Add NamespaceStore to the namespace branch #896
Conversation
| } | ||
|
|
||
| func (c *Core) ListNamespaces(includePath bool) []*namespace.Namespace { | ||
| return []*namespace.Namespace{namespace.RootNamespace} |
There was a problem hiding this comment.
Function should return all namespaces, not only root namespace
| return namespaceByID(ctx, nsID, c) | ||
| } | ||
|
|
||
| func (c *Core) ListNamespaces(includePath bool) []*namespace.Namespace { |
There was a problem hiding this comment.
Function should remain in namespaces_oss.go with copyright HashiCorp
| "github.com/openbao/openbao/sdk/v2/logical" | ||
| ) | ||
|
|
||
| func (c *Core) NamespaceByID(ctx context.Context, nsID string) (*namespace.Namespace, error) { |
There was a problem hiding this comment.
Function should remain in namespaces_oss.go with copyright HashiCorp
| @@ -0,0 +1,475 @@ | |||
| // Copyright (c) HashiCorp, Inc. | |||
There was a problem hiding this comment.
New files should have copyright OpenBao, right?
There was a problem hiding this comment.
Correct:
| // Copyright (c) HashiCorp, Inc. | |
| // Copyright (c) 2025 OpenBao a Series of LF Projects, LLC |
| ) | ||
|
|
||
| func (c *Core) NamespaceByID(ctx context.Context, nsID string) (*namespace.Namespace, error) { | ||
| return namespaceByID(ctx, nsID, c) |
There was a problem hiding this comment.
Implementation of namespaceByID in namespaces.go should be fixed (returns root namespace or error)
| "identity", | ||
| } | ||
|
|
||
| func (b *SystemBackend) namespacePaths() []*framework.Path { |
There was a problem hiding this comment.
I think these would best go in logical_system_namespaces.go to separate them from the store implementation and for consistency with the existing code layout.
There was a problem hiding this comment.
Shouldn't we rename the file namespaces_openbao.go to namespaces_store.go? The suffix openbao does not indicate the purpose of the file
There was a problem hiding this comment.
@klaus-sap I agree, but just NamespaceStore (the struct) should be in that new file named namespace_store.go; the API handlers should follow the naming convention of that subsystem (and thus be logical_system_namespaces). My 2c.
There was a problem hiding this comment.
@cipherboy I agree. The API handlers should be in logical_system, but the struct and functions like NewNamespaceStore, setupNamespaceStore, teardownNamespaceStore, SetNamespace, GetNamespace, ListNamespaces, DeleteNamespace should be in namespace_store.go (in the same way as in policy_store.go)
| } | ||
|
|
||
| // handleNamespaceSet handles the "/sys/namespaces/<path>" endpoint to set a namespace | ||
| func (b *SystemBackend) handleNamespacesSet() framework.OperationFunc { |
| @@ -21,7 +22,88 @@ import ( | |||
| ) | |||
|
|
|||
| var ( | |||
| restrictedAPIs = []string{ | |||
| "sys/activation-flags/secrets-sync/activate", | |||
There was a problem hiding this comment.
This path does not exist in OpenBao:
| "sys/activation-flags/secrets-sync/activate", |
| "sys/audit", | ||
| "sys/audit-hash", | ||
| "sys/config/cors", | ||
| "sys/config/group-policy-application", |
There was a problem hiding this comment.
As above:
| "sys/config/group-policy-application", |
There was a problem hiding this comment.
What is the suggested change? :-)
There was a problem hiding this comment.
@klaus-sap Ah, ty, looks like that one didn't apply. I've fixed it (remove this line).
| "sys/config/state", | ||
| "sys/config/ui", | ||
| "sys/decode-token", | ||
| "sys/experiments", |
There was a problem hiding this comment.
As above:
| "sys/experiments", |
| "/sys/replication/dr/primary/", | ||
| "/sys/replication/dr/secondary/", | ||
| "/sys/replication/performance/primary/", | ||
| "/sys/replication/performance/secondary/", |
There was a problem hiding this comment.
These will likely never be in OpenBao:
| "/sys/replication/dr/primary/", | |
| "/sys/replication/dr/secondary/", | |
| "/sys/replication/performance/primary/", | |
| "/sys/replication/performance/secondary/", |
| @@ -0,0 +1,475 @@ | |||
| // Copyright (c) HashiCorp, Inc. | |||
There was a problem hiding this comment.
Correct:
| // Copyright (c) HashiCorp, Inc. | |
| // Copyright (c) 2025 OpenBao a Series of LF Projects, LLC |
|
|
||
| // NewNamespaceStore creates a new NamespaceStore that is backed | ||
| // using a given view. It used used to durable store and manage named namespace. | ||
| func NewNamespaceStore(ctx context.Context, core *Core, baseView BarrierView, system logical.SystemView, logger hclog.Logger) (*NamespaceStore, error) { |
There was a problem hiding this comment.
| func NewNamespaceStore(ctx context.Context, core *Core, baseView BarrierView, system logical.SystemView, logger hclog.Logger) (*NamespaceStore, error) { | |
| func NewNamespaceStore(ctx context.Context, core *Core, baseView BarrierView, logger hclog.Logger) (*NamespaceStore, error) { |
SystemView is unused and I don't think it has a purpose in this code.
There was a problem hiding this comment.
This has ramifications elsewhere.
| return nil | ||
| } | ||
|
|
||
| func (ps *NamespaceStore) invalidate(ctx context.Context, path string) error { |
There was a problem hiding this comment.
| func (ps *NamespaceStore) invalidate(ctx context.Context, path string) error { | |
| func (ns *NamespaceStore) invalidate(ctx context.Context, path string) error { |
How about ns rather than ps for NamespaceStore?
| if err != nil { | ||
| return nil, fmt.Errorf("could not parse namespace from http context: %w", err) | ||
| } | ||
| //ns, err := namespace.FromContext(ctx) |
There was a problem hiding this comment.
Not quite sure I understand this? Don't we want to be grabbing the namespace?
| } | ||
|
|
||
| // PatchNamespace is used to update the given namespace | ||
| func (ps *NamespaceStore) PatchNamespace(ctx context.Context, path string, meta map[string]string) error { |
There was a problem hiding this comment.
PatchNamespace should be supported to update custom_metadata, see https://github.com/openbao/openbao/blob/main/website/content/api-docs/system/namespaces.mdx#patch-namespace
This is the first step toward the full namespace feature in Openbao, described in RFC - Add Namespace Support to OpenBao #787
Changes:
To run the tests:
$ ./bin/bao server -config=./command/ns_openbao/file.hcl
go to another terminal and run
$ cd command/ns_openbao/file/
$ go test ./...