Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth: Prune pending TLS identities #14261

Open
wants to merge 16 commits into
base: main
Choose a base branch
from
Open

Auth: Prune pending TLS identities #14261

wants to merge 16 commits into from
+257 −132

Conversation

markylaing
Copy link
Contributor

@markylaing markylaing commented Oct 11, 2024
edited
Loading

As part of the TLS fine-grained authorization specification, pending TLS identities must be pruned when their associated token expires. This pull request adds logic to the autoRemoveExpiredTokens task such that the leader will retrieve all the pending TLS identities and delete those that have expired. Non-leaders will continue to cancel "certificate add" and "cluster join" operations in-memory in each member.

There was a lot of duplication of logic to identify the database leader. This PR adds a method to Daemon and State to determine if the member is a leader and refactors existing code to use that method. If the Daemon is standalone it is considered to be the leader. It is the responsibility of the caller to check (*State).ServerClustered before calling (*State).LeaderInfo when necessary.

Marked as draft until #14207 is merged.

@github-actions github-actions bot added Documentation Documentation needs updating API Changes to the REST API labels Oct 11, 2024
@markylaing markylaing marked this pull request as draft October 11, 2024 10:55
@markylaing markylaing self-assigned this Oct 11, 2024
@markylaing markylaing force-pushed the prune-pending-tls-identities branch 2 times, most recently from 6e803ae to c99214a Compare October 15, 2024 16:04
@github-actions github-actions bot removed Documentation Documentation needs updating API Changes to the REST API labels Oct 15, 2024
@markylaing markylaing marked this pull request as ready for review October 15, 2024 16:04
markylaing
markylaing commented Oct 15, 2024
View reviewed changes
lxd/identities.go Outdated Show resolved Hide resolved
tomponline
tomponline reviewed Oct 16, 2024
View reviewed changes
lxd/daemon.go Outdated Show resolved Hide resolved
tomponline
tomponline reviewed Oct 16, 2024
View reviewed changes
lxd/tokens.go Outdated Show resolved Hide resolved
tomponline
tomponline reviewed Oct 16, 2024
View reviewed changes
lxd/daemon.go Outdated Show resolved Hide resolved
hamistao
hamistao reviewed Oct 16, 2024
View reviewed changes
lxd/patches.go Outdated Show resolved Hide resolved
hamistao
hamistao reviewed Oct 16, 2024
View reviewed changes
lxd/tokens.go Outdated Show resolved Hide resolved
lxd/daemon.go Outdated Show resolved Hide resolved
@markylaing markylaing force-pushed the prune-pending-tls-identities branch 2 times, most recently from 21cacd4 to ece5b8d Compare October 23, 2024 09:29
@hamistao hamistao mentioned this pull request Oct 23, 2024
Draft
@markylaing
Copy link
Contributor Author

@tomponline @hamistao third time lucky, it has passed! Unfortunately this is probably bad news as it means we have a racy test that fails intermittently in CI. I'll keep looking but I can't see how my PR is affecting this.

@markylaing
Copy link
Contributor Author

@tomponline @hamistao third time lucky, it has passed! Unfortunately this is probably bad news as it means we have a racy test that fails intermittently in CI. I'll keep looking but I can't see how my PR is affecting this.

I just realised that I posted this comment on the wrong PR. It's meant for #14324

tomponline
tomponline reviewed Oct 24, 2024
View reviewed changes
lxd/api_cluster.go Outdated Show resolved Hide resolved
tomponline
tomponline reviewed Oct 24, 2024
View reviewed changes
lxd/api_cluster.go Outdated Show resolved Hide resolved
tomponline
tomponline reviewed Oct 24, 2024
View reviewed changes
lxd/api_cluster.go Outdated Show resolved Hide resolved
tomponline
tomponline requested changes Oct 24, 2024
View reviewed changes
Copy link
Member

@tomponline tomponline left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please can you review the use of s.ServerClustered and in functions where there is also a call to s.LeaderInfo check leaderInfo.Clustered instead, that way we are keeping checks for cluster state to the leaderInfo struct. Perhaps ultimately we may unexport s.Clustered from State....

tomponline
tomponline reviewed Oct 24, 2024
View reviewed changes
lxd/tokens.go Outdated Show resolved Hide resolved
tomponline
tomponline reviewed Oct 24, 2024
View reviewed changes
test/suites/auth.sh Outdated Show resolved Hide resolved
@markylaing
Copy link
Contributor Author

Please can you review the use of s.ServerClustered and in functions where there is also a call to s.LeaderInfo check leaderInfo.Clustered instead, that way we are keeping checks for cluster state to the leaderInfo struct. Perhaps ultimately we may unexport s.Clustered from State....

I have kept these checks because checking s.Clustered is quick, whereas s.LeaderInfo may call d.gateway.LeaderAddress which may be slow. I think it's fine to keep s.Clustered because sometimes we just need to know if we're clustered, and not necessary get the leader information.

@tomponline
Copy link
Member

tomponline commented Oct 24, 2024
edited
Loading

Please can you review the use of s.ServerClustered and in functions where there is also a call to s.LeaderInfo check leaderInfo.Clustered instead, that way we are keeping checks for cluster state to the leaderInfo struct. Perhaps ultimately we may unexport s.Clustered from State....

I have kept these checks because checking s.Clustered is quick, whereas s.LeaderInfo may call d.gateway.LeaderAddress which may be slow. I think it's fine to keep s.Clustered because sometimes we just need to know if we're clustered, and not necessary get the leader information.

Yeah but wont we do an s.LeaderInfo call if we are clustered in those situations, and s.LeaderInfo is cheap because it tests s.ServerClustered internally first?

If we werent also calling s.LeaderInfo in the same function i would agree testing s.ServerClustered directly is fine.

@markylaing
lxd/state: Add LeaderInfo type and function to state.
be1ec61 
Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
lxd: Set LeaderInfo function in (*Daemon).State.
2220cde 
Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
lxd: Update ACME handlers to use (*State).LeaderInfo.
7fe7737 
Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
lxd: Update cluster handlers to use (*State).LeaderInfo.
afbd115 
Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
lxd: Update image sync task to use (*State).LeaderInfo.
15591e9 
Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
lxd: Update instance handlers to use (*State).LeaderInfo.
458e458 
Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
lxd: Update operation prune task to use (*State).LeaderInfo.
5093829 
Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
lxd: Update database patch to use (*State).LeaderInfo.
07a7c8f 
Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
Copy link
Contributor Author

I think I've addressed everything. Let me know if you have any more thoughts on #14261 (comment) but otherwise ready for another round.

@markylaing
lxd/db/cluster: Differentiate errors returned by PendingTLSMetadata.
b2dd68e 
Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
lxd: Remove expired pending TLS identities in token prune task.
de48dc3 
Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
lxd: Change log level to 'warn' for the token prune task.
11bc5a3 
Also change "id" to "operation" in the log context.

Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
lxd: Opportunistically remove invalid/expired pending TLS identities.
effd497 
On `POST /1.0/certificates` with a trust_token, the CertificateAddToken
operation associated with the token is cancelled regardless of where it
is invalid/expired. This commit performs the analogous task for pending
TLS identities and removes them if invalid when the token is received.

Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
lxd: Add internal testing handler to trigger token prune task.
5792006 
Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
test/suites: Test that expired pending identities are removed when to…
1feeb85 
…ken is used.

Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
test/suites: Test the token pruning task removes expired pending TLS …
e66dc6f 
…identities.

Signed-off-by: Mark Laing <mark.laing@canonical.com>
@markylaing
test/suites: Test token prune task for certificate add token operations.
5e95847 
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hamistao hamistao Awaiting requested review from hamistao

@tomponline tomponline Awaiting requested review from tomponline

Requested changes must be addressed to merge this pull request.

Assignees

@markylaing markylaing

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@markylaing @tomponline @hamistao