dynamo

package
v1.2.3-fred.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 18, 2022 License: Apache-2.0 Imports: 29 Imported by: 26

README

DynamoDB backend implementation for Teleport.

Introduction

This package enables Teleport auth server to store secrets in DynamoDB on AWS.

WARNING: Using DynamoDB involves recurring charge from AWS.

The table created by the backend will provision 5/5 R/W capacity. It should be covered by the free tier.

Running tests

The DynamodDB tests are not run by default. To run them locally, try:

go test -tags dynamodb -v  ./lib/backend/dynamo

NOTE: you will need to provide a AWS credentials & a default region (e.g. in your ~/.aws/credentials & ~/.aws/config files, or via environment vars) for the tests to work.

Quick Start

Add this storage configuration in teleport section of the config file (by default it's /etc/teleport.yaml):

teleport:
  storage:
    type: dynamodb
    region: eu-west-1
    table_name: teleport.state
    access_key: XXXXXXXXXXXXXXXXXXXXX
    secret_key: YYYYYYYYYYYYYYYYYYYYY

Replace region and table_name with your own settings. Teleport will create the table automatically.

AWS IAM Role

You can use IAM role instead of hard coded access and secret key (IAM role is recommended). You must apply correct policy in order to the auth to create/get/update K/V in DynamoDB.

Example of a typical policy (change region and account ID):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllAPIActionsOnTeleportAuth",
            "Effect": "Allow",
            "Action": "dynamodb:*",
            "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/prod.teleport.auth"
        }
    ]
}

Get Help

This backend has been contributed by https://github.com/apestel

Documentation

Overview

Package dynamo implements DynamoDB storage backend for Teleport auth service, similar to etcd backend.

dynamo package implements the DynamoDB storage back-end for the auth server. Originally contributed by https://github.com/apestel

limitations:

  • Paging is not implemented, hence all range operations are limited to 1MB result set

Index

Constants

View Source
const (

	// BackendName is the name of this backend
	BackendName = "dynamodb"

	// DefaultReadCapacityUnits specifies default value for read capacity units
	DefaultReadCapacityUnits = 10

	// DefaultWriteCapacityUnits specifies default value for write capacity units
	DefaultWriteCapacityUnits = 10
)

Variables

This section is empty.

Functions

func GetIndexID

func GetIndexID(tableName, indexName string) string

GetIndexID returns the resourceID of an index, based on the table & index name

func GetName

func GetName() string

GetName is a part of backend API and it returns DynamoDB backend type as it appears in `storage/type` section of Teleport YAML

func GetTableID

func GetTableID(tableName string) string

GetTableID returns the resourceID of a table based on its table name

func SetAutoScaling

func SetAutoScaling(ctx context.Context, svc *applicationautoscaling.ApplicationAutoScaling, resourceID string, params AutoScalingParams) error

SetAutoScaling enables auto-scaling for the specified table with given configuration.

func SetContinuousBackups

func SetContinuousBackups(ctx context.Context, svc dynamodbiface.DynamoDBAPI, tableName string) error

SetContinuousBackups enables continuous backups.

func TurnOnStreams

func TurnOnStreams(ctx context.Context, svc dynamodbiface.DynamoDBAPI, tableName string) error

func TurnOnTimeToLive

func TurnOnTimeToLive(ctx context.Context, svc dynamodbiface.DynamoDBAPI, tableName string, ttlKey string) error

Types

type AutoScalingParams

type AutoScalingParams struct {
	// ReadMaxCapacity is the maximum provisioned read capacity.
	ReadMaxCapacity int64
	// ReadMinCapacity is the minimum provisioned read capacity.
	ReadMinCapacity int64
	// ReadTargetValue is the ratio of consumed read to provisioned capacity.
	ReadTargetValue float64
	// WriteMaxCapacity is the maximum provisioned write capacity.
	WriteMaxCapacity int64
	// WriteMinCapacity is the minimum provisioned write capacity.
	WriteMinCapacity int64
	// WriteTargetValue is the ratio of consumed write to provisioned capacity.
	WriteTargetValue float64
}

AutoScalingParams defines auto scaling parameters for DynamoDB.

type Backend

type Backend struct {
	*log.Entry
	Config
	// contains filtered or unexported fields
}

Backend is a DynamoDB-backed key value backend implementation.

func New

func New(ctx context.Context, params backend.Params) (*Backend, error)

New returns new instance of DynamoDB backend. It's an implementation of backend API's NewFunc

func (*Backend) Clock

func (b *Backend) Clock() clockwork.Clock

Clock returns wall clock

func (*Backend) Close

func (b *Backend) Close() error

Close closes the DynamoDB driver and releases associated resources

func (*Backend) CloseWatchers

func (b *Backend) CloseWatchers()

CloseWatchers closes all the watchers without closing the backend

func (*Backend) CompareAndSwap

func (b *Backend) CompareAndSwap(ctx context.Context, expected backend.Item, replaceWith backend.Item) (*backend.Lease, error)

CompareAndSwap compares and swap values in atomic operation CompareAndSwap compares item with existing item and replaces is with replaceWith item

func (*Backend) Create

func (b *Backend) Create(ctx context.Context, item backend.Item) (*backend.Lease, error)

Create creates item if it does not exist

func (*Backend) Delete

func (b *Backend) Delete(ctx context.Context, key []byte) error

Delete deletes item by key

func (*Backend) DeleteRange

func (b *Backend) DeleteRange(ctx context.Context, startKey, endKey []byte) error

DeleteRange deletes range of items with keys between startKey and endKey

func (*Backend) Get

func (b *Backend) Get(ctx context.Context, key []byte) (*backend.Item, error)

Get returns a single item or not found error

func (*Backend) GetRange

func (b *Backend) GetRange(ctx context.Context, startKey []byte, endKey []byte, limit int) (*backend.GetResult, error)

GetRange returns range of elements

func (*Backend) KeepAlive

func (b *Backend) KeepAlive(ctx context.Context, lease backend.Lease, expires time.Time) error

KeepAlive keeps object from expiring, updates lease on the existing object, expires contains the new expiry to set on the lease, some backends may ignore expires based on the implementation in case if the lease managed server side

func (*Backend) NewWatcher

func (b *Backend) NewWatcher(ctx context.Context, watch backend.Watch) (backend.Watcher, error)

NewWatcher returns a new event watcher

func (*Backend) Put

func (b *Backend) Put(ctx context.Context, item backend.Item) (*backend.Lease, error)

Put puts value into backend (creates if it does not exists, updates it otherwise)

func (*Backend) Update

func (b *Backend) Update(ctx context.Context, item backend.Item) (*backend.Lease, error)

Update updates value in the backend

type Config

type Config struct {
	// Region is where DynamoDB Table will be used to store k/v
	Region string `json:"region,omitempty"`
	// AWS AccessKey used to authenticate DynamoDB queries (prefer IAM role instead of hardcoded value)
	AccessKey string `json:"access_key,omitempty"`
	// AWS SecretKey used to authenticate DynamoDB queries (prefer IAM role instead of hardcoded value)
	SecretKey string `json:"secret_key,omitempty"`
	// TableName where to store K/V in DynamoDB
	TableName string `json:"table_name,omitempty"`
	// ReadCapacityUnits is Dynamodb read capacity units
	ReadCapacityUnits int64 `json:"read_capacity_units"`
	// WriteCapacityUnits is Dynamodb write capacity units
	WriteCapacityUnits int64 `json:"write_capacity_units"`
	// BufferSize is a default buffer size
	// used to pull events
	BufferSize int `json:"buffer_size,omitempty"`
	// PollStreamPeriod is a polling period for event stream
	PollStreamPeriod time.Duration `json:"poll_stream_period,omitempty"`
	// RetryPeriod is a period between dynamo backend retries on failures
	RetryPeriod time.Duration `json:"retry_period"`

	// EnableContinuousBackups is used to enables PITR (Point-In-Time Recovery).
	EnableContinuousBackups bool `json:"continuous_backups,omitempty"`

	// EnableAutoScaling is used to enable auto scaling policy.
	EnableAutoScaling bool `json:"auto_scaling,omitempty"`
	// ReadMaxCapacity is the maximum provisioned read capacity. Required to be
	// set if auto scaling is enabled.
	ReadMaxCapacity int64 `json:"read_max_capacity,omitempty"`
	// ReadMinCapacity is the minimum provisioned read capacity. Required to be
	// set if auto scaling is enabled.
	ReadMinCapacity int64 `json:"read_min_capacity,omitempty"`
	// ReadTargetValue is the ratio of consumed read capacity to provisioned
	// capacity. Required to be set if auto scaling is enabled.
	ReadTargetValue float64 `json:"read_target_value,omitempty"`
	// WriteMaxCapacity is the maximum provisioned write capacity. Required to
	// be set if auto scaling is enabled.
	WriteMaxCapacity int64 `json:"write_max_capacity,omitempty"`
	// WriteMinCapacity is the minimum provisioned write capacity. Required to
	// be set if auto scaling is enabled.
	WriteMinCapacity int64 `json:"write_min_capacity,omitempty"`
	// WriteTargetValue is the ratio of consumed write capacity to provisioned
	// capacity. Required to be set if auto scaling is enabled.
	WriteTargetValue float64 `json:"write_target_value,omitempty"`
}

Config structure represents DynamoDB configuration as appears in `storage` section of Teleport YAML

func (*Config) CheckAndSetDefaults

func (cfg *Config) CheckAndSetDefaults() error

CheckAndSetDefaults is a helper returns an error if the supplied configuration is not enough to connect to DynamoDB

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL