407 Commits

Author SHA1 Message Date
Armon Dadgar
43a7a20868 consul: Ensure authoritative cache is purged after update 2014-08-18 15:46:59 -07:00
Armon Dadgar
e56007753d consul: Provide ETag to avoid expensive policy fetch 2014-08-18 15:46:59 -07:00
Armon Dadgar
25855b2362 consul: ACL enforcement for KV updates 2014-08-18 15:46:24 -07:00
Armon Dadgar
c7cb1f562b consul: ACL enforcement for key reads 2014-08-18 15:46:24 -07:00
Armon Dadgar
f49d34d0e3 consul: Filter keys, refactor to interface 2014-08-18 15:46:24 -07:00
Armon Dadgar
614b0a1414 consul: Helpers to filter on ACL rules 2014-08-18 15:46:24 -07:00
Armon Dadgar
84488ed1f0 consul: Starting token enforcement 2014-08-18 15:46:23 -07:00
Armon Dadgar
2d5e869e69 consul: Prevent resolution of root policy 2014-08-18 15:46:23 -07:00
Armon Dadgar
10db4c7c8f consul: Resolve parent ACLs 2014-08-18 15:46:23 -07:00
Armon Dadgar
ef171ca344 consul: Support management tokens 2014-08-18 15:46:23 -07:00
Armon Dadgar
a82439c713 consul: Adding some metrics for ACL usage 2014-08-18 15:46:23 -07:00
Armon Dadgar
827e7c9efa consul: Create anonymous and master tokens 2014-08-18 15:46:22 -07:00
Armon Dadgar
01beaa60cc consul: Testing down policies and multi-DC 2014-08-18 15:46:22 -07:00
Armon Dadgar
fe86c8c5ee consul: Testing ACL resolution 2014-08-18 15:46:22 -07:00
Armon Dadgar
0c912f2c98 consul: Use Etag for policy caching 2014-08-18 15:46:22 -07:00
Armon Dadgar
b5e22203fc consul: Support conditional policy fetch 2014-08-18 15:46:22 -07:00
Armon Dadgar
b5c9e65175 consul: Verify compilation of rules 2014-08-18 15:46:22 -07:00
Armon Dadgar
338f11c6cf consul: Enable ACL lookup 2014-08-18 15:46:22 -07:00
Armon Dadgar
97a737b1ee consul: Pulling in ACLs 2014-08-18 15:46:21 -07:00
Armon Dadgar
78049ad240 agent: ACL endpoint tests 2014-08-18 15:46:21 -07:00
Armon Dadgar
1b6806872d consul: ACL Endpoint tests 2014-08-18 15:46:21 -07:00
Armon Dadgar
7cbb2225af consul: Adding ACL endpoint 2014-08-18 15:46:21 -07:00
Armon Dadgar
b53ee80acd consul: register the ACL queries 2014-08-18 15:46:21 -07:00
Armon Dadgar
70b84e44c9 consul: FSM support for ACLs 2014-08-18 15:46:21 -07:00
Armon Dadgar
fea61d629b consul: Adding ACLs to the state store 2014-08-18 15:46:21 -07:00
Armon Dadgar
3b4d8d5805 consul: ACL structs 2014-08-18 15:46:21 -07:00
Armon Dadgar
cae4b421a3 agent: Adding ACL master token 2014-08-18 15:46:20 -07:00
Armon Dadgar
a8063457f8 consul: ACL setting passthrough 2014-08-18 15:46:20 -07:00
William Tisäter
6b52d410b3 Run go fmt 2014-07-24 01:09:55 +02:00
William Tisäter
945e19e139 Don't override ServiceTags 2014-07-23 23:42:22 +02:00
William Tisäter
57d62eb492 Change order of fixtures 2014-07-23 23:42:22 +02:00
William Tisäter
37426f7410 Make service tag filter case-insensitive 2014-07-23 23:42:22 +02:00
William Tisäter
9ad8b9ff19 Make service index case-insensitive 2014-07-23 23:42:22 +02:00
William Tisäter
9359f899f5 Lowercase index key and lookup value if flag is set 2014-07-23 23:42:22 +02:00
William Tisäter
ee4de11741 Add case-insensitive flag to MDBIndex 2014-07-23 23:42:21 +02:00
William Tisäter
e5798c74d2 Add helper for lowercase list of strings 2014-07-23 23:42:21 +02:00
Armon Dadgar
ce9de56469 consul: Defer serf handler until initialized. Fixes #254. 2014-07-22 09:36:58 -04:00
Armon Dadgar
746449ffed Merge pull request #233 from nelhage/tls-no-subjname
Restore the 0.2 TLS verification behavior.
2014-07-01 13:41:00 -07:00
Nelson Elhage
12a7f765b6 Add some basic smoke tests for wrapTLSclient.
Check the success case, and check that we reject a self-signed
certificate.
2014-06-29 18:11:32 -07:00
Nelson Elhage
d174cbe7f4 Restore the 0.2 TLS verification behavior.
Namely, don't check the DNS names in TLS certificates when connecting to
other servers.

As of golang 1.3, crypto/tls no longer natively supports doing partial
verification (verifying the cert issuer but not the hostname), so we
have to disable verification entirely and then do the issuer
verification ourselves. Fortunately, crypto/x509 makes this relatively
straightforward.

If the "server_name" configuration option is passed, we preserve the
existing behavior of checking that server name everywhere.

No option is provided to retain the current behavior of checking the
remote certificate against the local node name, since that behavior
seems clearly buggy and unintentional, and I have difficulty imagining
it is actually being used anywhere. It would be relatively
straightforward to restore if desired, however.
2014-06-28 13:32:42 -07:00
Armon Dadgar
924e4bc7f1 Rename Expect to BootstrapExpect. Fixes #223. 2014-06-19 17:08:55 -07:00
Armon Dadgar
92b6e947dd consul: Minor cleanups 2014-06-18 16:15:28 -07:00
Robert Xu
7b456a6d6d Minor cleanup to logic and testsuite.
Signed-off-by: Robert Xu <robxu9@gmail.com>
2014-06-18 18:47:05 -04:00
Robert Xu
bc4a4fe09b Utilise new raft.SetPeers() method, move expect logic to leader.go.
This way, we don't use EnableSingleMode, nor cause chaos adding peers.

Signed-off-by: Robert Xu <robxu9@gmail.com>
2014-06-18 12:03:30 -04:00
Robert Xu
c60fd0542a Add expect bootstrap '-expect=n' mode.
This allows for us to automatically bootstrap a cluster of nodes after
'n' number of server nodes join. All servers must have the same 'n' set, or
they will fail to join the cluster; all servers will not join the peer set
until they hit 'n' server nodes.

If the raft commit index is not empty, '-expect=n' does nothing because it
thinks you've already bootstrapped.

Signed-off-by: Robert Xu <robxu9@gmail.com>
2014-06-16 17:40:33 -04:00
Armon Dadgar
961a00c496 Adding server_name configuration for TLS 2014-06-13 11:10:27 -07:00
Robert B Gordon
470d0f1e58 Seems like we should actually check the reference count. 2014-06-13 11:25:01 -05:00
Armon Dadgar
93f4eb0a0f consul: Start RPC before Raft, wait to accept connections 2014-06-11 10:17:58 -07:00
Armon Dadgar
938371ee40 consul: start RPC after fully initialized. Fixes #160 2014-06-11 09:46:44 -07:00
Armon Dadgar
ab4e3de185 consul: Avoid network for server RPC. Fixes #148. 2014-06-10 19:12:36 -07:00