Release 0.26.8
What's New
- General
- Allow filtering model entities by tag
- Fabric
- Usage v3 metrics
- Edge
- Bug Fixes
- Ziti CLI
ziti edge create|update canow supportsexternalIdClaim- Improved List CAs
- Identity
- Automatic File Reloads
General
Model entities can now be filtered by tags. This works via the fabric and edge REST APIs and can be
used from the ziti CLI.
Example:
$ ziti edge update service demo --tags location=PA
$ ziti edge update service echo --tags location=NY
$ ziti edge ls services 'limit 4'
╭────────────────────────┬──────────────┬────────────┬─────────────────────┬────────────╮
│ ID │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│ │ │ REQUIRED │ │ │
├────────────────────────┼──────────────┼────────────┼─────────────────────┼────────────┤
│ 1WztJ.YuMY │ demo │ true │ smartrouting │ │
│ 68kYZOS54kAbU4hEhKHgHT │ echo │ true │ smartrouting │ echo │
│ EjaiJkYuMY │ project.mgmt │ true │ smartrouting │ │
│ F0JVJkY40Y │ mattermost │ true │ smartrouting │ │
╰────────────────────────┴──────────────┴────────────┴─────────────────────┴────────────╯
results: 1-4 of 13
$ ziti edge ls services 'tags.location != null'
╭────────────────────────┬──────┬────────────┬─────────────────────┬────────────╮
│ ID │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│ │ │ REQUIRED │ │ │
├────────────────────────┼──────┼────────────┼─────────────────────┼────────────┤
│ 1WztJ.YuMY │ demo │ true │ smartrouting │ │
│ 68kYZOS54kAbU4hEhKHgHT │ echo │ true │ smartrouting │ echo │
╰────────────────────────┴──────┴────────────┴─────────────────────┴────────────╯
results: 1-2 of 2
$ ziti edge ls services 'tags.location = "NY"'
╭────────────────────────┬──────┬────────────┬─────────────────────┬────────────╮
│ ID │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│ │ │ REQUIRED │ │ │
├────────────────────────┼──────┼────────────┼─────────────────────┼────────────┤
│ 68kYZOS54kAbU4hEhKHgHT │ echo │ true │ smartrouting │ echo │
╰────────────────────────┴──────┴────────────┴─────────────────────┴────────────╯
results: 1-1 of 1
Fabric
Usage v3
This a new version of usage events available. The existing v2 version events can still be used. The version
is selected in the events configuration.
Here is a config showing how to get both sets of events:
events:
jsonLogger:
subscriptions:
- type: fabric.usage
version: 2
- type: fabric.usage
versin: 3
If no version is provided for usage, then v2 events will still be outputted by default.
Event Consolidation
V3 events consolidate multiple usage metrics together to minimize the number of events.
Example:
{
"namespace": "fabric.usage",
"version": 3,
"source_id": "cjc.1kYu0",
"circuit_id": "CwbENl.lW",
"usage": {
"egress.rx": 47,
"egress.tx": 47
},
"interval_start_utc": 1663342500,
"interval_length": 60,
"tags": {
"clientId": "XtYOStBYgd",
"hostId": "f3ltEI8Iok",
"serviceId": "fclVFecdgakAoHyBvtIGy"
}
}
Ingress and egress usage for a given circuit will consolidated into a single event per router. Fabric usage
will also be consolided into a single, separate event.
Event tagging
Usage events for ingress and egress usage will be annotated with edge information for both v2 and v3.
In the example above the event has tags for clientId, hostId and serviceId.
clientId- The id of the edge identity using the servicehostId- The id of the edge identity hosting the service (will be blank if not applicable, such as for router hosted)serviceId- The id of the service being used
Edge
Bug Fixes
- Issue 1176: Patching CA
externalIdClaimDoes Not Work
Ziti CLI
ziti edge create|update ca now support `externalIdClaim
Identities now have a field named externalId that can be used with 3rd Party CAs in addition to the existing
External JWT Signer support. 3rd Party CAs now support the following optional fields:
externalIdClaim.index- if multiple externalId claims are located, the index will be used to select one, default 0externalIdClaim.location- extracts values from one of the following locations on a x509 certificate:SAN_URI,SAN_EMAIL,COMMON_NAMEexternalIdClaim.matcher- matches values in one of the following waysPREFIX,SUFFIX,SCHEMEin conjunction withmatcherCriteriaor select all values viaALLexternalIdClaim.matcherCriteria-matchervalues ofPREFIX,SUFFIX, andSCHEMEwill usematcherCriteriaas a matching valueexternalIdClaim.parser: - supports parsing values from all matched externalIds viaSPLITorNONEexternalIdClaim.parserCriteria- for aparservalue ofSPLIT,parserCriteriawill be used to split values
When defined the externalIdClaim configuration will be used to locate any externalIds present in the client
supplied x509 certificate. If an externalId is located, it will be used to associate the authentication request
with an identity. If found, authentication is considered successful if not the authentication request fails. If the
client certificate does not contain an externalId then identities will be searched for that have a certificate
authenticator that matches the supplied client certificate. Should that fail, the authentication request fails.
This functionality can be used to support SPIFFE provisioned identities. For any specific SPIFFE ID, assign it to an
identity's externalId and then use the following externalIdClaim configurations.
CA Create/Update REST API
{
...
"externalIdClaim": {
"location": "SAN_URI",
"index": 0,
"matcher": "SCHEME",
"matcherCriteria": "spiffe",
"parser": "NONE",
"parserCriteria": ""
}
}Ziti CLI
ziti edge create ca myCa ca.pem -l SAN_URI -m SCHEME -x spiffe -p "NONE"
ziti edge update ca myCa -l SAN_URI -m SCHEME -x spiffe -p "NONE"
Improved List CAs Output
The output for listing CAs in non-JSON format has been improved.
Example:
╭────────────────────────┬─────────┬────────┬────────────┬─────────────┬─────────────────────────────────────────────────────────────────╮
│ ID │ NAME │ FLAGS │ TOKEN │ FINGERPRINT │ CONFIGURATION │
├────────────────────────┼─────────┼────────┼────────────┼─────────────┼─────────────────┬──────────────────────┬────────────────────────┤
│ 1tu6CbXT18Dd9rybjCW5eX │ 2 │ [AOE] │ KaPxRiKbk │ - │ AutoCA │ Identity Name Format │ [caName]-[commonName] │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Identity Roles │ a,b,c │
│ │ │ │ │ ├─────────────────┼──────────────────────┼────────────────────────┤
│ │ │ │ │ │ ExternalIdClaim │ Index │ 2 │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Location │ SAN_URI │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Matcher │ ALL │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Matcher Criteria │ │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Parser │ NONE │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Parser Criteria │ │
├────────────────────────┼─────────┼────────┼────────────┼─────────────┼─────────────────┼──────────────────────┼────────────────────────┤
│ 7AGp9vUttJHKA1JWujNtpR │ test-ca │ [VAOE] │ - │ 315e...ba │ AutoCA │ Identity Name Format │ [caName]-[commonName] │
│ │ │ │ │ │ ├──────────────────────┼────────────────────────┤
│ │ │ │ │ │ │ Identity Roles │ three, two,one │
╰────────────────────────┴─────────┴────────┴────────────┴─────────────┴─────────────────┴──────────────────────┴────────────────────────╯
Ziti Library Updates
-
github.com/openziti/channel: v1.0.2 -> v1.0.3
-
github.com/openziti/edge: v0.22.91 -> v0.23.0
- Issue #1173 - Add session_type and service_id to edge session events
- Issue #1176 - Patching CA ExternalIdClaim Does Not Work
- Issue #1174 - Fix patching tags on services and transit routers
- Issue #1154 - Additional filters for service list endpoint
-
github.com/openziti/fabric: v0.19.67 -> v0.20.0
- Issue #496 - Reduce utiliztion messages by combining directionality
- Issue #499 - Fix tag patching tags on service and router
-
github.com/openziti/identity: v1.0.11 -> v1.0.12
-
github.com/openziti/metrics: v1.0.7 -> v1.1.0
- Issue #15 - Support tags and multiple values on usage
-
github.com/openziti/sdk-golang: v0.16.119 -> v0.16.121
-
github.com/openziti/storage: v0.1.20 -> v0.1.21
- Issue #21 - Support querying tags by default
-
github.com/openziti/transport/v2: v2.0.28 -> v2.0.29
-
github.com/openziti/ziti: 0.26.7 -> 0.26.8
- Issue #835 - Ensure model entity tags can be updated via CLI where appropriate