldsmith 795554e7a4 Included support to override the assumed location of the consul so you can run the UI on a normal web server potentially on a different host to your consul servers. 2016-02-09 13:26:48 +00:00
Patrick Feliciano 6b665d3ddb Adding singleton option to DNS for getaddrinfo bug. 2016-02-09 00:26:18 -08:00
Ryan Breen b7b46f9e3a Merge pull request #1700 from michaeldejong/tools-consultant
Added a reference to Consultant in the Community Tools section.
2016-02-08 10:54:33 -05:00
Michael de Jong b99824330d Added a reference to Consultant in the Community Tools section. 2016-02-08 16:09:30 +01:00
James Phillips dca3234c37 Merge pull request #1699 from hashicorp/b-sanity-check
Adds a sanity check to the local node info compare.
2016-02-07 15:07:55 -08:00