mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 12:37:00 +01:00
Code Issues Actions 16 Packages Projects Releases Wiki Activity

Update design for KRC (#2713)

Browse source
This commit is contained in:
Firstyear 2024-05-15 11:05:11 +10:00 committed by GitHub
parent d01990b262
commit 03f9943d41
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 334 additions and 289 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

266
Cargo.lock generated
View file

@ -80,47 +80,48 @@ checksum = "4b46cbb362ab8752921c97e041f5e366ee6297bd428a31275b9fcf1e380f7299"
[[package]]
name = "anstream"
version = "0.6.13"
version = "0.6.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d96bd03f33fe50a863e394ee9718a706f988b9079b20c3784fb726e7678b62fb"
checksum = "418c75fa768af9c03be99d17643f93f79bbba589895012a80e3452a19ddda15b"
dependencies = [
"anstyle",
"anstyle-parse",
"anstyle-query",
"anstyle-wincon",
"colorchoice",
"is_terminal_polyfill",
"utf8parse",
]
[[package]]
name = "anstyle"
version = "1.0.6"
version = "1.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8901269c6307e8d93993578286ac0edf7f195079ffff5ebdeea6a59ffb7e36bc"
checksum = "038dfcf04a5feb68e9c60b21c9625a54c2c0616e79b72b0fd87075a056ae1d1b"
[[package]]
name = "anstyle-parse"
version = "0.2.3"
version = "0.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c75ac65da39e5fe5ab759307499ddad880d724eed2f6ce5b5e8a26f4f387928c"
checksum = "c03a11a9034d92058ceb6ee011ce58af4a9bf61491aa7e1e59ecd24bd40d22d4"
dependencies = [
"utf8parse",
]
[[package]]
name = "anstyle-query"
version = "1.0.2"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e28923312444cdd728e4738b3f9c9cac739500909bb3d3c94b43551b16517648"
checksum = "a64c907d4e79225ac72e2a354c9ce84d50ebb4586dee56c82b3ee73004f537f5"
dependencies = [
"windows-sys 0.52.0",
]
[[package]]
name = "anstyle-wincon"
version = "3.0.2"
version = "3.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1cd54b81ec8d6180e24654d0b371ad22fc3dd083b6ff8ba325b72e00c87660a7"
checksum = "61a38449feb7068f52bb06c12759005cf459ee52bb4adc1d5a7c4322d716fb19"
dependencies = [
"anstyle",
"windows-sys 0.52.0",
@ -128,9 +129,9 @@ dependencies = [
[[package]]
name = "anyhow"
version = "1.0.82"
version = "1.0.83"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f538837af36e6f6a9be0faa67f9a314f8119e4e4b5867c6ab40ed60360142519"
checksum = "25bdb32cbbdce2b519a9cd7df3a678443100e265d5e25ca763b7572a5104f5f3"
[[package]]
name = "anymap2"
@ -212,9 +213,9 @@ dependencies = [
[[package]]
name = "async-compression"
version = "0.4.9"
version = "0.4.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4e9eabd7a98fe442131a17c316bd9349c43695e49e730c3c8e12cfb5f4da2693"
checksum = "9c90a406b4495d129f00461241616194cb8a032c8d1c53c657f0961d5f8e0498"
dependencies = [
"flate2",
"futures-core",
@ -231,7 +232,7 @@ checksum = "3b43422f69d8ff38f95f1b2bb76517c91589a924d1559a0e935d7c8ce0274c11"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -253,7 +254,7 @@ checksum = "16e62a023e7c117e27523144c5d2459f4397fcc3cab0085af8e2224f643a0193"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -264,7 +265,7 @@ checksum = "c6fa2087f2753a7da8cc1c0dbfcf89579dd57458e36769de5ac750b4671737ca"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -297,9 +298,9 @@ dependencies = [
[[package]]
name = "autocfg"
version = "1.2.0"
version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f1fdabc7756949593fe60f30ec81974b613357de856987752631dea1e3394c80"
checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0"
[[package]]
name = "axum"
@ -388,7 +389,7 @@ dependencies = [
"heck 0.4.1",
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -472,7 +473,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1a56894edf5cd1efa7068d7454adeb7ce0b3da4ffa5ab08cfc06165bbc62f0c7"
dependencies = [
"base64 0.21.7",
"paste 1.0.14",
"paste 1.0.15",
"serde",
]
@ -498,13 +499,13 @@ dependencies = [
"lazycell",
"log",
"peeking_take_while",
"prettyplease 0.2.19",
"prettyplease 0.2.20",
"proc-macro2",
"quote",
"regex",
"rustc-hash",
"shlex",
"syn 2.0.60",
"syn 2.0.63",
"which",
]
@ -521,13 +522,13 @@ dependencies = [
"lazy_static",
"lazycell",
"log",
"prettyplease 0.2.19",
"prettyplease 0.2.20",
"proc-macro2",
"quote",
"regex",
"rustc-hash",
"shlex",
"syn 2.0.60",
"syn 2.0.63",
"which",
]
@ -622,9 +623,9 @@ checksum = "5ce89b21cab1437276d2650d57e971f9d548a2d9037cc231abdc0562b97498ce"
[[package]]
name = "bytemuck"
version = "1.15.0"
version = "1.16.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5d6d68c57235a3a081186990eca2867354726650f42f7516ca50c28d6281fd15"
checksum = "78834c15cb5d5efe3452d58b1e8ba890dd62d21907f867f383358198e56ebca5"
[[package]]
name = "byteorder"
@ -646,9 +647,9 @@ checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
[[package]]
name = "cc"
version = "1.0.96"
version = "1.0.97"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "065a29261d53ba54260972629f9ca6bffa69bac13cd1fed61420f7fa68b9f8bd"
checksum = "099a5357d84c4c61eb35fc8eafa9a79a902c2f76911e5747ced4e032edd8d9b4"
[[package]]
name = "cexpr"
@ -770,7 +771,7 @@ dependencies = [
"heck 0.5.0",
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -781,9 +782,9 @@ checksum = "98cc8fbded0c607b7ba9dd60cd98df59af97e84d24e49c8557331cfc26d301ce"
[[package]]
name = "clru"
version = "0.6.1"
version = "0.6.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b8191fa7302e03607ff0e237d4246cc043ff5b3cb9409d995172ba3bea16b807"
checksum = "cbd0f76e066e64fdc5631e3bb46381254deab9ef1158292f27c8c57e3bf3fe59"
[[package]]
name = "color_quant"
@ -793,9 +794,9 @@ checksum = "3d7b894f5411737b7867f4827955924d7c254fc9f4d91a6aad6b097804b1018b"
[[package]]
name = "colorchoice"
version = "1.0.0"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7"
checksum = "0b6a852b24ab71dffc585bcb46eaf7959d175cb865a7152e35b348d1b2960422"
[[package]]
name = "compact_jwt"
@ -1161,7 +1162,7 @@ dependencies = [
"proc-macro2",
"quote",
"strsim 0.10.0",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -1183,7 +1184,7 @@ checksum = "a668eda54683121533a393014d8692171709ff57a7d61f187b6e782719f8933f"
dependencies = [
"darling_core 0.20.8",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -1335,7 +1336,7 @@ checksum = "487585f4d0c6655fe74905e2504d8ad6908e4db67f744eb140876906c2f3175d"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -1388,13 +1389,13 @@ dependencies = [
[[package]]
name = "enum-iterator-derive"
version = "1.3.1"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c19cbb53d33b57ac4df1f0af6b92c38c107cded663c4aea9fae1189dcfc17cf5"
checksum = "a1ab991c1362ac86c61ab6f556cff143daa22e5a15e4e189df818b2fd19fe65b"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -1414,7 +1415,7 @@ checksum = "5c785274071b1b420972453b306eeca06acf4633829db4223b58a2a8c5953bc4"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -1425,9 +1426,9 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5"
[[package]]
name = "errno"
version = "0.3.8"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a258e46cdc063eb8519c00b9fc845fc47bcfca4130e2f08e88665ceda8474245"
checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba"
dependencies = [
"libc",
"windows-sys 0.52.0",
@ -1689,7 +1690,7 @@ checksum = "87750cf4b7a4c0625b1529e4c543c2182106e4dedc60a2a6455e00d212c489ac"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -1744,9 +1745,9 @@ dependencies = [
[[package]]
name = "getrandom"
version = "0.2.14"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94b22e06ecb0110981051723910cbf0b5f5e09a2062dd7663334ee79a9d1286c"
checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
dependencies = [
"cfg-if",
"js-sys",
@ -2000,7 +2001,7 @@ checksum = "1dff438f14e67e7713ab9332f5fd18c8f20eb7eb249494f6c2bf170522224032"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -2820,6 +2821,12 @@ dependencies = [
"windows-sys 0.52.0",
]
[[package]]
name = "is_terminal_polyfill"
version = "1.70.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f8478577c03552c21db0e2724ffb8986a5ce7af88107e6be5d2ee6e158c12800"
[[package]]
name = "iso8601"
version = "0.6.1"
@ -3253,7 +3260,7 @@ version = "1.3.0-dev"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -3788,7 +3795,7 @@ dependencies = [
"lazy_static",
"libc",
"libnss",
"paste 1.0.14",
"paste 1.0.15",
]
[[package]]
@ -3803,25 +3810,24 @@ dependencies = [
[[package]]
name = "num"
version = "0.4.2"
version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3135b08af27d103b0a51f2ae0f8632117b7b185ccf931445affa8df530576a41"
checksum = "35bd024e8b2ff75562e5f34e7f4905839deb4b22955ef5e73d2fea1b9813cb23"
dependencies = [
"num-bigint",
"num-complex",
"num-integer",
"num-iter",
"num-rational 0.4.1",
"num-rational 0.4.2",
"num-traits",
]
[[package]]
name = "num-bigint"
version = "0.4.4"
version = "0.4.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0"
checksum = "c165a9ab64cf766f73521c0dd2cfdff64f488b8f0b3e621face3462d3db536d7"
dependencies = [
"autocfg",
"num-integer",
"num-traits",
]
@ -3834,9 +3840,9 @@ checksum = "63335b2e2c34fae2fb0aa2cecfd9f0832a1e24b3b32ecec612c3426d46dc8aaa"
[[package]]
name = "num-complex"
version = "0.4.5"
version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "23c6602fda94a57c990fe0df199a035d83576b496aa29f4e634a8ac6004e68a6"
checksum = "73f88a1307638156682bada9d7604135552957b7818057dcef22705b4d509495"
dependencies = [
"num-traits",
]
@ -3869,9 +3875,9 @@ dependencies = [
[[package]]
name = "num-iter"
version = "0.1.44"
version = "0.1.45"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d869c01cc0c455284163fd0092f1f93835385ccab5a98a0dcc497b2f8bf055a9"
checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf"
dependencies = [
"autocfg",
"num-integer",
@ -3891,11 +3897,10 @@ dependencies = [
[[package]]
name = "num-rational"
version = "0.4.1"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0638a1c9d0a3c0914158145bc76cff373a75a627e6ecbfb71cbe6f453a5a19b0"
checksum = "f83d14da390562dca69fc84082e73e548e1ad308d24accdedd2720017cb37824"
dependencies = [
"autocfg",
"num-bigint",
"num-integer",
"num-traits",
@ -3903,9 +3908,9 @@ dependencies = [
[[package]]
name = "num-traits"
version = "0.2.18"
version = "0.2.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da0df0e5185db44f69b44f26786fe401b6c293d1907744beaa7fa62b2e5a517a"
checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
dependencies = [
"autocfg",
]
@ -4031,7 +4036,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -4284,9 +4289,9 @@ dependencies = [
[[package]]
name = "paste"
version = "1.0.14"
version = "1.0.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "de3145af08024dea9fa9914f381a17b8fc6034dfb00f3a84013f7ff43f29ed4c"
checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
[[package]]
name = "paste-impl"
@ -4338,9 +4343,9 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
[[package]]
name = "petgraph"
version = "0.6.4"
version = "0.6.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e1d3afd2628e69da2be385eb6f2fd57c8ac7977ceeff6dc166ff1657b0e386a9"
checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
dependencies = [
"fixedbitset",
"indexmap 2.2.6",
@ -4400,7 +4405,7 @@ checksum = "2f38a4412a78282e09a2cf38d195ea5420d15ba0602cb375210efbc877243965"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -4521,12 +4526,12 @@ dependencies = [
[[package]]
name = "prettyplease"
version = "0.2.19"
version = "0.2.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5ac2cf0f2e4f42b49f5ffd07dae8d746508ef7526c13940e5f524012ae6c6550"
checksum = "5f12335488a2f3b0a83b14edad48dca9879ce89b2edd10e80237e4e852dd645e"
dependencies = [
"proc-macro2",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -4571,9 +4576,9 @@ checksum = "dc375e1527247fe1a97d8b7156678dfe7c1af2fc075c9a4db3690ecd2a148068"
[[package]]
name = "proc-macro2"
version = "1.0.81"
version = "1.0.82"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3d1597b0c024618f09a9c3b8655b7e430397a36d23fdafec26d6965e9eec3eba"
checksum = "8ad3d49ab951a01fbaafe34f2ec74122942fe18a3f9814c3268f1bb72042131b"
dependencies = [
"unicode-ident",
]
@ -4916,9 +4921,9 @@ dependencies = [
[[package]]
name = "rust-embed"
version = "8.3.0"
version = "8.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fb78f46d0066053d16d4ca7b898e9343bc3530f71c61d5ad84cd404ada068745"
checksum = "19549741604902eb99a7ed0ee177a0663ee1eda51a29f71401f166e47e77806a"
dependencies = [
"rust-embed-impl",
"rust-embed-utils",
@ -4927,23 +4932,23 @@ dependencies = [
[[package]]
name = "rust-embed-impl"
version = "8.3.0"
version = "8.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b91ac2a3c6c0520a3fb3dd89321177c3c692937c4eb21893378219da10c44fc8"
checksum = "cb9f96e283ec64401f30d3df8ee2aaeb2561f34c824381efa24a35f79bf40ee4"
dependencies = [
"proc-macro2",
"quote",
"rust-embed-utils",
"shellexpand 3.1.0",
"syn 2.0.60",
"syn 2.0.63",
"walkdir",
]
[[package]]
name = "rust-embed-utils"
version = "8.3.0"
version = "8.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "86f69089032567ffff4eada41c573fc43ff466c7db7c5688b2e7969584345581"
checksum = "38c74a686185620830701348de757fd36bef4aa9680fd23c49fc539ddcc1af32"
dependencies = [
"sha2",
"walkdir",
@ -4951,9 +4956,9 @@ dependencies = [
[[package]]
name = "rustc-demangle"
version = "0.1.23"
version = "0.1.24"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76"
checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f"
[[package]]
name = "rustc-hash"
@ -4994,15 +4999,15 @@ dependencies = [
[[package]]
name = "rustversion"
version = "1.0.15"
version = "1.0.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "80af6f9131f277a45a3fba6ce8e2258037bb0477a67e610d3c1fe046ab31de47"
checksum = "092474d1a01ea8278f69e6a358998405fae5b8b963ddaeb2b0b04a128bf1dfb0"
[[package]]
name = "ryu"
version = "1.0.17"
version = "1.0.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e86697c916019a8588c99b5fac3cead74ec0b4b819707a682fd4d23fa0ce1ba1"
checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"
[[package]]
name = "same-file"
@ -5059,11 +5064,11 @@ checksum = "621e3680f3e07db4c9c2c3fb07c6223ab2fab2e54bd3c04c3ae037990f428c32"
[[package]]
name = "security-framework"
version = "2.10.0"
version = "2.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "770452e37cad93e0a50d5abc3990d2bc351c36d0328f86cefec2f2fb206eaef6"
checksum = "c627723fd09706bacdb5cf41499e95098555af3c3c29d014dc3c458ef6be11c0"
dependencies = [
"bitflags 1.3.2",
"bitflags 2.5.0",
"core-foundation",
"core-foundation-sys",
"libc",
@ -5072,9 +5077,9 @@ dependencies = [
[[package]]
name = "security-framework-sys"
version = "2.10.0"
version = "2.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "41f3cc463c0ef97e11c3461a9d3787412d30e8e7eb907c79180c4a57bf7c04ef"
checksum = "317936bbbd05227752583946b9e66d7ce3b489f84e11a94a510b4437fef407d7"
dependencies = [
"core-foundation-sys",
"libc",
@ -5108,15 +5113,15 @@ dependencies = [
[[package]]
name = "semver"
version = "1.0.22"
version = "1.0.23"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "92d43fe69e652f3df9bdc2b85b2854a0825b86e4fb76bc44d945137d053639ca"
checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b"
[[package]]
name = "serde"
version = "1.0.199"
version = "1.0.201"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0c9f6e76df036c77cd94996771fb40db98187f096dd0b9af39c6c6e452ba966a"
checksum = "780f1cebed1629e4753a1a38a3c72d30b97ec044f0aef68cb26650a3c5cf363c"
dependencies = [
"serde_derive",
]
@ -5174,20 +5179,20 @@ dependencies = [
[[package]]
name = "serde_derive"
version = "1.0.199"
version = "1.0.201"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "11bd257a6541e141e42ca6d24ae26f7714887b47e89aa739099104c7e4d3b7fc"
checksum = "c5e405930b9796f1c00bee880d03fc7e0bb4b9a11afc776885ffe84320da2865"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
name = "serde_json"
version = "1.0.116"
version = "1.0.117"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3e17db7126d17feb94eb3fad46bf1a96b034e8aacbc2e775fe81505f8b0b2813"
checksum = "455182ea6142b14f93f4bc5320a2b31c1f266b66a4a5c858b013302a5d8cbfc3"
dependencies = [
"itoa",
"ryu",
@ -5243,7 +5248,7 @@ dependencies = [
"darling 0.20.8",
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -5474,9 +5479,9 @@ dependencies = [
[[package]]
name = "syn"
version = "2.0.60"
version = "2.0.63"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "909518bc7b1c9b779f1bbf07f2929d35af9f0f37e47c6e9ef7f9dddc1e1821f3"
checksum = "bf5be731623ca1a1fb7d8be6f261a3be6d3e2337b8a1f97be944d020c8fcb704"
dependencies = [
"proc-macro2",
"quote",
@ -5552,27 +5557,27 @@ version = "0.1.0"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
name = "thiserror"
version = "1.0.59"
version = "1.0.60"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f0126ad08bff79f29fc3ae6a55cc72352056dfff61e3ff8bb7129476d44b23aa"
checksum = "579e9083ca58dd9dcf91a9923bb9054071b9ebbd800b342194c9feb0ee89fc18"
dependencies = [
"thiserror-impl",
]
[[package]]
name = "thiserror-impl"
version = "1.0.59"
version = "1.0.60"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d1cd413b5d558b4c5bf3680e324a6fa5014e7b7c067a51e69dbdf47eb7148b66"
checksum = "e2470041c06ec3ac1ab38d0356a6119054dedaea53e12fbefc0de730a1c08524"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -5699,7 +5704,7 @@ checksum = "5b8a1e28f2deaa14e508979454cb3a223b10b938b45af148bc0986de36f1923b"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -5738,16 +5743,15 @@ dependencies = [
[[package]]
name = "tokio-util"
version = "0.7.10"
version = "0.7.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5419f34732d9eb6ee4c3578b7989078579b7f039cbbb9ca2c4da015749371e15"
checksum = "9cf6b47b3771c49ac75ad09a6162f53ad4b8088b76ac60e8ec1455b31a189fe1"
dependencies = [
"bytes",
"futures-core",
"futures-sink",
"pin-project-lite",
"tokio",
"tracing",
]
[[package]]
@ -5884,7 +5888,7 @@ checksum = "34704c8d6ebcbc939824180af020566b01a7c01f80641264eba0999f6c2b6be7"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -6002,7 +6006,7 @@ dependencies = [
"num-derive",
"num-traits",
"oid",
"paste 1.0.14",
"paste 1.0.15",
"picky-asn1",
"picky-asn1-x509",
"regex",
@ -6109,9 +6113,9 @@ checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a"
[[package]]
name = "utoipa"
version = "4.2.0"
version = "4.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "272ebdfbc99111033031d2f10e018836056e4d2c8e2acda76450ec7974269fa7"
checksum = "c5afb1a60e207dca502682537fefcfd9921e71d0b83e9576060f09abc6efab23"
dependencies = [
"indexmap 2.2.6",
"serde",
@ -6121,15 +6125,15 @@ dependencies = [
[[package]]
name = "utoipa-gen"
version = "4.2.0"
version = "4.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d3c9f4d08338c1bfa70dde39412a040a884c6f318b3d09aaaf3437a1e52027fc"
checksum = "7bf0e16c02bc4bf5322ab65f10ab1149bdbcaa782cba66dc7057370a3f8190be"
dependencies = [
"proc-macro-error",
"proc-macro2",
"quote",
"regex",
"syn 2.0.60",
"syn 2.0.63",
"url",
"uuid",
]
@ -6241,7 +6245,7 @@ dependencies = [
"once_cell",
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
"wasm-bindgen-shared",
]
@ -6275,7 +6279,7 @@ checksum = "e94f17b526d0a461a191c78ea52bbce64071ed5c04c9ffe424dcb38f74171bb7"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
"wasm-bindgen-backend",
"wasm-bindgen-shared",
]
@ -6308,7 +6312,7 @@ checksum = "b7f89739351a2e03cb94beb799d47fb2cac01759b40ec441f7de39b00cbf7ef0"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -6833,22 +6837,22 @@ dependencies = [
[[package]]
name = "zerocopy"
version = "0.7.32"
version = "0.7.34"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "74d4d3961e53fa4c9a25a8637fc2bfaf2595b3d3ae34875568a5cf64787716be"
checksum = "ae87e3fcd617500e5d106f0380cf7b77f3c6092aae37191433159dda23cfb087"
dependencies = [
"zerocopy-derive",
]
[[package]]
name = "zerocopy-derive"
version = "0.7.32"
version = "0.7.34"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9ce1b18ccd8e73a9321186f97e46f9f04b778851177567b1975109d26a08d2a6"
checksum = "15e934569e47891f7d9411f1a451d947a60e000ab3bd24fbb970f000387d1b3b"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]
@ -6868,7 +6872,7 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.60",
"syn 2.0.63",
]
[[package]]

355
book/src/developers/designs/replication_coordinator.md
View file

@ -49,31 +49,6 @@ configures the state of replication across the topology.
└────────────────┘ └────────────────┘
```
The KRC issues configuration tokens. These are JWT's that are signed by the KRC.
A configuration token is _not_ unique to a node. It can be copied between many nodes. This allows
stateless deployments where nodes can be spun up and provided their replication config.
The node is provided with the KRC TLS CA, and a configuration token.
The node when configured contacts the KRC with its configuration token as bearer authentication. The
KRC uses this to determine and issue a replication configuration. Because the configuration token is
signed by the KRC, a fraudulent configuration token can _not_ be used by an attacker to fraudulently
subscribe a kanidm node. Because the KRC is contacted over TLS this gives the node strong assurances
of the legitimacy of the KRC due to TLS certificate validation and pinning.
The KRC must be able to revoke replication configuration tokens in case of a token disclosure.
The node sends its KRC token, server UUID, and server repl public key to the KRC.
The configuration token defines the replication group identifier of that node. The KRC uses the
configuration token _and_ the servers UUID to assign replication metadata to the node. The KRC
issues a replication configuration to the node.
The replication configuration defines the nodes that the server should connect to, as well as
providing the public keys that are required for that node to perform replication. These are
elaborated on in node configuration.
## Kanidm Node Configuration
There are some limited cases where an administrator may wish to _manually_ define replication
@ -98,7 +73,8 @@ All replicas require:
### Pull mode
This is the standard and preferred mode. The map contains for each node to pull from.
This is the standard mode. The map contains for each node to pull replication data from. This
logically maps to the implementation of the underlying replication mechanism.
- the url of the node's replication endpoint.
- The self-signed node certificate to be pinned for the connection.
@ -106,11 +82,7 @@ This is the standard and preferred mode. The map contains for each node to pull
### Push mode
This mode is only available in manual configurations, and should only be used as a last resort.
- The url of the nodes replication endpoint.
- The self-signed node certificate to be pinned for the connection.
- If a refresh required message would be sent, if the node should be force-refreshed next cycle.
This mode is unlikely to be developed as it does not match the way that replication works.
## Worked examples
@ -118,175 +90,246 @@ This mode is only available in manual configurations, and should only be used as
There are two nodes, A and B.
The administrator configures the kanidm server with replication urls
The administrator configures both kanidm servers with replication urls.
```
# Server A
[replication]
node_url = https://private.name.of.node
origin = "repl://kanidmd_a:8444"
bindaddress = "[::]:8444"
```
```
# Server B
[replication]
origin = "repl://kanidmd_b:8444"
bindaddress = "[::]:8444"
```
The administrator extracts their replication certificates with the kanidmd binary admin features.
This will reflect the `node_url` in the certificate.
```
kanidmd replication get-certificate
```
For each node, a replication configuration is created in json. For A pulling from B.
For each node, a replication configuration is created in json.
For A pulling from B.
```
[
{ "pull":
{
url: "https://node-b.private-name",
publiccert: "pem certificate from B",
automatic_refresh: false
}
},
{ "allow-pull":
{
clientcert: "pem certificate from B"
}
}
]
[replication."repl://kanidmd_b:8444"]
type = "mutual-pull"
partner_cert = "M..."
automatic_refresh = false
```
For B pulling from A.
```
[
{ "pull":
{
url: "https://node-a.private-name",
publiccert: "pem certificate from A",
automatic_refresh: false
}
},
{ "allow-pull":
{
clientcert: "pem certificate from A"
}
}
]
[replication."repl://kanidmd_a:8444"]
type = "mutual-pull"
partner_cert = "M..."
automatic_refresh = true
```
Notice that automatic refresh only goes from A -> B and not the other way around. This allows one
server to be "authoritative".
TODO: The node configuration will also need to list nodes that can do certain tasks. An example of
these tasks is that to prevent "update storms" a limited set of nodes should be responsible for
recycling and tombstoning of entries. These should be defined as tasks in the replication
configuration, so that the KRC can later issue out which nodes are responsible for those processes.
These are analogous to the AD FSMO roles, but I think we need a different name for them. Single Node
Origin Task? Single Node Operation Runner? Yes I'm trying to make silly acronyms.
### KRC Configuration
> Still not fully sure about the KRC config yet. More thinking needed!
The KRC is configured with its URL and certificates.
```toml
[krc_config]
origin = https://krc.example.com
tls_chain = /path/to/tls/chain
tls_key = /path/to/tls/key
```
The KRC is also configured with replication groups.
The KRC is enabled as a replication parameter. This informs the node that it must not contact other
nodes for its replication topology, and it prepares the node for serving that replication metadata.
This is analgous to a single node operation configuration.
```
[origin_nodes]
# This group never auto refreshes - they are authoritative.
mesh = full
[replication]
origin = "repl://kanidmd_a:8444"
bindaddress = "[::]:8444"
[replicas_syd]
# Every node has two links inside of this group.
mesh = 2
# at least 2 nodes in this group link externally.
linkcount = 2
linkto = [ "origin_nodes" ]
krc_enable = true
[replicas_bne]
# Every node has one link inside of this group.
mesh = 1
# at least 1 node in this group link externally.
linkcount = 1
linkto = [ "origin_nodes" ]
# krc_url -- unset
# krc_ca_dir -- unset
```
This would yield the following arrangement.
All other nodes will have a configuration of:
```
┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
origin_nodes │
┌────────┐ ┌────────┐ │
│ │ │ │ │
│ O1 │◀───────▶│ O2 │ │
│ │ │ │ │
└────────┘◀───┬───▶└────────┘ │
│ ▲ │ ▲
│ │ │ │
│ │ │ │
▼ │ ▼ │
│ ┌────────┐◀───┴───▶┌────────┐
│ │ │ │ │
│ │ O3 │◀───────▶│ O4 │◀─────────────────────────────┐
│ │ │ │ │ │
│ └────────┘ └────────┘ │
▲ ▲ │ │
└ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─ ─ ┼ ─ ─ ─ ─ │
│ │ │
│ │ │
│ │ │
┌──┘ │ │
│ │ │
│ │ │
┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┼ ─ ─ ─ ─ │ ┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┼ ─ ─ ─ ─
replicas_bne │ │ │ replicas_syd │ │
│ │ │ │ │
┌────────┐ ┌────────┐ │ │ ┌────────┐ ┌────────┐ │
│ │ │ │ │ │ │ │ │ │ │
│ B1 │◀───────▶│ B2 │ │ └──────────│ S1 │◀───────▶│ S2 │ │
│ │ │ │ │ │ │ │ │ │
└────────┘ └────────┘ │ └────────┘ └────────┘ │
│ ▲ │ ▲ ▲
│ │ │ │ │
│ │ │ │ │
▼ │ ▼ ▼ │
│ ┌────────┐ ┌────────┐ │ ┌────────┐ ┌────────┐
│ │ │ │ │ │ │ │ │ │
│ │ B3 │◀───────▶│ B4 │ │ │ S3 │◀───────▶│ S4 │
│ │ │ │ │ │ │ │ │ │
│ └────────┘ └────────┘ │ └────────┘ └────────┘
│ │
└ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ └ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
[replication]
origin = "repl://kanidmd_b:8444"
bindaddress = "[::]:8444"
# krc_enable -- unset / false
# krc_url = https://private.name.of.krc.node
krc_url = https://kanidmd_a
# must contain ca that signs kanidmd_a's tls_chain.
krc_ca_dir = /path/to/ca_dir
```
!!! TBD - How to remove / decomission nodes?
The domain will automatically add a `Default Site`. The KRC implies its own membership to "Default
Site" and it will internally add itself to the `Default Site`.
I think origin nodes are persistent and must be manually defined. Will this require configuration of
their server uuid in the config?
The KRC can then issue Tokens that define which Site a new replica should join. Initially we will
only allow `Default Site` (and will disallow creation of other sites).
Auto-node groups need to check in with periodic elements, and missed checkins.
The new replica will load its KRC token from the environment variable `KANIDMD_KRC_TOKEN_PATH`. This
value will contain a file path where the JWT is stored. This is compatible with systemd credentials
and docker secrets. By default the value if unset will be defined by a profile default
(`/etc/kanidm/krc.token` or `/data/krc.token`).
Checkins need to send ruv? This will allow the KRC to detect nodes that are stale.
A new replica can then contact the `krc_url` validating the presented TLS chain with the roots from
`krc_ca_dir` to assert the legitimacy of the KRC. Only once these are asserted, then the KRC token
can be sent to the instance as a `Bearer` token. The new replica will also provide its mTLS
certificate and its server UUID.
If a node misses checkins after a certain period they should be removed from the KRC knowledge?
Once validated, the KRC will create or update the server's replica entry. The replica entry in the
database will contain the active mTLS cert of the replica and a reference to the replication site
that the token referenced.
R/O nodes could removed after x days of failed checkins, without much consequence.
This will additionally add the "time first seen" to the server entry.
R/W nodes on the other hand it's a bit trickier to know if they should be automatically removed.
From this, for each server in the replication site associated to the token, the KRC will provide a
replication config map to the new replica providing all URL's and mTLS certs.
Or is delete of nodes a manual cleanup / triggers clean-ruv?
Anytime the replica checks in, if the KRC replication map has changed a new one will be provided, or
the response will be `None` for no changes.
Should replication maps have "priorities" to make it a tree so that if nodes are offline then it can
auto-re-route? Should they have multiple paths? Want to avoid excess links/loops/disconnections of
nodes.
To determine no changes we use a "generation". This is where any change to a replication site or
server entries will increment the generation counter. This allows us to detect when a client
requires a new configuration or not.
I think some more thought is needed here. Possibly a node state machine.
If a server's entry in the database is marked to be `Revoked` then it will remain in the database,
but be inelligible for replication participation. This is to allow for forced removal of a
potentially compromised node.
I think for R/O nodes, we need to define how R/W will pass through. I can see a possibility like
The KRC will periodically examine its RUV. For any server entry whose UUID is not contained in the
RUV, and whose "time first seen + trime window" is less than now, then the server entry will be
REMOVED for inactivity since it has now been trimmed from the RUV.
### Moving the Replication Coordinator Role
Since the coordinator is part of a kanidmd server, there must be a process to move the KRC to
another node.
Imagine the following example. Here, Node A is acting as the KRC.
```
┌─────────────────┐ ┌─────────────────┐
│ │ │ │
│ │ │ │
│ Node A │◀───────────────│ Node B │
│ │ │ │
│ │ │ │
└─────────────────┘ └─────────────────┘
▲ ▲
│ │
│ │
│ └────────────────────────────┐
│ │
│ │
│ │
┌─────────────────┐ ┌─────────────────┐
│ │ │ │
│ │ │ │
│ Node C │ │ Node D │
│ │ │ │
│ │ │ │
└─────────────────┘ └─────────────────┘
```
This would allow Node A to be aware of B, C, D and then create a full mesh.
We wish to decommision Node A and promote Node B to become the new KRC. Imagine at this point we cut
over Node D to point its KRC at Node B.
```
┌─────────────────┐ ┌─────────────────┐
│ │ │ │
│ │ │ │
│ Node A │ │ Node B │
│ │ │ │
│ │ │ │
└─────────────────┘ └─────────────────┘
▲ ▲
│ │
│ │
│ │
│ │
│ │
│ │
┌─────────────────┐ ┌─────────────────┐
│ │ │ │
│ │ │ │
│ Node C │ │ Node D │
│ │ │ │
│ │ │ │
└─────────────────┘ └─────────────────┘
```
Since we still have the Server Entry records in the Default Site on both Node A and Node B, then all
nodes will continue to participate in full mesh, and will update certificates as required.
Since all servers would still be updating their RUV's and by proxy, updating RUV's to their partners
then no nodes will be trimmed from the topology.
This allows a time window where servers can be moved from Node A to Node B.
### Gruesome Details
Server Start Up Process
```
Token is read from a file defined in the env.
works with systemd + docker secrets
Token is JWT with HS256. (OR JWE + AES-GCM)
Read the token
- if token domain_uuid != our domain_uuid -> set status to "waiting"
- empty replication config map
- if token domain_uuid == domain_uuid -> status to "ok"
- use cached replication config map
No TOKEN -> Implies KRC role.
- Set status to "ok", we are the domain_uuid source.
```
Client Process
```
connect to KRC
- provide token for site binding
- submit my server_uuid
- submit my public cert with the request
- submit current domain_uuid + generation if possible
- reply from KRC -> repl config map.
- config_map contains issuing KRC server uuid.
- if config_map generation > current config_map
- reload config.
- if config_map == None
- current map remains valid.
```
KRC Process
```
- Validate Token
- is server_uuid present as a server entry?
- if no: add it with site association
- if yes: verify site associated to token
- is server_uuid certificate the same as before?
- if no: replace it.
- compare domain_uuid + generation
- if different supply config
- else None (no change)
```
### FUTURE: Possible Read Only nodes
For R/O nodes, we need to define how R/W will pass through. I can see a possibility like
```
No direct line

2
server/core/src/repl/mod.rs
View file

@ -661,8 +661,6 @@ async fn repl_acceptor(
// Get the private key / cert.
let res = {
// Does this actually need to be a read in case we need to write
// to sqlite?
let ct = duration_from_epoch_now();
let mut idms_prox_write = idms.proxy_write(ct).await;
idms_prox_write