Output user-friendly name for anonymous token #15884
Conversation
github-actions
bot
added
theme/acls
kisunji
added
the
theme/operator-usability
kisunji
force-pushed
the
kisunji/NET-1766-user-friendly-anonymous-token-oss
branch
from
f1839c2 to
1f5f294
Compare
kisunji
force-pushed
the
kisunji/NET-1766-user-friendly-anonymous-token-oss
branch
from
1f5f294 to
c087380
Compare
…15564) Adds automation for generating the map of `gRPC Method Name → Rate Limit Type` used by the middleware introduced in #15550, and will ensure we don't forget to add new endpoints. Engineers must annotate their RPCs in the proto file like so: ``` rpc Foo(FooRequest) returns (FooResponse) { option (consul.internal.ratelimit.spec) = { operation_type: READ, }; } ``` When they run `make proto` a protoc plugin `protoc-gen-consul-rate-limit` will be installed that writes rate-limit specs as a JSON array to a file called `.ratelimit.tmp` (one per protobuf package/directory). After running Buf, `make proto` will execute a post-process script that will ingest all of the `.ratelimit.tmp` files and generate a Go file containing the mappings in the `agent/grpc-middleware` package. In the enterprise repository, it will write an additional file with the enterprise-only endpoints. If an engineer forgets to add the annotation to a new RPC, the plugin will return an error like so: ``` RPC Foo is missing rate-limit specification, fix it with: import "proto-public/annotations/ratelimit/ratelimit.proto"; service Bar { rpc Foo(...) returns (...) { option (hashicorp.consul.internal.ratelimit.spec) = { operation_type: OPERATION_READ | OPERATION_WRITE | OPERATION_EXEMPT, }; } } ``` In the future, this annotation can be extended to support rate-limit category (e.g. KV vs Catalog) and to determine the retry policy.
Add support to provide an initial token via the bootstrap HTTP API, similar to hashicorp/nomad#12520
#15885) * Refactoring the peering integ test to accommodate coming changes of other upgrade scenarios. - Add a utils package under test that contains methods to set up various test scenarios. - Deduplication: have a single CreatingPeeringClusterAndSetup replace CreatingAcceptingClusterAndSetup and CreateDialingClusterAndSetup. - Separate peering cluster creation and server registration. * Apply suggestions from code review Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
* Update api gateway version to latest * Update website/content/docs/api-gateway/install.mdx * update to latest apigw version 0.5.1 * update consul and helm version
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
acl/acl.go
Outdated
| // CheckAnonymous returns the string "anonymous token" if | ||
| // accessorID is acl.AnonymousTokenID. Used for better | ||
| // UX when logging the accessorID. | ||
| func CheckAnonymous(accessorID string) string { |
There was a problem hiding this comment.
What do you think about making the name of this func more generic and using a LUT to find the name for the token ID? I could envision that in the future we may want to use this mechanism for other well-known tokens. Something like:
// maybe this could have package scope?
wellKnownTokens := map[string]string{AnonymousTokenID: "anonymous token"}
func ResolveToken(accessorID string) string {
if name, ok := wellKnownTokens[accessorID]; ok {
return name
}
return accessorID
}There was a problem hiding this comment.
I agree that this UX improvement would be useful for other well-known tokens but my understanding based on this doc is that the anonymous token is the only static one in our system.
Every other "well-known" token is configured and generated at runtime, making it harder to maintain a lookup table.
Not impossible, but I'd like to consider it out of scope for this PR.
There was a problem hiding this comment.
I agree with deferring that generalization (YAGNI principle). Once we have >1 such token (if ever), we can make it more general as suggested.
| @@ -72,10 +72,6 @@ session_prefix "" { | |||
| policy = "write" | |||
| }` + EnterpriseACLPolicyGlobalManagement | |||
|
|
|||
| // This is the policy ID for anonymous access. This is configurable by the | |||
| // user. | |||
| ACLTokenAnonymousID = "00000000-0000-0000-0000-000000000002" | |||
There was a problem hiding this comment.
This PR only migrates the anonymous token definition for ACLs.. I don't disagree with this at all but just want to point out that now we have ACL definitions in two places, acl/ and structs/.. Is it worth adding a note in the code indicating that we intend to move the rest of the ACL defs to the acl/ package at some point?
There was a problem hiding this comment.
Yeah it was originally an initiative started in core before Mark A left; the intent had always been to migrate things over. I'll add a todo
There was a problem hiding this comment.
As I was looking over the file I realized that there are some import cycles that might make a general migration difficult. Unsure if a general TODO would be helpful (or if it will grow stale and unaddressed). I think just an ad-hoc refactoring over time might be better?
There was a problem hiding this comment.
Ya, I'm fine with whatever you think is best. I suspect that we will be thinking about and revisiting the ACLs system over the coming months and this is not likely to fall off our radar.
| @@ -161,7 +161,7 @@ func TestACLEndpoint_TokenRead(t *testing.T) { | |||
|
|
|||
| waitForLeaderEstablishment(t, srv) | |||
|
|
|||
| acl := ACL{srv: srv} | |||
| aclEp := ACL{srv: srv} | |||
There was a problem hiding this comment.
This change creates a lot of noise in this file, but I think this is the right thing to do given that the consul/acl package was already imported and these acl vars where hiding that package in the tests. I really like the disambiguation here.
|
@kisunji : My understanding is that most ACL permission denied error messages are centrally defined here: Lines 85 to 111 in ee2d47d I don't see that error message currently modified in this PR. And when we do modify that error message, we might want to take a different approach than is done here. Currently, the error message is:
I'm not sure that replacing the accessor ID with "accessor ID" is the clearest way to communicate what's happening in this case (though I agree it's a good solution for structured logging entries like those currently included in this PR). That would look like:
Perhaps it could instead be something like...
Or ...
... I feel a bit weird about saying that the accessor ID is "anonymous token" when that isn't actually accurate, though I think it's preferable to the alternative in the case of structure logging (leaving as ID ....002). It's not like we want to encourage the lookup and modification of the anonymous token to have broader privileges ... What we want to communicate is: you didn't specify a token, but probably should. And I think making the accessor ID display as "anonymous token" is a reasonable way to accomplish that. |
Description
When ACLs are enabled but an operator forgets to pass a token, a potential ACL error may refer to the anonymous token which appears in the logs as
00000000-0000-0000-0000-000000000002.We should avoid the accessorID being a source of confusion for users by simply aliasing it to
anonymous tokenwhenever we output it in logs.structs.ACLTokenAnonymousID -> acl.AnonymousTokenIDrefactor was done partly to resolve an import cycle but a broader objective is to fold more ACL-related domain objects intoaclpackage.Testing & Reproduction steps
PR Checklist