Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth: Prune pending TLS identities #14261

Merged
merged 16 commits into from
Oct 31, 2024
Merged

Auth: Prune pending TLS identities #14261

merged 16 commits into from
Oct 31, 2024

Conversation

markylaing
Copy link
Contributor

@markylaing markylaing commented Oct 11, 2024
edited
Loading

As part of the TLS fine-grained authorization specification, pending TLS identities must be pruned when their associated token expires. This pull request adds logic to the autoRemoveExpiredTokens task such that the leader will retrieve all the pending TLS identities and delete those that have expired. Non-leaders will continue to cancel "certificate add" and "cluster join" operations in-memory in each member.

There was a lot of duplication of logic to identify the database leader. This PR adds a method to Daemon and State to determine if the member is a leader and refactors existing code to use that method. If the Daemon is standalone it is considered to be the leader. It is the responsibility of the caller to check (*State).ServerClustered before calling (*State).LeaderInfo when necessary.

Marked as draft until #14207 is merged.

@github-actions github-actions bot added Documentation Documentation needs updating API Changes to the REST API labels Oct 11, 2024
@markylaing markylaing marked this pull request as draft October 11, 2024 10:55
@markylaing markylaing self-assigned this Oct 11, 2024
@markylaing markylaing force-pushed the prune-pending-tls-identities branch 2 times, most recently from 6e803ae to c99214a Compare October 15, 2024 16:04
@github-actions github-actions bot removed Documentation Documentation needs updating API Changes to the REST API labels Oct 15, 2024
@markylaing markylaing marked this pull request as ready for review October 15, 2024 16:04
markylaing
markylaing commented Oct 15, 2024
View reviewed changes
lxd/identities.go Outdated Show resolved Hide resolved
tomponline
tomponline reviewed Oct 16, 2024
View reviewed changes
lxd/daemon.go Outdated Show resolved Hide resolved
tomponline
tomponline reviewed Oct 16, 2024
View reviewed changes
lxd/tokens.go Outdated Show resolved Hide resolved
tomponline
tomponline reviewed Oct 16, 2024
View reviewed changes
lxd/daemon.go Outdated Show resolved Hide resolved
hamistao
hamistao reviewed Oct 16, 2024
View reviewed changes
lxd/patches.go Outdated Show resolved Hide resolved
hamistao
hamistao reviewed Oct 16, 2024
View reviewed changes
lxd/tokens.go Outdated Show resolved Hide resolved
lxd/daemon.go Outdated Show resolved Hide resolved
@markylaing markylaing force-pushed the prune-pending-tls-identities branch 2 times, most recently from 21cacd4 to ece5b8d Compare October 23, 2024 09:29
@hamistao hamistao mentioned this pull request Oct 23, 2024
Open
@markylaing
Copy link
Contributor Author

@tomponline @hamistao third time lucky, it has passed! Unfortunately this is probably bad news as it means we have a racy test that fails intermittently in CI. I'll keep looking but I can't see how my PR is affecting this.

@markylaing
Copy link
Contributor Author

@tomponline @hamistao third time lucky, it has passed! Unfortunately this is probably bad news as it means we have a racy test that fails intermittently in CI. I'll keep looking but I can't see how my PR is affecting this.

I just realised that I posted this comment on the wrong PR. It's meant for #14324

tomponline
tomponline reviewed Oct 24, 2024
View reviewed changes
lxd/api_cluster.go Outdated Show resolved Hide resolved
tomponline
tomponline reviewed Oct 24, 2024
View reviewed changes
lxd/api_cluster.go Outdated Show resolved Hide resolved
tomponline
tomponline reviewed Oct 24, 2024
View reviewed changes
test/suites/auth.sh Outdated Show resolved Hide resolved
@markylaing
Copy link
Contributor Author

Please can you review the use of s.ServerClustered and in functions where there is also a call to s.LeaderInfo check leaderInfo.Clustered instead, that way we are keeping checks for cluster state to the leaderInfo struct. Perhaps ultimately we may unexport s.Clustered from State....

I have kept these checks because checking s.Clustered is quick, whereas s.LeaderInfo may call d.gateway.LeaderAddress which may be slow. I think it's fine to keep s.Clustered because sometimes we just need to know if we're clustered, and not necessary get the leader information.

@tomponline
Copy link
Member

tomponline commented Oct 24, 2024
edited
Loading

Please can you review the use of s.ServerClustered and in functions where there is also a call to s.LeaderInfo check leaderInfo.Clustered instead, that way we are keeping checks for cluster state to the leaderInfo struct. Perhaps ultimately we may unexport s.Clustered from State....

I have kept these checks because checking s.Clustered is quick, whereas s.LeaderInfo may call d.gateway.LeaderAddress which may be slow. I think it's fine to keep s.Clustered because sometimes we just need to know if we're clustered, and not necessary get the leader information.

Yeah but wont we do an s.LeaderInfo call if we are clustered in those situations, and s.LeaderInfo is cheap because it tests s.ServerClustered internally first?

If we werent also calling s.LeaderInfo in the same function i would agree testing s.ServerClustered directly is fine.

@markylaing
lxd/state: Add LeaderInfo type and function to state.
be1ec61 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Set LeaderInfo function in (*Daemon).State.
2220cde 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Update ACME handlers to use (*State).LeaderInfo.
7fe7737 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Update cluster handlers to use (*State).LeaderInfo.
afbd115 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Update image sync task to use (*State).LeaderInfo.
15591e9 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Update instance handlers to use (*State).LeaderInfo.
458e458 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Update operation prune task to use (*State).LeaderInfo.
5093829 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Update database patch to use (*State).LeaderInfo.
07a7c8f 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
Copy link
Contributor Author

I think I've addressed everything. Let me know if you have any more thoughts on #14261 (comment) but otherwise ready for another round.

@markylaing
lxd/db/cluster: Differentiate errors returned by PendingTLSMetadata.
b2dd68e 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Remove expired pending TLS identities in token prune task.
de48dc3 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Change log level to 'warn' for the token prune task.
11bc5a3 
Also change "id" to "operation" in the log context.

Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Opportunistically remove invalid/expired pending TLS identities.
effd497 
On `POST /1.0/certificates` with a trust_token, the CertificateAddToken
operation associated with the token is cancelled regardless of where it
is invalid/expired. This commit performs the analogous task for pending
TLS identities and removes them if invalid when the token is received.

Signed-off-by: Mark Laing <[email protected]>
tomponline
tomponline reviewed Oct 31, 2024
View reviewed changes
lxd/tokens.go Outdated Show resolved Hide resolved
tomponline
tomponline previously approved these changes Oct 31, 2024
View reviewed changes
Copy link
Member

@tomponline tomponline left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just that Debug log line query?

hamistao
hamistao reviewed Oct 31, 2024
View reviewed changes
lxd/api_cluster.go
}

if !leaderInfo.Clustered {
return response.InternalError(cluster.ErrNodeIsNotClustered)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this be better classified as a BadRequest?
This does impact the metrics so just making sure we are getting this right.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought that but I didn't want to change the existing HTTP code as that's technically an API change

hamistao
hamistao approved these changes Oct 31, 2024
View reviewed changes
Copy link
Contributor

@hamistao hamistao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@tomponline tomponline merged commit 9bbe4d7 into canonical:main Oct 31, 2024
25 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hamistao hamistao hamistao approved these changes

@tomponline tomponline tomponline left review comments

Assignees

@markylaing markylaing

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@markylaing @tomponline @hamistao