Documentation ¶
Index ¶
- Constants
- func NoCache(clt auth.ClientI, cacheName []string) (auth.AccessPoint, error)
- type CachingAuditLog
- func (ll *CachingAuditLog) Close() error
- func (ll *CachingAuditLog) EmitAuditEvent(eventType string, fields events.EventFields) error
- func (ll *CachingAuditLog) GetSessionChunk(string, session.ID, int, int) ([]byte, error)
- func (ll *CachingAuditLog) GetSessionEvents(string, session.ID, int, bool) ([]events.EventFields, error)
- func (ll *CachingAuditLog) PostSessionChunk(namespace string, sid session.ID, reader io.Reader) error
- func (ll *CachingAuditLog) PostSessionSlice(slice events.SessionSlice) error
- func (ll *CachingAuditLog) SearchEvents(time.Time, time.Time, string, int) ([]events.EventFields, error)
- func (ll *CachingAuditLog) SearchSessionEvents(time.Time, time.Time, int) ([]events.EventFields, error)
- func (ll *CachingAuditLog) WaitForDelivery(ctx context.Context) error
- type CachingAuditLogConfig
- type CachingAuthClient
- func (cs *CachingAuthClient) DeleteTunnelConnection(clusterName, connName string) error
- func (cs *CachingAuthClient) GetAllTunnelConnections() (conns []services.TunnelConnection, err error)
- func (cs *CachingAuthClient) GetCertAuthorities(ct services.CertAuthType, loadKeys bool) (cas []services.CertAuthority, err error)
- func (cs *CachingAuthClient) GetCertAuthority(id services.CertAuthID, loadKeys bool) (ca services.CertAuthority, err error)
- func (cs *CachingAuthClient) GetClusterConfig() (clusterConfig services.ClusterConfig, err error)
- func (cs *CachingAuthClient) GetDomainName() (clusterName string, err error)
- func (cs *CachingAuthClient) GetNamespace(name string) (namespace *services.Namespace, err error)
- func (cs *CachingAuthClient) GetNamespaces() (namespaces []services.Namespace, err error)
- func (cs *CachingAuthClient) GetNodes(namespace string) (nodes []services.Server, err error)
- func (cs *CachingAuthClient) GetProxies() (proxies []services.Server, err error)
- func (cs *CachingAuthClient) GetReverseTunnels() (tunnels []services.ReverseTunnel, err error)
- func (cs *CachingAuthClient) GetRole(name string) (role services.Role, err error)
- func (cs *CachingAuthClient) GetRoles() (roles []services.Role, err error)
- func (cs *CachingAuthClient) GetTunnelConnections(clusterName string) (conns []services.TunnelConnection, err error)
- func (cs *CachingAuthClient) GetUsers() (users []services.User, err error)
- func (cs *CachingAuthClient) UpsertNode(s services.Server) error
- func (cs *CachingAuthClient) UpsertProxy(s services.Server) error
- func (cs *CachingAuthClient) UpsertTunnelConnection(conn services.TunnelConnection) error
- type Config
- type NewCachingAccessPoint
Constants ¶
const (
	// DefaultQueueLen determines how many logging events to queue in-memory
	// before new events start being dropped (probably because the logging
	// server is down). Events dropped here are not delivered to the server.
	DefaultQueueLen = 300
	// DefaultFlushTimeout is the period after which buffered chunks are
	// flushed when no other events have been received.
	DefaultFlushTimeout = time.Second
	// DefaultFlushChunks is the maximum number of chunks accumulated over
	// a period before a flush is triggered.
	DefaultFlushChunks = 250
	// DefaultFlushBytes is the maximum number of bytes in the accumulated
	// chunks before a flush is triggered.
	DefaultFlushBytes = 100000
	// DefaultThrottleTimeout is the latency after which the forwarder starts
	// throttling; presumably the default for CachingAuditLogConfig.ThrottleTimeout
	// ("a timeout that triggers throttling"). The original comment was truncated.
	DefaultThrottleTimeout = 500 * time.Millisecond
	// DefaultThrottleDuration is the period for which the slow network is
	// throttled before trying to send again.
	DefaultThrottleDuration = 10 * time.Second
	// DefaultBackoffInitialInterval is the initial interval for backoff.
	DefaultBackoffInitialInterval = 100 * time.Millisecond
	// DefaultBackoffMaxInterval is the maximum interval for backoff; it is
	// tied to DefaultThrottleDuration.
	DefaultBackoffMaxInterval = DefaultThrottleDuration
)
Variables ¶
This section is empty.
Functions ¶
Types ¶
type CachingAuditLog ¶
// CachingAuditLog implements events.IAuditLog on the recording machine
// (SSH server): it captures the local recording and forwards it to the
// AuditLog network server. Only the embedded config is exported; the
// remaining fields are unexported and not shown in this listing.
type CachingAuditLog struct {
	CachingAuditLogConfig
	// contains filtered or unexported fields
}
CachingAuditLog implements events.IAuditLog on the recording machine (SSH server). It captures the local recording and forwards it to the AuditLog network server. Some important properties of this implementation:
- Without back pressure on posting session chunks, the audit log was losing events because producing was much faster than consuming and the buffer was overflowing.
- Throttling is important to keep the session going in case of audit log slowness, as otherwise the session output would block and time out on every request.
- It is important to pack chunks, because ls -laR / would otherwise generate about 10K requests per second. With this packing approach we reduced this number to about 40-50 requests per second; we can now tweak this parameter by setting the queue size and flush buffers.
- The current implementation attaches one audit log forwarder per session.
func NewCachingAuditLog ¶
func NewCachingAuditLog(cfg CachingAuditLogConfig) (*CachingAuditLog, error)
NewCachingAuditLog creates a new, fully initialized instance of the caching audit log.
func (*CachingAuditLog) Close ¶
func (ll *CachingAuditLog) Close() error
func (*CachingAuditLog) EmitAuditEvent ¶
func (ll *CachingAuditLog) EmitAuditEvent(eventType string, fields events.EventFields) error
func (*CachingAuditLog) GetSessionChunk ¶
func (*CachingAuditLog) GetSessionEvents ¶
func (ll *CachingAuditLog) GetSessionEvents(string, session.ID, int, bool) ([]events.EventFields, error)
func (*CachingAuditLog) PostSessionChunk ¶
func (*CachingAuditLog) PostSessionSlice ¶
func (ll *CachingAuditLog) PostSessionSlice(slice events.SessionSlice) error
func (*CachingAuditLog) SearchEvents ¶
func (ll *CachingAuditLog) SearchEvents(time.Time, time.Time, string, int) ([]events.EventFields, error)
func (*CachingAuditLog) SearchSessionEvents ¶
func (ll *CachingAuditLog) SearchSessionEvents(time.Time, time.Time, int) ([]events.EventFields, error)
func (*CachingAuditLog) WaitForDelivery ¶
func (ll *CachingAuditLog) WaitForDelivery(ctx context.Context) error
WaitForDelivery waits until all operations of the caching audit log complete after Close has been called, e.g. flushing remaining items
type CachingAuditLogConfig ¶
// CachingAuditLogConfig sets the configuration for the caching audit log.
// Zero-valued fields are presumably filled in by CheckAndSetDefaults from
// this package's Default* constants — confirm against that method.
type CachingAuditLogConfig struct {
	// Namespace is the session namespace.
	Namespace string
	// SessionID is the ID of the session this log forwards for.
	SessionID string
	// Server is the server receiving audit events.
	Server events.IAuditLog
	// QueueLen is the length of the caching queue; events beyond it are
	// dropped (see DefaultQueueLen).
	QueueLen int
	// FlushChunks controls how many chunks to aggregate before submitting.
	FlushChunks int
	// Context is an optional context.
	Context context.Context
	// ThrottleTimeout is the timeout that triggers throttling.
	ThrottleTimeout time.Duration
	// ThrottleDuration is the duration of throttling once triggered.
	ThrottleDuration time.Duration
	// FlushTimeout is the period after which buffered chunks are flushed
	// if the queue has not filled up yet.
	FlushTimeout time.Duration
	// FlushBytes sets the number of bytes per slice that triggers
	// a flush to the server.
	FlushBytes int64
	// BackoffInitialInterval is the initial interval for backoff.
	BackoffInitialInterval time.Duration
	// BackoffMaxInterval is the maximum interval for backoff.
	BackoffMaxInterval time.Duration
}
CachingAuditLogConfig sets the configuration for the caching audit log.
func (*CachingAuditLogConfig) CheckAndSetDefaults ¶
func (c *CachingAuditLogConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets defaults
type CachingAuthClient ¶
// CachingAuthClient implements auth.AccessPoint and remembers the previously
// returned upstream value for each API call, so it can keep serving if the
// upstream AccessPoint goes offline. Cached values are only as fresh as the
// TTLs in Config allow.
type CachingAuthClient struct {
	Config
	*log.Entry
	// mutex guards access to the ttl map (unexported, not shown here).
	// NOTE(review): embedding sync.RWMutex exports Lock/Unlock/RLock/RUnlock
	// on *CachingAuthClient, so any holder of the client can take the lock.
	sync.RWMutex
	// contains filtered or unexported fields
}
CachingAuthClient implements auth.AccessPoint interface and remembers the previously returned upstream value for each API call.
This can be used if the upstream AccessPoint goes offline.
func NewCachingAuthClient ¶
func NewCachingAuthClient(config Config) (*CachingAuthClient, error)
NewCachingAuthClient creates a new instance of CachingAuthClient using a live connection to the auth server (config.AccessPoint).
func (*CachingAuthClient) DeleteTunnelConnection ¶
func (cs *CachingAuthClient) DeleteTunnelConnection(clusterName, connName string) error
DeleteTunnelConnection is a part of auth.AccessPoint implementation
func (*CachingAuthClient) GetAllTunnelConnections ¶
func (cs *CachingAuthClient) GetAllTunnelConnections() (conns []services.TunnelConnection, err error)
GetAllTunnelConnections is a part of the auth.AccessPoint implementation. It does not use the recent cache, as it is designed to be called periodically and always return fresh data.
func (*CachingAuthClient) GetCertAuthorities ¶
func (cs *CachingAuthClient) GetCertAuthorities(ct services.CertAuthType, loadKeys bool) (cas []services.CertAuthority, err error)
GetCertAuthorities is a part of auth.AccessPoint implementation
func (*CachingAuthClient) GetCertAuthority ¶
func (cs *CachingAuthClient) GetCertAuthority(id services.CertAuthID, loadKeys bool) (ca services.CertAuthority, err error)
GetCertAuthority is a part of auth.AccessPoint implementation
func (*CachingAuthClient) GetClusterConfig ¶
func (cs *CachingAuthClient) GetClusterConfig() (clusterConfig services.ClusterConfig, err error)
func (*CachingAuthClient) GetDomainName ¶
func (cs *CachingAuthClient) GetDomainName() (clusterName string, err error)
GetDomainName is a part of auth.AccessPoint implementation
func (*CachingAuthClient) GetNamespace ¶
func (cs *CachingAuthClient) GetNamespace(name string) (namespace *services.Namespace, err error)
GetNamespace returns namespace
func (*CachingAuthClient) GetNamespaces ¶
func (cs *CachingAuthClient) GetNamespaces() (namespaces []services.Namespace, err error)
GetNamespaces is a part of auth.AccessPoint implementation
func (*CachingAuthClient) GetNodes ¶
func (cs *CachingAuthClient) GetNodes(namespace string) (nodes []services.Server, err error)
GetNodes is a part of auth.AccessPoint implementation
func (*CachingAuthClient) GetProxies ¶
func (cs *CachingAuthClient) GetProxies() (proxies []services.Server, err error)
GetProxies is a part of auth.AccessPoint implementation
func (*CachingAuthClient) GetReverseTunnels ¶
func (cs *CachingAuthClient) GetReverseTunnels() (tunnels []services.ReverseTunnel, err error)
GetReverseTunnels deliberately does not use the recent cache, as it is designed to be called periodically and return fresh data whenever possible.
func (*CachingAuthClient) GetRole ¶
func (cs *CachingAuthClient) GetRole(name string) (role services.Role, err error)
GetRole is a part of auth.AccessPoint implementation
func (*CachingAuthClient) GetRoles ¶
func (cs *CachingAuthClient) GetRoles() (roles []services.Role, err error)
GetRoles is a part of auth.AccessPoint implementation
func (*CachingAuthClient) GetTunnelConnections ¶
func (cs *CachingAuthClient) GetTunnelConnections(clusterName string) (conns []services.TunnelConnection, err error)
GetTunnelConnections is a part of the auth.AccessPoint implementation. It does not use the recent cache, as it is designed to be called periodically and always return fresh data.
func (*CachingAuthClient) GetUsers ¶
func (cs *CachingAuthClient) GetUsers() (users []services.User, err error)
GetUsers is a part of auth.AccessPoint implementation
func (*CachingAuthClient) UpsertNode ¶
func (cs *CachingAuthClient) UpsertNode(s services.Server) error
UpsertNode is part of auth.AccessPoint implementation
func (*CachingAuthClient) UpsertProxy ¶
func (cs *CachingAuthClient) UpsertProxy(s services.Server) error
UpsertProxy is part of auth.AccessPoint implementation
func (*CachingAuthClient) UpsertTunnelConnection ¶
func (cs *CachingAuthClient) UpsertTunnelConnection(conn services.TunnelConnection) error
UpsertTunnelConnection is a part of auth.AccessPoint implementation
type Config ¶
// Config is the configuration for CachingAuthClient.
type Config struct {
	// CacheMaxTTL sets the maximum TTL the cache keeps a value
	// in case there is no connection to the auth servers.
	// NOTE(review): while upstream is unreachable, cached values (cert
	// authorities, roles, users, ...) stay in effect for up to this long, so a
	// change made upstream in that window is not seen until the TTL expires —
	// confirm the chosen value against the tolerance for stale authz data.
	CacheMaxTTL time.Duration
	// RecentCacheTTL sets the TTL for items that were recently retrieved
	// from the auth servers. If set to 0 it is not turned on; if set to
	// 1 second, a value accessed within the last second (or a NotFound
	// error) will be returned instead of querying the auth server.
	// NOTE(review): the NotFound error is cached as well (negative caching),
	// so a resource created upstream may be reported missing for up to this TTL.
	RecentCacheTTL time.Duration
	// NeverExpires, if set, never expires cache values.
	// NOTE(review): with this set the CacheMaxTTL bound no longer applies and
	// stale values can be served indefinitely — confirm this is intended.
	NeverExpires bool
	// AccessPoint is the upstream access point this cache fronts
	// (the original comment was truncated).
	AccessPoint auth.AccessPoint
	// Backend is the cache backend.
	Backend backend.Backend
	// Clock can be set to control time.
	Clock clockwork.Clock
	// SkipPreload turns off preloading on start.
	SkipPreload bool
}
Config is the configuration for CachingAuthClient.
func (*Config) CheckAndSetDefaults ¶
CheckAndSetDefaults checks parameters and sets default values
type NewCachingAccessPoint ¶
NewCachingAccessPoint returns a new caching access point using the access point policy.