mirror of
https://github.com/status-im/consul.git
synced 2025-01-25 13:10:32 +00:00
d4c435856b
Adds automation for generating the map of `gRPC Method Name → Rate Limit Type` used by the middleware introduced in #15550, and will ensure we don't forget to add new endpoints. Engineers must annotate their RPCs in the proto file like so: ``` rpc Foo(FooRequest) returns (FooResponse) { option (consul.internal.ratelimit.spec) = { operation_type: READ, }; } ``` When they run `make proto` a protoc plugin `protoc-gen-consul-rate-limit` will be installed that writes rate-limit specs as a JSON array to a file called `.ratelimit.tmp` (one per protobuf package/directory). After running Buf, `make proto` will execute a post-process script that will ingest all of the `.ratelimit.tmp` files and generate a Go file containing the mappings in the `agent/grpc-middleware` package. In the enterprise repository, it will write an additional file with the enterprise-only endpoints. If an engineer forgets to add the annotation to a new RPC, the plugin will return an error like so: ``` RPC Foo is missing rate-limit specification, fix it with: import "proto-public/annotations/ratelimit/ratelimit.proto"; service Bar { rpc Foo(...) returns (...) { option (hashicorp.consul.internal.ratelimit.spec) = { operation_type: OPERATION_READ | OPERATION_WRITE | OPERATION_EXEMPT, }; } } ``` In the future, this annotation can be extended to support rate-limit category (e.g. KV vs Catalog) and to determine the retry policy.
71 lines
1.9 KiB
Protocol Buffer
71 lines
1.9 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
package hashicorp.consul.acl;
|
|
|
|
import "proto-public/annotations/ratelimit/ratelimit.proto";
|
|
|
|
service ACLService {
|
|
// Login exchanges the presented bearer token for a Consul ACL token using a
|
|
// configured auth method.
|
|
rpc Login(LoginRequest) returns (LoginResponse) {
|
|
option (hashicorp.consul.internal.ratelimit.spec) = {
|
|
operation_type: OPERATION_TYPE_WRITE,
|
|
};
|
|
}
|
|
|
|
// Logout destroys the given ACL token once the caller is done with it.
|
|
rpc Logout(LogoutRequest) returns (LogoutResponse) {
|
|
option (hashicorp.consul.internal.ratelimit.spec) = {
|
|
operation_type: OPERATION_TYPE_WRITE,
|
|
};
|
|
}
|
|
}
|
|
|
|
message LogoutResponse {}
|
|
|
|
message LoginRequest {
|
|
// auth_method is the name of the configured auth method that will be used to
|
|
// validate the presented bearer token.
|
|
string auth_method = 1;
|
|
|
|
// bearer_token is a token produced by a trusted identity provider as
|
|
// configured by the auth method.
|
|
string bearer_token = 2;
|
|
|
|
// meta is a collection of arbitrary key-value pairs associated to the token,
|
|
// it is useful for tracking the origin of tokens.
|
|
map<string, string> meta = 3;
|
|
|
|
// namespace (enterprise only) is the namespace in which the auth method
|
|
// resides.
|
|
string namespace = 4;
|
|
|
|
// partition (enterprise only) is the partition in which the auth method
|
|
// resides.
|
|
string partition = 5;
|
|
|
|
// datacenter is the target datacenter in which the request will be processed.
|
|
string datacenter = 6;
|
|
}
|
|
|
|
message LoginResponse {
|
|
// token is the generated ACL token.
|
|
LoginToken token = 1;
|
|
}
|
|
|
|
message LoginToken {
|
|
// accessor_id is a UUID used to identify the ACL token.
|
|
string accessor_id = 1;
|
|
|
|
// secret_id is a UUID presented as a credential by clients.
|
|
string secret_id = 2;
|
|
}
|
|
|
|
message LogoutRequest {
|
|
// token is the ACL token's secret ID.
|
|
string token = 1;
|
|
|
|
// datacenter is the target datacenter in which the request will be processed.
|
|
string datacenter = 2;
|
|
}
|