author | Andrew Newdigate <andrew@gitlab.com> | 2017-07-11 17:28:25 +0300 |
---|---|---|
committer | Andrew Newdigate <andrew@gitlab.com> | 2017-07-11 17:28:25 +0300 |
commit | f03c975073bb0eba5082e150daeb58196c4e819b (patch) | |
tree | 49f6d6df6fc93b6fef56f7f7e931ac8a24794c94 | |
parent | f5af3a717ae775493273a159b75c8222f01b8f66 (diff) | |
parent | cbeb5f9a156c083a117f0f95604c994eae19d2b8 (diff) |
Merge branch 'rename-auth-unenforced' into 'master'
Rename auth 'unenforced' to 'transitioning'
See merge request !209
-rw-r--r-- | CHANGELOG.md | 2 | ||||
-rw-r--r-- | doc/configuration/README.md | 8 | ||||
-rw-r--r-- | internal/config/auth.go | 8 | ||||
-rw-r--r-- | internal/server/auth.go | 14 | ||||
-rw-r--r-- | internal/server/auth_test.go | 2 |
5 files changed, 18 insertions, 16 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f2552619..359d55251 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 UNRELEASED
+- Rename auth 'unenforced' to 'transitioning'
+ https://gitlab.com/gitlab-org/gitaly/merge_requests/209
 - Also check for "refs" folder for repo existence
 https://gitlab.com/gitlab-org/gitaly/merge_requests/207
diff --git a/doc/configuration/README.md b/doc/configuration/README.md
index 02688b470..9803565e1 100644
--- a/doc/configuration/README.md
+++ b/doc/configuration/README.md
@@ -24,7 +24,7 @@ listen_addr = ":8081"
 prometheus_listen_addr = ":9236"
 [auth]
-# unenforced = false
+# transitioning = false
 # token = "abc123def456......."
 [[storage]]
@@ -58,18 +58,18 @@ Authentication is disabled when the token setting in config.toml is absent or th
 token = "the secret token"
 ```
-It is possible to temporarily disable authentication with the 'unenforced'
+It is possible to temporarily disable authentication with the 'transitioning'
 setting. This allows you to monitor (see below) if all clients are authenticating correctly without causing a service outage for clients that are not configured correctly yet.
-> **Warning:** Remember to disable 'unenforced' when you are done
+> **Warning:** Remember to disable 'transitioning' when you are done
 changing your token settings.
 ```toml
 [auth]
 token = "the secret token"
-unenforced = true
+transitioning = true
 ```
 All authentication attempts are counted in Prometheus under
diff --git a/internal/config/auth.go b/internal/config/auth.go
index c7a57e5a7..6e3bce81a 100644
--- a/internal/config/auth.go
+++ b/internal/config/auth.go
@@ -8,8 +8,8 @@ import (
 // Auth contains the authentication settings for this Gitaly process.
 type Auth struct {
- Unenforced bool `toml:"unenforced"`
- Token Token `toml:"token"`
+ Transitioning bool `toml:"transitioning"`
+ Token Token `toml:"token"`
 }
 // Token is a string of the form "name:secret". It specifies a Gitaly
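Review bot: The `Auth` struct in internal/config/auth.go now binds only the `transitioning` key, with no fallback for the old `unenforced` key, so a deployed config.toml that still says `unenforced = true` would presumably load with `Transitioning` left false and the server would begin enforcing tokens on upgrade. That fails closed, which is the safe direction, but clients that are mid-rollout would be rejected with nothing in the log pointing at the stale key. I would keep a deprecated `Unenforced` field bound to the old key for one release and log a warning when it is set, or state in the CHANGELOG entry that the key rename is breaking. How an unknown key is treated depends on the TOML decoder, which is not visible in this hunk.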
@@ -22,10 +22,10 @@ func (t Token) Equal(other string) bool {
 }
 func validateToken() error {
- if !Config.Auth.Unenforced || len(Config.Auth.Token) == 0 {
+ if !Config.Auth.Transitioning || len(Config.Auth.Token) == 0 {
 return nil
 }
- log.Warn("Authentication is enabled but not enforced. Gitaly will accept unauthenticated requests.")
+ log.Warn("Authentication is enabled but not enforced because transitioning=true. Gitaly will accept unauthenticated requests.")
 return nil
 }
diff --git a/internal/server/auth.go b/internal/server/auth.go
index 32c6a8fc6..d59abc5bc 100644
--- a/internal/server/auth.go
+++ b/internal/server/auth.go
@@ -18,7 +18,7 @@ var (
 Name: "gitaly_authentications",
 Help: "Counts of of Gitaly request authentication attempts",
 },
- []string{"unenforced", "status"},
+ []string{"enforced", "status"},
 )
 )
@@ -65,14 +65,14 @@ func check(ctx context.Context) (context.Context, error) {
 }
 func ifEnforced(err error) error {
- if config.Config.Auth.Unenforced {
+ if config.Config.Auth.Transitioning {
 return nil
 }
 return err
 }
 func okLabel() string {
- if config.Config.Auth.Unenforced {
+ if config.Config.Auth.Transitioning {
 // This special value is an extra warning sign to administrators that
 // authentication is currently not enforced.
 return "would be ok"
@@ -81,9 +81,9 @@ func okLabel() string {
 }
 func countStatus(status string) prometheus.Counter {
- unenforced := "false"
- if config.Config.Auth.Unenforced {
- unenforced = "true"
+ enforced := "true"
+ if config.Config.Auth.Transitioning {
+ enforced = "false"
 }
- return authCount.WithLabelValues(unenforced, status)
+ return authCount.WithLabelValues(enforced, status)
 }
diff --git a/internal/server/auth_test.go b/internal/server/auth_test.go
index ad279b2e8..f2ce4a9dd 100644
--- a/internal/server/auth_test.go
+++ b/internal/server/auth_test.go
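Review bot: The label on `gitaly_authentications` is not just renamed in `[]string{"enforced", "status"}`, its polarity is inverted: `countStatus` (hunk at -81,9) now emits `enforced="false"` where it used to emit `unenforced="true"`. Any dashboard or alert rule that selects on `unenforced="true"` to catch a server that is accepting unauthenticated requests would match nothing after this change and go quiet. The CHANGELOG entry mentions only the setting rename, so it should also call out the metric label change. A comment above the label list, for example `// "enforced" is "false" while auth.transitioning is set`, would help whoever writes the next alert.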
@@ -110,7 +110,7 @@ func TestAuthSuccess(t *testing.T) {
 }
 for _, tc := range testCases {
 config.Config.Auth.Token = tc.token
- config.Config.Auth.Unenforced = !tc.required
+ config.Config.Auth.Transitioning = !tc.required
 t.Logf("%+v", config.Config.Auth)
 connOpts := append(tc.opts, grpc.WithInsecure())
 func() {
|