From 5d80f2124b1507796183b55ab138e4f21add8ee3 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Mon, 6 Jan 2020 13:30:57 -0500 Subject: [PATCH 01/11] Add service policies, replacing appwans --- etc/ctrl.with.edge.yml | 164 +++++++++--------- etc/edge.router.yml | 8 +- go.mod | 8 +- go.sum | 20 ++- ziti/cmd/ziti/cmd/cmd.go | 9 +- ziti/cmd/ziti/cmd/common_commands.go | 7 +- ziti/cmd/ziti/cmd/edge_controller/create.go | 4 +- .../cmd/edge_controller/create_edge_router.go | 7 +- .../create_edge_router_policy.go | 4 +- .../cmd/edge_controller/create_identity.go | 11 +- .../cmd/edge_controller/create_service.go | 40 ++--- .../edge_controller/create_service_policy.go | 94 ++++++++++ ziti/cmd/ziti/cmd/edge_controller/delete.go | 8 +- ziti/cmd/ziti/cmd/edge_controller/list.go | 70 +++++--- ziti/cmd/ziti/cmd/edge_controller/root.go | 11 +- ziti/cmd/ziti/cmd/execute_controller.go | 5 +- 16 files changed, 301 insertions(+), 169 deletions(-) create mode 100644 ziti/cmd/ziti/cmd/edge_controller/create_service_policy.go diff --git a/etc/ctrl.with.edge.yml b/etc/ctrl.with.edge.yml index 32c6337af..3dc03326b 100644 --- a/etc/ctrl.with.edge.yml +++ b/etc/ctrl.with.edge.yml 
@@ -1,82 +1,82 @@ -v: 3 - -#trace: -# path: ctrl.trace - -#profile: -# memory: -# path: ctrl.memprof - -db: ${ZITI_DATA}db/ctrl.db - -identity: - cert: ${ZITI_SOURCE}etc/ca/intermediate/certs/ctrl-client.cert.pem - server_cert: ${ZITI_SOURCE}etc/ca/intermediate/certs/ctrl-server.cert.pem - key: ${ZITI_SOURCE}etc/ca/intermediate/private/ctrl.key.pem - ca: ${ZITI_SOURCE}etc/ca/intermediate/certs/ca-chain.cert.pem - -# the endpoint that routers will connect to the controller over. -ctrl: - listener: tls:127.0.0.1:6262 - -# the endpoint that management tools connect to the controller over. -mgmt: - listener: tls:127.0.0.1:10000 - -#metrics: -# influxdb: -# url: http://localhost:8086 -# database: ziti - -# xctrl_example -# -#example: -# enabled: false -# delay: 5 - -# By having an 'edge' section defined, the ziti-controller will attempt to parse the edge configuration. Removing this -# section, commenting out, or altering the name of the section will cause the edge to not run. -edge: - # This section represents the configuration of the Edge API that is served over HTTPS - api: - # (required) The interface and port that the Edge API should be served on. - listener: 127.0.0.1:1280 - # (required) The host/port combination that is reported as publicly accessible for the Edge API - advertise: localhost:1280 - # (optional, defaults to 10) The number of minutes before an Edge API session will timeout. Timeouts are reset by - # API requests and connections that are maintained to Edge Routers - sessionTimeoutMinutes: 30 - #(optional, defaults to the root identity) An alternate "identity" to use for the Edge API. If this section is not - # defined the root identity section will be used. 
This is useful for situations where Edge API will present a - # publicly signed certificate instead of one generated by a private PKI created by ziti pki create -# identity: -# server_cert: edge/tests/pki/ziti-dev-controller01.external.cert.pem -# server_key: edge/tests/pki/ziti-dev-controller01.external.key.pem -# ca: edge/tests/pki/ziti-dev-controller01.external.chain.cert.pem - # This section is used to define option that are used during enrollment of Edge Routers, Ziti Edge Identities. - enrollment: - # (required) A Ziti Identity configuration section that specifically makes use of the cert and key fields to define - # a signing certificate from the PKI that the Ziti environment is using to sign certificates. The signingCert.cert - # will be added to the /.well-known CA store that is used to bootstrap trust with the Ziti Controller. - signingCert: - cert: ${ZITI_SOURCE}etc/ca/intermediate/certs/intermediate.cert.pem - key: ${ZITI_SOURCE}etc/ca/intermediate/private/intermediate.key.decrypted.pem - edgeIdentity: - # (optional, defaults to 5) The length of time that a Ziti Edge Identity enrollment should remain valid. After - # this duration, the enrollment will expire and not longer be usable. - durationMinutes: 5 - edgeRouter: - # (optional, defaults to 5) The length of time that a Ziti Edge Router enrollment should remain valid. After - # this duration, the enrollment will expire and not longer be usable. 
- durationMinutes: 5 - -# Only specify the persistence config if you want to migrate data from a PG database to the new bbolt datastore -# -# persistence: -# # See documentation: -# # - https://godoc.org/github.com/lib/pq -# # - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING -# # (required) A Postgres connection string used to connect to a database -# connectionUrl: postgres://postgres:ztpassword@localhost/postgres?sslmode=disable -# # (required) The Postgres database name to use -# dbName: postgres +v: 3 + +#trace: +# path: ctrl.trace + +#profile: +# memory: +# path: ctrl.memprof + +db: ${ZITI_DATA}/db/ctrl.db + +identity: + cert: ${ZITI_SOURCE}/ziti-cmd/etc/ca/intermediate/certs/ctrl-client.cert.pem + server_cert: ${ZITI_SOURCE}/ziti-cmd/etc/ca/intermediate/certs/ctrl-server.cert.pem + key: ${ZITI_SOURCE}/ziti-cmd/etc/ca/intermediate/private/ctrl.key.pem + ca: ${ZITI_SOURCE}/ziti-cmd/etc/ca/intermediate/certs/ca-chain.cert.pem + +# the endpoint that routers will connect to the controller over. +ctrl: + listener: tls:127.0.0.1:6262 + +# the endpoint that management tools connect to the controller over. +mgmt: + listener: tls:127.0.0.1:10000 + +#metrics: +# influxdb: +# url: http://localhost:8086 +# database: ziti + +# xctrl_example +# +#example: +# enabled: false +# delay: 5 + +# By having an 'edge' section defined, the ziti-controller will attempt to parse the edge configuration. Removing this +# section, commenting out, or altering the name of the section will cause the edge to not run. +edge: + # This section represents the configuration of the Edge API that is served over HTTPS + api: + # (required) The interface and port that the Edge API should be served on. + listener: 127.0.0.1:1280 + # (required) The host/port combination that is reported as publicly accessible for the Edge API + advertise: localhost:1280 + # (optional, defaults to 10) The number of minutes before an Edge API session will timeout. 
Timeouts are reset by + # API requests and connections that are maintained to Edge Routers + sessionTimeoutMinutes: 30 + #(optional, defaults to the root identity) An alternate "identity" to use for the Edge API. If this section is not + # defined the root identity section will be used. This is useful for situations where Edge API will present a + # publicly signed certificate instead of one generated by a private PKI created by ziti pki create +# identity: +# server_cert: edge/tests/pki/ziti-dev-controller01.external.cert.pem +# server_key: edge/tests/pki/ziti-dev-controller01.external.key.pem +# ca: edge/tests/pki/ziti-dev-controller01.external.chain.cert.pem + # This section is used to define option that are used during enrollment of Edge Routers, Ziti Edge Identities. + enrollment: + # (required) A Ziti Identity configuration section that specifically makes use of the cert and key fields to define + # a signing certificate from the PKI that the Ziti environment is using to sign certificates. The signingCert.cert + # will be added to the /.well-known CA store that is used to bootstrap trust with the Ziti Controller. + signingCert: + cert: ${ZITI_SOURCE}/ziti-cmd/etc/ca/intermediate/certs/intermediate.cert.pem + key: ${ZITI_SOURCE}/ziti-cmd/etc/ca/intermediate/private/intermediate.key.decrypted.pem + edgeIdentity: + # (optional, defaults to 5) The length of time that a Ziti Edge Identity enrollment should remain valid. After + # this duration, the enrollment will expire and not longer be usable. + durationMinutes: 5 + edgeRouter: + # (optional, defaults to 5) The length of time that a Ziti Edge Router enrollment should remain valid. After + # this duration, the enrollment will expire and not longer be usable. 
+ durationMinutes: 5 + +# Only specify the persistence config if you want to migrate data from a PG database to the new bbolt datastore +# +# persistence: +# # See documentation: +# # - https://godoc.org/github.com/lib/pq +# # - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING +# # (required) A Postgres connection string used to connect to a database +# connectionUrl: postgres://postgres:ztpassword@localhost/postgres?sslmode=disable +# # (required) The Postgres database name to use +# dbName: postgres diff --git a/etc/edge.router.yml b/etc/edge.router.yml index 3ba588d4f..018e49528 100644 --- a/etc/edge.router.yml +++ b/etc/edge.router.yml @@ -15,10 +15,10 @@ v: 2 # as the client certificate to connect to the controller. The 'server_cert' is used for all servers/listeners. The # 'ca' value is used to populate an internally Trusted CA pool. identity: - cert: ${ZITI_SOURCE}etc/ca/intermediate/certs/ignore.gw001-client.cert.pem - server_cert: ${ZITI_SOURCE}etc/ca/intermediate/certs/ignore.gw001-server.cert.pem - key: ${ZITI_SOURCE}etc/ca/intermediate/private/ignore.gw001.key.pem - ca: ${ZITI_SOURCE}etc/ca/intermediate/certs/ignore.gw001-ca-chain.cert.pem + cert: ${ZITI_DATA}/edge-router-client.cert.pem + server_cert: ${ZITI_DATA}/edge-router-server.cert.pem + key: ${ZITI_DATA}/edge-router.key.pem + ca: ${ZITI_DATA}/edge-router-ca-chain.cert.pem #trace: # path: 001.trace diff --git a/go.mod b/go.mod index 730441bb4..a2ae01078 100644 --- a/go.mod +++ b/go.mod 
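Review bot: The rewritten `signingCert.key` entry still points at `intermediate.key.decrypted.pem`, an enrollment-signing CA private key stored without a passphrase, and neither the old nor the new comment block warns about it; per the comment above it, that key signs router and identity certificates, so whoever can read the file can presumably enroll arbitrary endpoints. I would add directly above `signingCert:` the line `# NOTE: the key below is stored unencrypted for dev convenience; restrict its file permissions and use an encrypted or HSM-backed key outside dev`. Separately, all 82 lines are removed and re-added although only the `${ZITI_SOURCE}` and `${ZITI_DATA}` prefixes actually change, which looks like a line-ending or trailing-whitespace rewrite; confirming that would keep the real edit reviewable.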
@@ -21,10 +21,10 @@ require ( github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 github.com/keybase/go-ps v0.0.0-20190827175125-91aafc93ba19 github.com/michaelquigley/pfxlog v0.0.0-20190813191113-2be43bd0dccc - github.com/netfoundry/ziti-edge v0.0.0-20200103214637-bf4df591383e - github.com/netfoundry/ziti-fabric v0.0.0-20191213215600-dcc209b66c31 - github.com/netfoundry/ziti-foundation v0.0.0-20191213201903-e68267fe89e6 - github.com/netfoundry/ziti-sdk-golang v0.0.0-20191217143926-85a9668710ec + github.com/netfoundry/ziti-edge v0.0.0-20200106182528-84b239b9cbec + github.com/netfoundry/ziti-fabric v0.0.0-20200106180846-61266f3e696d + github.com/netfoundry/ziti-foundation v0.0.0-20200106153940-3df3c2afba3b + github.com/netfoundry/ziti-sdk-golang v0.0.0-20200106180923-91c7e169586a github.com/pborman/uuid v1.2.0 github.com/pkg/errors v0.8.1 github.com/rcrowley/go-metrics v0.0.0-20190826022208-cac0b30c2563 diff --git a/go.sum b/go.sum index 18a2c4451..972dc2aa9 100644 --- a/go.sum +++ b/go.sum 
@@ -218,14 +218,18 @@ github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/netfoundry/ziti-edge v0.0.0-20200103214637-bf4df591383e h1:iNX2N/tIKG1Rx+O0MZBrC2XcgNrIiP06VUMTMtLrzjc= -github.com/netfoundry/ziti-edge v0.0.0-20200103214637-bf4df591383e/go.mod h1:FX9trIPUzsrwzahTLWD+v3kc6HLAK4chRQ9xQgNt1PU= -github.com/netfoundry/ziti-fabric v0.0.0-20191213215600-dcc209b66c31 h1:qlh09aBS5mmi6gWxsn6peSrrpZYfHCaOReBNMq8P6Lg= -github.com/netfoundry/ziti-fabric v0.0.0-20191213215600-dcc209b66c31/go.mod h1:C06MeM/NC8eIDHWnhisFzEcneMx+dyrewB3wu/KzSn4= -github.com/netfoundry/ziti-foundation v0.0.0-20191213201903-e68267fe89e6 h1:6mEfpYgZurDpmv/uTRbTWS9AXc+CBDjyoLM5ugijYn4= -github.com/netfoundry/ziti-foundation v0.0.0-20191213201903-e68267fe89e6/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10= -github.com/netfoundry/ziti-sdk-golang v0.0.0-20191217143926-85a9668710ec h1:3xvlOZqkT9PS6/DH2VKF2mrvgVLxPYIuDfKMt9BSiSc= -github.com/netfoundry/ziti-sdk-golang v0.0.0-20191217143926-85a9668710ec/go.mod h1:swcAExEHVuvgvtf6zPO+v9gHww8GpYt4GBVFu6ZHxQI= +github.com/netfoundry/ziti-edge v0.0.0-20200106182528-84b239b9cbec h1:gUmXrsWq0BJvMYPBfEHYWHRxV6KWkE/9t+eCBciQH2Q= +github.com/netfoundry/ziti-edge v0.0.0-20200106182528-84b239b9cbec/go.mod h1:/m8XpW1y817515jqyZj7AGfjyg7aDq2bl2bbSJmRSSY= +github.com/netfoundry/ziti-fabric v0.0.0-20200106161907-ec24d58cea25/go.mod h1:c2KuMFw3zzANlJHELDH9ejldg2k5W9k3NwQBPYnDpQw= +github.com/netfoundry/ziti-fabric v0.0.0-20200106180846-61266f3e696d h1:WzuJk+CGxkWiLbG29UVwrAWcw/M2o0qjK69YFzrfY3I= +github.com/netfoundry/ziti-fabric v0.0.0-20200106180846-61266f3e696d/go.mod 
h1:c2KuMFw3zzANlJHELDH9ejldg2k5W9k3NwQBPYnDpQw= +github.com/netfoundry/ziti-foundation v0.0.0-20200104011655-295bb307246b h1:IuzZd4AWMpPc9h22JxwsO70yhD/Vu0Z9BnW43VeL114= +github.com/netfoundry/ziti-foundation v0.0.0-20200104011655-295bb307246b/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10= +github.com/netfoundry/ziti-foundation v0.0.0-20200106153940-3df3c2afba3b h1:aWeeVBDrgBHzax+g1j1n4aT3ghIzPsu+7qnCpq0WPWc= +github.com/netfoundry/ziti-foundation v0.0.0-20200106153940-3df3c2afba3b/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10= +github.com/netfoundry/ziti-sdk-golang v0.0.0-20200106153041-5f45429a4fcd/go.mod h1:CR4r2yLPic5h9Vh2wNJkwNWBeYXFYEjwzDWrckuj3rQ= +github.com/netfoundry/ziti-sdk-golang v0.0.0-20200106180923-91c7e169586a h1:4GxslLTr/wCB6dK3I8Zpy8AYNwSd6h2nLfs2yVc8g6U= +github.com/netfoundry/ziti-sdk-golang v0.0.0-20200106180923-91c7e169586a/go.mod h1:CR4r2yLPic5h9Vh2wNJkwNWBeYXFYEjwzDWrckuj3rQ= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/oleiade/reflections v1.0.0 h1:0ir4pc6v8/PJ0yw5AEtMddfXpWBXg9cnG7SgSoJuCgY= github.com/oleiade/reflections v1.0.0/go.mod h1:RbATFBbKYkVdqmSFtx13Bb/tVhR0lgOBXunWTZKeL4w= diff --git a/ziti/cmd/ziti/cmd/cmd.go b/ziti/cmd/ziti/cmd/cmd.go index e2e474b15..6bfbef246 100644 --- a/ziti/cmd/ziti/cmd/cmd.go +++ b/ziti/cmd/ziti/cmd/cmd.go @@ -17,7 +17,6 @@ package cmd import ( - "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/edge_controller" goflag "flag" "fmt" "io" 
@@ -25,13 +24,15 @@ import ( "path/filepath" "strings" + "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/edge_controller" + cmdutil "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/factory" c "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/constants" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/internal/log" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/util" - "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/templates" "github.com/netfoundry/ziti-cmd/common/version" + "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/templates" "github.com/spf13/cobra" "github.com/spf13/viper" ) @@ -53,8 +54,6 @@ type RootCmd struct { cobraCommand *cobra.Command } -var cliAgentEnabled bool - var rootCommand = RootCmd{ cobraCommand: &cobra.Command{ Use: "ziti", @@ -124,8 +123,6 @@ func NewCmdRoot(f cmdutil.Factory, in io.Reader, out, err io.Writer) *cobra.Comm // defaultClusterName := os.Getenv("ZITI_CLUSTER_NAME") // cmd.PersistentFlags().StringVarP(&rootCommand.clusterName, "name", "", defaultClusterName, "Name of cluster. Overrides ZITI_CLUSTER_NAME environment variable") - cmd.PersistentFlags().BoolVarP(&cliAgentEnabled, "cliagent", "a", false, "Enable CLI Agent (use in dev only)") - initCommands := NewCmdInit(f, out, err) createCommands := NewCmdCreate(f, out, err) updateCommands := NewCmdUpdate(f, out, err) diff --git a/ziti/cmd/ziti/cmd/common_commands.go b/ziti/cmd/ziti/cmd/common_commands.go index dc9452e9c..ba8f8f4e7 100644 --- a/ziti/cmd/ziti/cmd/common_commands.go +++ b/ziti/cmd/ziti/cmd/common_commands.go 
@@ -17,15 +17,18 @@ package cmd import ( - "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/internal/log" - "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/util" "fmt" "io/ioutil" "os" "os/exec" "strings" + + "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/internal/log" + "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/util" ) +var cliAgentEnabled bool + func (o *CommonOptions) startCommandFromDir(dir, name string, args ...string) error { if cliAgentEnabled { args = append(args, "--cliagent") diff --git a/ziti/cmd/ziti/cmd/edge_controller/create.go b/ziti/cmd/ziti/cmd/edge_controller/create.go index e45840743..40e20c32d 100644 --- a/ziti/cmd/ziti/cmd/edge_controller/create.go +++ b/ziti/cmd/ziti/cmd/edge_controller/create.go @@ -18,12 +18,13 @@ package edge_controller import ( "fmt" + "io" + "github.com/Jeffail/gabs" cmdutil "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/factory" cmdhelper "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/helpers" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/util" "github.com/spf13/cobra" - "io" ) // newListCmd creates a command object for the "controller list" command @@ -43,6 +44,7 @@ func newCreateCmd(f cmdutil.Factory, out io.Writer, errOut io.Writer) *cobra.Com cmd.AddCommand(newCreateEdgeRouterPolicyCmd(f, out, errOut)) cmd.AddCommand(newCreateIdentityCmd(f, out, errOut)) cmd.AddCommand(newCreateServiceCmd(f, out, errOut)) + cmd.AddCommand(newCreateServicePolicyCmd(f, out, errOut)) cmd.AddCommand(newCreateAuthenticatorCmd(f, out, errOut)) cmd.AddCommand(newCreateCaCmd(f, out, errOut)) diff --git a/ziti/cmd/ziti/cmd/edge_controller/create_edge_router.go b/ziti/cmd/ziti/cmd/edge_controller/create_edge_router.go index 9bb32de14..608fe3780 100644 --- a/ziti/cmd/ziti/cmd/edge_controller/create_edge_router.go +++ b/ziti/cmd/ziti/cmd/edge_controller/create_edge_router.go 
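Review bot: The `cliAgentEnabled` variable re-declared here is never assigned anywhere in the patch: the cmd.go hunk deletes the `--cliagent`/`-a` persistent flag that used to set it, so the `if cliAgentEnabled { args = append(args, "--cliagent") }` branch in `startCommandFromDir` is now dead code that silently stops propagating the agent setting. Either remove the variable and the branch, or re-register the flag under its long name only now that `-a` is taken by `--role-attributes`, e.g. `cmd.PersistentFlags().BoolVar(&cliAgentEnabled, "cliagent", false, "Enable CLI Agent (use in dev only)")` in `NewCmdRoot`. The body of `startCommandFromDir` continues past the end of the hunk.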
@@ -18,13 +18,14 @@ package edge_controller import ( "fmt" + "io" + "io/ioutil" + "github.com/Jeffail/gabs" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/common" cmdutil "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/factory" cmdhelper "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/helpers" "github.com/spf13/cobra" - "io" - "io/ioutil" ) type createEdgeRouterOptions struct { @@ -57,7 +58,7 @@ func newCreateEdgeRouterCmd(f cmdutil.Factory, out io.Writer, errOut io.Writer) // allow interspersing positional args and flags cmd.Flags().SetInterspersed(true) - cmd.Flags().StringSliceVarP(&options.roleAttributes, "role-attributes", "r", nil, "Role attributes of the new edge router") + cmd.Flags().StringSliceVarP(&options.roleAttributes, "role-attributes", "a", nil, "Role attributes of the new edge router") cmd.Flags().BoolVarP(&options.OutputJSONResponse, "output-json", "j", false, "Output the full JSON response from the Ziti Edge Controller") cmd.Flags().StringVarP(&options.jwtOutputFile, "jwt-output-file", "o", "", "File to which to output the JWT used for enrolling the edge router") return cmd diff --git a/ziti/cmd/ziti/cmd/edge_controller/create_edge_router_policy.go b/ziti/cmd/ziti/cmd/edge_controller/create_edge_router_policy.go index 782c6cb5f..48117ad54 100644 --- a/ziti/cmd/ziti/cmd/edge_controller/create_edge_router_policy.go +++ b/ziti/cmd/ziti/cmd/edge_controller/create_edge_router_policy.go @@ -18,19 +18,19 @@ package edge_controller import ( "fmt" + "io" + "github.com/Jeffail/gabs" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/common" cmdutil "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/factory" cmdhelper "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/helpers" "github.com/spf13/cobra" - "io" ) type createEdgeRouterPolicyOptions struct { commonOptions edgeRouterRoles []string identityRoles []string - jwtOutputFile string } // newCreateEdgeRouterPolicyCmd creates the 'edge controller create edge-router-policy' command 
diff --git a/ziti/cmd/ziti/cmd/edge_controller/create_identity.go b/ziti/cmd/ziti/cmd/edge_controller/create_identity.go index 3d3533bd0..9dc8d8562 100644 --- a/ziti/cmd/ziti/cmd/edge_controller/create_identity.go +++ b/ziti/cmd/ziti/cmd/edge_controller/create_identity.go @@ -18,15 +18,16 @@ package edge_controller import ( "fmt" + "io" + "io/ioutil" + "reflect" + "strings" + "github.com/Jeffail/gabs" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/common" cmdutil "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/factory" cmdhelper "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/helpers" "github.com/spf13/cobra" - "io" - "io/ioutil" - "reflect" - "strings" ) type createIdentityOptions struct { @@ -79,7 +80,7 @@ func newCreateIdentityOfTypeCmd(idType string, options *createIdentityOptions) * cmd.Flags().BoolVarP(&options.OutputJSONResponse, "output-json", "j", false, "Output the full JSON response from the Ziti Edge Controller") cmd.Flags().BoolVarP(&options.isAdmin, "admin", "A", false, "Give the new identity admin privileges") - cmd.Flags().StringSliceVarP(&options.roleAttributes, "role-attributes", "r", nil, "Role attributes of the new identity") + cmd.Flags().StringSliceVarP(&options.roleAttributes, "role-attributes", "a", nil, "Role attributes of the new identity") cmd.Flags().StringVarP(&options.jwtOutputFile, "jwt-output-file", "o", "", "File to which to output the JWT used for enrolling the identity") return cmd diff --git a/ziti/cmd/ziti/cmd/edge_controller/create_service.go b/ziti/cmd/ziti/cmd/edge_controller/create_service.go index dd23ed9ea..c1a190a80 100644 --- a/ziti/cmd/ziti/cmd/edge_controller/create_service.go +++ b/ziti/cmd/ziti/cmd/edge_controller/create_service.go 
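Review bot: After this change `--role-attributes` is `-a` while `--admin` on the line above keeps `-A`, so the flag that grants admin privileges differs from a routine one only by letter case, and a mis-shifted `-A` quietly creates an admin identity. Since a privilege-granting flag is worth the extra keystrokes, I would drop the shorthand on `--admin` (`cmd.Flags().BoolVar(&options.isAdmin, "admin", false, ...)`), or at minimum call out the pairing in its help text: `"Give the new identity admin privileges (-A; not to be confused with -a/--role-attributes)"`. Whether cobra rejects the resulting stray positional depends on the command's `Args` setting, which is outside the hunk.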
@@ -18,13 +18,14 @@ package edge_controller import ( "fmt" + "io" + "strconv" + "github.com/Jeffail/gabs" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/common" cmdutil "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/factory" cmdhelper "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/helpers" "github.com/spf13/cobra" - "io" - "strconv" ) type createServiceOptions struct { @@ -32,7 +33,7 @@ type createServiceOptions struct { hostedService bool tags map[string]string edgeRouterRoles []string - hostIds []string + roleAttributes []string } // newCreateServiceCmd creates the 'edge controller create service local' command for the given entity type @@ -68,7 +69,7 @@ func newCreateServiceCmd(f cmdutil.Factory, out io.Writer, errOut io.Writer) *co cmd.Flags().BoolVarP(&options.OutputJSONResponse, "output-json", "j", false, "Output the full JSON response from the Ziti Edge Controller") cmd.Flags().BoolVar(&options.hostedService, "hosted", false, "Indicates that this is a hosted service") cmd.Flags().StringSliceVarP(&options.edgeRouterRoles, "edge-router-roles", "r", nil, "Edge router roles of the new service") - cmd.Flags().StringSliceVarP(&options.hostIds, "host-ids", "i", nil, "Identities allowed to host this service") + cmd.Flags().StringSliceVarP(&options.roleAttributes, "role-attributes", "a", nil, "Role attributes of the new identity") return cmd } 
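Review bot: The help string of the new `--role-attributes` flag was carried over from create_identity.go and still reads `"Role attributes of the new identity"` although it belongs to the service create command; it should be `"Role attributes of the new service"`. With `--host-ids` removed, which identities may host the service appears to be decided by a Bind service policy matched against these attributes, so a sentence to that effect in the command's `Short`/`Long` (outside the hunk) would give users of the old flag a pointer to its replacement.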
@@ -80,31 +81,24 @@ func runCreateService(o *createServiceOptions) (err error) { return err } - serviceData := gabs.New() - setJSONValue(serviceData, o.Args[0], "name") - setJSONValue(serviceData, o.edgeRouterRoles, "edgeRouterRoles") - setJSONValue(serviceData, o.Args[1], "dns", "hostname") - setJSONValue(serviceData, port, "dns", "port") + entityData := gabs.New() + setJSONValue(entityData, o.Args[0], "name") + setJSONValue(entityData, o.edgeRouterRoles, "edgeRouterRoles") + setJSONValue(entityData, o.Args[1], "dns", "hostname") + setJSONValue(entityData, port, "dns", "port") + setJSONValue(entityData, o.roleAttributes, "roleAttributes") if o.hostedService { - setJSONValue(serviceData, "unclaimed", "egressRouter") - setJSONValue(serviceData, "hosted:unclaimed", "endpointAddress") + setJSONValue(entityData, "unclaimed", "egressRouter") + setJSONValue(entityData, "hosted:unclaimed", "endpointAddress") } else { - setJSONValue(serviceData, o.Args[3], "egressRouter") - setJSONValue(serviceData, o.Args[4], "endpointAddress") - } - - if len(o.hostIds) > 0 { - hostIds, err := mapNamesToIDs("identities", o.hostIds...) - if err != nil { - return err - } - setJSONValue(serviceData, hostIds, "hostIds") + setJSONValue(entityData, o.Args[3], "egressRouter") + setJSONValue(entityData, o.Args[4], "endpointAddress") } - setJSONValue(serviceData, o.tags, "tags") + setJSONValue(entityData, o.tags, "tags") - result, err := createEntityOfType("services", serviceData.String(), &o.commonOptions) + result, err := createEntityOfType("services", entityData.String(), &o.commonOptions) if err != nil { panic(err) diff --git a/ziti/cmd/ziti/cmd/edge_controller/create_service_policy.go b/ziti/cmd/ziti/cmd/edge_controller/create_service_policy.go new file mode 100644 index 000000000..8011b1747 --- /dev/null +++ b/ziti/cmd/ziti/cmd/edge_controller/create_service_policy.go 
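Review bot: `setJSONValue(entityData, o.roleAttributes, "roleAttributes")` runs unconditionally, so when `--role-attributes` is omitted a nil slice is presumably emitted as JSON `null` rather than `[]`; I cannot tell from this patch whether the controller tolerates `null` there, and the removed `hostIds` code guarded against exactly that with `if len(o.hostIds) > 0 {`. I would keep the pattern: `if len(o.roleAttributes) > 0 { setJSONValue(entityData, o.roleAttributes, "roleAttributes") }`. The `panic(err)` the hunk ends on turns a controller-side rejection into a stack trace; `return err` would let the caller report it, as the new service-policy command's `Run` closure does via `cmdhelper.CheckErr`. `runCreateService` continues past the end of the hunk.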
@@ -0,0 +1,94 @@
+/*
+ Copyright 2019 Netfoundry, Inc.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package edge_controller
+
+import (
+ "fmt"
+ "io"
+
+ "github.com/pkg/errors"
+
+ "github.com/Jeffail/gabs"
+ "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/common"
+ cmdutil "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/factory"
+ cmdhelper "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/helpers"
+ "github.com/spf13/cobra"
+)
+
+type createServicePolicyOptions struct {
+ commonOptions
+ serviceRoles []string
+ identityRoles []string
+}
+
+// newCreateServicePolicyCmd creates the 'edge controller create service-policy' command
+func newCreateServicePolicyCmd(f cmdutil.Factory, out io.Writer, errOut io.Writer) *cobra.Command {
+ options := &createServicePolicyOptions{
+ commonOptions: commonOptions{
+ CommonOptions: common.CommonOptions{Factory: f, Out: out, Err: errOut},
+ },
+ }
+
+ cmd := &cobra.Command{
+ Use: "service-policy ",
+ Short: "creates an service-policy managed by the Ziti Edge Controller",
+ Long: "creates an service-policy managed by the Ziti Edge Controller",
+ Args: cobra.ExactArgs(2),
+ Run: func(cmd *cobra.Command, args []string) {
+ options.Cmd = cmd
+ options.Args = args
+ err := runCreateServicePolicy(options)
+ cmdhelper.CheckErr(err)
+ },
+ SuggestFor: []string{},
+ }
+
+ // allow interspersing positional args and flags
+ cmd.Flags().SetInterspersed(true)
+ cmd.Flags().StringSliceVarP(&options.serviceRoles, "service-roles", "r", nil, 
"Service roles of the new service policy")
+ cmd.Flags().StringSliceVarP(&options.identityRoles, "identity-roles", "i", nil, "Identity roles of the new service policy")
+ cmd.Flags().BoolVarP(&options.OutputJSONResponse, "output-json", "j", false, "Output the full JSON response from the Ziti Edge Controller")
+
+ return cmd
+}
+
+// runCreateServicePolicy create a new servicePolicy on the Ziti Edge Controller
+func runCreateServicePolicy(o *createServicePolicyOptions) error {
+ policyType := o.Args[1]
+ if policyType != "Bind" && policyType != "Dial" {
+ return errors.Errorf("Invalid policy type '%v'. Valid values: [Bind, Dial]", policyType)
+ }
+
+ entityData := gabs.New()
+ setJSONValue(entityData, o.Args[0], "name")
+ setJSONValue(entityData, o.Args[1], "type")
+ setJSONValue(entityData, o.serviceRoles, "serviceRoles")
+ setJSONValue(entityData, o.identityRoles, "identityRoles")
+ result, err := createEntityOfType("service-policies", entityData.String(), &o.commonOptions)
+
+ if err != nil {
+ panic(err)
+ }
+
+ servicePolicyId := result.S("data", "id").Data()
+
+ if _, err := fmt.Fprintf(o.Out, "%v\n", servicePolicyId); err != nil {
+ panic(err)
+ }
+
+ return err
+}
diff --git a/ziti/cmd/ziti/cmd/edge_controller/delete.go b/ziti/cmd/ziti/cmd/edge_controller/delete.go
index d131bf00d..42762b8c8 100644
--- a/ziti/cmd/ziti/cmd/edge_controller/delete.go
+++ b/ziti/cmd/ziti/cmd/edge_controller/delete.go
@@ -18,14 +18,15 @@ package edge_controller import ( "fmt" + "io" + "strings" + "github.com/Jeffail/gabs" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/common" cmdutil "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/factory" cmdhelper "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/helpers" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/util" "github.com/spf13/cobra" - "io" - "strings" ) // newDeleteCmd creates a command object for the "edge controller delete" command
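Review bot: `runCreateServicePolicy` panics when `createEntityOfType` or the `Fprintf` fails even though its own `Run` closure already routes the return value through `cmdhelper.CheckErr`, so a controller-side rejection (bad role syntax, expired session) surfaces as a Go stack trace instead of the message; replace both `panic(err)` with `return err`, and the final `return err`, which is always nil at that point, with `return nil`. The `Use` string `"service-policy "` ends in a trailing space where the two positional placeholders presumably stood (likely `<name> <type>`, stripped as markup), so `--help` never tells users that the second argument must be `Bind` or `Dial`; `Short`/`Long` also read `"creates an service-policy"` rather than `a`. Because `serviceRoles`/`identityRoles` are forwarded exactly as typed, a comment above the `setJSONValue` calls such as `// role selectors are not validated client-side; any syntax checking happens on the controller` would save the next reader a lookup.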
@@ -50,14 +51,13 @@ func newDeleteCmd(f cmdutil.Factory, out io.Writer, errOut io.Writer) *cobra.Com } } - cmd.AddCommand(newDeleteCmdForEntityType("app-wan", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("ca", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("edge-router", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("edge-router-policy", runDeleteEntityOfType, newOptions())) - cmd.AddCommand(newDeleteCmdForEntityType("gateway", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("identity", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("network-session", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("service", runDeleteEntityOfType, newOptions())) + cmd.AddCommand(newDeleteCmdForEntityType("service-policy", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("session", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteAuthenticatorCmd("authenticator", newOptions())) diff --git a/ziti/cmd/ziti/cmd/edge_controller/list.go b/ziti/cmd/ziti/cmd/edge_controller/list.go index 9e2854f57..bdad4b654 100644 --- a/ziti/cmd/ziti/cmd/edge_controller/list.go +++ b/ziti/cmd/ziti/cmd/edge_controller/list.go @@ -18,13 +18,14 @@ package edge_controller import ( "fmt" + "io" + "github.com/Jeffail/gabs" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/common" cmdutil "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/factory" cmdhelper "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/helpers" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/util" "github.com/spf13/cobra" - "io" ) // newListCmd creates a command object for the "controller list" command 
@@ -49,14 +50,13 @@ func newListCmd(f cmdutil.Factory, out io.Writer, errOut io.Writer) *cobra.Comma } } - cmd.AddCommand(newListCmdForEntityType("app-wans", runListAppWans, newOptions())) cmd.AddCommand(newListCmdForEntityType("cas", runListCAs, newOptions())) cmd.AddCommand(newListCmdForEntityType("edge-routers", runListEdgeRouters, newOptions())) cmd.AddCommand(newListCmdForEntityType("edge-router-policies", runListEdgeRouterPolicies, newOptions())) cmd.AddCommand(newListCmdForEntityType("gateways", runListEdgeRouters, newOptions())) cmd.AddCommand(newListCmdForEntityType("identities", runListIdentities, newOptions())) cmd.AddCommand(newListCmdForEntityType("services", runListServices, newOptions())) - cmd.AddCommand(newListCmdForEntityType("services", runListServices, newOptions())) + cmd.AddCommand(newListCmdForEntityType("service-policies", runListServicePolices, newOptions())) cmd.AddCommand(newListCmdForEntityType("sessions", runListApiSessions, newOptions())) cmd.AddCommand(newListCmdForEntityType("network-sessions", runListNetworkSessions, newOptions())) 
@@ -70,11 +70,17 @@ func newListCmd(f cmdutil.Factory, out io.Writer, errOut io.Writer) *cobra.Comma identityListRootCmd := newEntityListRootCmd("identity") identityListRootCmd.AddCommand(newSubListCmdForEntityType("identities", "edge-router-policies", runListIdentityEdgeRouterPolicies, newOptions())) + identityListRootCmd.AddCommand(newSubListCmdForEntityType("identities", "service-policies", runListIdentityServicePolicies, newOptions())) serviceListRootCmd := newEntityListRootCmd("service") serviceListRootCmd.AddCommand(newSubListCmdForEntityType("services", "edge-routers", runListServiceEdgeRouters, newOptions())) + serviceListRootCmd.AddCommand(newSubListCmdForEntityType("services", "service-policies", runListServiceServicePolicies, newOptions())) + + servicePolicyListRootCmd := newEntityListRootCmd("service-policy") + servicePolicyListRootCmd.AddCommand(newSubListCmdForEntityType("service-policies", "services", runListServicePolicyServices, newOptions())) + servicePolicyListRootCmd.AddCommand(newSubListCmdForEntityType("service-policies", "identities", runListServicePolicyIdentities, newOptions())) - cmd.AddCommand(edgeRouterListRootCmd, edgeRouterPolicyListRootCmd, identityListRootCmd, serviceListRootCmd) + cmd.AddCommand(edgeRouterListRootCmd, edgeRouterPolicyListRootCmd, identityListRootCmd, serviceListRootCmd, servicePolicyListRootCmd) return cmd } 
@@ -264,40 +270,46 @@ func outputServices(o *commonOptions, children []*gabs.Container) error { return nil } -// runListIdentities implements the command to list identities -func runListIdentities(o *commonOptions) error { - children, err := listEntitiesOfTypeWithOptionalFilter("identities", o) +func runListServicePolices(o *commonOptions) error { + children, err := listEntitiesOfTypeWithOptionalFilter("service-polices", o) if err != nil { return err } - return outputIdentities(o, children) + return outputServicePolicies(o, children) } -// outputIdentities implements the command to list identities -func outputIdentities(o *commonOptions, children []*gabs.Container) error { +func outputServicePolicies(o *commonOptions, children []*gabs.Container) error { for _, entity := range children { id, _ := entity.Path("id").Data().(string) name, _ := entity.Path("name").Data().(string) - typeName, _ := entity.Path("type.name").Data().(string) - roleAttributes := entity.Path("roleAttributes").String() - if _, err := fmt.Fprintf(o.Out, "id: %v name: %v type: %v role attributes: %v\n", id, name, typeName, roleAttributes); err != nil { + policyType, _ := entity.Path("type").Data().(string) + identityRoles := entity.Path("identityRoles").String() + serviceRoles := entity.Path("serviceRoles").String() + _, err := fmt.Fprintf(o.Out, "id: %v name: %v type: %v service roles: %v identity roles: %v\n", id, name, policyType, serviceRoles, identityRoles) + if err != nil { return err } } - return nil } -func runListAppWans(o *commonOptions) error { - children, err := listEntitiesOfTypeWithOptionalFilter("app-wans", o) +// runListIdentities implements the command to list identities +func runListIdentities(o *commonOptions) error { + children, err := listEntitiesOfTypeWithOptionalFilter("identities", o) if err != nil { return err } + return outputIdentities(o, children) +} +// outputIdentities implements the command to list identities +func outputIdentities(o *commonOptions, children 
[]*gabs.Container) error { for _, entity := range children { id, _ := entity.Path("id").Data().(string) name, _ := entity.Path("name").Data().(string) - if _, err := fmt.Fprintf(o.Out, "id: %v name: %v\n", id, name); err != nil { + typeName, _ := entity.Path("type.name").Data().(string) + roleAttributes := entity.Path("roleAttributes").String() + if _, err := fmt.Fprintf(o.Out, "id: %v name: %v type: %v role attributes: %v\n", id, name, typeName, roleAttributes); err != nil { return err } } @@ -333,7 +345,9 @@ func runListApiSessions(o *commonOptions) error { id, _ := entity.Path("id").Data().(string) sessionToken, _ := entity.Path("token").Data().(string) identityName, _ := entity.Path("identity.name").Data().(string) - fmt.Fprintf(o.Out, "id: %v token: %v identity: %v\n", id, sessionToken, identityName) + if _, err = fmt.Fprintf(o.Out, "id: %v token: %v identity: %v\n", id, sessionToken, identityName); err != nil { + return err + } } return err @@ -363,6 +377,10 @@ func runListServiceEdgeRouters(o *commonOptions) error { return runListChilden("services", "edge-routers", o, outputEdgeRouters) } +func runListServiceServicePolicies(o *commonOptions) error { + return runListChilden("services", "service-polices", o, outputServicePolicies) +} + func runListEdgeRouterEdgeRouterPolicies(o *commonOptions) error { return runListChilden("edge-routers", "edge-router-policies", o, outputEdgeRouterPolicies) } 
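Review bot: `listEntitiesOfTypeWithOptionalFilter("service-polices", o)` in the new runListServicePolices passes a misspelled entity type, while the CLI wiring in the `@@ -70,11 +70,17 @@` hunk uses `service-policies` for the same entities; if the controller exposes the collection as `service-policies`, as the command names suggest, requests built from this string will miss the endpoint instead of listing policies. The same literal `"service-polices"` appears in runListServiceServicePolicies in the `@@ -363,6 +377,10 @@` hunk and in runListServicePolicyServices and runListServicePolicyIdentities in the `@@ -376,11 +394,23 @@` hunk on the next line, so all four call sites should read `"service-policies"`. A package-level `const servicePoliciesType = "service-policies"` shared by the list and sub-list commands would stop the spelling from drifting between call sites again.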
@@ -376,11 +394,23 @@ func runListEdgeRouterPolicyEdgeRouters(o *commonOptions) error { } func runListEdgeRouterPolicyIdentities(o *commonOptions) error { - return runListChilden("edge-router-policies", "identities", o, outputEdgeRouters) + return runListChilden("edge-router-policies", "identities", o, outputIdentities) } func runListIdentityEdgeRouterPolicies(o *commonOptions) error { - return runListChilden("identities", "edge-router-policies", o, outputIdentities) + return runListChilden("identities", "edge-router-policies", o, outputEdgeRouterPolicies) +} + +func runListIdentityServicePolicies(o *commonOptions) error { + return runListChilden("identities", "service-policies", o, outputServicePolicies) +} + +func runListServicePolicyServices(o *commonOptions) error { + return runListChilden("service-polices", "services", o, outputServices) +} + +func runListServicePolicyIdentities(o *commonOptions) error { + return runListChilden("service-polices", "identities", o, outputIdentities) } func runListChilden(parentType, childType string, o *commonOptions, outputFunc func(*commonOptions, []*gabs.Container) error) error { diff --git a/ziti/cmd/ziti/cmd/edge_controller/root.go b/ziti/cmd/ziti/cmd/edge_controller/root.go index fe69e9863..8db8385a9 100644 --- a/ziti/cmd/ziti/cmd/edge_controller/root.go +++ b/ziti/cmd/ziti/cmd/edge_controller/root.go @@ -17,12 +17,13 @@ package edge_controller import ( + "io" + + "github.com/Jeffail/gabs" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/common" cmdutil "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/factory" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/util" - "github.com/Jeffail/gabs" "github.com/spf13/cobra" - "io" ) // NewCmdEdge creates a command object for the "controller" command 
@@ -50,7 +51,9 @@ func newCmdEdgeController(f cmdutil.Factory, out io.Writer, errOut io.Writer) *c } func setJSONValue(container *gabs.Container, value interface{}, path ...string) { - if _, err := container.Set(value, path...); err != nil { - panic(err) + if value != nil { + if _, err := container.Set(value, path...); err != nil { + panic(err) + } } } diff --git a/ziti/cmd/ziti/cmd/execute_controller.go b/ziti/cmd/ziti/cmd/execute_controller.go index 4687bef0b..731864c43 100644 --- a/ziti/cmd/ziti/cmd/execute_controller.go +++ b/ziti/cmd/ziti/cmd/execute_controller.go @@ -17,10 +17,11 @@ package cmd import ( - "github.com/spf13/cobra" "io" "path/filepath" + "github.com/spf13/cobra" + cmdutil "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/factory" cmdhelper "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/helpers" "github.com/netfoundry/ziti-cmd/ziti/cmd/ziti/cmd/templates" @@ -74,6 +75,8 @@ func NewCmdExecuteController(f cmdutil.Factory, out io.Writer, errOut io.Writer) }, } + cmd.PersistentFlags().BoolVarP(&cliAgentEnabled, "cliagent", "a", false, "Enable CLI Agent (use in dev only)") + options.addCommonFlags(cmd) return cmd From 7f16cb5d736c81df384150ca306350f285374bf5 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Mon, 6 Jan 2020 14:58:57 -0500 Subject: [PATCH 02/11] Limit ziti controller builds to 64 bit environments --- Makefile | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index cb5e47abc..16dd36052 100644 --- a/Makefile +++ b/Makefile 
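Review bot: setJSONValue now returns silently when value is nil, so a caller passing nil gets neither the key in the container nor any indication that it was skipped, and the function still has no doc comment explaining the two outcomes (skip on nil, panic on a failed set). Add `// setJSONValue sets value at path in container, silently skipping nil values; it panics if the set fails.` above the signature. Note that this guard also makes writing an explicit JSON null through this helper impossible, which callers that need one will have to handle separately.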
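Review bot: The new `cliagent` persistent flag enables a CLI agent whose scope is described only as "(use in dev only)" in the help text; nothing in the hunk restricts it, so any invocation of this controller command can switch it on with `-a`. `cliAgentEnabled` is declared outside the hunk and what the agent listens on or exposes is not visible here, so the usage string should say what enabling it does and who can reach it (e.g. `"Enable the CLI agent for local debugging; exposes <AGENT_SURFACE_PLACEHOLDER>, do not use in production"`). Consider also hiding the flag (`cmd.PersistentFlags().MarkHidden("cliagent")`) or gating it on a build tag so a deployed controller cannot enable it by accident. NewCmdExecuteController's body starts before this hunk.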
@@ -165,6 +165,28 @@ $(if $(filter $(strip $(BRANCH_NAME)),$(strip $(RELEASE_BRANCH))),$(call publish endef +define make-target-64-bit-only +$(info ============ make-target starting for: $1 ============) + +mv release/$1_darwin_amd64 release/amd64/darwin/$1 +cd release/amd64/darwin; chmod +x $1 +cd release/amd64/darwin; tar -zcvf $1.tar.gz $1 +cd release/amd64/darwin; rm $1 +$(if $(filter $(strip $(BRANCH_NAME)),$(strip $(RELEASE_BRANCH))),$(call publish-target-as-release,$1,amd64,darwin,$1.tar.gz),$(call publish-target-as-snapshot,$1,$(BRANCH_NAME),amd64,darwin,$1.tar.gz)) + +mv release/$1_linux_amd64 release/amd64/linux/$1 +cd release/amd64/linux; chmod +x $1 +cd release/amd64/linux; tar -zcvf $1.tar.gz $1 +cd release/amd64/linux; rm $1 +$(if $(filter $(strip $(BRANCH_NAME)),$(strip $(RELEASE_BRANCH))),$(call publish-target-as-release,$1,amd64,linux,$1.tar.gz),$(call publish-target-as-snapshot,$1,$(BRANCH_NAME),amd64,linux,$1.tar.gz)) + +mv release/$1_windows_amd64.exe release/amd64/windows/$1.exe +cd release/amd64/windows; tar -zcvf $1.tar.gz $1.exe +cd release/amd64/windows; rm $1.exe +$(if $(filter $(strip $(BRANCH_NAME)),$(strip $(RELEASE_BRANCH))),$(call publish-target-as-release,$1,amd64,windows,$1.tar.gz),$(call publish-target-as-snapshot,$1,$(BRANCH_NAME),amd64,windows,$1.tar.gz)) + +endef + define make-target-linux-only $(info ============ make-target-linux-only starting for: $1 ============) @@ -193,7 +215,7 @@ ziti-cli: cd ziti; $(call make-target,ziti) cmd-ziti-controller: - cd ziti-controller; $(call make-target,ziti-controller) + cd ziti-controller; $(call make-target-64-bit-only,ziti-controller) cmd-ziti-enroller: cd ziti-enroller; $(call make-target,ziti-enroller) From f7c20dec221aee8759d726e8b86bd2f14a14c480 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Mon, 6 Jan 2020 22:55:05 -0500 Subject: [PATCH 03/11] Pull in fixes --- Makefile | 24 +----------------------- go.mod | 2 +- go.sum | 2 ++ 3 files changed, 4 insertions(+), 24 deletions(-) 
diff --git a/Makefile b/Makefile index 16dd36052..cb5e47abc 100644 --- a/Makefile +++ b/Makefile @@ -165,28 +165,6 @@ $(if $(filter $(strip $(BRANCH_NAME)),$(strip $(RELEASE_BRANCH))),$(call publish endef -define make-target-64-bit-only -$(info ============ make-target starting for: $1 ============) - -mv release/$1_darwin_amd64 release/amd64/darwin/$1 -cd release/amd64/darwin; chmod +x $1 -cd release/amd64/darwin; tar -zcvf $1.tar.gz $1 -cd release/amd64/darwin; rm $1 -$(if $(filter $(strip $(BRANCH_NAME)),$(strip $(RELEASE_BRANCH))),$(call publish-target-as-release,$1,amd64,darwin,$1.tar.gz),$(call publish-target-as-snapshot,$1,$(BRANCH_NAME),amd64,darwin,$1.tar.gz)) - -mv release/$1_linux_amd64 release/amd64/linux/$1 -cd release/amd64/linux; chmod +x $1 -cd release/amd64/linux; tar -zcvf $1.tar.gz $1 -cd release/amd64/linux; rm $1 -$(if $(filter $(strip $(BRANCH_NAME)),$(strip $(RELEASE_BRANCH))),$(call publish-target-as-release,$1,amd64,linux,$1.tar.gz),$(call publish-target-as-snapshot,$1,$(BRANCH_NAME),amd64,linux,$1.tar.gz)) - -mv release/$1_windows_amd64.exe release/amd64/windows/$1.exe -cd release/amd64/windows; tar -zcvf $1.tar.gz $1.exe -cd release/amd64/windows; rm $1.exe -$(if $(filter $(strip $(BRANCH_NAME)),$(strip $(RELEASE_BRANCH))),$(call publish-target-as-release,$1,amd64,windows,$1.tar.gz),$(call publish-target-as-snapshot,$1,$(BRANCH_NAME),amd64,windows,$1.tar.gz)) - -endef - define make-target-linux-only $(info ============ make-target-linux-only starting for: $1 ============) @@ -215,7 +193,7 @@ ziti-cli: cd ziti; $(call make-target,ziti) cmd-ziti-controller: - cd ziti-controller; $(call make-target-64-bit-only,ziti-controller) + cd ziti-controller; $(call make-target,ziti-controller) cmd-ziti-enroller: cd ziti-enroller; $(call make-target,ziti-enroller) diff --git a/go.mod b/go.mod index a2ae01078..554b8a66e 100644 --- a/go.mod +++ b/go.mod 
@@ -23,7 +23,7 @@ require ( github.com/michaelquigley/pfxlog v0.0.0-20190813191113-2be43bd0dccc github.com/netfoundry/ziti-edge v0.0.0-20200106182528-84b239b9cbec github.com/netfoundry/ziti-fabric v0.0.0-20200106180846-61266f3e696d - github.com/netfoundry/ziti-foundation v0.0.0-20200106153940-3df3c2afba3b + github.com/netfoundry/ziti-foundation v0.0.0-20200107034851-d46345742d80 github.com/netfoundry/ziti-sdk-golang v0.0.0-20200106180923-91c7e169586a github.com/pborman/uuid v1.2.0 github.com/pkg/errors v0.8.1 diff --git a/go.sum b/go.sum index 972dc2aa9..18f207199 100644 --- a/go.sum +++ b/go.sum @@ -227,6 +227,8 @@ github.com/netfoundry/ziti-foundation v0.0.0-20200104011655-295bb307246b h1:IuzZ github.com/netfoundry/ziti-foundation v0.0.0-20200104011655-295bb307246b/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10= github.com/netfoundry/ziti-foundation v0.0.0-20200106153940-3df3c2afba3b h1:aWeeVBDrgBHzax+g1j1n4aT3ghIzPsu+7qnCpq0WPWc= github.com/netfoundry/ziti-foundation v0.0.0-20200106153940-3df3c2afba3b/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10= +github.com/netfoundry/ziti-foundation v0.0.0-20200107034851-d46345742d80 h1:Xc37PiynsTQGKGbZEjx+EKxxOYpO4Mu6VCJM/whTxws= +github.com/netfoundry/ziti-foundation v0.0.0-20200107034851-d46345742d80/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10= github.com/netfoundry/ziti-sdk-golang v0.0.0-20200106153041-5f45429a4fcd/go.mod h1:CR4r2yLPic5h9Vh2wNJkwNWBeYXFYEjwzDWrckuj3rQ= github.com/netfoundry/ziti-sdk-golang v0.0.0-20200106180923-91c7e169586a h1:4GxslLTr/wCB6dK3I8Zpy8AYNwSd6h2nLfs2yVc8g6U= github.com/netfoundry/ziti-sdk-golang v0.0.0-20200106180923-91c7e169586a/go.mod h1:CR4r2yLPic5h9Vh2wNJkwNWBeYXFYEjwzDWrckuj3rQ= From f09be608430cc60dd08ddce4d049a52c3d0b70dc Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Mon, 6 Jan 2020 23:23:58 -0500 Subject: [PATCH 04/11] Bump version to 0.8.0 --- common/version/VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/common/version/VERSION b/common/version/VERSION index faef31a43..a3df0a695 100644 --- a/common/version/VERSION +++ b/common/version/VERSION @@ -1 +1 @@ -0.7.0 +0.8.0 From 43eb3837a70d2bc9e87e483410c38a7896442a51 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Tue, 7 Jan 2020 10:14:28 -0500 Subject: [PATCH 05/11] Update deps --- go.mod | 8 ++++---- go.sum | 20 ++++++++------------ 2 files changed, 12 insertions(+), 16 deletions(-) diff --git a/go.mod b/go.mod index 554b8a66e..b228b7c5b 100644 --- a/go.mod +++ b/go.mod @@ -21,10 +21,10 @@ require ( github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 github.com/keybase/go-ps v0.0.0-20190827175125-91aafc93ba19 github.com/michaelquigley/pfxlog v0.0.0-20190813191113-2be43bd0dccc - github.com/netfoundry/ziti-edge v0.0.0-20200106182528-84b239b9cbec - github.com/netfoundry/ziti-fabric v0.0.0-20200106180846-61266f3e696d - github.com/netfoundry/ziti-foundation v0.0.0-20200107034851-d46345742d80 - github.com/netfoundry/ziti-sdk-golang v0.0.0-20200106180923-91c7e169586a + github.com/netfoundry/ziti-edge v0.0.0-20200107151015-c1cd0987658e + github.com/netfoundry/ziti-fabric v0.0.0-20200107150510-362caff8cf43 + github.com/netfoundry/ziti-foundation v0.0.0-20200107143132-d54269e96d45 + github.com/netfoundry/ziti-sdk-golang v0.0.0-20200107150440-7d6faf6bae91 github.com/pborman/uuid v1.2.0 github.com/pkg/errors v0.8.1 github.com/rcrowley/go-metrics v0.0.0-20190826022208-cac0b30c2563 diff --git a/go.sum b/go.sum index 18f207199..b2fe7554f 100644 --- a/go.sum +++ b/go.sum 
@@ -218,20 +218,16 @@ github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/netfoundry/ziti-edge v0.0.0-20200106182528-84b239b9cbec h1:gUmXrsWq0BJvMYPBfEHYWHRxV6KWkE/9t+eCBciQH2Q=
-github.com/netfoundry/ziti-edge v0.0.0-20200106182528-84b239b9cbec/go.mod h1:/m8XpW1y817515jqyZj7AGfjyg7aDq2bl2bbSJmRSSY=
-github.com/netfoundry/ziti-fabric v0.0.0-20200106161907-ec24d58cea25/go.mod h1:c2KuMFw3zzANlJHELDH9ejldg2k5W9k3NwQBPYnDpQw=
-github.com/netfoundry/ziti-fabric v0.0.0-20200106180846-61266f3e696d h1:WzuJk+CGxkWiLbG29UVwrAWcw/M2o0qjK69YFzrfY3I=
-github.com/netfoundry/ziti-fabric v0.0.0-20200106180846-61266f3e696d/go.mod h1:c2KuMFw3zzANlJHELDH9ejldg2k5W9k3NwQBPYnDpQw=
-github.com/netfoundry/ziti-foundation v0.0.0-20200104011655-295bb307246b h1:IuzZd4AWMpPc9h22JxwsO70yhD/Vu0Z9BnW43VeL114=
-github.com/netfoundry/ziti-foundation v0.0.0-20200104011655-295bb307246b/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10=
+github.com/netfoundry/ziti-edge v0.0.0-20200107151015-c1cd0987658e h1:2U6AIvuRu5ImuhcbkWqQENgzbHZzJcy9fDGTN8icqEQ=
+github.com/netfoundry/ziti-edge v0.0.0-20200107151015-c1cd0987658e/go.mod h1:bbvBCSlDaN3RdWah0zRZYBtZDIJ8akCJoEuqHS39AZ0=
+github.com/netfoundry/ziti-fabric v0.0.0-20200107150510-362caff8cf43 h1:lynyfXiT3TtGIdZjWgaIWC6H3C4g99rmH1ibG1i8zSg=
+github.com/netfoundry/ziti-fabric v0.0.0-20200107150510-362caff8cf43/go.mod h1:sa4+2juaDdJwLFCWOkcfLqL1I6pn+cPfKpU0VCDC0bg=
 github.com/netfoundry/ziti-foundation v0.0.0-20200106153940-3df3c2afba3b h1:aWeeVBDrgBHzax+g1j1n4aT3ghIzPsu+7qnCpq0WPWc=
 github.com/netfoundry/ziti-foundation v0.0.0-20200106153940-3df3c2afba3b/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10=
-github.com/netfoundry/ziti-foundation v0.0.0-20200107034851-d46345742d80 h1:Xc37PiynsTQGKGbZEjx+EKxxOYpO4Mu6VCJM/whTxws= -github.com/netfoundry/ziti-foundation v0.0.0-20200107034851-d46345742d80/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10= -github.com/netfoundry/ziti-sdk-golang v0.0.0-20200106153041-5f45429a4fcd/go.mod h1:CR4r2yLPic5h9Vh2wNJkwNWBeYXFYEjwzDWrckuj3rQ= -github.com/netfoundry/ziti-sdk-golang v0.0.0-20200106180923-91c7e169586a h1:4GxslLTr/wCB6dK3I8Zpy8AYNwSd6h2nLfs2yVc8g6U= -github.com/netfoundry/ziti-sdk-golang v0.0.0-20200106180923-91c7e169586a/go.mod h1:CR4r2yLPic5h9Vh2wNJkwNWBeYXFYEjwzDWrckuj3rQ= +github.com/netfoundry/ziti-foundation v0.0.0-20200107143132-d54269e96d45 h1:ZZxJIqJS/jto/TC8XB8Oo3CqFqERDYAH6wDU+Zg9Vlw= +github.com/netfoundry/ziti-foundation v0.0.0-20200107143132-d54269e96d45/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10= +github.com/netfoundry/ziti-sdk-golang v0.0.0-20200107150440-7d6faf6bae91 h1:fli8cuvevrs4SsugunFTiIWqyboyqYaKSz05EwHcM34= +github.com/netfoundry/ziti-sdk-golang v0.0.0-20200107150440-7d6faf6bae91/go.mod h1:hTJBiXHz5G+aoatNPFphiiNMAxDKYmcVtza1n7wz0xs= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/oleiade/reflections v1.0.0 h1:0ir4pc6v8/PJ0yw5AEtMddfXpWBXg9cnG7SgSoJuCgY= github.com/oleiade/reflections v1.0.0/go.mod h1:RbATFBbKYkVdqmSFtx13Bb/tVhR0lgOBXunWTZKeL4w= From a3ad95a95f23e7ef8c793178a5be076fa23a1518 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Wed, 8 Jan 2020 11:19:53 -0500 Subject: [PATCH 06/11] Update for network-session -> sessions change. Update deps --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- ziti/cmd/ziti/cmd/edge_controller/delete.go | 2 +- ziti/cmd/ziti/cmd/edge_controller/list.go | 12 ++++++------ 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/go.mod b/go.mod index b228b7c5b..9064be0e9 100644 --- a/go.mod +++ b/go.mod 
@@ -21,10 +21,10 @@ require ( github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 github.com/keybase/go-ps v0.0.0-20190827175125-91aafc93ba19 github.com/michaelquigley/pfxlog v0.0.0-20190813191113-2be43bd0dccc - github.com/netfoundry/ziti-edge v0.0.0-20200107151015-c1cd0987658e - github.com/netfoundry/ziti-fabric v0.0.0-20200107150510-362caff8cf43 - github.com/netfoundry/ziti-foundation v0.0.0-20200107143132-d54269e96d45 - github.com/netfoundry/ziti-sdk-golang v0.0.0-20200107150440-7d6faf6bae91 + github.com/netfoundry/ziti-edge v0.0.0-20200108161847-4ae736f79a67 + github.com/netfoundry/ziti-fabric v0.0.0-20200108161318-6480d5c48a74 + github.com/netfoundry/ziti-foundation v0.0.0-20200108154541-e614e4e75acd + github.com/netfoundry/ziti-sdk-golang v0.0.0-20200108160734-8bc089148c01 github.com/pborman/uuid v1.2.0 github.com/pkg/errors v0.8.1 github.com/rcrowley/go-metrics v0.0.0-20190826022208-cac0b30c2563 diff --git a/go.sum b/go.sum index b2fe7554f..e9a237746 100644 --- a/go.sum +++ b/go.sum 
@@ -218,16 +218,16 @@ github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/netfoundry/ziti-edge v0.0.0-20200107151015-c1cd0987658e h1:2U6AIvuRu5ImuhcbkWqQENgzbHZzJcy9fDGTN8icqEQ=
-github.com/netfoundry/ziti-edge v0.0.0-20200107151015-c1cd0987658e/go.mod h1:bbvBCSlDaN3RdWah0zRZYBtZDIJ8akCJoEuqHS39AZ0=
-github.com/netfoundry/ziti-fabric v0.0.0-20200107150510-362caff8cf43 h1:lynyfXiT3TtGIdZjWgaIWC6H3C4g99rmH1ibG1i8zSg=
-github.com/netfoundry/ziti-fabric v0.0.0-20200107150510-362caff8cf43/go.mod h1:sa4+2juaDdJwLFCWOkcfLqL1I6pn+cPfKpU0VCDC0bg=
-github.com/netfoundry/ziti-foundation v0.0.0-20200106153940-3df3c2afba3b h1:aWeeVBDrgBHzax+g1j1n4aT3ghIzPsu+7qnCpq0WPWc=
-github.com/netfoundry/ziti-foundation v0.0.0-20200106153940-3df3c2afba3b/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10=
+github.com/netfoundry/ziti-edge v0.0.0-20200108161847-4ae736f79a67 h1:k5cK3+vobta9+YMxIPHakC2u08zz6EsO6iGhYTmxHrw=
+github.com/netfoundry/ziti-edge v0.0.0-20200108161847-4ae736f79a67/go.mod h1:0dvjhekMWmqzXkFssfg8PAQ8Ok3f0YL56h5b8c51NiE=
+github.com/netfoundry/ziti-fabric v0.0.0-20200108161318-6480d5c48a74 h1:womrylowO9OYQtuXC113ba2w5oE5WX7k4YYuWhxzBvY=
+github.com/netfoundry/ziti-fabric v0.0.0-20200108161318-6480d5c48a74/go.mod h1:pj5sWlqvzI6uY8x/qsJB9tgqjXqDfZa2HomPxKMurVc=
 github.com/netfoundry/ziti-foundation v0.0.0-20200107143132-d54269e96d45 h1:ZZxJIqJS/jto/TC8XB8Oo3CqFqERDYAH6wDU+Zg9Vlw=
 github.com/netfoundry/ziti-foundation v0.0.0-20200107143132-d54269e96d45/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10=
-github.com/netfoundry/ziti-sdk-golang v0.0.0-20200107150440-7d6faf6bae91 h1:fli8cuvevrs4SsugunFTiIWqyboyqYaKSz05EwHcM34=
-github.com/netfoundry/ziti-sdk-golang v0.0.0-20200107150440-7d6faf6bae91/go.mod h1:hTJBiXHz5G+aoatNPFphiiNMAxDKYmcVtza1n7wz0xs= +github.com/netfoundry/ziti-foundation v0.0.0-20200108154541-e614e4e75acd h1:DiGZT6mBjt5S38v8PZZsNin208sbJZsEdYmYYkkgIJA= +github.com/netfoundry/ziti-foundation v0.0.0-20200108154541-e614e4e75acd/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10= +github.com/netfoundry/ziti-sdk-golang v0.0.0-20200108160734-8bc089148c01 h1:5sA0w6wcT+GX71Eyqsuly1YvLqiQEVr07O6ZY6kj4WU= +github.com/netfoundry/ziti-sdk-golang v0.0.0-20200108160734-8bc089148c01/go.mod h1:zdBrVmQLctojcR2hOsbvUMdYR9dvByQrDjocQVDWLRQ= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/oleiade/reflections v1.0.0 h1:0ir4pc6v8/PJ0yw5AEtMddfXpWBXg9cnG7SgSoJuCgY= github.com/oleiade/reflections v1.0.0/go.mod h1:RbATFBbKYkVdqmSFtx13Bb/tVhR0lgOBXunWTZKeL4w= diff --git a/ziti/cmd/ziti/cmd/edge_controller/delete.go b/ziti/cmd/ziti/cmd/edge_controller/delete.go index 42762b8c8..be3c8aff8 100644 --- a/ziti/cmd/ziti/cmd/edge_controller/delete.go +++ b/ziti/cmd/ziti/cmd/edge_controller/delete.go 
@@ -51,11 +51,11 @@ func newDeleteCmd(f cmdutil.Factory, out io.Writer, errOut io.Writer) *cobra.Com } } + cmd.AddCommand(newDeleteCmdForEntityType("api-session", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("ca", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("edge-router", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("edge-router-policy", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("identity", runDeleteEntityOfType, newOptions())) - cmd.AddCommand(newDeleteCmdForEntityType("network-session", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("service", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("service-policy", runDeleteEntityOfType, newOptions())) cmd.AddCommand(newDeleteCmdForEntityType("session", runDeleteEntityOfType, newOptions())) diff --git a/ziti/cmd/ziti/cmd/edge_controller/list.go b/ziti/cmd/ziti/cmd/edge_controller/list.go index bdad4b654..9eeec623f 100644 --- a/ziti/cmd/ziti/cmd/edge_controller/list.go +++ b/ziti/cmd/ziti/cmd/edge_controller/list.go @@ -50,6 +50,7 @@ func newListCmd(f cmdutil.Factory, out io.Writer, errOut io.Writer) *cobra.Comma } } + cmd.AddCommand(newListCmdForEntityType("api-sessions", runListApiSessions, newOptions())) cmd.AddCommand(newListCmdForEntityType("cas", runListCAs, newOptions())) cmd.AddCommand(newListCmdForEntityType("edge-routers", runListEdgeRouters, newOptions())) cmd.AddCommand(newListCmdForEntityType("edge-router-policies", runListEdgeRouterPolicies, newOptions())) 
@@ -57,8 +58,7 @@ func newListCmd(f cmdutil.Factory, out io.Writer, errOut io.Writer) *cobra.Comma cmd.AddCommand(newListCmdForEntityType("identities", runListIdentities, newOptions())) cmd.AddCommand(newListCmdForEntityType("services", runListServices, newOptions())) cmd.AddCommand(newListCmdForEntityType("service-policies", runListServicePolices, newOptions())) - cmd.AddCommand(newListCmdForEntityType("sessions", runListApiSessions, newOptions())) - cmd.AddCommand(newListCmdForEntityType("network-sessions", runListNetworkSessions, newOptions())) + cmd.AddCommand(newListCmdForEntityType("sessions", runListSessions, newOptions())) edgeRouterListRootCmd := newEntityListRootCmd("edge-router") edgeRouterListRootCmd.AddCommand(newSubListCmdForEntityType("edge-router", "edge-router-policies", runListEdgeRouterEdgeRouterPolicies, newOptions())) @@ -336,7 +336,7 @@ func runListCAs(o *commonOptions) error { } func runListApiSessions(o *commonOptions) error { - children, err := listEntitiesOfTypeWithOptionalFilter("sessions", o) + children, err := listEntitiesOfTypeWithOptionalFilter("api-sessions", o) if err != nil { return err } @@ -353,8 +353,8 @@ func runListApiSessions(o *commonOptions) error { return err } -func runListNetworkSessions(o *commonOptions) error { - children, err := listEntitiesOfTypeWithOptionalFilter("network-sessions", o) +func runListSessions(o *commonOptions) error { + children, err := listEntitiesOfTypeWithOptionalFilter("sessions", o) if err != nil { return err 
@@ -362,7 +362,7 @@ func runListNetworkSessions(o *commonOptions) error { for _, entity := range children { id, _ := entity.Path("id").Data().(string) - sessionId, _ := entity.Path("session.id").Data().(string) + sessionId, _ := entity.Path("apiSession.id").Data().(string) serviceName, _ := entity.Path("service.name").Data().(string) hosting, _ := entity.Path("hosting").Data().(bool) if _, err := fmt.Fprintf(o.Out, "id: %v sessionId: %v serviceName: %v hosting: %v\n", id, sessionId, serviceName, hosting); err != nil { From 0f6319941d35caeb15d319b997c4fd01ed20f7cb Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Wed, 8 Jan 2020 11:32:14 -0500 Subject: [PATCH 07/11] Fix copyright --- ziti/cmd/ziti/cmd/edge_controller/create_service_policy.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ziti/cmd/ziti/cmd/edge_controller/create_service_policy.go b/ziti/cmd/ziti/cmd/edge_controller/create_service_policy.go index 8011b1747..b3531ca1e 100644 --- a/ziti/cmd/ziti/cmd/edge_controller/create_service_policy.go +++ b/ziti/cmd/ziti/cmd/edge_controller/create_service_policy.go @@ -1,5 +1,5 @@ /* - Copyright 2019 Netfoundry, Inc. + Copyright 2020 Netfoundry, Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From 4c3f9e2ada2f9291c681558ac2e0484f19bc03ad Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Wed, 8 Jan 2020 15:11:10 -0500 Subject: [PATCH 08/11] Update deps --- go.mod | 2 +- go.sum | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 9064be0e9..c56786b00 100644 --- a/go.mod +++ b/go.mod 
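Review bot: The value now read from `apiSession.id` is still printed under the label `sessionId:` by the unchanged Fprintf on the following line, which is misleading now that the entity being listed is itself a session; rename the local to `apiSessionId` and the label to `apiSessionId: %v` so the output names the field it reports. The enclosing function (renamed to runListSessions in the preceding hunk) starts and ends outside this hunk.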
@@ -21,7 +21,7 @@ require ( github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 github.com/keybase/go-ps v0.0.0-20190827175125-91aafc93ba19 github.com/michaelquigley/pfxlog v0.0.0-20190813191113-2be43bd0dccc - github.com/netfoundry/ziti-edge v0.0.0-20200108161847-4ae736f79a67 + github.com/netfoundry/ziti-edge v0.0.0-20200106144700-3646ee35513a github.com/netfoundry/ziti-fabric v0.0.0-20200108161318-6480d5c48a74 github.com/netfoundry/ziti-foundation v0.0.0-20200108154541-e614e4e75acd github.com/netfoundry/ziti-sdk-golang v0.0.0-20200108160734-8bc089148c01 diff --git a/go.sum b/go.sum index e9a237746..e39da30c9 100644 --- a/go.sum +++ b/go.sum 
@@ -218,14 +218,17 @@ github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/netfoundry/ziti-edge v0.0.0-20200108161847-4ae736f79a67 h1:k5cK3+vobta9+YMxIPHakC2u08zz6EsO6iGhYTmxHrw= -github.com/netfoundry/ziti-edge v0.0.0-20200108161847-4ae736f79a67/go.mod h1:0dvjhekMWmqzXkFssfg8PAQ8Ok3f0YL56h5b8c51NiE= +github.com/netfoundry/ziti-edge v0.0.0-20200106144700-3646ee35513a h1:Pz/54ZU5asaSfCzn8tZ0grBYjJu9oLcT06JoisO6mPk= +github.com/netfoundry/ziti-edge v0.0.0-20200106144700-3646ee35513a/go.mod h1:FX9trIPUzsrwzahTLWD+v3kc6HLAK4chRQ9xQgNt1PU= +github.com/netfoundry/ziti-fabric v0.0.0-20191213215600-dcc209b66c31/go.mod h1:C06MeM/NC8eIDHWnhisFzEcneMx+dyrewB3wu/KzSn4= github.com/netfoundry/ziti-fabric v0.0.0-20200108161318-6480d5c48a74 h1:womrylowO9OYQtuXC113ba2w5oE5WX7k4YYuWhxzBvY= github.com/netfoundry/ziti-fabric v0.0.0-20200108161318-6480d5c48a74/go.mod h1:pj5sWlqvzI6uY8x/qsJB9tgqjXqDfZa2HomPxKMurVc= +github.com/netfoundry/ziti-foundation v0.0.0-20191213201903-e68267fe89e6/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10= github.com/netfoundry/ziti-foundation v0.0.0-20200107143132-d54269e96d45 h1:ZZxJIqJS/jto/TC8XB8Oo3CqFqERDYAH6wDU+Zg9Vlw= github.com/netfoundry/ziti-foundation v0.0.0-20200107143132-d54269e96d45/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10= github.com/netfoundry/ziti-foundation v0.0.0-20200108154541-e614e4e75acd h1:DiGZT6mBjt5S38v8PZZsNin208sbJZsEdYmYYkkgIJA= github.com/netfoundry/ziti-foundation v0.0.0-20200108154541-e614e4e75acd/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10= +github.com/netfoundry/ziti-sdk-golang v0.0.0-20191217143926-85a9668710ec/go.mod 
h1:swcAExEHVuvgvtf6zPO+v9gHww8GpYt4GBVFu6ZHxQI= github.com/netfoundry/ziti-sdk-golang v0.0.0-20200108160734-8bc089148c01 h1:5sA0w6wcT+GX71Eyqsuly1YvLqiQEVr07O6ZY6kj4WU= github.com/netfoundry/ziti-sdk-golang v0.0.0-20200108160734-8bc089148c01/go.mod h1:zdBrVmQLctojcR2hOsbvUMdYR9dvByQrDjocQVDWLRQ= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= From dffbf27aa84ea8c88a743958c061e2357e00dbac Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Wed, 8 Jan 2020 15:54:17 -0500 Subject: [PATCH 09/11] Remove nil check --- ziti/cmd/ziti/cmd/edge_controller/root.go | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/ziti/cmd/ziti/cmd/edge_controller/root.go b/ziti/cmd/ziti/cmd/edge_controller/root.go index 8db8385a9..094827fdb 100644 --- a/ziti/cmd/ziti/cmd/edge_controller/root.go +++ b/ziti/cmd/ziti/cmd/edge_controller/root.go @@ -51,9 +51,7 @@ func newCmdEdgeController(f cmdutil.Factory, out io.Writer, errOut io.Writer) *c } func setJSONValue(container *gabs.Container, value interface{}, path ...string) { - if value != nil { - if _, err := container.Set(value, path...); err != nil { - panic(err) - } + if _, err := container.Set(value, path...); err != nil { + panic(err) } } From 3bfb9267cc96d7a877bfdec7ad2dbd1bdc136d11 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Wed, 8 Jan 2020 16:01:26 -0500 Subject: [PATCH 10/11] Update deps --- go.mod | 4 ++-- go.sum | 11 ++++------- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index c56786b00..e4d7ed9a8 100644 --- a/go.mod +++ b/go.mod 
@@ -21,8 +21,8 @@ require ( github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 github.com/keybase/go-ps v0.0.0-20190827175125-91aafc93ba19 github.com/michaelquigley/pfxlog v0.0.0-20190813191113-2be43bd0dccc - github.com/netfoundry/ziti-edge v0.0.0-20200106144700-3646ee35513a - github.com/netfoundry/ziti-fabric v0.0.0-20200108161318-6480d5c48a74 + github.com/netfoundry/ziti-edge v0.0.0-20200108200858-55eaa157b9ea + github.com/netfoundry/ziti-fabric v0.0.0-20200108200335-8a3b0b19d2e6 github.com/netfoundry/ziti-foundation v0.0.0-20200108154541-e614e4e75acd github.com/netfoundry/ziti-sdk-golang v0.0.0-20200108160734-8bc089148c01 github.com/pborman/uuid v1.2.0 diff --git a/go.sum b/go.sum index e39da30c9..4dd26ccb3 100644 --- a/go.sum +++ b/go.sum 
@@ -218,17 +218,14 @@ github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/netfoundry/ziti-edge v0.0.0-20200106144700-3646ee35513a h1:Pz/54ZU5asaSfCzn8tZ0grBYjJu9oLcT06JoisO6mPk=
-github.com/netfoundry/ziti-edge v0.0.0-20200106144700-3646ee35513a/go.mod h1:FX9trIPUzsrwzahTLWD+v3kc6HLAK4chRQ9xQgNt1PU=
-github.com/netfoundry/ziti-fabric v0.0.0-20191213215600-dcc209b66c31/go.mod h1:C06MeM/NC8eIDHWnhisFzEcneMx+dyrewB3wu/KzSn4=
-github.com/netfoundry/ziti-fabric v0.0.0-20200108161318-6480d5c48a74 h1:womrylowO9OYQtuXC113ba2w5oE5WX7k4YYuWhxzBvY=
-github.com/netfoundry/ziti-fabric v0.0.0-20200108161318-6480d5c48a74/go.mod h1:pj5sWlqvzI6uY8x/qsJB9tgqjXqDfZa2HomPxKMurVc=
-github.com/netfoundry/ziti-foundation v0.0.0-20191213201903-e68267fe89e6/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10=
+github.com/netfoundry/ziti-edge v0.0.0-20200108200858-55eaa157b9ea h1:wHY5XU7IIcZ6QI03HdTi9dT82+UC49XRhs7Kzv5vQOg=
+github.com/netfoundry/ziti-edge v0.0.0-20200108200858-55eaa157b9ea/go.mod h1:Z56jhag4epkWmt1SarB78ZIZaZWAZomZMxeSac26KnU=
+github.com/netfoundry/ziti-fabric v0.0.0-20200108200335-8a3b0b19d2e6 h1:zR95MZtLIbuUqr/5LNj1unXuw0gz5WBTlWTv9pJ7+Ow=
+github.com/netfoundry/ziti-fabric v0.0.0-20200108200335-8a3b0b19d2e6/go.mod h1:pj5sWlqvzI6uY8x/qsJB9tgqjXqDfZa2HomPxKMurVc=
github.com/netfoundry/ziti-foundation v0.0.0-20200107143132-d54269e96d45 h1:ZZxJIqJS/jto/TC8XB8Oo3CqFqERDYAH6wDU+Zg9Vlw=
github.com/netfoundry/ziti-foundation v0.0.0-20200107143132-d54269e96d45/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10=
github.com/netfoundry/ziti-foundation v0.0.0-20200108154541-e614e4e75acd h1:DiGZT6mBjt5S38v8PZZsNin208sbJZsEdYmYYkkgIJA=
github.com/netfoundry/ziti-foundation v0.0.0-20200108154541-e614e4e75acd/go.mod h1:27kvN9RZk7cpt2xba6owuXktNphq5hPK62CAiKnIS10=
-github.com/netfoundry/ziti-sdk-golang v0.0.0-20191217143926-85a9668710ec/go.mod h1:swcAExEHVuvgvtf6zPO+v9gHww8GpYt4GBVFu6ZHxQI=
github.com/netfoundry/ziti-sdk-golang v0.0.0-20200108160734-8bc089148c01 h1:5sA0w6wcT+GX71Eyqsuly1YvLqiQEVr07O6ZY6kj4WU=
github.com/netfoundry/ziti-sdk-golang v0.0.0-20200108160734-8bc089148c01/go.mod h1:zdBrVmQLctojcR2hOsbvUMdYR9dvByQrDjocQVDWLRQ=
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
From 6c3f3ea2f7700cb5cf3af16cfe9aeacbb3245048 Mon Sep 17 00:00:00 2001
From: Paul Lorenz
Date: Thu, 9 Jan 2020 12:06:51 -0500
Subject: [PATCH 11/11] Move release notes from ziti-edge to ziti-cmd
---
doc/release-notes-0.6.md | 165 +++++++++++++++++++++++++++++++++++++
doc/release-notes-0.7.md | 99 ++++++++++++++++++++++
doc/release-notes-0.8.md | 173 +++++++++++++++++++++++++++++++++++++++
3 files changed, 437 insertions(+)
create mode 100644 doc/release-notes-0.6.md
create mode 100644 doc/release-notes-0.7.md
create mode 100644 doc/release-notes-0.8.md
diff --git a/doc/release-notes-0.6.md b/doc/release-notes-0.6.md
new file mode 100644
index 000000000..b575c0dc9
--- /dev/null
+++ b/doc/release-notes-0.6.md
@@ -0,0 +1,165 @@ + + +This page discusses the changes that you need to be aware of when migrating your Ziti deployment from version 0.5.x to version 0.6.x + +# Theme +Ziti 0.6.0 move the back-end persistence model of Ziti Edge and Ziti Fabric into the same repository based on Bbolt (an in memory data store that is backed by a memory mapped file). The changes remove the requirement for PostgresSQL. + +# UPDB Enrollment JWTs +Enrollments that are for UPDB (username password database) are now consistent with all other enrollment and use JWTs for processing. Prior to this a naked URL was provided. + +## What This Breaks +Any UPDB enrollment processing that relied upon the URL for the enrollment. + + + +Ziti 0.5.x UPDB enrolling entity + +``` +{ + "meta": {}, + "data": { + "id": "612843ae-6ac8-48ac-a737-bfc2d28ab9ea", + "createdAt": "2019-11-21T17:23:00.316631Z", + "updatedAt": "2019-11-21T17:23:00.316631Z", + "_links": { + "self": { + "href": "./identities/612843ae-6ac8-48ac-a737-bfc2d28ab9ea" + } + }, + "tags": {}, + "name": "updb--5badbdc5-e8dd-4877-82df-c06aea7f1197", + "type": { + "id": "577104f2-1e3a-4947-a927-7383baefbc9a", + "name": "User" + }, + "isDefaultAdmin": false, + "isAdmin": false, + "authenticators": {}, + "enrollment": { + "updb": { + "username": "asdf", + "url": "https://demo.ziti.netfoundry.io:1080/enroll?method=updb&token=911e6562-0c83-11ea-a81a-000d3a1b4b17&username=asdf" + } + }, + "permissions": [] + } +} +``` + +Ziti 0.6.x UPDB enrolling entity (note the changes in the enrollment.updb object): + +``` +{ + "meta": {}, + "data": { + "id": "39f11c10-0693-41ed-9bec-8011e2721562", + "createdAt": "2019-11-21T17:28:18.2855234Z", + "updatedAt": "2019-11-21T17:28:18.2855234Z", + "_links": { + "self": { + "href": "./identities/39f11c10-0693-41ed-9bec-8011e2721562" + } + }, + "tags": {}, + "name": "updb--b55f5372-3993-40f5-b534-126e0dd2f1be", + "type": { + "entity": "identity-types", + "id": "577104f2-1e3a-4947-a927-7383baefbc9a", + "name": "User", + 
"_links": { + "self": { + "href": "./identity-types/577104f2-1e3a-4947-a927-7383baefbc9a" + } + } + }, + "isDefaultAdmin": false, + "isAdmin": false, + "authenticators": {}, + "enrollment": { + "updb": { + "expiresAt": "2019-11-21T17:33:18.2855234Z", + "issuedAt": "2019-11-21T17:28:18.2855234Z", + "jwt": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbSI6InVwZGIiLCJleHAiOjE1NzQzNTc1OTgsImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0OjEyODAiLCJqdGkiOiJiYzBlY2NlOC05ZGY0LTQzZDYtYTVhMC0wMjI1MzY2YmM4M2EiLCJzdWIiOiIzOWYxMWMxMC0wNjkzLTQxZWQtOWJlYy04MDExZTI3MjE1NjIifQ.PUcnACCdwqfWRGRzF8lG6xDTgHKAwKV6eTw8tHFuNBXaUNbqExBwUQEW0-cCHsV-nLEyhxyjhXmVCkIDgz-ukKfS0xStiDrJQbiq8m0auodkArmJSsYzElXkKdv37FHu0t-CGoXptdLyuo9eCnzzmci3ev18zMR5HjYMCQEclELV6OEICNr_0EwhAGJa1yX6ODYrLMZ3SdEd6fj-ZGX7j9owTs6iEsqCB_TORfnGGg6lEINE5GlYsyp7JUxolS6H4lPeN5h2mxk2_OkJY8GX3ydv75LsIZ-jjL3xC5XncCESrefgDabib1fudJ4038D0EzqTcOREPAqmjWhnDhTulQ", + "token": "bc0ecce8-9df4-43d6-a5a0-0225366bc83a" + } + }, + "permissions": [] + } +} +``` + + + +## What To Do +Use the new JWT format to: + +verify the signature of the JWT to match the iss URL's TSL presented certificates +construct the enrollment url from the JWTs properties in the following format: + +``` + + "/enroll?token=" + +``` + +# Multiple Invalid Value Error Handling +Errors where there is the potential to report about multiple invalid field values for a given field used to report as a separate error for each value. Now there will be one error, but the values field will hold the invalid values. + +## Old Format +``` +{ + "error": { + "args": { + "urlVars": { + "id": "097018b6-108e-42b3-869b-deb9e1814594" + } + }, + "cause": { + "errors": [ + { + "message": "entity not found for id [06ecf930-3a9f-4a6c-98b5-8f0be1bde9e2]", + "field": "ids[0]", + "value": "06ecf930-3a9f-4a6c-98b5-8f0be1bde9e2" + } + ] + }, + "causeMessage": "There were multiple field errors: the value '06ecf930-3a9f-4a6c-9...' 
for 'ids[0]' is invalid: entity not found for id [06ecf930-3a9f-4a6c-98b5-8f0be1bde9e2]", + "code": "INVALID_FIELD", + "message": "The field contains an invalid value", + "requestId": "48ea4bce-f233-410e-a062-5dbceee20223" + }, + "meta": { + "apiEnrolmentVersion": "0.0.1", + "apiVersion": "0.0.1" + } +} +``` + +## New Format +``` +{ + "error": { + "args": { + "urlVars": { + "id": "5b15c442-5590-4c58-8bc7-0da788e0cfcf" + } + }, + "cause": { + "message": "clusters(s) not found", + "field": "clusters", + "value": [ + "68f8739f-cf52-4d51-9553-dfe7cf9c6a03" + ] + }, + "causeMessage": "the value '[68f8739f-cf52-4d51-9553-dfe7cf9c6a03]' for 'clusters' is invalid: clusters(s) not found", + "code": "INVALID_FIELD", + "message": "The field contains an invalid value", + "requestId": "ab6553e8-e9b1-408c-9fed-11cc627cfd84" + }, + "meta": { + "apiEnrolmentVersion": "0.0.1", + "apiVersion": "0.0.1" + } +} +``` + + \ No newline at end of file diff --git a/doc/release-notes-0.7.md b/doc/release-notes-0.7.md new file mode 100644 index 000000000..e1982cc2f --- /dev/null +++ b/doc/release-notes-0.7.md 
@@ -0,0 +1,99 @@
+
+
+This page discusses the changes that you need to be aware of when migrating your Ziti deployment from version 0.6.x to version 0.7.x
+
+# Theme
+ * Ziti 0.7.0 replaces clusters with role attribute based policies
+ * Ziti 0.7.0 takes steps towards consistent terminology for sessions
+
+# Edge Router Policy
+In 0.6.0 access to edge routers was controlled by clusters and services.
+
+ * Every edge router was assigned to a cluster
+ * Services belonged to 1 or more clusters
+ * Dial/bind request would results would include a list of edge routers which were
+ * in clusters linked to the dialed/bound service and
+ * were online when the request was made
+
+Release 0.7.0 replaces this model with something new. It has the following goals:
+
+ * Allow grouping edge routers and other entities dynamically using role attributes rather than hard-coded lists
+ * Allow restricting access to edge router by identity in addition to by service
+
+It includes the following new concepts:
+
+ * Role attributes
+ * Role attributes are just a set of strings associated to a model entity
+ * The semantics of the role attributes are determined by the system administrator
+ * Ex: an edge router might have the role attributes `["us-east", "new-york", "omnicorp"]`
+ * These tags might indicate that this edge router is located on the east coast of the USA, specifically in New York and should be dedicated to use by a customer named OmniCorp
+ * Currently role attributes are supported on edge routers and identities
+ * Roles
+ * Roles specify a set of entities
+ * Roles may include role attributes as well as entity ids
+ * A role will match all entities which either:
+ * Have **_all_** role attributes in the role OR
+ * Have an ID which is listed explicitly
+ * Role attributes are prefixed with `@`. Role elements not prefixed with `@` are assumed to be ids
+ * There is a special role attribute `@all` which will match all entities
+ * A role may have only role attributes or only ids or may have both
+
+## Role Example
+ * Edge router with id 1 has role attributes `["us-east", "New York City"]`
+ * Edge router with id 2 has role attributes `["us-east", "Albany"]`
+ * Edge router with id 3 has role attributes `["us-west", "Los Angeles"]`
+ * An edge router role of `["@us-east", "@New York City", "3"]` would evaluate as follows
+ * Edge router 1 would match because it has all listed role attributes
+ * Edge router 2 would not match, because it doesn't have all listed role attributes
+ * Edge router 3 would match because its ID is listed explicitly
+
+## Model Changes
+### Role Attributes
+Edge routers and identities now have roleAttributes fields. Edge routers no longer have an associated cluster.
+
+### Edge Router Policies
+0.7.0 introduces a new model construct, the Edge Router Policy. This entity allows restricting which edge routers identities are allowed to use. An edge router policy has three attributes:
+
+ * Name
+ * Identity Roles
+ * Edge Router Roles
+
+An identity can be a member of multiple policies and will have access to the union of all edge routers linked to from those policies.
+
+There is a new `/edge-router-policies` endpoint which can be used for creating/updating/deleting/querying edge router policies. Edge router policies PUT/POST/PATCH all take the following properties:
+
+ * name
+ * edgeRouterRoles
+ * identityRoles
+ * tags
+
+### Service Edge Router Roles
+Services now have a new edgeRouterRoles field. If set, this specifies which edge routers may be used for a service. This replaces the old cluster functionality.
+
+### Edge Router Access
+When a service is dialed or bound, which edge routers will be returned?
+
+ * If the service edgeRouterRoles are NOT set, then it will be the set of edge routers to which the dialing/binding identity has access
+ * If the service edgeRouterRoles ARE set, then it will be the intersection of the edge routers to which the service has access and the set of edge routers to which the identity has access
+
+### Cluster Removal and Migration
+The `/clusters` endpoint has been removed. The bbolt schema version has been bumped to 2. If starting a fresh controller no action will be taken. However, if coming from an existing 0.6 or earlier bbolt database, the following will be done:
+
+ 1. An edge router policy will be created with `@all` for both identityRoles and edgeRouterRoles, allowing access to all edge routers from all identities. This will allow the current identities to continue using the system. Otherwise, no identities would be able to connect to any edge routers.
+ 2. Each edge router will get a role attribute of `cluster-` for the cluster it belonged to
+ 3. If a service belongs to 1 or more clusters it will get a role attribute corresponding to the first cluster. Any edge routers assigned to additional clusters will be added to edge router roles field by ID.
+ 1. Noe: If we were to add additional role clusters for the other clusts we'd get the intersection, not the union and would end up with access to 0 edge routers
+
+# Session changes
+Terminology related to sessions is being made consistent between the edge and fabric.
+
+There are two types of sessions:
+
+ 1. Sessions between edge clients the edge controller, which allowed clients to manage controller state as well as dial and bind services
+ 1. These were referred to as sessions in the edge and have no fabric equivalent
+ 1. Sessions which establish routing and allow data flow to/from/within the edge and fabric
+ 1. These were referred to as network sessions in the edge and sessions in the fabric
+
+Going forward, what was called a session in the edge will now be referred to as an API session. What was called a network session will be now just be called session in both the edge and fabric.
+
+As a first step, in 0.7.0 API sessions will be available at both the `/sessions` and `/api-sessions` endpoints. Use of the `/sessions` endpoint is deprecated. In later releases the `/sessions` endpoint will be used for sessions instead of API sessions.
diff --git a/doc/release-notes-0.8.md b/doc/release-notes-0.8.md
new file mode 100644
index 000000000..692eb32e9
--- /dev/null
+++ b/doc/release-notes-0.8.md
@@ -0,0 +1,173 @@
+
+
+This page discusses the changes that you need to be aware of when migrating your Ziti deployment from version 0.7.x to version 0.8.x
+
+# Theme
+ * Ziti 0.8.0 replaces appwans with role attribute based service policies
+ * Ziti 0.8.0 consolidates dial and bind permissions into service policies
+
+# Service Policy
+In 0.7.0 and prior access to services was controlled by appwans.
+
+ * Appwans had lists of identities and services
+ * Identities and services could be associated with 0-n appwans
+ * Services had explicit lists of identities that could bind the service
+ * In order to dial a service, the identity had to be an admin or be in at least one appwan with that service
+ * In order to bind a serivice, the identity had to be able to dial the service and be in the list of identities allowed to bind the service
+
+Release 0.8.0 replaces this model with something new. It has the following goals:
+
+ * Allow grouping identities and services dynamically using role attributes rather than hard-coded lists
+ * Consolidate dial and bind permissions into the same model
+
+The following concepts were introduced in 0.7 for edge router policies. They are now used for service policies as well.
+
+ * Role attributes
+ * Role attributes are just a set of strings associated to a model entity
+ * The semantics of the role attributes are determined by the system administrator
+ * Ex: an edge router might have the role attributes `["us-east", "new-york", "omnicorp"]`
+ * These tags might indicate that this edge router is located on the east coast of the USA, specifically in New York and should be dedicated to use by a customer named OmniCorp
+ * Currently role attributes are supported on edge routers and identities
+ * Roles
+ * Roles specify a set of entities
+ * Roles may include role attributes as well as entity ids
+ * A role will match all entities which either:
+ * Have **_all_** role attributes in the role OR
+ * Have an ID which is listed explicitly
+ * Role attributes are prefixed with `@`. Role elements not prefixed with `@` are assumed to be ids
+ * There is a special role attribute `@all` which will match all entities
+ * A role may have only role attributes or only ids or may have both
+
+## Role Example
+ * Service with id 1 has role attributes `["sales", "New York City"]`
+ * Service with id 2 has role attributes `["sales", "Albany"]`
+ * Service with id 3 has role attributes `["support", "Los Angeles"]`
+ * A service role of `["@sales", "@New York City", "3"]` would evaluate as follows
+ * Service 1 would match because it has all listed role attributes
+ * Service 2 would not match, because it doesn't have all listed role attributes
+ * Service 3 would match because its ID is listed explicitly
+
+## Model Changes
+### Session Names
+ 1. api sessions had two endpoints in 0.7, `/api-sessions` and `/sessions` which was deprecated. `/sessions` is now no longer valid for api sessions
+ 2. sessions used the `/network-sessions` endpoint. In this release, `/network-sessions` has been deprecated and `/sessions` should be used instead.
+ 3. `/current-session` is now `/current-api-session`
+
+### Session Format
+ 1. When creating a session, the returned JSON has the same base format as when listing sessions, so it now includes the service and api-session information. The only difference is that the session token is also returned from session create, but not when listing sessions.
+ 1. The gateways attribute of session has been renamed to edgeRouters.
+
+### Role Attributes
+Services now have a roleAttributes field. Identities already had a roleAttributes field, for used with edge router policies.
+
+### Service Policies
+0.8.0 introduces a new model construct, the Service Policy. This entity allows restricting which services identities are allowed to dial or bind. A service policy has four attributes:
+
+ * Name
+ * Policy Type ("Bind" or "Dial")
+ * Identity Roles
+ * Service Roles
+
+An identity can be a member of multiple policies and will have access to the union of all services linked to from those policies.
+
+There is a new `/service-policies` endpoint which can be used for creating/updating/deleting/querying service policies. Service policies PUT/POST/PATCH all take the following properties:
+
+ * name
+ * type
+ * valid values are "Bind" and "Dial"
+ * identityRoles
+ * serviceRoles
+ * tags
+
+There are also new association endpoints allowing the listing of services and identities associated with service policies and vice-versa.
+
+ * /service-policies//services
+ * /service-policies//identities
+ * /identities//service-policies
+ * /services//service-policies
+
+### Service Access
+ * An admin may dial or bind any service
+ * A non-admin identity may dial any service it has access to via service policies of type "Dial"
+ * A non-admin identity may bind any service it has access to via service policies of type "Bind"
+
+When listing services, the controller used to provide a hostable flag with each service to indicate if the service could be bound in addition to being dialed. Now, the service will have a permissions block which will indicate if the service may be dialed, bound or both.
+
+Ex:
+```json
+ {
+ "meta": {},
+ "data": {
+ "id": "1012d4d7-3ab3-4722-8fa3-ae9f4da3c8ba",
+ "createdAt": "2020-01-04T02:34:00.788444359Z",
+ "updatedAt": "2020-01-04T02:34:00.788444359Z",
+ "_links": {
+ "edge-routers": {
+ "href": "./services/1012d4d7-3ab3-4722-8fa3-ae9f4da3c8ba/edge-routers"
+ },
+ "self": {
+ "href": "./services/1012d4d7-3ab3-4722-8fa3-ae9f4da3c8ba"
+ },
+ "service-policies": {
+ "href": "./services/1012d4d7-3ab3-4722-8fa3-ae9f4da3c8ba/identities"
+ }
+ },
+ "tags": {},
+ "name": "cac9593c-0494-4800-9f70-c258ff28a702",
+ "dns": {
+ "hostname": "0bf71754-ed5b-4b2d-9adf-a542f1284275",
+ "port": 0
+ },
+ "endpointAddress": "4662d564-3fc3-4f10-b8cd-ee0e3629ad24",
+ "egressRouter": "aedab92f-2ddf-445a-9194-73d428322a34",
+ "edgeRouterRoles": null,
+ "roleAttributes": [
+ "2c68789a-fe71-4d25-a483-43e54ee4fd98"
+ ],
+ "permissions": [
+ "Bind"
+ ]
+ }
+ }
+```
+
+### Appwan Removal and Migration
+The `/app-wans` endpoint has been removed. The bbolt schema version has been bumped to 3. If starting a fresh controller no action will be taken. However, if coming from an existing 0.7 or earlier bbolt database, the following will be done:
+
+ 1. For each existing appwan, a service policy with type "Dial" will be created
+ 1. The new service policy will have the same name as the appwan it replaces
+ 1. The new service policy will have the same identities and services as the appwan it replaces
+ 1. Identities and services will be specified explicitly by ID rather as opposed to by creating new role attributes
+
+NOTE: Service hosting identities will not be migrated into equivalent Bind service policies, as binds are not yet used in any production scenarios.
+
+# Go SDK changes
+Several types have been renamed to conform to standard nomenclature
+
+ * Session is now ApiSession
+ * NetworkSession is now Session
+ * The SessionId field is now ApiSessionId
+ * The Gateways field is now EdgeRouters
+ * Gateway is now EdgeRouter
+ * On the Service type the Hostable flag has been removed and replaced with a Permissions string array
+ * It may be nil, empty or contain either or both of "Dial" and "Bind"
+ * On the Context type
+ * GetNetworkSession is now GetSession
+ * GetNetworkHostSession is now GetBindSession
+
+# ziti command line changes
+ 1. The `ziti edge controller create/delete gateway` commands have been removed. Use `ziti edge controller create/delete edge-router` instead.
+ 2. There are new `ziti edge controller create/delete service-policy` commands
+
+# Ziti Proxy changes
+ziti-proxy has been incorporated into the ziti-tunnel command. Where previously one would have run
+
+```
+ZITI_SDK_CONFIG=./config.json ziti-proxy run
+```
+
+now one should use
+
+```
+ziti-tunnel proxy -i ./config.json
+```