Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow storage adapters optionally specify delimiters #204

Open
fititnt opened this issue Dec 1, 2019 · 0 comments
Open

Allow storage adapters optionally specify delimiters #204

fititnt opened this issue Dec 1, 2019 · 0 comments

Comments

@fititnt
Copy link

fititnt commented Dec 1, 2019

Related #203

When developing storage_adapters for lua-resty-auto-ssl, the only part that is possible to customize the separator on prefixed_key inside the redis.lua. This is how I'm implementing on consul.lua.

But for both file and redis adapter, the other separators are hardcoded on on storage.lua to :

Example:

return self.adapter:get(domain .. ":challenge:" .. path)
--- ...
local json, err = self.adapter:get(domain .. ":latest")

--- ...
local key = domain .. ":issue_cert_lock"

--- ...
local key = domain .. ":issue_cert_lock"

So, as cited here fititnt/ap-application-load-balancer#25 (comment),

69834723-fbbae280-121a-11ea-8cd4-48371a662279

At this moment, at least is possible to enforce a prefix for all lua-resty-auto-ssl concent, but all other content (for each domain) are keep on the same folder.

Does the lack of specifying a delimiter affect the basic funcionality of Consul adapter?

No. It works. The #203 does not require this.

This only would affect usage with Consul on "more enterprise" or places with huge number of keys managed by a single data storage with strong ACL.

Strong cases for make it flexible

  • Consul can allow Access Control List based on key prefixes (but this requires change : to /
    • See https://www.consul.io/docs/acl/acl-rules.html
    • At this moment, is only possible to give entire access to all keys or none key
    • If this feature is implemented, could be possible, for example, to give not only difference betwen write and reads, but also give the oportunity to deny or allow based on specific domain
      • Even if a centralized storage contain all keys, some Consul clients (and by extension a node running OpenResty) could write and/or read only some domains

There is not so strong cases for this, but just to mention:

  • One lazy way to implement what domain could be accepted or not (at least for Consul adapter) could be just deny writes. for some paths
    • Not that I would implement this way, but is one way.
    • Maybe this could be implemented at another layer or method before consul.lua is called. I will think this later
  • If for some reason too much keys are created and not deleted, at least on Consul there is no "batch delete" without prefixed keys with "/". Much less clicks on the UI using this way.
    • Note: the screenshot was from an older version of consul.lua. The new one is already deleting the locks and challanges.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@fititnt