From d4265f9a138bafe79b2a28c3b66fed6062287877 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Wed, 21 Nov 2018 19:01:05 -0800
Subject: [PATCH] Simplify OPA to use rootCAs custom transport (#6843)
Also close the connections properly to use the connection pooling properly for HTTP clients.
---
 cmd/config-current.go | 6 +++--
 pkg/iam/policy/opa.go | 58 ++++++++-----------------------------------
 2 files changed, 15 insertions(+), 49 deletions(-)
diff --git a/cmd/config-current.go b/cmd/config-current.go
index bfa1b5514..a99b4e837 100644
--- a/cmd/config-current.go
+++ b/cmd/config-current.go
@@ -556,8 +556,10 @@ func (s *serverConfig) loadToCachedConfigs() {
 if globalPolicyOPA == nil {
 if s.Policy.OPA.URL != nil && s.Policy.OPA.URL.String() != "" {
 globalPolicyOPA = iampolicy.NewOpa(iampolicy.OpaArgs{
- URL: s.Policy.OPA.URL,
- AuthToken: s.Policy.OPA.AuthToken,
+ URL: s.Policy.OPA.URL,
+ AuthToken: s.Policy.OPA.AuthToken,
+ Transport: NewCustomHTTPTransport(),
+ CloseRespFn: CloseResponse,
 })
 }
 }
diff --git a/pkg/iam/policy/opa.go b/pkg/iam/policy/opa.go
index 61193284a..b9640e5fc 100644
--- a/pkg/iam/policy/opa.go
+++ b/pkg/iam/policy/opa.go
@@ -18,20 +18,20 @@ package iampolicy
 import (
 "bytes"
- "crypto/tls"
 "encoding/json"
- "net"
+ "io"
 "net/http"
 "os"
- "time"
 xnet "github.com/minio/minio/pkg/net"
 )
 // OpaArgs opa general purpose policy engine configuration.
 type OpaArgs struct {
- URL *xnet.URL `json:"url"`
- AuthToken string `json:"authToken"`
+ URL *xnet.URL `json:"url"`
+ AuthToken string `json:"authToken"`
+ Transport http.RoundTripper `json:"-"`
+ CloseRespFn func(r io.ReadCloser) `json:"-"`
 }
 // Validate - validate opa configuration params.
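Review bot: The call site in loadToCachedConfigs now hands OPA a single `NewCustomHTTPTransport()` and, together with the opa.go hunks, drops the old retry-on-insecure path, so a certificate that the transport does not trust makes every IsAllowed call fail closed (return false) instead of silently downgrading to InsecureSkipVerify. That is the safer behaviour, but nothing at this call site records it; a short comment above the `NewOpa` call would help the next reader, e.g. `// OPA is reached over the server's verified transport; there is no insecure fallback, so an untrusted cert denies all requests.` Whether NewCustomHTTPTransport pins the configured root CAs is inferred from the commit title only, as its body is not in this diff. loadToCachedConfigs starts and ends outside the hunk.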
@@ -74,31 +74,8 @@ func (a *OpaArgs) UnmarshalJSON(data []byte) error {
 // Opa - implements opa policy agent calls.
 type Opa struct {
- args OpaArgs
- secureFailed bool
- client *http.Client
- insecureClient *http.Client
-}
-
-// newCustomHTTPTransport returns a new http configuration
-// used while communicating with the cloud backends.
-// This sets the value for MaxIdleConnsPerHost from 2 (go default)
-// to 100.
-func newCustomHTTPTransport(insecure bool) *http.Transport {
- return &http.Transport{
- Proxy: http.ProxyFromEnvironment,
- DialContext: (&net.Dialer{
- Timeout: 30 * time.Second,
- KeepAlive: 30 * time.Second,
- }).DialContext,
- MaxIdleConns: 1024,
- MaxIdleConnsPerHost: 1024,
- IdleConnTimeout: 30 * time.Second,
- TLSHandshakeTimeout: 10 * time.Second,
- ExpectContinueTimeout: 1 * time.Second,
- TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure},
- DisableCompression: true,
- }
+ args OpaArgs
+ client *http.Client
 }
 // NewOpa - initializes opa policy engine connector.
@@ -108,9 +85,8 @@ func NewOpa(args OpaArgs) *Opa {
 return nil
 }
 return &Opa{
- args: args,
- client: &http.Client{Transport: newCustomHTTPTransport(false)},
- insecureClient: &http.Client{Transport: newCustomHTTPTransport(true)},
+ args: args,
+ client: &http.Client{Transport: args.Transport},
 }
 }
@@ -139,23 +115,11 @@ func (o *Opa) IsAllowed(args Args) bool {
 req.Header.Set("Authorization", o.args.AuthToken)
 }
- var resp *http.Response
- if o.secureFailed {
- resp, err = o.insecureClient.Do(req)
- } else {
- resp, err = o.client.Do(req)
- if err != nil {
- o.secureFailed = true
- resp, err = o.insecureClient.Do(req)
- if err != nil {
- return false
- }
- }
- }
+ resp, err := o.client.Do(req)
 if err != nil {
 return false
 }
- defer resp.Body.Close()
+ defer o.args.CloseRespFn(resp.Body)
 // Handle OPA response
 type opaResponse struct {
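Review bot: NewOpa stores `args.Transport` and `args.CloseRespFn` as given, and the `defer o.args.CloseRespFn(resp.Body)` added in the IsAllowed hunk (@@ -139) will panic on a nil function value once a response has been received — an OpaArgs built anywhere other than the config-current.go call site, or unmarshalled from JSON (both new fields are tagged `json:"-"`), would hit this on the first authorization check. A nil Transport is harmless because http.Client falls back to http.DefaultTransport, so the asymmetry is only in the close function; defaulting it before the struct literal keeps the connector self-contained: `if args.CloseRespFn == nil { args.CloseRespFn = func(r io.ReadCloser) { r.Close() } }`. The doc comment on NewOpa could also state that Transport may be nil and which behaviour results. The beginning of NewOpa (its argument validation) lies outside the @@ -108 hunk, so an existing nil check there cannot be ruled out.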