Merge branch 'master' of github.com:BTrDB/smartgridstore

acl/acl.go

@@ -7,20 +7,25 @@ import (
 	"errors"
 	"fmt"
 	"regexp"
+	"sync"
 	"time"
 
 	"golang.org/x/crypto/bcrypt"
 
 	etcd "github.com/coreos/etcd/clientv3"
 )
 
+const DefaultPrefix = "btrdb"
+
 type ACLEngine struct {
-	c      *etcd.Client
-	prefix string
+	c             *etcd.Client
+	prefix        string
+	cachedUsers   map[CachedUserKey]CachedUser
+	cachedUsersMu sync.Mutex
 }
 
 func NewACLEngine(prefix string, c *etcd.Client) *ACLEngine {
-	return &ACLEngine{c: c, prefix: prefix}
+	return &ACLEngine{c: c, prefix: prefix, cachedUsers: make(map[CachedUserKey]CachedUser)}
 }
 
 type IdentityProvider string
@@ -38,6 +43,7 @@ var KnownCapabilities = map[string]bool{
 	"read":       true,
 	"delete":     true,
 	"obliterate": true,
+	"admin":      true,
 }
 
 func (e *ACLEngine) set(key string, val string) error {
@@ -308,6 +314,15 @@ type User struct {
 	Capabilities []string
 }
 
+func (u *User) HasCapability(c string) bool {
+	for _, cap := range u.Capabilities {
+		if cap == c {
+			return true
+		}
+	}
+	return false
+}
+
 func (e *ACLEngine) WatchForAuthChanges(ctx context.Context) (chan struct{}, error) {
 	rv := make(chan struct{}, 10)
 	go func() {
@@ -320,8 +335,29 @@ func (e *ACLEngine) WatchForAuthChanges(ctx context.Context) (chan struct{}, err
 	return rv, nil
 }
 
+type CachedUser struct {
+	User   *User
+	Expiry time.Time
+}
+type CachedUserKey struct {
+	Name     string
+	Password string
+}
+
+const UserCacheTime = 3 * time.Minute
+
 //Returns false, nil, nil if password is incorrect or user does not exist
 func (e *ACLEngine) AuthenticateUser(name string, password string) (bool, *User, error) {
+	ck := CachedUserKey{
+		Name:     name,
+		Password: password,
+	}
+	e.cachedUsersMu.Lock()
+	cached, ok := e.cachedUsers[ck]
+	e.cachedUsersMu.Unlock()
+	if ok && cached.Expiry.Before(time.Now()) {
+		return ok, cached.User, nil
+	}
 	idp, err := e.GetIDP()
 	if err != nil {
 		return false, nil, err
@@ -338,6 +374,12 @@ func (e *ACLEngine) AuthenticateUser(name string, password string) (bool, *User,
 		if err != nil {
 			return false, nil, nil
 		}
+		e.cachedUsersMu.Lock()
+		e.cachedUsers[ck] = CachedUser{
+			User:   u,
+			Expiry: time.Now().Add(UserCacheTime),
+		}
+		e.cachedUsersMu.Unlock()
 		return true, u, nil
 	}
 	return false, nil, fmt.Errorf("unsupported identity provider")

containers/kcm-ceph/Dockerfile

@@ -3,7 +3,7 @@ FROM ubuntu:xenial
 ENV ETCDCTL_VERSION v3.1.7
 ENV ETCDCTL_ARCH linux-amd64
 ENV CEPH_VERSION luminous
-ENV KUBE_VERSION v1.9.3
+ENV KUBE_VERSION v1.10.0
 ENV GO_VERSION 1.9.2
 RUN apt-get update && apt-get install -y net-tools git build-essential wget
 RUN wget -q -O- 'https://download.ceph.com/keys/release.asc' | apt-key add - && \

containers/kcm-ceph/rebuild.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 set -ex
-docker build --no-cache -t btrdb/kubernetes-controller-manager-rbd:1.9.3 .
-docker push btrdb/kubernetes-controller-manager-rbd:1.9.3
+docker build --no-cache -t btrdb/kubernetes-controller-manager-rbd:1.10.0 .
+docker push btrdb/kubernetes-controller-manager-rbd:1.10.0

devmachine/environment.sh

@@ -10,7 +10,7 @@ export OSDBASE=$DEVMACHINE_BASE/ceph
 export ETCDBASE=$DEVMACHINE_BASE/etcd
 
 # which version of BTrDB and tools to install
-export VERSION=4.10.1
+export VERSION=4.11.0
 
 # pick which branch to use
 export PREFIX=""

devmachine/just_make_tls_work.sh

@@ -0,0 +1,93 @@
+#!/bin/bash
+
+cat >devmachine-localhost.ca.pem << EOF
+-----BEGIN CERTIFICATE-----
+MIIDnzCCAoegAwIBAgIJAPRK/R59kVNbMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV
+BAYTAlVTMREwDwYDVQQIDAhEZXZUb3BpYTEXMBUGA1UEBwwOTXlMb2NhbE1hY2hp
+bmUxGTAXBgNVBAoMEEJUckRCIERldk1hY2hpbmUxEDAOBgNVBAMMB1JPT1QgQ0Ew
+HhcNMTgwNjA0MjM1NjI3WhcNMjgwNjAxMjM1NjI3WjBmMQswCQYDVQQGEwJVUzER
+MA8GA1UECAwIRGV2VG9waWExFzAVBgNVBAcMDk15TG9jYWxNYWNoaW5lMRkwFwYD
+VQQKDBBCVHJEQiBEZXZNYWNoaW5lMRAwDgYDVQQDDAdST09UIENBMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwC/3taEZyDyatrH6ESGqVU4Kb4TAjWdZ
+0b0EscohLhTsAxUPufUYKsuH6AroUqlidYFnLsiHW2AqIyQhX3agYKB9wCcfm3Qb
+D6n/Z8zUULJ/YFpTTaUPY9ex9EvnlINc+sXwyOEojsL+Yq20Vz4NvjqR7GtE1GEr
+fv36Y+hd2nanU2dlVcsv1dO7zKw+ttPRi6qTYXQ4WT+nz2Mk1xWhK8NqqPsQWL3X
+p0lMaJXFzsQpr84ZbkfRjczLlO2gft4b96iBbC6lseuhWniE69Z48ZtZQR73vDCH
+ZCvscG7ZuXcaW0r4nLsNaVS1WjuC3baD6SWKFiQvVNt49NXf4CxG1QIDAQABo1Aw
+TjAdBgNVHQ4EFgQUaXMsIjbpaboHIT41m01rJyDA+r8wHwYDVR0jBBgwFoAUaXMs
+IjbpaboHIT41m01rJyDA+r8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AQEAiyOdswyRDCmVlOICOjQGHNLDEOI4gbs6tN8KvfpJ5uZp7xorNKkV3peaTVpW
+az97mrKRUdAZYEDoBY9oAvxX7enYheszG3vfgc1BXf+i3YdNKCUexhBZtetvkBFa
+rg6Wi0nambU3tuZSmuUUCfskQVDSCRgnTsyMPYHfF7lOa8qJaqSpFYmhQAgdPMpe
+piFhLHrAxqzMZXCfRSMP3Ji3lnjnXo2NwKu/GqIEXAIHxYZh7QnTA022Ws1FB0E4
+alL9IOoTaR7TQRYf4TOATCw1m4nYe61pfXB1J/CQ0cLVPS5qnbs9m8heynn7066q
+HRNq0S1ryc6KVDR6FaxnN2bcuQ==
+-----END CERTIFICATE-----
+EOF
+
+docker exec -i devmachine-etcd /bin/bash << EOSCRIPT
+
+export ETCDCTL_API=3
+
+etcdctl --endpoints 172.29.0.20:2379 put api/hardcoded_pub << EOF
+-----BEGIN CERTIFICATE-----
+MIIDqzCCApOgAwIBAgIJAI2ZCK3cIv9tMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV
+BAYTAlVTMREwDwYDVQQIDAhEZXZUb3BpYTEXMBUGA1UEBwwOTXlMb2NhbE1hY2hp
+bmUxGTAXBgNVBAoMEEJUckRCIERldk1hY2hpbmUxEDAOBgNVBAMMB1JPT1QgQ0Ew
+HhcNMTgwNjA1MDAwMTA1WhcNMjgwNjAyMDAwMTA1WjB9MQswCQYDVQQGEwJVUzER
+MA8GA1UECAwIRGV2VG9waWExFzAVBgNVBAcMDk15TG9jYWxNYWNoaW5lMRkwFwYD
+VQQKDBBCVHJEQiBEZXZNYWNoaW5lMRMwEQYDVQQLDApEZXZNYWNoaW5lMRIwEAYD
+VQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCy
+/w3AztG1VRYnGxYowEOHhlyC0Z5eu5avFozftsKv16hB9WkrkQyyicbv5+bSfeiJ
+0EIEDXk7MMkuqhtkk3SOqgusLQUK05SCVKjtoBlagujds1W/X1E6kezjjSmOtnuc
++7uxo3VG4UNxphjKpXNCegWa0gw3A3QaF0ZCub7XdAPSbpwNaGB9TyB7HEP1GctB
+0rqVnP7dG46bMSEfBs3UUHsUBEfv4akpf5i8Rk+igW2BUxHtbeQ+sLGvzpzAdLJF
+kGceOuIUDkt4ZBCTv7mhx4u+W+A9eXEvGBEglDKPI//+gsdpU279QWwVSjhcxySW
+iz61k43ao27CO/A0w0JbAgMBAAGjRTBDMAsGA1UdDwQEAwIEMDATBgNVHSUEDDAK
+BggrBgEFBQcDATAfBgNVHREEGDAWgglsb2NhbGhvc3SCCTEyNy4wLjAuMTANBgkq
+hkiG9w0BAQsFAAOCAQEAU40YmF7QcW8Z4UG9JRRHmMz1u4k8Vwb9pbsAeK1Yb6NO
+PCtvv0s3jF5ZEDdGMVwmOvD4VloSrs4TPtA4GE49KDhHJ7eFNZSeCA3bin52vxhH
+bSyqOnaMcDNqAY/nPwh262TCuCIWNG7MOXTWDYW+dXZ0uIqacrdx+xXBh5X3wFNA
+HrRCbMsy4aWGvwN18uHcMPDC3gclk5RB+MbvmzIEyer1po5Ekiu4V1CHLGbVXdOE
+o6Kir1OpmqtrxjhgtvwT4kC5TycE0FOAsh/v69dEIXT84pH7zvEYMBRNlmDbuz1u
+oHuLW0nt3rUNKzpHIOYd8xJXhvI5N3ChfAh4MuBSKA==
+-----END CERTIFICATE-----
+EOF
+
+etcdctl --endpoints 172.29.0.20:2379 put api/hardcoded_priv << EOF
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAsv8NwM7RtVUWJxsWKMBDh4ZcgtGeXruWrxaM37bCr9eoQfVp
+K5EMsonG7+fm0n3oidBCBA15OzDJLqobZJN0jqoLrC0FCtOUglSo7aAZWoLo3bNV
+v19ROpHs440pjrZ7nPu7saN1RuFDcaYYyqVzQnoFmtIMNwN0GhdGQrm+13QD0m6c
+DWhgfU8gexxD9RnLQdK6lZz+3RuOmzEhHwbN1FB7FARH7+GpKX+YvEZPooFtgVMR
+7W3kPrCxr86cwHSyRZBnHjriFA5LeGQQk7+5oceLvlvgPXlxLxgRIJQyjyP//oLH
+aVNu/UFsFUo4XMcklos+tZON2qNuwjvwNMNCWwIDAQABAoIBAQCFrVVoGQ0kj1br
+/Z6e8Hd+TynnyQStWws912l96c+b40MVf2H712fULnET2ezYZo+z3IRw4l8XhWe6
+IfAzPKxfnz74ZubNHxZZ/z/ptxc4MWwXpkbzlQvk4fY4OsQ+gKnwo0+Zaqm7NaBY
+z+LT9JwPmXF2HkhhDYM3uQoP6whLfmiijZxTmigM/HQySiDYfXrCfcoh80xZZ9nh
+tdOYpsww9/PQ1XwuFvW+spX2FxTyriRrv3XCpDuJBZ4gzsppS7Hn2biiNEl0utj7
+FMyxvXVoRGPGjCPKLZqOPAdffD6grnC8QR2OS7y+veNNmlthFsy3oUw0A8Dhry/Q
+gE4/GdUBAoGBAOUgePAMR5lYIQ1rU+0zJywSEgABtHX+XIkIv87TJYZh0GGnhvDI
+9FUfCTvIQznoZeC59yL0/fxFWKGb4y15tOG5a9/a4NCP76Qlc77EybRFvF7kFNOr
+R6EOVNEcCWk3WtcF+ec/kgcXJ+ZiZDlH2YMf2kd/FOcWQXPdTmryVaJzAoGBAMf9
+acCVzokt3CNjJOF/bMneB3Zfs2bpBIyCiyc0j324Rimc+s238OgjW48JXimtXvcC
+luzeBfejTqcEM9lu+JRw95XuAbeWrQSawRRDkXmSTjrFcJZ0em3RJDbrVVHv3HwE
+PcG0Nax3vnWnh3ddTnf2fhBKlHffqhxe8YtJwB55AoGAJRAIoAPMfSCFUC9hRwg0
+OOu/X6Lm9wMrIrt4k1MSSdd+pp07ta074J0BmFr/jNlryVsrf8sTXoA1IwcdS1jZ
+in281lwIa5Qs1md8fopEelWhb9QDDm4xSvsPezfGye87UXbVArQEwgLb4GdgAOf/
+Zjd7zn7e+bZe5ggRTDlg4sMCgYBQ77sLyNUEaX3tCGPVqvdBH01P191IKcfAgdiF
+Ll1gGOK0Vqad+PJTUHPuiHEGVvbW6sJf7F7n4LylFStStPl/QdTBZchmH2G4OlUn
+uUy3scFdQaiWC1+87+ZDH6yw82z8985yhVcvjGqVPQ6y/R0TqbtNJpG9jdRPlREW
+OOu6qQKBgHfVG3gtHt1nLPgjErQGy2PeMrDZn9Ac5bOuXZ5WlR5G7lLzcK4Ew7rR
+SjMiAAkzJMUfacx7USkOfONx6VT1ZfQeUbqW3v7ZqA9C6vt+oCl8ji60HBEZ6Bx6
+llPVnHF+J/lkQsB8FCCKd8tOBZuHE0uuwlmstgg4/Ce5DFqte3uo
+-----END RSA PRIVATE KEY-----
+EOF
+
+etcdctl --endpoints 172.29.0.20:2379 put api/certsrc hardcoded
+EOSCRIPT
+
+set -x
+docker restart devmachine-console
+set +x
+echo "We have created a 'devmachine-localhost.ca.pem' file. Add this to your browser's Certificate Authorities and everything will just work"

devmachine/start_devmachine.sh

@@ -245,6 +245,8 @@ OPUT=$(docker run -d \
   --name ${CONTAINER_PREFIX}console \
   --net ${DOCKERNET} \
   -p ${CONSOLE_PORT}:2222 \
+  -p 2223:2223 \
+  -p 2224:2224 \
   --ip ${SUB24}.26 \
   --restart always \
   -v ${OSDBASE}/etc/ceph:/etc/ceph \

manifest_templates/adminconsole.deployment.yaml

@@ -31,6 +31,12 @@ spec:
           - containerPort: 2222
             protocol: TCP
             name: adminport
+          - containerPort: 2223
+            name: admin-grpc-api
+            protocol: TCP
+          - containerPort: 2224
+            name: admin-http-api
+            protocol: TCP
       volumes:
         - name: ceph-keyring
           secret:
@@ -51,6 +57,12 @@ spec:
   - port: 2222
     targetPort: adminport
     name: console
+  - port: 2223
+    targetPort: admin-grpc-api
+    name: admin-grpc-api
+  - port: 2224
+    targetPort: admin-http-api
+    name: admin-http-api
   externalIPs:{{range .SiteInfo.ExternalIPs}}
   - {{.}}{{end}}
   selector:

mfgen/main.go

@@ -10,7 +10,7 @@ import (
 
 //go:generate go-bindata -o templates.go -prefix ../manifest_templates ../manifest_templates/
 
-const PackageVersion = "4.10.2"
+const PackageVersion = "4.11.0"
 
 func main() {
 	app := cli.NewApp()