[OSS] Remove remaining references to master (#11827)
This commit is contained in:
parent
bc21e95909
commit
088ba2edaf
|
@ -0,0 +1,3 @@
|
|||
```release-note:breaking-change
|
||||
sdk: several changes to the testutil configuration structs (removed `ACLMasterToken`, renamed `Master` to `InitialManagement`, and `AgentMaster` to `AgentRecovery`)
|
||||
```
|
|
@ -849,10 +849,10 @@ func TestACL_HTTP(t *testing.T) {
|
|||
tokens, ok := raw.(structs.ACLTokenListStubs)
|
||||
require.True(t, ok)
|
||||
|
||||
// 3 tokens created but 1 was deleted + master token + anon token
|
||||
// 3 tokens created but 1 was deleted + initial management token + anon token
|
||||
require.Len(t, tokens, 4)
|
||||
|
||||
// this loop doesn't verify anything about the master token
|
||||
// this loop doesn't verify anything about the initial management token
|
||||
for tokenID, expected := range tokenMap {
|
||||
found := false
|
||||
for _, actual := range tokens {
|
||||
|
@ -1880,7 +1880,7 @@ func TestACL_Authorize(t *testing.T) {
|
|||
var localToken structs.ACLToken
|
||||
require.NoError(t, a2.RPC("ACL.TokenSet", &localTokenReq, &localToken))
|
||||
|
||||
t.Run("master-token", func(t *testing.T) {
|
||||
t.Run("initial-management-token", func(t *testing.T) {
|
||||
request := []structs.ACLAuthorizationRequest{
|
||||
{
|
||||
Resource: "acl",
|
||||
|
@ -2016,7 +2016,7 @@ func TestACL_Authorize(t *testing.T) {
|
|||
resp := responses[idx]
|
||||
|
||||
require.Equal(t, req, resp.ACLAuthorizationRequest)
|
||||
require.True(t, resp.Allow, "should have allowed all access for master token")
|
||||
require.True(t, resp.Allow, "should have allowed all access for initial management token")
|
||||
}
|
||||
})
|
||||
}
|
||||
|
@ -2277,7 +2277,7 @@ func TestACL_Authorize(t *testing.T) {
|
|||
type rpcFn func(string, interface{}, interface{}) error
|
||||
|
||||
func upsertTestCustomizedAuthMethod(
|
||||
rpc rpcFn, masterToken string, datacenter string,
|
||||
rpc rpcFn, initialManagementToken string, datacenter string,
|
||||
modify func(method *structs.ACLAuthMethod),
|
||||
) (*structs.ACLAuthMethod, error) {
|
||||
name, err := uuid.GenerateUUID()
|
||||
|
@ -2291,7 +2291,7 @@ func upsertTestCustomizedAuthMethod(
|
|||
Name: "test-method-" + name,
|
||||
Type: "testing",
|
||||
},
|
||||
WriteRequest: structs.WriteRequest{Token: masterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: initialManagementToken},
|
||||
}
|
||||
|
||||
if modify != nil {
|
||||
|
@ -2308,11 +2308,11 @@ func upsertTestCustomizedAuthMethod(
|
|||
return &out, nil
|
||||
}
|
||||
|
||||
func upsertTestCustomizedBindingRule(rpc rpcFn, masterToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) {
|
||||
func upsertTestCustomizedBindingRule(rpc rpcFn, initialManagementToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) {
|
||||
req := structs.ACLBindingRuleSetRequest{
|
||||
Datacenter: datacenter,
|
||||
BindingRule: structs.ACLBindingRule{},
|
||||
WriteRequest: structs.WriteRequest{Token: masterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: initialManagementToken},
|
||||
}
|
||||
|
||||
if modify != nil {
|
||||
|
|
|
@ -209,9 +209,6 @@ type Agent struct {
|
|||
// depending on the configuration
|
||||
delegate delegate
|
||||
|
||||
// aclMasterAuthorizer is an object that helps manage local ACL enforcement.
|
||||
aclMasterAuthorizer acl.Authorizer
|
||||
|
||||
// state stores a local representation of the node,
|
||||
// services and checks. Used for anti-entropy.
|
||||
State *local.State
|
||||
|
|
|
@ -85,7 +85,7 @@ func TestAgent_Services(t *testing.T) {
|
|||
srv1 := &structs.NodeService{
|
||||
ID: "mysql",
|
||||
Service: "mysql",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Meta: map[string]string{
|
||||
"foo": "bar",
|
||||
},
|
||||
|
@ -120,7 +120,7 @@ func TestAgent_ServicesFiltered(t *testing.T) {
|
|||
srv1 := &structs.NodeService{
|
||||
ID: "mysql",
|
||||
Service: "mysql",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Meta: map[string]string{
|
||||
"foo": "bar",
|
||||
},
|
||||
|
@ -1517,7 +1517,7 @@ func TestAgent_Self_ACLDeny(t *testing.T) {
|
|||
require.Equal(t, http.StatusForbidden, resp.Code)
|
||||
})
|
||||
|
||||
t.Run("agent master token", func(t *testing.T) {
|
||||
t.Run("agent recovery token", func(t *testing.T) {
|
||||
req, _ := http.NewRequest("GET", "/v1/agent/self?token=towel", nil)
|
||||
resp := httptest.NewRecorder()
|
||||
a.srv.h.ServeHTTP(resp, req)
|
||||
|
@ -1550,7 +1550,7 @@ func TestAgent_Metrics_ACLDeny(t *testing.T) {
|
|||
require.Equal(t, http.StatusForbidden, resp.Code)
|
||||
})
|
||||
|
||||
t.Run("agent master token", func(t *testing.T) {
|
||||
t.Run("agent recovery token", func(t *testing.T) {
|
||||
req, _ := http.NewRequest("GET", "/v1/agent/metrics?token=towel", nil)
|
||||
resp := httptest.NewRecorder()
|
||||
a.srv.h.ServeHTTP(resp, req)
|
||||
|
@ -2125,7 +2125,7 @@ func TestAgent_Join_ACLDeny(t *testing.T) {
|
|||
require.Equal(t, http.StatusForbidden, resp.Code)
|
||||
})
|
||||
|
||||
t.Run("agent master token", func(t *testing.T) {
|
||||
t.Run("agent recovery token", func(t *testing.T) {
|
||||
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/join/%s?token=towel", addr), nil)
|
||||
resp := httptest.NewRecorder()
|
||||
a1.srv.h.ServeHTTP(resp, req)
|
||||
|
@ -2246,7 +2246,7 @@ func TestAgent_Leave_ACLDeny(t *testing.T) {
|
|||
|
||||
// this sub-test will change the state so that there is no leader.
|
||||
// it must therefore be the last one in this list.
|
||||
t.Run("agent master token", func(t *testing.T) {
|
||||
t.Run("agent recovery token", func(t *testing.T) {
|
||||
req, _ := http.NewRequest("PUT", "/v1/agent/leave?token=towel", nil)
|
||||
resp := httptest.NewRecorder()
|
||||
a.srv.h.ServeHTTP(resp, req)
|
||||
|
@ -2332,7 +2332,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
|
|||
require.Equal(t, http.StatusForbidden, resp.Code)
|
||||
})
|
||||
|
||||
t.Run("agent master token", func(t *testing.T) {
|
||||
t.Run("agent recovery token", func(t *testing.T) {
|
||||
req, _ := http.NewRequest("PUT", uri+"?token=towel", nil)
|
||||
resp := httptest.NewRecorder()
|
||||
a.srv.h.ServeHTTP(resp, req)
|
||||
|
@ -3266,7 +3266,7 @@ func testAgent_RegisterService(t *testing.T, extraHCL string) {
|
|||
args := &structs.ServiceDefinition{
|
||||
Name: "test",
|
||||
Meta: map[string]string{"hello": "world"},
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
Check: structs.CheckType{
|
||||
TTL: 15 * time.Second,
|
||||
|
@ -3353,7 +3353,7 @@ func testAgent_RegisterService_ReRegister(t *testing.T, extraHCL string) {
|
|||
args := &structs.ServiceDefinition{
|
||||
Name: "test",
|
||||
Meta: map[string]string{"hello": "world"},
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
Checks: []*structs.CheckType{
|
||||
{
|
||||
|
@ -3378,7 +3378,7 @@ func testAgent_RegisterService_ReRegister(t *testing.T, extraHCL string) {
|
|||
args = &structs.ServiceDefinition{
|
||||
Name: "test",
|
||||
Meta: map[string]string{"hello": "world"},
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
Checks: []*structs.CheckType{
|
||||
{
|
||||
|
@ -3434,7 +3434,7 @@ func testAgent_RegisterService_ReRegister_ReplaceExistingChecks(t *testing.T, ex
|
|||
args := &structs.ServiceDefinition{
|
||||
Name: "test",
|
||||
Meta: map[string]string{"hello": "world"},
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
Checks: []*structs.CheckType{
|
||||
{
|
||||
|
@ -3460,7 +3460,7 @@ func testAgent_RegisterService_ReRegister_ReplaceExistingChecks(t *testing.T, ex
|
|||
args = &structs.ServiceDefinition{
|
||||
Name: "test",
|
||||
Meta: map[string]string{"hello": "world"},
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
Checks: []*structs.CheckType{
|
||||
{
|
||||
|
@ -3740,7 +3740,7 @@ func testAgent_RegisterService_ACLDeny(t *testing.T, extraHCL string) {
|
|||
|
||||
args := &structs.ServiceDefinition{
|
||||
Name: "test",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
Check: structs.CheckType{
|
||||
TTL: 15 * time.Second,
|
||||
|
@ -4588,7 +4588,7 @@ func testAgent_RegisterService_ScriptCheck_ExecDisable(t *testing.T, extraHCL st
|
|||
args := &structs.ServiceDefinition{
|
||||
Name: "test",
|
||||
Meta: map[string]string{"hello": "world"},
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
Check: structs.CheckType{
|
||||
Name: "test-check",
|
||||
|
@ -4640,7 +4640,7 @@ func testAgent_RegisterService_ScriptCheck_ExecRemoteDisable(t *testing.T, extra
|
|||
args := &structs.ServiceDefinition{
|
||||
Name: "test",
|
||||
Meta: map[string]string{"hello": "world"},
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
Check: structs.CheckType{
|
||||
Name: "test-check",
|
||||
|
@ -5379,7 +5379,7 @@ func TestAgent_TokenTriggersFullSync(t *testing.T) {
|
|||
initial_management = "root"
|
||||
default = ""
|
||||
agent = ""
|
||||
agent_master = ""
|
||||
agent_recovery = ""
|
||||
replication = ""
|
||||
}
|
||||
}
|
||||
|
@ -5427,7 +5427,7 @@ func TestAgent_Token(t *testing.T) {
|
|||
initial_management = "root"
|
||||
default = ""
|
||||
agent = ""
|
||||
agent_master = ""
|
||||
agent_recovery = ""
|
||||
replication = ""
|
||||
}
|
||||
}
|
||||
|
@ -5436,20 +5436,20 @@ func TestAgent_Token(t *testing.T) {
|
|||
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
||||
|
||||
type tokens struct {
|
||||
user string
|
||||
userSource tokenStore.TokenSource
|
||||
agent string
|
||||
agentSource tokenStore.TokenSource
|
||||
master string
|
||||
masterSource tokenStore.TokenSource
|
||||
repl string
|
||||
replSource tokenStore.TokenSource
|
||||
user string
|
||||
userSource tokenStore.TokenSource
|
||||
agent string
|
||||
agentSource tokenStore.TokenSource
|
||||
agentRecovery string
|
||||
agentRecoverySource tokenStore.TokenSource
|
||||
repl string
|
||||
replSource tokenStore.TokenSource
|
||||
}
|
||||
|
||||
resetTokens := func(init tokens) {
|
||||
a.tokens.UpdateUserToken(init.user, init.userSource)
|
||||
a.tokens.UpdateAgentToken(init.agent, init.agentSource)
|
||||
a.tokens.UpdateAgentRecoveryToken(init.master, init.masterSource)
|
||||
a.tokens.UpdateAgentRecoveryToken(init.agentRecovery, init.agentRecoverySource)
|
||||
a.tokens.UpdateReplicationToken(init.repl, init.replSource)
|
||||
}
|
||||
|
||||
|
@ -5531,8 +5531,8 @@ func TestAgent_Token(t *testing.T) {
|
|||
url: "acl_agent_master_token?token=root",
|
||||
body: body("M"),
|
||||
code: http.StatusOK,
|
||||
raw: tokens{master: "M", masterSource: tokenStore.TokenSourceAPI},
|
||||
effective: tokens{master: "M"},
|
||||
raw: tokens{agentRecovery: "M", agentRecoverySource: tokenStore.TokenSourceAPI},
|
||||
effective: tokens{agentRecovery: "M"},
|
||||
},
|
||||
{
|
||||
name: "set master",
|
||||
|
@ -5540,8 +5540,8 @@ func TestAgent_Token(t *testing.T) {
|
|||
url: "agent_master?token=root",
|
||||
body: body("M"),
|
||||
code: http.StatusOK,
|
||||
raw: tokens{master: "M", masterSource: tokenStore.TokenSourceAPI},
|
||||
effective: tokens{master: "M"},
|
||||
raw: tokens{agentRecovery: "M", agentRecoverySource: tokenStore.TokenSourceAPI},
|
||||
effective: tokens{agentRecovery: "M"},
|
||||
},
|
||||
{
|
||||
name: "set recovery",
|
||||
|
@ -5549,8 +5549,8 @@ func TestAgent_Token(t *testing.T) {
|
|||
url: "agent_recovery?token=root",
|
||||
body: body("R"),
|
||||
code: http.StatusOK,
|
||||
raw: tokens{master: "R", masterSource: tokenStore.TokenSourceAPI},
|
||||
effective: tokens{master: "R", masterSource: tokenStore.TokenSourceAPI},
|
||||
raw: tokens{agentRecovery: "R", agentRecoverySource: tokenStore.TokenSourceAPI},
|
||||
effective: tokens{agentRecovery: "R", agentRecoverySource: tokenStore.TokenSourceAPI},
|
||||
},
|
||||
{
|
||||
name: "set repl legacy",
|
||||
|
@ -5612,8 +5612,8 @@ func TestAgent_Token(t *testing.T) {
|
|||
url: "acl_agent_master_token?token=root",
|
||||
body: body(""),
|
||||
code: http.StatusOK,
|
||||
init: tokens{master: "M"},
|
||||
raw: tokens{masterSource: tokenStore.TokenSourceAPI},
|
||||
init: tokens{agentRecovery: "M"},
|
||||
raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI},
|
||||
},
|
||||
{
|
||||
name: "clear master",
|
||||
|
@ -5621,8 +5621,8 @@ func TestAgent_Token(t *testing.T) {
|
|||
url: "agent_master?token=root",
|
||||
body: body(""),
|
||||
code: http.StatusOK,
|
||||
init: tokens{master: "M"},
|
||||
raw: tokens{masterSource: tokenStore.TokenSourceAPI},
|
||||
init: tokens{agentRecovery: "M"},
|
||||
raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI},
|
||||
},
|
||||
{
|
||||
name: "clear recovery",
|
||||
|
@ -5630,8 +5630,8 @@ func TestAgent_Token(t *testing.T) {
|
|||
url: "agent_recovery?token=root",
|
||||
body: body(""),
|
||||
code: http.StatusOK,
|
||||
init: tokens{master: "R"},
|
||||
raw: tokens{masterSource: tokenStore.TokenSourceAPI},
|
||||
init: tokens{agentRecovery: "R"},
|
||||
raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI},
|
||||
},
|
||||
{
|
||||
name: "clear repl legacy",
|
||||
|
@ -5667,7 +5667,7 @@ func TestAgent_Token(t *testing.T) {
|
|||
}
|
||||
require.Equal(t, tt.effective.user, a.tokens.UserToken())
|
||||
require.Equal(t, tt.effective.agent, a.tokens.AgentToken())
|
||||
require.Equal(t, tt.effective.master, a.tokens.AgentRecoveryToken())
|
||||
require.Equal(t, tt.effective.agentRecovery, a.tokens.AgentRecoveryToken())
|
||||
require.Equal(t, tt.effective.repl, a.tokens.ReplicationToken())
|
||||
|
||||
tok, src := a.tokens.UserTokenAndSource()
|
||||
|
@ -5679,8 +5679,8 @@ func TestAgent_Token(t *testing.T) {
|
|||
require.Equal(t, tt.raw.agentSource, src)
|
||||
|
||||
tok, src = a.tokens.AgentRecoveryTokenAndSource()
|
||||
require.Equal(t, tt.raw.master, tok)
|
||||
require.Equal(t, tt.raw.masterSource, src)
|
||||
require.Equal(t, tt.raw.agentRecovery, tok)
|
||||
require.Equal(t, tt.raw.agentRecoverySource, src)
|
||||
|
||||
tok, src = a.tokens.ReplicationTokenAndSource()
|
||||
require.Equal(t, tt.raw.repl, tok)
|
||||
|
@ -7031,11 +7031,18 @@ func TestAgentConnectAuthorize_defaultAllow(t *testing.T) {
|
|||
assert := assert.New(t)
|
||||
dc1 := "dc1"
|
||||
a := NewTestAgent(t, `
|
||||
acl_datacenter = "`+dc1+`"
|
||||
acl_default_policy = "allow"
|
||||
acl_master_token = "root"
|
||||
acl_agent_token = "root"
|
||||
acl_agent_master_token = "towel"
|
||||
primary_datacenter = "`+dc1+`"
|
||||
|
||||
acl {
|
||||
enabled = true
|
||||
default_policy = "allow"
|
||||
|
||||
tokens {
|
||||
initial_management = "root"
|
||||
agent = "root"
|
||||
agent_recovery = "towel"
|
||||
}
|
||||
}
|
||||
`)
|
||||
defer a.Shutdown()
|
||||
testrpc.WaitForTestAgent(t, a.RPC, dc1)
|
||||
|
@ -7066,16 +7073,23 @@ func TestAgent_Host(t *testing.T) {
|
|||
|
||||
dc1 := "dc1"
|
||||
a := NewTestAgent(t, `
|
||||
acl_datacenter = "`+dc1+`"
|
||||
acl_default_policy = "allow"
|
||||
acl_master_token = "master"
|
||||
acl_agent_token = "agent"
|
||||
acl_agent_master_token = "towel"
|
||||
`)
|
||||
primary_datacenter = "`+dc1+`"
|
||||
|
||||
acl {
|
||||
enabled = true
|
||||
default_policy = "allow"
|
||||
|
||||
tokens {
|
||||
initial_management = "initial-management"
|
||||
agent = "agent"
|
||||
agent_recovery = "towel"
|
||||
}
|
||||
}
|
||||
`)
|
||||
defer a.Shutdown()
|
||||
|
||||
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
||||
req, _ := http.NewRequest("GET", "/v1/agent/host?token=master", nil)
|
||||
req, _ := http.NewRequest("GET", "/v1/agent/host?token=initial-management", nil)
|
||||
resp := httptest.NewRecorder()
|
||||
// TODO: AgentHost should write to response so that we can test using ServeHTTP()
|
||||
respRaw, err := a.srv.AgentHost(resp, req)
|
||||
|
@ -7098,12 +7112,19 @@ func TestAgent_HostBadACL(t *testing.T) {
|
|||
|
||||
dc1 := "dc1"
|
||||
a := NewTestAgent(t, `
|
||||
acl_datacenter = "`+dc1+`"
|
||||
acl_default_policy = "deny"
|
||||
acl_master_token = "root"
|
||||
acl_agent_token = "agent"
|
||||
acl_agent_master_token = "towel"
|
||||
`)
|
||||
primary_datacenter = "`+dc1+`"
|
||||
|
||||
acl {
|
||||
enabled = true
|
||||
default_policy = "deny"
|
||||
|
||||
tokens {
|
||||
initial_management = "root"
|
||||
agent = "agent"
|
||||
agent_recovery = "towel"
|
||||
}
|
||||
}
|
||||
`)
|
||||
defer a.Shutdown()
|
||||
|
||||
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
||||
|
|
|
@ -263,19 +263,19 @@ type ACLResolver struct {
|
|||
// disabledLock synchronizes access to disabledUntil
|
||||
disabledLock sync.RWMutex
|
||||
|
||||
agentMasterAuthz acl.Authorizer
|
||||
agentRecoveryAuthz acl.Authorizer
|
||||
}
|
||||
|
||||
func agentMasterAuthorizer(nodeName string, entMeta *structs.EnterpriseMeta, aclConf *acl.Config) (acl.Authorizer, error) {
|
||||
func agentRecoveryAuthorizer(nodeName string, entMeta *structs.EnterpriseMeta, aclConf *acl.Config) (acl.Authorizer, error) {
|
||||
var conf acl.Config
|
||||
if aclConf != nil {
|
||||
conf = *aclConf
|
||||
}
|
||||
setEnterpriseConf(entMeta, &conf)
|
||||
|
||||
// Build a policy for the agent master token.
|
||||
// Build a policy for the agent recovery token.
|
||||
//
|
||||
// The builtin agent master policy allows reading any node information
|
||||
// The builtin agent recovery policy allows reading any node information
|
||||
// and allows writes to the agent with the node name of the running agent
|
||||
// only. This used to allow a prefix match on agent names but that seems
|
||||
// entirely unnecessary so it is now using an exact match.
|
||||
|
@ -323,21 +323,21 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
|
|||
return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy)
|
||||
}
|
||||
|
||||
authz, err := agentMasterAuthorizer(config.Config.NodeName, &config.Config.EnterpriseMeta, config.ACLConfig)
|
||||
authz, err := agentRecoveryAuthorizer(config.Config.NodeName, &config.Config.EnterpriseMeta, config.ACLConfig)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to initialize the agent master authorizer")
|
||||
return nil, fmt.Errorf("failed to initialize the agent recovery authorizer")
|
||||
}
|
||||
|
||||
return &ACLResolver{
|
||||
config: config.Config,
|
||||
logger: config.Logger.Named(logging.ACL),
|
||||
delegate: config.Delegate,
|
||||
aclConf: config.ACLConfig,
|
||||
cache: cache,
|
||||
disableDuration: config.DisableDuration,
|
||||
down: down,
|
||||
tokens: config.Tokens,
|
||||
agentMasterAuthz: authz,
|
||||
config: config.Config,
|
||||
logger: config.Logger.Named(logging.ACL),
|
||||
delegate: config.Delegate,
|
||||
aclConf: config.ACLConfig,
|
||||
cache: cache,
|
||||
disableDuration: config.DisableDuration,
|
||||
down: down,
|
||||
tokens: config.Tokens,
|
||||
agentRecoveryAuthz: authz,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
@ -1049,7 +1049,7 @@ func (r *ACLResolver) resolveLocallyManagedToken(token string) (structs.ACLIdent
|
|||
}
|
||||
|
||||
if r.tokens.IsAgentRecoveryToken(token) {
|
||||
return structs.NewAgentMasterTokenIdentity(r.config.NodeName, token), r.agentMasterAuthz, true
|
||||
return structs.NewAgentRecoveryTokenIdentity(r.config.NodeName, token), r.agentRecoveryAuthz, true
|
||||
}
|
||||
|
||||
return r.resolveLocallyManagedEnterpriseToken(token)
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -4007,7 +4007,7 @@ func TestACL_LocalToken(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
func TestACLResolver_AgentMaster(t *testing.T) {
|
||||
func TestACLResolver_AgentRecovery(t *testing.T) {
|
||||
var tokens token.Store
|
||||
|
||||
d := &ACLResolverTestDelegate{
|
||||
|
@ -4025,9 +4025,9 @@ func TestACLResolver_AgentMaster(t *testing.T) {
|
|||
ident, authz, err := r.ResolveTokenToIdentityAndAuthorizer("9a184a11-5599-459e-b71a-550e5f9a5a23")
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, ident)
|
||||
require.Equal(t, "agent-master:foo", ident.ID())
|
||||
require.Equal(t, "agent-recovery:foo", ident.ID())
|
||||
require.NotNil(t, authz)
|
||||
require.Equal(t, r.agentMasterAuthz, authz)
|
||||
require.Equal(t, r.agentRecoveryAuthz, authz)
|
||||
require.Equal(t, acl.Allow, authz.AgentWrite("foo", nil))
|
||||
require.Equal(t, acl.Allow, authz.NodeRead("bar", nil))
|
||||
require.Equal(t, acl.Deny, authz.NodeWrite("bar", nil))
|
||||
|
@ -4106,7 +4106,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
|
|||
Name: "the-policy",
|
||||
Rules: `key_prefix "" { policy = "read"}`,
|
||||
},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
|
||||
}
|
||||
var respPolicy = structs.ACLPolicy{}
|
||||
err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &respPolicy)
|
||||
|
@ -4121,7 +4121,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
|
|||
SecretID: token,
|
||||
Policies: []structs.ACLTokenPolicyLink{{Name: "the-policy"}},
|
||||
},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
|
||||
}
|
||||
var respToken structs.ACLToken
|
||||
err = msgpackrpc.CallWithCodec(codec, "ACL.TokenSet", &reqToken, &respToken)
|
||||
|
@ -4142,7 +4142,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
|
|||
Name: "the-policy",
|
||||
Rules: `{"key_prefix": {"": {"policy": "deny"}}}`,
|
||||
},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
|
||||
}
|
||||
err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &structs.ACLPolicy{})
|
||||
require.NoError(t, err)
|
||||
|
@ -4157,7 +4157,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
|
|||
req := structs.ACLTokenDeleteRequest{
|
||||
Datacenter: "dc1",
|
||||
TokenID: respToken.AccessorID,
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
|
||||
}
|
||||
var resp string
|
||||
err := msgpackrpc.CallWithCodec(codec, "ACL.TokenDelete", &req, &resp)
|
||||
|
|
|
@ -58,7 +58,7 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) {
|
|||
|
||||
acl := ACL{srv: s1}
|
||||
|
||||
masterTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, "root", "dc1", "root")
|
||||
initialManagementTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, "root", "dc1", "root")
|
||||
require.NoError(t, err)
|
||||
|
||||
listTokens := func() (localTokens, globalTokens []string, err error) {
|
||||
|
@ -88,9 +88,9 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) {
|
|||
t.Helper()
|
||||
|
||||
var expectLocal, expectGlobal []string
|
||||
// The master token and the anonymous token are always going to be
|
||||
// present and global.
|
||||
expectGlobal = append(expectGlobal, masterTokenAccessorID)
|
||||
// The initial management token and the anonymous token are always
|
||||
// going to be present and global.
|
||||
expectGlobal = append(expectGlobal, initialManagementTokenAccessorID)
|
||||
expectGlobal = append(expectGlobal, structs.ACLTokenAnonymousID)
|
||||
|
||||
if local {
|
||||
|
|
|
@ -41,7 +41,7 @@ func TestAutoConfigBackend_CreateACLToken(t *testing.T) {
|
|||
|
||||
waitForLeaderEstablishment(t, srv)
|
||||
|
||||
r1, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1")
|
||||
r1, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1")
|
||||
require.NoError(t, err)
|
||||
|
||||
t.Run("predefined-ids", func(t *testing.T) {
|
||||
|
|
|
@ -163,7 +163,7 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) {
|
|||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLInitialManagementToken = TestDefaultMasterToken
|
||||
c.ACLInitialManagementToken = TestDefaultInitialManagementToken
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
|
@ -175,11 +175,11 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) {
|
|||
testrpc.WaitForLeader(t, s1.RPC, "dc1")
|
||||
|
||||
opReadToken, err := upsertTestTokenWithPolicyRules(
|
||||
codec, TestDefaultMasterToken, "dc1", `operator = "read"`)
|
||||
codec, TestDefaultInitialManagementToken, "dc1", `operator = "read"`)
|
||||
require.NoError(t, err)
|
||||
|
||||
opWriteToken, err := upsertTestTokenWithPolicyRules(
|
||||
codec, TestDefaultMasterToken, "dc1", `operator = "write"`)
|
||||
codec, TestDefaultInitialManagementToken, "dc1", `operator = "write"`)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Update a config value
|
||||
|
@ -215,7 +215,7 @@ pY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=
|
|||
args := &structs.CARequest{
|
||||
Datacenter: "dc1",
|
||||
Config: newConfig,
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
|
||||
}
|
||||
var reply interface{}
|
||||
require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply))
|
||||
|
|
|
@ -541,7 +541,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) {
|
|||
gwListEmpty: true,
|
||||
gwFilteredByACLs: true,
|
||||
},
|
||||
"master token": {
|
||||
"initial management token": {
|
||||
token: "root",
|
||||
},
|
||||
}
|
||||
|
|
|
@ -105,7 +105,7 @@ func TestFSM_RegisterNode_Service(t *testing.T) {
|
|||
Service: &structs.NodeService{
|
||||
ID: "db",
|
||||
Service: "db",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
},
|
||||
Check: &structs.HealthCheck{
|
||||
|
@ -170,7 +170,7 @@ func TestFSM_DeregisterService(t *testing.T) {
|
|||
Service: &structs.NodeService{
|
||||
ID: "db",
|
||||
Service: "db",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
},
|
||||
}
|
||||
|
@ -296,7 +296,7 @@ func TestFSM_DeregisterNode(t *testing.T) {
|
|||
Service: &structs.NodeService{
|
||||
ID: "db",
|
||||
Service: "db",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
},
|
||||
Check: &structs.HealthCheck{
|
||||
|
@ -1429,7 +1429,7 @@ func TestFSM_Chunking_Lifecycle(t *testing.T) {
|
|||
Service: &structs.NodeService{
|
||||
ID: "db",
|
||||
Service: "db",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
},
|
||||
Check: &structs.HealthCheck{
|
||||
|
@ -1559,7 +1559,7 @@ func TestFSM_Chunking_TermChange(t *testing.T) {
|
|||
Service: &structs.NodeService{
|
||||
ID: "db",
|
||||
Service: "db",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
},
|
||||
Check: &structs.HealthCheck{
|
||||
|
|
|
@ -937,17 +937,17 @@ func TestIntention_WildcardACLEnforcement(t *testing.T) {
|
|||
|
||||
// create some test policies.
|
||||
|
||||
writeToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "write" }`)
|
||||
writeToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "write" }`)
|
||||
require.NoError(t, err)
|
||||
readToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "read" }`)
|
||||
readToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "read" }`)
|
||||
require.NoError(t, err)
|
||||
exactToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "*" { policy = "deny" intentions = "write" }`)
|
||||
exactToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "*" { policy = "deny" intentions = "write" }`)
|
||||
require.NoError(t, err)
|
||||
wildcardPrefixToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "*" { policy = "deny" intentions = "write" }`)
|
||||
wildcardPrefixToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "*" { policy = "deny" intentions = "write" }`)
|
||||
require.NoError(t, err)
|
||||
fooToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "foo" { policy = "deny" intentions = "write" }`)
|
||||
fooToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "foo" { policy = "deny" intentions = "write" }`)
|
||||
require.NoError(t, err)
|
||||
denyToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "deny" }`)
|
||||
denyToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "deny" }`)
|
||||
require.NoError(t, err)
|
||||
|
||||
doIntentionCreate := func(t *testing.T, token string, dest string, deny bool) string {
|
||||
|
@ -1607,7 +1607,7 @@ func TestIntentionList_acl(t *testing.T) {
|
|||
|
||||
waitForLeaderEstablishment(t, s1)
|
||||
|
||||
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "foo" { policy = "write" }`)
|
||||
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "foo" { policy = "write" }`)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Create a few records
|
||||
|
@ -1620,7 +1620,7 @@ func TestIntentionList_acl(t *testing.T) {
|
|||
ixn.Intention.SourceNS = "default"
|
||||
ixn.Intention.DestinationNS = "default"
|
||||
ixn.Intention.DestinationName = name
|
||||
ixn.WriteRequest.Token = TestDefaultMasterToken
|
||||
ixn.WriteRequest.Token = TestDefaultInitialManagementToken
|
||||
|
||||
// Create
|
||||
var reply string
|
||||
|
@ -1639,10 +1639,10 @@ func TestIntentionList_acl(t *testing.T) {
|
|||
})
|
||||
|
||||
// Test with management token
|
||||
t.Run("master-token", func(t *testing.T) {
|
||||
t.Run("initial-management-token", func(t *testing.T) {
|
||||
req := &structs.IntentionListRequest{
|
||||
Datacenter: "dc1",
|
||||
QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken},
|
||||
QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken},
|
||||
}
|
||||
var resp structs.IndexedIntentions
|
||||
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp))
|
||||
|
@ -1666,7 +1666,7 @@ func TestIntentionList_acl(t *testing.T) {
|
|||
req := &structs.IntentionListRequest{
|
||||
Datacenter: "dc1",
|
||||
QueryOptions: structs.QueryOptions{
|
||||
Token: TestDefaultMasterToken,
|
||||
Token: TestDefaultInitialManagementToken,
|
||||
Filter: "DestinationName == foobar",
|
||||
},
|
||||
}
|
||||
|
@ -1763,7 +1763,7 @@ func TestIntentionMatch_acl(t *testing.T) {
|
|||
_, srv, codec := testACLServerWithConfig(t, nil, false)
|
||||
waitForLeaderEstablishment(t, srv)
|
||||
|
||||
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "bar" { policy = "write" }`)
|
||||
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "bar" { policy = "write" }`)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Create some records
|
||||
|
@ -1781,7 +1781,7 @@ func TestIntentionMatch_acl(t *testing.T) {
|
|||
Intention: structs.TestIntention(t),
|
||||
}
|
||||
ixn.Intention.DestinationName = v
|
||||
ixn.WriteRequest.Token = TestDefaultMasterToken
|
||||
ixn.WriteRequest.Token = TestDefaultInitialManagementToken
|
||||
|
||||
// Create
|
||||
var reply string
|
||||
|
@ -1993,7 +1993,7 @@ func TestIntentionCheck_match(t *testing.T) {
|
|||
_, srv, codec := testACLServerWithConfig(t, nil, false)
|
||||
waitForLeaderEstablishment(t, srv)
|
||||
|
||||
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "api" { policy = "read" }`)
|
||||
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "api" { policy = "read" }`)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Create some intentions
|
||||
|
@ -2015,7 +2015,7 @@ func TestIntentionCheck_match(t *testing.T) {
|
|||
DestinationName: v[1],
|
||||
Action: structs.IntentionActionAllow,
|
||||
},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
|
||||
}
|
||||
// Create
|
||||
var reply string
|
||||
|
|
|
@ -1790,7 +1790,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
|
|||
codec := rpcClient(t, s1)
|
||||
defer codec.Close()
|
||||
|
||||
testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken(TestDefaultMasterToken))
|
||||
testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken(TestDefaultInitialManagementToken))
|
||||
|
||||
// Register terminating gateway and config entry linking it to postgres + redis
|
||||
{
|
||||
|
@ -1809,7 +1809,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
|
|||
Status: api.HealthPassing,
|
||||
ServiceID: "terminating-gateway",
|
||||
},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
|
||||
}
|
||||
var regOutput struct{}
|
||||
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Catalog.Register", &arg, ®Output))
|
||||
|
@ -1834,7 +1834,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
|
|||
Op: structs.ConfigEntryUpsert,
|
||||
Datacenter: "dc1",
|
||||
Entry: args,
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
|
||||
}
|
||||
var configOutput bool
|
||||
require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConfigEntry.Apply", &req, &configOutput))
|
||||
|
@ -1848,7 +1848,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
|
|||
Datacenter: "dc1",
|
||||
Op: structs.IntentionOpCreate,
|
||||
Intention: structs.TestIntention(t),
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
|
||||
}
|
||||
req.Intention.SourceName = "api"
|
||||
req.Intention.DestinationName = v
|
||||
|
@ -1860,7 +1860,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
|
|||
Datacenter: "dc1",
|
||||
Op: structs.IntentionOpCreate,
|
||||
Intention: structs.TestIntention(t),
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
|
||||
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
|
||||
}
|
||||
req.Intention.SourceName = v
|
||||
req.Intention.DestinationName = "api"
|
||||
|
@ -1868,7 +1868,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `
|
||||
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
|
||||
service_prefix "redis" { policy = "read" }
|
||||
service_prefix "terminating-gateway" { policy = "read" }
|
||||
`)
|
||||
|
@ -2192,7 +2192,7 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) {
|
|||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLInitialManagementToken = TestDefaultMasterToken
|
||||
c.ACLInitialManagementToken = TestDefaultInitialManagementToken
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
|
@ -2215,10 +2215,10 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) {
|
|||
// web -> redis exact intention
|
||||
|
||||
// redis and redis-proxy on node zip
|
||||
registerTestTopologyEntries(t, codec, TestDefaultMasterToken)
|
||||
registerTestTopologyEntries(t, codec, TestDefaultInitialManagementToken)
|
||||
|
||||
// Token grants read to: foo/api, foo/api-proxy, bar/web, baz/web
|
||||
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `
|
||||
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
|
||||
node_prefix "" { policy = "read" }
|
||||
service_prefix "api" { policy = "read" }
|
||||
service "web" { policy = "read" }
|
||||
|
@ -2331,7 +2331,7 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) {
|
|||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLInitialManagementToken = TestDefaultMasterToken
|
||||
c.ACLInitialManagementToken = TestDefaultInitialManagementToken
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
|
@ -2349,11 +2349,11 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) {
|
|||
// Intentions
|
||||
// * -> * (deny) intention
|
||||
// web -> api (allow)
|
||||
registerIntentionUpstreamEntries(t, codec, TestDefaultMasterToken)
|
||||
registerIntentionUpstreamEntries(t, codec, TestDefaultInitialManagementToken)
|
||||
|
||||
t.Run("valid token", func(t *testing.T) {
|
||||
// Token grants read to read api service
|
||||
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `
|
||||
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
|
||||
service_prefix "api" { policy = "read" }
|
||||
`)
|
||||
require.NoError(t, err)
|
||||
|
@ -2379,7 +2379,7 @@ service_prefix "api" { policy = "read" }
|
|||
|
||||
t.Run("invalid token filters results", func(t *testing.T) {
|
||||
// Token grants read to read an unrelated service, mongo
|
||||
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `
|
||||
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
|
||||
service_prefix "mongo" { policy = "read" }
|
||||
`)
|
||||
require.NoError(t, err)
|
||||
|
|
|
@ -196,7 +196,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
|
|||
for _, tc := range tests {
|
||||
tc := tc
|
||||
t.Run(fmt.Sprintf("%s-%d", tc.keyType, tc.keyBits), func(t *testing.T) {
|
||||
masterToken := "8a85f086-dd95-4178-b128-e10902767c5c"
|
||||
initialManagementToken := "8a85f086-dd95-4178-b128-e10902767c5c"
|
||||
|
||||
// Initialize primary as the primary DC
|
||||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||
|
@ -204,7 +204,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
|
|||
c.PrimaryDatacenter = "primary"
|
||||
c.Build = "1.6.0"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLInitialManagementToken = masterToken
|
||||
c.ACLInitialManagementToken = initialManagementToken
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
c.CAConfig.Config["PrivateKeyType"] = tc.keyType
|
||||
c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits
|
||||
|
@ -213,7 +213,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
|
|||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
||||
s1.tokens.UpdateAgentToken(masterToken, token.TokenSourceConfig)
|
||||
s1.tokens.UpdateAgentToken(initialManagementToken, token.TokenSourceConfig)
|
||||
|
||||
testrpc.WaitForLeader(t, s1.RPC, "primary")
|
||||
|
||||
|
@ -232,8 +232,8 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
|
|||
defer os.RemoveAll(dir2)
|
||||
defer s2.Shutdown()
|
||||
|
||||
s2.tokens.UpdateAgentToken(masterToken, token.TokenSourceConfig)
|
||||
s2.tokens.UpdateReplicationToken(masterToken, token.TokenSourceConfig)
|
||||
s2.tokens.UpdateAgentToken(initialManagementToken, token.TokenSourceConfig)
|
||||
s2.tokens.UpdateReplicationToken(initialManagementToken, token.TokenSourceConfig)
|
||||
|
||||
// Create the WAN link
|
||||
joinWAN(t, s2, s1)
|
||||
|
|
|
@ -1162,15 +1162,15 @@ func TestLeader_ACL_Initialization(t *testing.T) {
|
|||
t.Parallel()
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
build string
|
||||
master string
|
||||
bootstrap bool
|
||||
name string
|
||||
build string
|
||||
initialManagement string
|
||||
bootstrap bool
|
||||
}{
|
||||
{"old version, no master", "0.8.0", "", true},
|
||||
{"old version, master", "0.8.0", "root", false},
|
||||
{"new version, no master", "0.9.1", "", true},
|
||||
{"new version, master", "0.9.1", "root", false},
|
||||
{"old version, no initial management", "0.8.0", "", true},
|
||||
{"old version, initial management", "0.8.0", "root", false},
|
||||
{"new version, no initial management", "0.9.1", "", true},
|
||||
{"new version, initial management", "0.9.1", "root", false},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
|
@ -1180,17 +1180,17 @@ func TestLeader_ACL_Initialization(t *testing.T) {
|
|||
c.Datacenter = "dc1"
|
||||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLInitialManagementToken = tt.master
|
||||
c.ACLInitialManagementToken = tt.initialManagement
|
||||
}
|
||||
dir1, s1 := testServerWithConfig(t, conf)
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
testrpc.WaitForTestAgent(t, s1.RPC, "dc1")
|
||||
|
||||
if tt.master != "" {
|
||||
_, master, err := s1.fsm.State().ACLTokenGetBySecret(nil, tt.master, nil)
|
||||
if tt.initialManagement != "" {
|
||||
_, initialManagement, err := s1.fsm.State().ACLTokenGetBySecret(nil, tt.initialManagement, nil)
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, master)
|
||||
require.NotNil(t, initialManagement)
|
||||
}
|
||||
|
||||
_, anon, err := s1.fsm.State().ACLTokenGetBySecret(nil, anonymousToken, nil)
|
||||
|
|
|
@ -222,7 +222,7 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) {
|
|||
Datacenter: "dc1",
|
||||
Op: structs.PreparedQueryCreate,
|
||||
Query: &structs.PreparedQuery{
|
||||
Name: "redis-master",
|
||||
Name: "redis-primary",
|
||||
Service: structs.ServiceQuery{
|
||||
Service: "the-redis",
|
||||
},
|
||||
|
@ -503,7 +503,7 @@ func TestPreparedQuery_Apply_ForwardLeader(t *testing.T) {
|
|||
Address: "127.0.0.1",
|
||||
Service: &structs.NodeService{
|
||||
Service: "redis",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
},
|
||||
}
|
||||
|
@ -853,7 +853,7 @@ func TestPreparedQuery_Get(t *testing.T) {
|
|||
Datacenter: "dc1",
|
||||
Op: structs.PreparedQueryCreate,
|
||||
Query: &structs.PreparedQuery{
|
||||
Name: "redis-master",
|
||||
Name: "redis-primary",
|
||||
Service: structs.ServiceQuery{
|
||||
Service: "the-redis",
|
||||
},
|
||||
|
@ -1110,7 +1110,7 @@ func TestPreparedQuery_List(t *testing.T) {
|
|||
Datacenter: "dc1",
|
||||
Op: structs.PreparedQueryCreate,
|
||||
Query: &structs.PreparedQuery{
|
||||
Name: "redis-master",
|
||||
Name: "redis-primary",
|
||||
Token: "le-token",
|
||||
Service: structs.ServiceQuery{
|
||||
Service: "the-redis",
|
||||
|
@ -2348,7 +2348,7 @@ func TestPreparedQuery_Execute_ForwardLeader(t *testing.T) {
|
|||
Address: "127.0.0.1",
|
||||
Service: &structs.NodeService{
|
||||
Service: "redis",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 8000,
|
||||
},
|
||||
}
|
||||
|
|
|
@ -35,7 +35,7 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
TestDefaultMasterToken = "d9f05e83-a7ae-47ce-839e-c0d53a68c00a"
|
||||
TestDefaultInitialManagementToken = "d9f05e83-a7ae-47ce-839e-c0d53a68c00a"
|
||||
)
|
||||
|
||||
// testTLSCertificates Generates a TLS CA and server key/cert and returns them
|
||||
|
@ -70,7 +70,7 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
|
|||
func testServerACLConfig(c *Config) {
|
||||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLInitialManagementToken = TestDefaultMasterToken
|
||||
c.ACLInitialManagementToken = TestDefaultInitialManagementToken
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
}
|
||||
|
||||
|
@ -245,7 +245,7 @@ func testACLServerWithConfig(t *testing.T, cb func(*Config), initReplicationToke
|
|||
|
||||
if initReplicationToken {
|
||||
// setup some tokens here so we get less warnings in the logs
|
||||
srv.tokens.UpdateReplicationToken(TestDefaultMasterToken, token.TokenSourceConfig)
|
||||
srv.tokens.UpdateReplicationToken(TestDefaultInitialManagementToken, token.TokenSourceConfig)
|
||||
}
|
||||
|
||||
codec := rpcClient(t, srv)
|
||||
|
|
|
@ -5,8 +5,9 @@ import (
|
|||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/consul/agent/structs"
|
||||
"github.com/hashicorp/go-memdb"
|
||||
|
||||
"github.com/hashicorp/consul/agent/structs"
|
||||
)
|
||||
|
||||
func TestStateStore_PreparedQuery_isUUID(t *testing.T) {
|
||||
|
@ -663,7 +664,7 @@ func TestStateStore_PreparedQueryResolve(t *testing.T) {
|
|||
Regexp: "^prod-(.*)$",
|
||||
},
|
||||
Service: structs.ServiceQuery{
|
||||
Service: "${match(1)}-master",
|
||||
Service: "${match(1)}-primary",
|
||||
},
|
||||
}
|
||||
if err := s.PreparedQuerySet(5, tmpl2); err != nil {
|
||||
|
@ -705,7 +706,7 @@ func TestStateStore_PreparedQueryResolve(t *testing.T) {
|
|||
Regexp: "^prod-(.*)$",
|
||||
},
|
||||
Service: structs.ServiceQuery{
|
||||
Service: "redis-foobar-master",
|
||||
Service: "redis-foobar-primary",
|
||||
},
|
||||
RaftIndex: structs.RaftIndex{
|
||||
CreateIndex: 5,
|
||||
|
|
|
@ -52,7 +52,7 @@ func TestAgentAntiEntropy_Services(t *testing.T) {
|
|||
srv1 := &structs.NodeService{
|
||||
ID: "mysql",
|
||||
Service: "mysql",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 5000,
|
||||
Weights: &structs.Weights{
|
||||
Passing: 1,
|
||||
|
@ -675,7 +675,7 @@ func TestAgentAntiEntropy_Services_WithChecks(t *testing.T) {
|
|||
srv := &structs.NodeService{
|
||||
ID: "mysql",
|
||||
Service: "mysql",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 5000,
|
||||
}
|
||||
a.State.AddService(srv, "")
|
||||
|
@ -725,7 +725,7 @@ func TestAgentAntiEntropy_Services_WithChecks(t *testing.T) {
|
|||
srv := &structs.NodeService{
|
||||
ID: "redis",
|
||||
Service: "redis",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 5000,
|
||||
}
|
||||
a.State.AddService(srv, "")
|
||||
|
@ -821,7 +821,7 @@ func TestAgentAntiEntropy_Services_ACLDeny(t *testing.T) {
|
|||
srv1 := &structs.NodeService{
|
||||
ID: "mysql",
|
||||
Service: "mysql",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 5000,
|
||||
Weights: &structs.Weights{
|
||||
Passing: 1,
|
||||
|
@ -1278,7 +1278,7 @@ func TestAgentAntiEntropy_Checks_ACLDeny(t *testing.T) {
|
|||
srv1 := &structs.NodeService{
|
||||
ID: "mysql",
|
||||
Service: "mysql",
|
||||
Tags: []string{"master"},
|
||||
Tags: []string{"primary"},
|
||||
Port: 5000,
|
||||
Weights: &structs.Weights{
|
||||
Passing: 1,
|
||||
|
@ -1348,7 +1348,7 @@ func TestAgentAntiEntropy_Checks_ACLDeny(t *testing.T) {
|
|||
Node: a.Config.NodeName,
|
||||
ServiceID: "mysql",
|
||||
ServiceName: "mysql",
|
||||
ServiceTags: []string{"master"},
|
||||
ServiceTags: []string{"primary"},
|
||||
CheckID: "mysql-check",
|
||||
Name: "mysql",
|
||||
Status: api.HealthPassing,
|
||||
|
|
|
@ -1728,50 +1728,50 @@ func CreateACLAuthorizationResponses(authz acl.Authorizer, requests []ACLAuthori
|
|||
return responses, nil
|
||||
}
|
||||
|
||||
type AgentMasterTokenIdentity struct {
|
||||
type AgentRecoveryTokenIdentity struct {
|
||||
agent string
|
||||
secretID string
|
||||
}
|
||||
|
||||
func NewAgentMasterTokenIdentity(agent string, secretID string) *AgentMasterTokenIdentity {
|
||||
return &AgentMasterTokenIdentity{
|
||||
func NewAgentRecoveryTokenIdentity(agent string, secretID string) *AgentRecoveryTokenIdentity {
|
||||
return &AgentRecoveryTokenIdentity{
|
||||
agent: agent,
|
||||
secretID: secretID,
|
||||
}
|
||||
}
|
||||
|
||||
func (id *AgentMasterTokenIdentity) ID() string {
|
||||
return fmt.Sprintf("agent-master:%s", id.agent)
|
||||
func (id *AgentRecoveryTokenIdentity) ID() string {
|
||||
return fmt.Sprintf("agent-recovery:%s", id.agent)
|
||||
}
|
||||
|
||||
func (id *AgentMasterTokenIdentity) SecretToken() string {
|
||||
func (id *AgentRecoveryTokenIdentity) SecretToken() string {
|
||||
return id.secretID
|
||||
}
|
||||
|
||||
func (id *AgentMasterTokenIdentity) PolicyIDs() []string {
|
||||
func (id *AgentRecoveryTokenIdentity) PolicyIDs() []string {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (id *AgentMasterTokenIdentity) RoleIDs() []string {
|
||||
func (id *AgentRecoveryTokenIdentity) RoleIDs() []string {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (id *AgentMasterTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity {
|
||||
func (id *AgentRecoveryTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (id *AgentMasterTokenIdentity) NodeIdentityList() []*ACLNodeIdentity {
|
||||
func (id *AgentRecoveryTokenIdentity) NodeIdentityList() []*ACLNodeIdentity {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (id *AgentMasterTokenIdentity) IsExpired(asOf time.Time) bool {
|
||||
func (id *AgentRecoveryTokenIdentity) IsExpired(asOf time.Time) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
func (id *AgentMasterTokenIdentity) IsLocal() bool {
|
||||
func (id *AgentRecoveryTokenIdentity) IsLocal() bool {
|
||||
return true
|
||||
}
|
||||
|
||||
func (id *AgentMasterTokenIdentity) EnterpriseMetadata() *EnterpriseMeta {
|
||||
func (id *AgentRecoveryTokenIdentity) EnterpriseMetadata() *EnterpriseMeta {
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -455,7 +455,7 @@ func TestAPI_ACLToken_List(t *testing.T) {
|
|||
|
||||
tokens, qm, err := acl.TokenList(nil)
|
||||
require.NoError(t, err)
|
||||
// 3 + anon + master
|
||||
// 3 + anon + initial management
|
||||
require.Len(t, tokens, 5)
|
||||
require.NotEqual(t, 0, qm.LastIndex)
|
||||
require.True(t, qm.KnownLeader)
|
||||
|
@ -500,7 +500,7 @@ func TestAPI_ACLToken_List(t *testing.T) {
|
|||
require.True(t, ok)
|
||||
require.NotNil(t, token4)
|
||||
|
||||
// ensure the 5th token is the root master token
|
||||
// ensure the 5th token is the initial management token
|
||||
root, _, err := acl.TokenReadSelf(nil)
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, root)
|
||||
|
@ -516,17 +516,17 @@ func TestAPI_ACLToken_Clone(t *testing.T) {
|
|||
|
||||
acl := c.ACL()
|
||||
|
||||
master, _, err := acl.TokenReadSelf(nil)
|
||||
initialManagement, _, err := acl.TokenReadSelf(nil)
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, master)
|
||||
require.NotNil(t, initialManagement)
|
||||
|
||||
cloned, _, err := acl.TokenClone(master.AccessorID, "cloned", nil)
|
||||
cloned, _, err := acl.TokenClone(initialManagement.AccessorID, "cloned", nil)
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, cloned)
|
||||
require.NotEqual(t, master.AccessorID, cloned.AccessorID)
|
||||
require.NotEqual(t, master.SecretID, cloned.SecretID)
|
||||
require.NotEqual(t, initialManagement.AccessorID, cloned.AccessorID)
|
||||
require.NotEqual(t, initialManagement.SecretID, cloned.SecretID)
|
||||
require.Equal(t, "cloned", cloned.Description)
|
||||
require.ElementsMatch(t, master.Policies, cloned.Policies)
|
||||
require.ElementsMatch(t, initialManagement.Policies, cloned.Policies)
|
||||
|
||||
read, _, err := acl.TokenRead(cloned.AccessorID, nil)
|
||||
require.NoError(t, err)
|
||||
|
|
|
@ -16,10 +16,11 @@ import (
|
|||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/consul/sdk/testutil"
|
||||
"github.com/hashicorp/consul/sdk/testutil/retry"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/hashicorp/consul/sdk/testutil"
|
||||
"github.com/hashicorp/consul/sdk/testutil/retry"
|
||||
)
|
||||
|
||||
type configCallback func(c *Config)
|
||||
|
@ -39,7 +40,7 @@ func makeACLClient(t *testing.T) (*Client, *testutil.TestServer) {
|
|||
clientConfig.Token = "root"
|
||||
}, func(serverConfig *testutil.TestServerConfig) {
|
||||
serverConfig.PrimaryDatacenter = "dc1"
|
||||
serverConfig.ACL.Tokens.Master = "root"
|
||||
serverConfig.ACL.Tokens.InitialManagement = "root"
|
||||
serverConfig.ACL.Tokens.Agent = "root"
|
||||
serverConfig.ACL.Enabled = true
|
||||
serverConfig.ACL.DefaultPolicy = "deny"
|
||||
|
|
|
@ -826,7 +826,7 @@ func TestAPI_CatalogRegistration(t *testing.T) {
|
|||
service := &AgentService{
|
||||
ID: "redis1",
|
||||
Service: "redis",
|
||||
Tags: []string{"master", "v1"},
|
||||
Tags: []string{"primary", "v1"},
|
||||
Port: 8000,
|
||||
}
|
||||
|
||||
|
@ -1023,7 +1023,7 @@ func TestAPI_CatalogEnableTagOverride(t *testing.T) {
|
|||
service := &AgentService{
|
||||
ID: "redis1",
|
||||
Service: "redis",
|
||||
Tags: []string{"master", "v1"},
|
||||
Tags: []string{"primary", "v1"},
|
||||
Port: 8000,
|
||||
}
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@ func TestAPI_PreparedQuery(t *testing.T) {
|
|||
Service: &AgentService{
|
||||
ID: "redis1",
|
||||
Service: "redis",
|
||||
Tags: []string{"master", "v1"},
|
||||
Tags: []string{"primary", "v1"},
|
||||
Meta: map[string]string{"redis-version": "4.0"},
|
||||
Port: 8000,
|
||||
},
|
||||
|
|
|
@ -56,10 +56,10 @@ func TestFoo_bar(t *testing.T) {
|
|||
})
|
||||
|
||||
// Create a service
|
||||
srv1.AddService(t, "redis", structs.HealthPassing, []string{"master"})
|
||||
srv1.AddService(t, "redis", structs.HealthPassing, []string{"primary"})
|
||||
|
||||
// Create a service that will be accessed in target source code
|
||||
srv1.AddAccessibleService("redis", structs.HealthPassing, "127.0.0.1", 6379, []string{"master"})
|
||||
srv1.AddAccessibleService("redis", structs.HealthPassing, "127.0.0.1", 6379, []string{"primary"})
|
||||
|
||||
// Create a service check
|
||||
srv1.AddCheck(t, "service:redis", "redis", structs.HealthPassing)
|
||||
|
|
|
@ -86,7 +86,6 @@ type TestServerConfig struct {
|
|||
Addresses *TestAddressConfig `json:"addresses,omitempty"`
|
||||
Ports *TestPortConfig `json:"ports,omitempty"`
|
||||
RaftProtocol int `json:"raft_protocol,omitempty"`
|
||||
ACLMasterToken string `json:"acl_master_token,omitempty"`
|
||||
ACLDatacenter string `json:"acl_datacenter,omitempty"`
|
||||
PrimaryDatacenter string `json:"primary_datacenter,omitempty"`
|
||||
ACLDefaultPolicy string `json:"acl_default_policy,omitempty"`
|
||||
|
@ -124,11 +123,17 @@ type TestACLs struct {
|
|||
}
|
||||
|
||||
type TestTokens struct {
|
||||
Master string `json:"master,omitempty"`
|
||||
Replication string `json:"replication,omitempty"`
|
||||
AgentMaster string `json:"agent_master,omitempty"`
|
||||
Default string `json:"default,omitempty"`
|
||||
Agent string `json:"agent,omitempty"`
|
||||
|
||||
// Note: this field is marshaled as master for compatibility with
|
||||
// versions of Consul prior to 1.11.
|
||||
InitialManagement string `json:"master,omitempty"`
|
||||
|
||||
// Note: this field is marshaled as agent_master for compatibility with
|
||||
// versions of Consul prior to 1.11.
|
||||
AgentRecovery string `json:"agent_master,omitempty"`
|
||||
}
|
||||
|
||||
// ServerConfigCallback is a function interface which can be
|
||||
|
@ -375,7 +380,7 @@ func (s *TestServer) waitForAPI() error {
|
|||
time.Sleep(timer.Wait)
|
||||
|
||||
url := s.url("/v1/status/leader")
|
||||
resp, err := s.masterGet(url)
|
||||
resp, err := s.privilegedGet(url)
|
||||
if err != nil {
|
||||
failed = true
|
||||
continue
|
||||
|
@ -397,7 +402,7 @@ func (s *TestServer) WaitForLeader(t testing.TB) {
|
|||
retry.Run(t, func(r *retry.R) {
|
||||
// Query the API and check the status code.
|
||||
url := s.url("/v1/catalog/nodes")
|
||||
resp, err := s.masterGet(url)
|
||||
resp, err := s.privilegedGet(url)
|
||||
if err != nil {
|
||||
r.Fatalf("failed http get '%s': %v", url, err)
|
||||
}
|
||||
|
@ -433,7 +438,7 @@ func (s *TestServer) WaitForActiveCARoot(t testing.TB) {
|
|||
retry.Run(t, func(r *retry.R) {
|
||||
// Query the API and check the status code.
|
||||
url := s.url("/v1/agent/connect/ca/roots")
|
||||
resp, err := s.masterGet(url)
|
||||
resp, err := s.privilegedGet(url)
|
||||
if err != nil {
|
||||
r.Fatalf("failed http get '%s': %v", url, err)
|
||||
}
|
||||
|
@ -469,7 +474,7 @@ func (s *TestServer) WaitForServiceIntentions(t testing.TB) {
|
|||
// preflightCheck call in agent/consul/config_endpoint.go will fail if
|
||||
// we aren't ready yet, vs just doing no work instead.
|
||||
url := s.url("/v1/config/service-intentions/" + fakeConfigName)
|
||||
resp, err := s.masterDelete(url)
|
||||
resp, err := s.privilegedDelete(url)
|
||||
if err != nil {
|
||||
r.Fatalf("failed http get '%s': %v", url, err)
|
||||
}
|
||||
|
@ -486,7 +491,7 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) {
|
|||
retry.Run(t, func(r *retry.R) {
|
||||
// Query the API and check the status code.
|
||||
url := s.url("/v1/catalog/nodes?index=0")
|
||||
resp, err := s.masterGet(url)
|
||||
resp, err := s.privilegedGet(url)
|
||||
if err != nil {
|
||||
r.Fatalf("failed http get: %v", err)
|
||||
}
|
||||
|
@ -507,7 +512,7 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) {
|
|||
|
||||
// Ensure the serfHealth check is registered
|
||||
url = s.url(fmt.Sprintf("/v1/health/node/%s", payload[0]["Node"]))
|
||||
resp, err = s.masterGet(url)
|
||||
resp, err = s.privilegedGet(url)
|
||||
if err != nil {
|
||||
r.Fatalf("failed http get: %v", err)
|
||||
}
|
||||
|
@ -533,24 +538,24 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) {
|
|||
})
|
||||
}
|
||||
|
||||
func (s *TestServer) masterGet(url string) (*http.Response, error) {
|
||||
func (s *TestServer) privilegedGet(url string) (*http.Response, error) {
|
||||
req, err := http.NewRequest("GET", url, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if s.Config.ACL.Tokens.Master != "" {
|
||||
req.Header.Set("x-consul-token", s.Config.ACL.Tokens.Master)
|
||||
if s.Config.ACL.Tokens.InitialManagement != "" {
|
||||
req.Header.Set("x-consul-token", s.Config.ACL.Tokens.InitialManagement)
|
||||
}
|
||||
return s.HTTPClient.Do(req)
|
||||
}
|
||||
|
||||
func (s *TestServer) masterDelete(url string) (*http.Response, error) {
|
||||
func (s *TestServer) privilegedDelete(url string) (*http.Response, error) {
|
||||
req, err := http.NewRequest("DELETE", url, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if s.Config.ACL.Tokens.Master != "" {
|
||||
req.Header.Set("x-consul-token", s.Config.ACL.Tokens.Master)
|
||||
if s.Config.ACL.Tokens.InitialManagement != "" {
|
||||
req.Header.Set("x-consul-token", s.Config.ACL.Tokens.InitialManagement)
|
||||
}
|
||||
return s.HTTPClient.Do(req)
|
||||
}
|
||||
|
|
|
@ -20,7 +20,7 @@ ${
|
|||
},
|
||||
{
|
||||
"ID":"secret",
|
||||
"Name":"Master Token",
|
||||
"Name":"Initial Management Token",
|
||||
"Type":"management",
|
||||
"Rules":"",
|
||||
"CreateIndex":5,
|
||||
|
|
Loading…
Reference in New Issue