From 088ba2edaf409f8a0510dc521fbf109365417ec6 Mon Sep 17 00:00:00 2001 From: Dan Upton Date: Thu, 20 Jan 2022 12:47:50 +0000 Subject: [PATCH] [OSS] Remove remaining references to master (#11827) --- .changelog/11827.txt | 3 + agent/acl_endpoint_test.go | 16 +- agent/agent.go | 3 - agent/agent_endpoint_test.go | 139 ++-- agent/consul/acl.go | 32 +- agent/consul/acl_endpoint_test.go | 714 +++++++++--------- agent/consul/acl_test.go | 14 +- agent/consul/acl_token_exp_test.go | 8 +- agent/consul/auto_config_backend_test.go | 2 +- agent/consul/connect_ca_endpoint_test.go | 8 +- .../consul/federation_state_endpoint_test.go | 2 +- agent/consul/fsm/commands_oss_test.go | 10 +- agent/consul/intention_endpoint_test.go | 30 +- agent/consul/internal_endpoint_test.go | 26 +- agent/consul/leader_connect_test.go | 10 +- agent/consul/leader_test.go | 24 +- agent/consul/prepared_query_endpoint_test.go | 10 +- agent/consul/server_test.go | 6 +- agent/consul/state/prepared_query_test.go | 7 +- agent/local/state_test.go | 12 +- agent/structs/acl.go | 26 +- api/acl_test.go | 16 +- api/api_test.go | 7 +- api/catalog_test.go | 4 +- api/prepared_query_test.go | 2 +- sdk/testutil/README.md | 4 +- sdk/testutil/server.go | 35 +- ui/packages/consul-ui/mock-api/v1/acl/list | 2 +- 28 files changed, 600 insertions(+), 572 deletions(-) create mode 100644 .changelog/11827.txt diff --git a/.changelog/11827.txt b/.changelog/11827.txt new file mode 100644 index 000000000..dc8cc8244 --- /dev/null +++ b/.changelog/11827.txt @@ -0,0 +1,3 @@ +```release-note:breaking-change +sdk: several changes to the testutil configuration structs (removed `ACLMasterToken`, renamed `Master` to `InitialManagement`, and `AgentMaster` to `AgentRecovery`) +``` diff --git a/agent/acl_endpoint_test.go b/agent/acl_endpoint_test.go index ca5239061..84efebc19 100644 --- a/agent/acl_endpoint_test.go +++ b/agent/acl_endpoint_test.go 
@@ -849,10 +849,10 @@ func TestACL_HTTP(t *testing.T) { tokens, ok := raw.(structs.ACLTokenListStubs) require.True(t, ok) - // 3 tokens created but 1 was deleted + master token + anon token + // 3 tokens created but 1 was deleted + initial management token + anon token require.Len(t, tokens, 4) - // this loop doesn't verify anything about the master token + // this loop doesn't verify anything about the initial management token for tokenID, expected := range tokenMap { found := false for _, actual := range tokens { @@ -1880,7 +1880,7 @@ func TestACL_Authorize(t *testing.T) { var localToken structs.ACLToken require.NoError(t, a2.RPC("ACL.TokenSet", &localTokenReq, &localToken)) - t.Run("master-token", func(t *testing.T) { + t.Run("initial-management-token", func(t *testing.T) { request := []structs.ACLAuthorizationRequest{ { Resource: "acl", @@ -2016,7 +2016,7 @@ func TestACL_Authorize(t *testing.T) { resp := responses[idx] require.Equal(t, req, resp.ACLAuthorizationRequest) - require.True(t, resp.Allow, "should have allowed all access for master token") + require.True(t, resp.Allow, "should have allowed all access for initial management token") } }) } @@ -2277,7 +2277,7 @@ func TestACL_Authorize(t *testing.T) { type rpcFn func(string, interface{}, interface{}) error func upsertTestCustomizedAuthMethod( - rpc rpcFn, masterToken string, datacenter string, + rpc rpcFn, initialManagementToken string, datacenter string, modify func(method *structs.ACLAuthMethod), ) (*structs.ACLAuthMethod, error) { name, err := uuid.GenerateUUID() @@ -2291,7 +2291,7 @@ func upsertTestCustomizedAuthMethod( Name: "test-method-" + name, Type: "testing", }, - WriteRequest: structs.WriteRequest{Token: masterToken}, + WriteRequest: structs.WriteRequest{Token: initialManagementToken}, } if modify != nil { 
@@ -2308,11 +2308,11 @@ func upsertTestCustomizedAuthMethod( return &out, nil } -func upsertTestCustomizedBindingRule(rpc rpcFn, masterToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) { +func upsertTestCustomizedBindingRule(rpc rpcFn, initialManagementToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) { req := structs.ACLBindingRuleSetRequest{ Datacenter: datacenter, BindingRule: structs.ACLBindingRule{}, - WriteRequest: structs.WriteRequest{Token: masterToken}, + WriteRequest: structs.WriteRequest{Token: initialManagementToken}, } if modify != nil { diff --git a/agent/agent.go b/agent/agent.go index d4f0397bb..41bab89e7 100644 --- a/agent/agent.go +++ b/agent/agent.go @@ -209,9 +209,6 @@ type Agent struct { // depending on the configuration delegate delegate - // aclMasterAuthorizer is an object that helps manage local ACL enforcement. - aclMasterAuthorizer acl.Authorizer - // state stores a local representation of the node, // services and checks. Used for anti-entropy. State *local.State diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go index 6e5025dd2..e8c8d63fe 100644 --- a/agent/agent_endpoint_test.go +++ b/agent/agent_endpoint_test.go @@ -85,7 +85,7 @@ func TestAgent_Services(t *testing.T) { srv1 := &structs.NodeService{ ID: "mysql", Service: "mysql", - Tags: []string{"master"}, + Tags: []string{"primary"}, Meta: map[string]string{ "foo": "bar", }, @@ -120,7 +120,7 @@ func TestAgent_ServicesFiltered(t *testing.T) { srv1 := &structs.NodeService{ ID: "mysql", Service: "mysql", - Tags: []string{"master"}, + Tags: []string{"primary"}, Meta: map[string]string{ "foo": "bar", }, 
@@ -1517,7 +1517,7 @@ func TestAgent_Self_ACLDeny(t *testing.T) { require.Equal(t, http.StatusForbidden, resp.Code) }) - t.Run("agent master token", func(t *testing.T) { + t.Run("agent recovery token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/self?token=towel", nil) resp := httptest.NewRecorder() a.srv.h.ServeHTTP(resp, req) @@ -1550,7 +1550,7 @@ func TestAgent_Metrics_ACLDeny(t *testing.T) { require.Equal(t, http.StatusForbidden, resp.Code) }) - t.Run("agent master token", func(t *testing.T) { + t.Run("agent recovery token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/metrics?token=towel", nil) resp := httptest.NewRecorder() a.srv.h.ServeHTTP(resp, req) @@ -2125,7 +2125,7 @@ func TestAgent_Join_ACLDeny(t *testing.T) { require.Equal(t, http.StatusForbidden, resp.Code) }) - t.Run("agent master token", func(t *testing.T) { + t.Run("agent recovery token", func(t *testing.T) { req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/join/%s?token=towel", addr), nil) resp := httptest.NewRecorder() a1.srv.h.ServeHTTP(resp, req) @@ -2246,7 +2246,7 @@ func TestAgent_Leave_ACLDeny(t *testing.T) { // this sub-test will change the state so that there is no leader. // it must therefore be the last one in this list. - t.Run("agent master token", func(t *testing.T) { + t.Run("agent recovery token", func(t *testing.T) { req, _ := http.NewRequest("PUT", "/v1/agent/leave?token=towel", nil) resp := httptest.NewRecorder() a.srv.h.ServeHTTP(resp, req) @@ -2332,7 +2332,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) { require.Equal(t, http.StatusForbidden, resp.Code) }) - t.Run("agent master token", func(t *testing.T) { + t.Run("agent recovery token", func(t *testing.T) { req, _ := http.NewRequest("PUT", uri+"?token=towel", nil) resp := httptest.NewRecorder() a.srv.h.ServeHTTP(resp, req) 
@@ -3266,7 +3266,7 @@ func testAgent_RegisterService(t *testing.T, extraHCL string) { args := &structs.ServiceDefinition{ Name: "test", Meta: map[string]string{"hello": "world"}, - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, Check: structs.CheckType{ TTL: 15 * time.Second, @@ -3353,7 +3353,7 @@ func testAgent_RegisterService_ReRegister(t *testing.T, extraHCL string) { args := &structs.ServiceDefinition{ Name: "test", Meta: map[string]string{"hello": "world"}, - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, Checks: []*structs.CheckType{ { @@ -3378,7 +3378,7 @@ func testAgent_RegisterService_ReRegister(t *testing.T, extraHCL string) { args = &structs.ServiceDefinition{ Name: "test", Meta: map[string]string{"hello": "world"}, - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, Checks: []*structs.CheckType{ { @@ -3434,7 +3434,7 @@ func testAgent_RegisterService_ReRegister_ReplaceExistingChecks(t *testing.T, ex args := &structs.ServiceDefinition{ Name: "test", Meta: map[string]string{"hello": "world"}, - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, Checks: []*structs.CheckType{ { @@ -3460,7 +3460,7 @@ func testAgent_RegisterService_ReRegister_ReplaceExistingChecks(t *testing.T, ex args = &structs.ServiceDefinition{ Name: "test", Meta: map[string]string{"hello": "world"}, - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, Checks: []*structs.CheckType{ { @@ -3740,7 +3740,7 @@ func testAgent_RegisterService_ACLDeny(t *testing.T, extraHCL string) { args := &structs.ServiceDefinition{ Name: "test", - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, Check: structs.CheckType{ TTL: 15 * time.Second, 
@@ -4588,7 +4588,7 @@ func testAgent_RegisterService_ScriptCheck_ExecDisable(t *testing.T, extraHCL st args := &structs.ServiceDefinition{ Name: "test", Meta: map[string]string{"hello": "world"}, - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, Check: structs.CheckType{ Name: "test-check", @@ -4640,7 +4640,7 @@ func testAgent_RegisterService_ScriptCheck_ExecRemoteDisable(t *testing.T, extra args := &structs.ServiceDefinition{ Name: "test", Meta: map[string]string{"hello": "world"}, - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, Check: structs.CheckType{ Name: "test-check", @@ -5379,7 +5379,7 @@ func TestAgent_TokenTriggersFullSync(t *testing.T) { initial_management = "root" default = "" agent = "" - agent_master = "" + agent_recovery = "" replication = "" } } @@ -5427,7 +5427,7 @@ func TestAgent_Token(t *testing.T) { initial_management = "root" default = "" agent = "" - agent_master = "" + agent_recovery = "" replication = "" } } @@ -5436,20 +5436,20 @@ func TestAgent_Token(t *testing.T) { testrpc.WaitForLeader(t, a.RPC, "dc1") type tokens struct { - user string - userSource tokenStore.TokenSource - agent string - agentSource tokenStore.TokenSource - master string - masterSource tokenStore.TokenSource - repl string - replSource tokenStore.TokenSource + user string + userSource tokenStore.TokenSource + agent string + agentSource tokenStore.TokenSource + agentRecovery string + agentRecoverySource tokenStore.TokenSource + repl string + replSource tokenStore.TokenSource } resetTokens := func(init tokens) { a.tokens.UpdateUserToken(init.user, init.userSource) a.tokens.UpdateAgentToken(init.agent, init.agentSource) - a.tokens.UpdateAgentRecoveryToken(init.master, init.masterSource) + a.tokens.UpdateAgentRecoveryToken(init.agentRecovery, init.agentRecoverySource) a.tokens.UpdateReplicationToken(init.repl, init.replSource) } 
@@ -5531,8 +5531,8 @@ func TestAgent_Token(t *testing.T) { url: "acl_agent_master_token?token=root", body: body("M"), code: http.StatusOK, - raw: tokens{master: "M", masterSource: tokenStore.TokenSourceAPI}, - effective: tokens{master: "M"}, + raw: tokens{agentRecovery: "M", agentRecoverySource: tokenStore.TokenSourceAPI}, + effective: tokens{agentRecovery: "M"}, }, { name: "set master", @@ -5540,8 +5540,8 @@ func TestAgent_Token(t *testing.T) { url: "agent_master?token=root", body: body("M"), code: http.StatusOK, - raw: tokens{master: "M", masterSource: tokenStore.TokenSourceAPI}, - effective: tokens{master: "M"}, + raw: tokens{agentRecovery: "M", agentRecoverySource: tokenStore.TokenSourceAPI}, + effective: tokens{agentRecovery: "M"}, }, { name: "set recovery", @@ -5549,8 +5549,8 @@ func TestAgent_Token(t *testing.T) { url: "agent_recovery?token=root", body: body("R"), code: http.StatusOK, - raw: tokens{master: "R", masterSource: tokenStore.TokenSourceAPI}, - effective: tokens{master: "R", masterSource: tokenStore.TokenSourceAPI}, + raw: tokens{agentRecovery: "R", agentRecoverySource: tokenStore.TokenSourceAPI}, + effective: tokens{agentRecovery: "R", agentRecoverySource: tokenStore.TokenSourceAPI}, }, { name: "set repl legacy", @@ -5612,8 +5612,8 @@ func TestAgent_Token(t *testing.T) { url: "acl_agent_master_token?token=root", body: body(""), code: http.StatusOK, - init: tokens{master: "M"}, - raw: tokens{masterSource: tokenStore.TokenSourceAPI}, + init: tokens{agentRecovery: "M"}, + raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI}, }, { name: "clear master", @@ -5621,8 +5621,8 @@ func TestAgent_Token(t *testing.T) { url: "agent_master?token=root", body: body(""), code: http.StatusOK, - init: tokens{master: "M"}, - raw: tokens{masterSource: tokenStore.TokenSourceAPI}, + init: tokens{agentRecovery: "M"}, + raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI}, }, { name: "clear recovery", 
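Review bot: In the `set recovery` case the `effective` expectation also sets `agentRecoverySource: tokenStore.TokenSourceAPI`, while the sibling cases on the legacy `acl_agent_master_token` and `agent_master` URLs set only the token value. The assertions visible further down in TestAgent_Token read only the token strings from `tt.effective` and take the sources from `tt.raw`, so the extra field appears to be unchecked. For consistency I would write `effective: tokens{agentRecovery: "R"},`. Because the legacy URLs are evidently kept on purpose, a short comment on those cases, such as `// deprecated alias, still updates the agent recovery token`, would explain why "master" survives in their names and URLs. The test function starts and ends outside these hunks.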
@@ -5630,8 +5630,8 @@ func TestAgent_Token(t *testing.T) { url: "agent_recovery?token=root", body: body(""), code: http.StatusOK, - init: tokens{master: "R"}, - raw: tokens{masterSource: tokenStore.TokenSourceAPI}, + init: tokens{agentRecovery: "R"}, + raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI}, }, { name: "clear repl legacy", @@ -5667,7 +5667,7 @@ func TestAgent_Token(t *testing.T) { } require.Equal(t, tt.effective.user, a.tokens.UserToken()) require.Equal(t, tt.effective.agent, a.tokens.AgentToken()) - require.Equal(t, tt.effective.master, a.tokens.AgentRecoveryToken()) + require.Equal(t, tt.effective.agentRecovery, a.tokens.AgentRecoveryToken()) require.Equal(t, tt.effective.repl, a.tokens.ReplicationToken()) tok, src := a.tokens.UserTokenAndSource() @@ -5679,8 +5679,8 @@ func TestAgent_Token(t *testing.T) { require.Equal(t, tt.raw.agentSource, src) tok, src = a.tokens.AgentRecoveryTokenAndSource() - require.Equal(t, tt.raw.master, tok) - require.Equal(t, tt.raw.masterSource, src) + require.Equal(t, tt.raw.agentRecovery, tok) + require.Equal(t, tt.raw.agentRecoverySource, src) tok, src = a.tokens.ReplicationTokenAndSource() require.Equal(t, tt.raw.repl, tok) @@ -7031,11 +7031,18 @@ func TestAgentConnectAuthorize_defaultAllow(t *testing.T) { assert := assert.New(t) dc1 := "dc1" a := NewTestAgent(t, ` - acl_datacenter = "`+dc1+`" - acl_default_policy = "allow" - acl_master_token = "root" - acl_agent_token = "root" - acl_agent_master_token = "towel" + primary_datacenter = "`+dc1+`" + + acl { + enabled = true + default_policy = "allow" + + tokens { + initial_management = "root" + agent = "root" + agent_recovery = "towel" + } + } `) defer a.Shutdown() testrpc.WaitForTestAgent(t, a.RPC, dc1) 
@@ -7066,16 +7073,23 @@ func TestAgent_Host(t *testing.T) { dc1 := "dc1" a := NewTestAgent(t, ` - acl_datacenter = "`+dc1+`" - acl_default_policy = "allow" - acl_master_token = "master" - acl_agent_token = "agent" - acl_agent_master_token = "towel" -`) + primary_datacenter = "`+dc1+`" + + acl { + enabled = true + default_policy = "allow" + + tokens { + initial_management = "initial-management" + agent = "agent" + agent_recovery = "towel" + } + } + `) defer a.Shutdown() testrpc.WaitForLeader(t, a.RPC, "dc1") - req, _ := http.NewRequest("GET", "/v1/agent/host?token=master", nil) + req, _ := http.NewRequest("GET", "/v1/agent/host?token=initial-management", nil) resp := httptest.NewRecorder() // TODO: AgentHost should write to response so that we can test using ServeHTTP() respRaw, err := a.srv.AgentHost(resp, req) @@ -7098,12 +7112,19 @@ func TestAgent_HostBadACL(t *testing.T) { dc1 := "dc1" a := NewTestAgent(t, ` - acl_datacenter = "`+dc1+`" - acl_default_policy = "deny" - acl_master_token = "root" - acl_agent_token = "agent" - acl_agent_master_token = "towel" -`) + primary_datacenter = "`+dc1+`" + + acl { + enabled = true + default_policy = "deny" + + tokens { + initial_management = "root" + agent = "agent" + agent_recovery = "towel" + } + } + `) defer a.Shutdown() testrpc.WaitForLeader(t, a.RPC, "dc1") diff --git a/agent/consul/acl.go b/agent/consul/acl.go index d259437f7..b475bf159 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go 
@@ -263,19 +263,19 @@ type ACLResolver struct { // disabledLock synchronizes access to disabledUntil disabledLock sync.RWMutex - agentMasterAuthz acl.Authorizer + agentRecoveryAuthz acl.Authorizer } -func agentMasterAuthorizer(nodeName string, entMeta *structs.EnterpriseMeta, aclConf *acl.Config) (acl.Authorizer, error) { +func agentRecoveryAuthorizer(nodeName string, entMeta *structs.EnterpriseMeta, aclConf *acl.Config) (acl.Authorizer, error) { var conf acl.Config if aclConf != nil { conf = *aclConf } setEnterpriseConf(entMeta, &conf) - // Build a policy for the agent master token. + // Build a policy for the agent recovery token. // - // The builtin agent master policy allows reading any node information + // The builtin agent recovery policy allows reading any node information // and allows writes to the agent with the node name of the running agent // only. This used to allow a prefix match on agent names but that seems // entirely unnecessary so it is now using an exact match. 
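Review bot: The renamed field `agentRecoveryAuthz` has no comment, unlike `disabledLock` directly above it, although it determines what a holder of the agent recovery token may do. A one-line comment would help, for example `// agentRecoveryAuthz is the authorizer returned for requests presenting the agent recovery token; it is built once in NewACLResolver.` The policy it enforces is described only inside agentRecoveryAuthorizer, whose body continues outside the hunk, so the field comment could point readers there.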
@@ -323,21 +323,21 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) { return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy) } - authz, err := agentMasterAuthorizer(config.Config.NodeName, &config.Config.EnterpriseMeta, config.ACLConfig) + authz, err := agentRecoveryAuthorizer(config.Config.NodeName, &config.Config.EnterpriseMeta, config.ACLConfig) if err != nil { - return nil, fmt.Errorf("failed to initialize the agent master authorizer") + return nil, fmt.Errorf("failed to initialize the agent recovery authorizer") } return &ACLResolver{ - config: config.Config, - logger: config.Logger.Named(logging.ACL), - delegate: config.Delegate, - aclConf: config.ACLConfig, - cache: cache, - disableDuration: config.DisableDuration, - down: down, - tokens: config.Tokens, - agentMasterAuthz: authz, + config: config.Config, + logger: config.Logger.Named(logging.ACL), + delegate: config.Delegate, + aclConf: config.ACLConfig, + cache: cache, + disableDuration: config.DisableDuration, + down: down, + tokens: config.Tokens, + agentRecoveryAuthz: authz, }, nil } @@ -1049,7 +1049,7 @@ func (r *ACLResolver) resolveLocallyManagedToken(token string) (structs.ACLIdent } if r.tokens.IsAgentRecoveryToken(token) { - return structs.NewAgentMasterTokenIdentity(r.config.NodeName, token), r.agentMasterAuthz, true + return structs.NewAgentRecoveryTokenIdentity(r.config.NodeName, token), r.agentRecoveryAuthz, true } return r.resolveLocallyManagedEnterpriseToken(token) diff --git a/agent/consul/acl_endpoint_test.go b/agent/consul/acl_endpoint_test.go index ddf00ba11..c96fec4e4 100644 --- a/agent/consul/acl_endpoint_test.go +++ b/agent/consul/acl_endpoint_test.go 
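Review bot: The reworded error in NewACLResolver still discards the cause, because `fmt.Errorf("failed to initialize the agent recovery authorizer")` never includes `err`. An operator therefore cannot tell from the message why the built-in recovery policy failed to build. Wrapping keeps both the message and the cause: `return nil, fmt.Errorf("failed to initialize the agent recovery authorizer: %w", err)`. NewACLResolver begins outside the hunk.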
@@ -116,14 +116,14 @@ func TestACLEndpoint_TokenRead(t *testing.T) { acl := ACL{srv: srv} t.Run("exists and matches what we created", func(t *testing.T) { - token, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", nil) + token, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", nil) require.NoError(t, err) req := structs.ACLTokenGetRequest{ Datacenter: "dc1", TokenID: token.AccessorID, TokenIDType: structs.ACLTokenAccessor, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLTokenResponse{} @@ -136,7 +136,7 @@ func TestACLEndpoint_TokenRead(t *testing.T) { t.Run("expired tokens are filtered", func(t *testing.T) { // insert a token that will expire - token, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", func(t *structs.ACLToken) { + token, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", func(t *structs.ACLToken) { t.ExpirationTTL = 200 * time.Millisecond }) require.NoError(t, err) @@ -146,7 +146,7 @@ func TestACLEndpoint_TokenRead(t *testing.T) { Datacenter: "dc1", TokenID: token.AccessorID, TokenIDType: structs.ACLTokenAccessor, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLTokenResponse{} @@ -160,7 +160,7 @@ func TestACLEndpoint_TokenRead(t *testing.T) { Datacenter: "dc1", TokenID: token.AccessorID, TokenIDType: structs.ACLTokenAccessor, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLTokenResponse{} 
@@ -180,7 +180,7 @@ func TestACLEndpoint_TokenRead(t *testing.T) { Datacenter: "dc1", TokenID: fakeID, TokenIDType: structs.ACLTokenAccessor, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLTokenResponse{} @@ -195,7 +195,7 @@ func TestACLEndpoint_TokenRead(t *testing.T) { Datacenter: "dc1", TokenID: "definitely-really-certainly-not-a-uuid", TokenIDType: structs.ACLTokenAccessor, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLTokenResponse{} @@ -219,13 +219,13 @@ func TestACLEndpoint_TokenClone(t *testing.T) { }, false) waitForLeaderEstablishment(t, srv) - p1, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1") + p1, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - r1, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1") + r1, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - t1, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", func(t *structs.ACLToken) { + t1, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", func(t *structs.ACLToken) { t.Policies = []structs.ACLTokenPolicyLink{ {ID: p1.ID}, } @@ -247,7 +247,7 @@ func TestACLEndpoint_TokenClone(t *testing.T) { req := structs.ACLTokenSetRequest{ Datacenter: "dc1", ACLToken: structs.ACLToken{AccessorID: t1.AccessorID}, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } t2 := structs.ACLToken{} 
@@ -268,7 +268,7 @@ func TestACLEndpoint_TokenClone(t *testing.T) { t.Run("can't clone expired token", func(t *testing.T) { // insert a token that will expire - t1, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", func(t *structs.ACLToken) { + t1, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", func(t *structs.ACLToken) { t.ExpirationTTL = 11 * time.Millisecond }) require.NoError(t, err) @@ -278,7 +278,7 @@ func TestACLEndpoint_TokenClone(t *testing.T) { req := structs.ACLTokenSetRequest{ Datacenter: "dc1", ACLToken: structs.ACLToken{AccessorID: t1.AccessorID}, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } t2 := structs.ACLToken{} @@ -320,7 +320,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { }, }, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -329,7 +329,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { require.NoError(t, err) // Get the token directly to validate that it exists - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", resp.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) require.NoError(t, err) token := tokenResp.Token @@ -351,7 +351,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { Description: "new-description", AccessorID: tokenID, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} 
@@ -360,7 +360,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { require.NoError(t, err) // Get the token directly to validate that it exists - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", resp.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) require.NoError(t, err) token := tokenResp.Token @@ -372,9 +372,9 @@ func TestACLEndpoint_TokenSet(t *testing.T) { }) t.Run("Create it using Policies linked by id and name", func(t *testing.T) { - policy1, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1") + policy1, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - policy2, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1") + policy2, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) req := structs.ACLTokenSetRequest{ @@ -391,7 +391,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { }, Local: false, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} 
@@ -401,11 +401,11 @@ func TestACLEndpoint_TokenSet(t *testing.T) { // Delete both policies to ensure that we skip resolving ID->Name // in the returned data. - require.NoError(t, deleteTestPolicy(codec, TestDefaultMasterToken, "dc1", policy1.ID)) - require.NoError(t, deleteTestPolicy(codec, TestDefaultMasterToken, "dc1", policy2.ID)) + require.NoError(t, deleteTestPolicy(codec, TestDefaultInitialManagementToken, "dc1", policy1.ID)) + require.NoError(t, deleteTestPolicy(codec, TestDefaultInitialManagementToken, "dc1", policy2.ID)) // Get the token directly to validate that it exists - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", resp.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) require.NoError(t, err) token := tokenResp.Token @@ -418,9 +418,9 @@ func TestACLEndpoint_TokenSet(t *testing.T) { }) t.Run("Create it using Roles linked by id and name", func(t *testing.T) { - role1, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1") + role1, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - role2, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1") + role2, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) req := structs.ACLTokenSetRequest{ @@ -437,7 +437,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { }, Local: false, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} 
@@ -447,11 +447,11 @@ func TestACLEndpoint_TokenSet(t *testing.T) { // Delete both roles to ensure that we skip resolving ID->Name // in the returned data. - require.NoError(t, deleteTestRole(codec, TestDefaultMasterToken, "dc1", role1.ID)) - require.NoError(t, deleteTestRole(codec, TestDefaultMasterToken, "dc1", role2.ID)) + require.NoError(t, deleteTestRole(codec, TestDefaultInitialManagementToken, "dc1", role1.ID)) + require.NoError(t, deleteTestRole(codec, TestDefaultInitialManagementToken, "dc1", role2.ID)) // Get the token directly to validate that it exists - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", resp.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) require.NoError(t, err) token := tokenResp.Token @@ -470,7 +470,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { Description: "foobar", AuthMethod: "fakemethod", }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -486,10 +486,10 @@ func TestACLEndpoint_TokenSet(t *testing.T) { defer testauth.ResetSession(testSessionID) testauth.InstallSessionToken(testSessionID, "fake-token", "default", "demo", "abc123") - method1, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", testSessionID) + method1, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", testSessionID) require.NoError(t, err) - _, err = upsertTestBindingRule(codec, TestDefaultMasterToken, "dc1", method1.Name, "", structs.BindingRuleBindTypeService, "demo") + _, err = upsertTestBindingRule(codec, TestDefaultInitialManagementToken, "dc1", method1.Name, "", structs.BindingRuleBindTypeService, "demo") require.NoError(t, err) // create a token in one method 
@@ -502,7 +502,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { Datacenter: "dc1", }, &methodToken)) - method2, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", "") + method2, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", "") require.NoError(t, err) // try to update the token and change the method @@ -515,7 +515,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { Description: "updated token", Local: true, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -531,10 +531,10 @@ func TestACLEndpoint_TokenSet(t *testing.T) { defer testauth.ResetSession(testSessionID) testauth.InstallSessionToken(testSessionID, "fake-token", "default", "demo", "abc123") - method, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", testSessionID) + method, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", testSessionID) require.NoError(t, err) - _, err = upsertTestBindingRule(codec, TestDefaultMasterToken, "dc1", method.Name, "", structs.BindingRuleBindTypeService, "demo") + _, err = upsertTestBindingRule(codec, TestDefaultInitialManagementToken, "dc1", method.Name, "", structs.BindingRuleBindTypeService, "demo") require.NoError(t, err) methodToken := structs.ACLToken{} @@ -555,7 +555,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { Description: "updated token", Local: true, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} 
@@ -563,7 +563,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { require.NoError(t, acl.TokenSet(&req, &resp)) // Get the token directly to validate that it exists - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", resp.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) require.NoError(t, err) token := tokenResp.Token @@ -586,7 +586,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { {ServiceName: ""}, }, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -607,7 +607,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { {ServiceName: long}, }, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -653,7 +653,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { {ServiceName: test.name}, }, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -663,7 +663,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { require.NoError(t, err) // Get the token directly to validate that it exists - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", resp.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) require.NoError(t, err) token := tokenResp.Token require.NotNil(t, token) @@ -686,7 +686,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { {ServiceName: "example"}, }, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} 
@@ -695,7 +695,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { require.NoError(t, err) // Get the token directly to validate that it exists - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", resp.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) require.NoError(t, err) token := tokenResp.Token require.NotNil(t, token) @@ -720,7 +720,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { }, }, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -729,7 +729,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { require.NoError(t, err) // Get the token directly to validate that it exists - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", resp.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) require.NoError(t, err) token := tokenResp.Token require.NotNil(t, token) @@ -750,7 +750,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { {ServiceName: "foo", Datacenters: []string{"dc2"}}, }, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -778,7 +778,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { Local: false, ExpirationTime: timePointer(time.Now().Add(test.offset)), }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -800,7 +800,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { Local: false, ExpirationTTL: test.offset, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} 
@@ -824,7 +824,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { ExpirationTime: timePointer(time.Now().Add(4 * time.Second)), ExpirationTTL: 4 * time.Second, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -842,7 +842,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { Local: false, ExpirationTTL: 4 * time.Second, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -851,7 +851,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { require.NoError(t, err) // Get the token directly to validate that it exists - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", resp.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) require.NoError(t, err) token := tokenResp.Token @@ -877,7 +877,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { Local: false, ExpirationTime: &expTime, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -886,7 +886,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { require.NoError(t, err) // Get the token directly to validate that it exists - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", resp.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) require.NoError(t, err) token := tokenResp.Token 
@@ -909,7 +909,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { AccessorID: tokenID, ExpirationTime: timePointer(expTime.Add(-1 * time.Second)), }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -927,7 +927,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { Description: "new-description-1", AccessorID: tokenID, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -936,7 +936,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { require.NoError(t, err) // Get the token directly to validate that it exists - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", resp.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) require.NoError(t, err) token := tokenResp.Token @@ -955,7 +955,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { AccessorID: tokenID, ExpirationTime: &expTime, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -964,7 +964,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { require.NoError(t, err) // Get the token directly to validate that it exists - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", resp.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) require.NoError(t, err) token := tokenResp.Token 
@@ -977,7 +977,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { t.Run("cannot update a token that is past its expiration time", func(t *testing.T) { // create a token that will expire - expiringToken, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", func(token *structs.ACLToken) { + expiringToken, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", func(token *structs.ACLToken) { token.ExpirationTTL = 11 * time.Millisecond }) require.NoError(t, err) @@ -991,7 +991,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { AccessorID: expiringToken.AccessorID, ExpirationTTL: 4 * time.Second, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -1010,7 +1010,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { }, }, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -1030,7 +1030,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { }, }, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -1048,7 +1048,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { }, }, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -1081,7 +1081,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { Policies: nil, Local: false, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} 
@@ -1102,7 +1102,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { Local: false, }, Create: true, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -1111,7 +1111,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { require.NoError(t, err) // Get the token directly to validate that it exists - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", resp.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) require.NoError(t, err) token := tokenResp.Token @@ -1132,7 +1132,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { Local: false, }, Create: true, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -1152,7 +1152,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { Local: false, }, Create: true, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -1172,7 +1172,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { Local: false, }, Create: true, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -1192,7 +1192,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { Local: false, }, Create: true, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} 
@@ -1212,7 +1212,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { Local: false, }, Create: true, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -1232,7 +1232,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { Local: false, }, Create: true, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -1252,7 +1252,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { Policies: nil, Local: false, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -1273,7 +1273,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { Local: false, }, Create: true, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -1293,7 +1293,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { Policies: nil, Local: false, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} @@ -1314,7 +1314,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { Local: false, }, Create: true, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLToken{} 
@@ -1334,7 +1334,7 @@ func TestACLEndpoint_TokenSet_anon(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - policy, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1") + policy, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) acl := ACL{srv: srv} @@ -1350,14 +1350,14 @@ func TestACLEndpoint_TokenSet_anon(t *testing.T) { }, }, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } token := structs.ACLToken{} err = acl.TokenSet(&tokenUpsertReq, &token) require.NoError(t, err) require.NotEmpty(t, token.SecretID) - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", structs.ACLTokenAnonymousID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", structs.ACLTokenAnonymousID) require.NoError(t, err) require.Equal(t, len(tokenResp.Token.Policies), 1) require.Equal(t, tokenResp.Token.Policies[0].ID, policy.ID) 
@@ -1396,18 +1396,18 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { acl := ACL{srv: s1} acl2 := ACL{srv: s2} - existingToken, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", nil) + existingToken, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", nil) require.NoError(t, err) t.Run("deletes a token that has an expiration time in the future", func(t *testing.T) { // create a token that will expire - testToken, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", func(token *structs.ACLToken) { + testToken, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", func(token *structs.ACLToken) { token.ExpirationTTL = 4 * time.Second }) require.NoError(t, err) // Make sure the token is listable - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", testToken.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", testToken.AccessorID) require.NoError(t, err) require.NotNil(t, tokenResp.Token) @@ -1415,7 +1415,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { req := structs.ACLTokenDeleteRequest{ Datacenter: "dc1", TokenID: testToken.AccessorID, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var resp string 
@@ -1424,14 +1424,14 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { require.NoError(t, err) // Make sure the token is gone - tokenResp, err = retrieveTestToken(codec, TestDefaultMasterToken, "dc1", testToken.AccessorID) + tokenResp, err = retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", testToken.AccessorID) require.NoError(t, err) require.Nil(t, tokenResp.Token) }) t.Run("deletes a token that is past its expiration time", func(t *testing.T) { // create a token that will expire - expiringToken, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", func(token *structs.ACLToken) { + expiringToken, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", func(token *structs.ACLToken) { token.ExpirationTTL = 11 * time.Millisecond }) require.NoError(t, err) @@ -1439,7 +1439,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { time.Sleep(20 * time.Millisecond) // now 'expiringToken' is expired // Make sure the token is not listable (filtered due to expiry) - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", expiringToken.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", expiringToken.AccessorID) require.NoError(t, err) require.Nil(t, tokenResp.Token) @@ -1447,7 +1447,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { req := structs.ACLTokenDeleteRequest{ Datacenter: "dc1", TokenID: expiringToken.AccessorID, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var resp string 
@@ -1456,7 +1456,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { require.NoError(t, err) // Make sure the token is still gone (this time it's actually gone) - tokenResp, err = retrieveTestToken(codec, TestDefaultMasterToken, "dc1", expiringToken.AccessorID) + tokenResp, err = retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", expiringToken.AccessorID) require.NoError(t, err) require.Nil(t, tokenResp.Token) }) @@ -1465,7 +1465,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { req := structs.ACLTokenDeleteRequest{ Datacenter: "dc1", TokenID: existingToken.AccessorID, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var resp string @@ -1474,7 +1474,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { require.NoError(t, err) // Make sure the token is gone - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", existingToken.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", existingToken.AccessorID) require.Nil(t, tokenResp.Token) require.NoError(t, err) }) @@ -1482,9 +1482,9 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { t.Run("can't delete itself", func(t *testing.T) { readReq := structs.ACLTokenGetRequest{ Datacenter: "dc1", - TokenID: TestDefaultMasterToken, + TokenID: TestDefaultInitialManagementToken, TokenIDType: structs.ACLTokenSecret, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } var out structs.ACLTokenResponse @@ -1496,7 +1496,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { req := structs.ACLTokenDeleteRequest{ Datacenter: "dc1", TokenID: out.Token.AccessorID, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var resp string 
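Review bot: In the hunk at line 1474 of TestACLEndpoint_TokenDelete, `require.Nil(t, tokenResp.Token)` runs before `require.NoError(t, err)`. If retrieveTestToken returns a nil response together with an error (its definition is not visible here), the field access would panic instead of reporting the error. Checking the error first matches the other lookups in this test: `require.NoError(t, err)` followed by `require.Nil(t, tokenResp.Token)`. The same ordering appears in the hunks at 1520 and 1541, and the enclosing subtests start outside these hunks.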
@@ -1511,7 +1511,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { req := structs.ACLTokenDeleteRequest{ Datacenter: "dc1", TokenID: fakeID, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var resp string @@ -1520,7 +1520,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { require.NoError(t, err) // token should be nil - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", existingToken.AccessorID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", existingToken.AccessorID) require.Nil(t, tokenResp.Token) require.NoError(t, err) }) @@ -1532,7 +1532,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { req := structs.ACLTokenDeleteRequest{ Datacenter: "dc2", TokenID: fakeID, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var resp string @@ -1541,7 +1541,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { require.NoError(t, err) // token should be nil - tokenResp, err := retrieveTestToken(codec2, TestDefaultMasterToken, "dc1", existingToken.AccessorID) + tokenResp, err := retrieveTestToken(codec2, TestDefaultInitialManagementToken, "dc1", existingToken.AccessorID) require.Nil(t, tokenResp.Token) require.NoError(t, err) }) @@ -1562,7 +1562,7 @@ func TestACLEndpoint_TokenDelete_anon(t *testing.T) { req := structs.ACLTokenDeleteRequest{ Datacenter: "dc1", TokenID: structs.ACLTokenAnonymousID, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var resp string 
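Review bot: The lookup in the hunk at 1520 queries `existingToken.AccessorID`, while the delete request in the hunk at 1511 sends `TokenID: fakeID`, so the `require.Nil` check does not appear to depend on the request under test. The hunk at 1474 already deletes that token and confirms it is gone. If the intent is to confirm the unknown ID stays absent, look up the ID that was sent: `retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", fakeID)`. The hunk at 1541 repeats the pattern for the `dc2` request, reading from `"dc1"` through `codec2`. The subtests begin outside these hunks, so this assumes 1511/1520 and 1532/1541 each belong to one subtest.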
@@ -1571,7 +1571,7 @@ func TestACLEndpoint_TokenDelete_anon(t *testing.T) { require.EqualError(t, err, "Delete operation not permitted on the anonymous token") // Make sure the token is still there - tokenResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", structs.ACLTokenAnonymousID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", structs.ACLTokenAnonymousID) require.NoError(t, err) require.NotNil(t, tokenResp.Token) } @@ -1591,13 +1591,13 @@ func TestACLEndpoint_TokenList(t *testing.T) { acl := ACL{srv: srv} - t1, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", nil) + t1, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", nil) require.NoError(t, err) - t2, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", nil) + t2, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", nil) require.NoError(t, err) - masterTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, TestDefaultMasterToken, "dc1", TestDefaultMasterToken) + initialManagementTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, TestDefaultInitialManagementToken, "dc1", TestDefaultInitialManagementToken) require.NoError(t, err) t.Run("normal", func(t *testing.T) { 
@@ -1605,14 +1605,14 @@ func TestACLEndpoint_TokenList(t *testing.T) { // however previously inserting it outside of the subtest func resulted in this being // extra flakey due to there being more code that needed to run to setup the subtest // between when we inserted the token and when we performed the listing. - t3, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", func(token *structs.ACLToken) { + t3, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", func(token *structs.ACLToken) { token.ExpirationTTL = 50 * time.Millisecond }) require.NoError(t, err) req := structs.ACLTokenListRequest{ Datacenter: "dc1", - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLTokenListResponse{} @@ -1621,7 +1621,7 @@ func TestACLEndpoint_TokenList(t *testing.T) { require.NoError(t, err) tokens := []string{ - masterTokenAccessorID, + initialManagementTokenAccessorID, structs.ACLTokenAnonymousID, t1.AccessorID, t2.AccessorID, @@ -1635,7 +1635,7 @@ func TestACLEndpoint_TokenList(t *testing.T) { t.Run("filter expired", func(t *testing.T) { req := structs.ACLTokenListRequest{ Datacenter: "dc1", - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLTokenListResponse{} @@ -1644,7 +1644,7 @@ func TestACLEndpoint_TokenList(t *testing.T) { require.NoError(t, err) tokens := []string{ - masterTokenAccessorID, + initialManagementTokenAccessorID, structs.ACLTokenAnonymousID, t1.AccessorID, t2.AccessorID, 
@@ -1656,7 +1656,7 @@ func TestACLEndpoint_TokenList(t *testing.T) { rules := ` acl = "read" ` - readOnlyToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", rules) + readOnlyToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", rules) require.NoError(t, err) req := structs.ACLTokenListRequest{ @@ -1670,7 +1670,7 @@ func TestACLEndpoint_TokenList(t *testing.T) { require.NoError(t, err) tokens := []string{ - masterTokenAccessorID, + initialManagementTokenAccessorID, structs.ACLTokenAnonymousID, readOnlyToken.AccessorID, t1.AccessorID, @@ -1698,13 +1698,13 @@ func TestACLEndpoint_TokenBatchRead(t *testing.T) { acl := ACL{srv: srv} - t1, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", nil) + t1, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", nil) require.NoError(t, err) - t2, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", nil) + t2, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", nil) require.NoError(t, err) - t3, err := upsertTestToken(codec, TestDefaultMasterToken, "dc1", func(token *structs.ACLToken) { + t3, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", func(token *structs.ACLToken) { token.ExpirationTTL = 4 * time.Second }) require.NoError(t, err) @@ -1715,7 +1715,7 @@ func TestACLEndpoint_TokenBatchRead(t *testing.T) { req := structs.ACLTokenBatchGetRequest{ Datacenter: "dc1", AccessorIDs: tokens, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLTokenBatchResponse{} 
@@ -1733,7 +1733,7 @@ func TestACLEndpoint_TokenBatchRead(t *testing.T) { req := structs.ACLTokenBatchGetRequest{ Datacenter: "dc1", AccessorIDs: tokens, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLTokenBatchResponse{} @@ -1753,7 +1753,7 @@ func TestACLEndpoint_PolicyRead(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - policy, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1") + policy, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) acl := ACL{srv: srv} @@ -1761,7 +1761,7 @@ func TestACLEndpoint_PolicyRead(t *testing.T) { req := structs.ACLPolicyGetRequest{ Datacenter: "dc1", PolicyID: policy.ID, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLPolicyResponse{} @@ -1780,7 +1780,7 @@ func TestACLEndpoint_PolicyReadByName(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - policy, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1") + policy, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) acl := ACL{srv: srv} @@ -1788,7 +1788,7 @@ func TestACLEndpoint_PolicyReadByName(t *testing.T) { req := structs.ACLPolicyGetRequest{ Datacenter: "dc1", PolicyName: policy.Name, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLPolicyResponse{} 
@@ -1808,10 +1808,10 @@ func TestACLEndpoint_PolicyBatchRead(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - p1, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1") + p1, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - p2, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1") + p2, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) acl := ACL{srv: srv} @@ -1820,7 +1820,7 @@ func TestACLEndpoint_PolicyBatchRead(t *testing.T) { req := structs.ACLPolicyBatchGetRequest{ Datacenter: "dc1", PolicyIDs: policies, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLPolicyBatchResponse{} @@ -1851,7 +1851,7 @@ func TestACLEndpoint_PolicySet(t *testing.T) { Name: "baz", Rules: "service \"\" { policy = \"read\" }", }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLPolicy{} @@ -1860,7 +1860,7 @@ func TestACLEndpoint_PolicySet(t *testing.T) { require.NotNil(t, resp.ID) // Get the policy directly to validate that it exists - policyResp, err := retrieveTestPolicy(codec, TestDefaultMasterToken, "dc1", resp.ID) + policyResp, err := retrieveTestPolicy(codec, TestDefaultInitialManagementToken, "dc1", resp.ID) require.NoError(t, err) policy := policyResp.Policy @@ -1880,7 +1880,7 @@ func TestACLEndpoint_PolicySet(t *testing.T) { Name: "baz", Rules: "service \"\" { policy = \"read\" }", }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLPolicy{} 
@@ -1897,7 +1897,7 @@ func TestACLEndpoint_PolicySet(t *testing.T) { Name: "bar", Rules: "service \"\" { policy = \"write\" }", }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLPolicy{} @@ -1906,7 +1906,7 @@ func TestACLEndpoint_PolicySet(t *testing.T) { require.NotNil(t, resp.ID) // Get the policy directly to validate that it exists - policyResp, err := retrieveTestPolicy(codec, TestDefaultMasterToken, "dc1", resp.ID) + policyResp, err := retrieveTestPolicy(codec, TestDefaultInitialManagementToken, "dc1", resp.ID) require.NoError(t, err) policy := policyResp.Policy @@ -1938,7 +1938,7 @@ func TestACLEndpoint_PolicySet_CustomID(t *testing.T) { Name: "baz", Rules: "service \"\" { policy = \"read\" }", }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLPolicy{} @@ -1967,7 +1967,7 @@ func TestACLEndpoint_PolicySet_globalManagement(t *testing.T) { Name: "foobar", // This is required to get past validation Rules: "service \"\" { policy = \"write\" }", }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLPolicy{} @@ -1984,7 +1984,7 @@ func TestACLEndpoint_PolicySet_globalManagement(t *testing.T) { Name: "foobar", Rules: structs.ACLPolicyGlobalManagement, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLPolicy{} 
@@ -1992,7 +1992,7 @@ func TestACLEndpoint_PolicySet_globalManagement(t *testing.T) { require.NoError(t, err) // Get the policy again - policyResp, err := retrieveTestPolicy(codec, TestDefaultMasterToken, "dc1", structs.ACLPolicyGlobalManagementID) + policyResp, err := retrieveTestPolicy(codec, TestDefaultInitialManagementToken, "dc1", structs.ACLPolicyGlobalManagementID) require.NoError(t, err) policy := policyResp.Policy @@ -2012,7 +2012,7 @@ func TestACLEndpoint_PolicyDelete(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - existingPolicy, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1") + existingPolicy, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) acl := ACL{srv: srv} @@ -2020,7 +2020,7 @@ func TestACLEndpoint_PolicyDelete(t *testing.T) { req := structs.ACLPolicyDeleteRequest{ Datacenter: "dc1", PolicyID: existingPolicy.ID, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var resp string @@ -2029,7 +2029,7 @@ func TestACLEndpoint_PolicyDelete(t *testing.T) { require.NoError(t, err) // Make sure the policy is gone - tokenResp, err := retrieveTestPolicy(codec, TestDefaultMasterToken, "dc1", existingPolicy.ID) + tokenResp, err := retrieveTestPolicy(codec, TestDefaultInitialManagementToken, "dc1", existingPolicy.ID) require.NoError(t, err) require.Nil(t, tokenResp.Policy) } @@ -2048,7 +2048,7 @@ func TestACLEndpoint_PolicyDelete_globalManagement(t *testing.T) { req := structs.ACLPolicyDeleteRequest{ Datacenter: "dc1", PolicyID: structs.ACLPolicyGlobalManagementID, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var resp string 
@@ -2067,17 +2067,17 @@ func TestACLEndpoint_PolicyList(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - p1, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1") + p1, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - p2, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1") + p2, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) acl := ACL{srv: srv} req := structs.ACLPolicyListRequest{ Datacenter: "dc1", - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLPolicyListResponse{} @@ -2103,10 +2103,10 @@ func TestACLEndpoint_PolicyResolve(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - p1, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1") + p1, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - p2, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1") + p2, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) acl := ACL{srv: srv} @@ -2126,7 +2126,7 @@ func TestACLEndpoint_PolicyResolve(t *testing.T) { }, }, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } token := structs.ACLToken{} err = acl.TokenSet(&tokenUpsertReq, &token) @@ -2153,7 +2153,7 @@ func TestACLEndpoint_RoleRead(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - role, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1") + role, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) acl := ACL{srv: srv} 
@@ -2161,7 +2161,7 @@ func TestACLEndpoint_RoleRead(t *testing.T) {
 req := structs.ACLRoleGetRequest{ Datacenter: "dc1", RoleID: role.ID,
- QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken},
+ QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRoleResponse{}
@@ -2181,10 +2181,10 @@ func TestACLEndpoint_RoleBatchRead(t *testing.T) {
 _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv)
- r1, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1")
+ r1, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1")
 require.NoError(t, err)
- r2, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1")
+ r2, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1")
 require.NoError(t, err) acl := ACL{srv: srv}
@@ -2193,7 +2193,7 @@ func TestACLEndpoint_RoleBatchRead(t *testing.T) {
 req := structs.ACLRoleBatchGetRequest{ Datacenter: "dc1", RoleIDs: roles,
- QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken},
+ QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRoleBatchResponse{}
@@ -2216,9 +2216,9 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 acl := ACL{srv: srv} var roleID string
- testPolicy1, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1")
+ testPolicy1, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1")
 require.NoError(t, err)
- testPolicy2, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1")
+ testPolicy2, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1")
 require.NoError(t, err) t.Run("Create it", func(t *testing.T) {
@@ -2239,7 +2239,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 }, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRole{}
@@ -2248,7 +2248,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 require.NotNil(t, resp.ID) // Get the role directly to validate that it exists
- roleResp, err := retrieveTestRole(codec, TestDefaultMasterToken, "dc1", resp.ID)
+ roleResp, err := retrieveTestRole(codec, TestDefaultInitialManagementToken, "dc1", resp.ID)
 require.NoError(t, err) role := roleResp.Role
@@ -2277,7 +2277,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 }, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRole{}
@@ -2286,7 +2286,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 require.NotNil(t, resp.ID) // Get the role directly to validate that it exists
- roleResp, err := retrieveTestRole(codec, TestDefaultMasterToken, "dc1", resp.ID)
+ roleResp, err := retrieveTestRole(codec, TestDefaultInitialManagementToken, "dc1", resp.ID)
 require.NoError(t, err) role := roleResp.Role
@@ -2299,9 +2299,9 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 }) t.Run("Create it using Policies linked by id and name", func(t *testing.T) {
- policy1, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1")
+ policy1, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1")
 require.NoError(t, err)
- policy2, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1")
+ policy2, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1")
 require.NoError(t, err) req := structs.ACLRoleSetRequest{
@@ -2318,7 +2318,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 }, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRole{}
@@ -2328,11 +2328,11 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 // Delete both policies to ensure that we skip resolving ID->Name // in the returned data.
- require.NoError(t, deleteTestPolicy(codec, TestDefaultMasterToken, "dc1", policy1.ID))
- require.NoError(t, deleteTestPolicy(codec, TestDefaultMasterToken, "dc1", policy2.ID))
+ require.NoError(t, deleteTestPolicy(codec, TestDefaultInitialManagementToken, "dc1", policy1.ID))
+ require.NoError(t, deleteTestPolicy(codec, TestDefaultInitialManagementToken, "dc1", policy2.ID))
 // Get the role directly to validate that it exists
- roleResp, err := retrieveTestRole(codec, TestDefaultMasterToken, "dc1", resp.ID)
+ roleResp, err := retrieveTestRole(codec, TestDefaultInitialManagementToken, "dc1", resp.ID)
 require.NoError(t, err) role := roleResp.Role
@@ -2360,7 +2360,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 {ServiceName: ""}, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRole{}
@@ -2379,7 +2379,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 {ServiceName: long}, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRole{}
@@ -2423,7 +2423,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 {ServiceName: test.name}, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRole{}
@@ -2433,7 +2433,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 require.NoError(t, err) // Get the token directly to validate that it exists
- roleResp, err := retrieveTestRole(codec, TestDefaultMasterToken, "dc1", resp.ID)
+ roleResp, err := retrieveTestRole(codec, TestDefaultInitialManagementToken, "dc1", resp.ID)
 require.NoError(t, err) role := roleResp.Role require.ElementsMatch(t, req.Role.ServiceIdentities, role.ServiceIdentities)
@@ -2454,7 +2454,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 {ServiceName: "example"}, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRole{}
@@ -2463,7 +2463,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 require.NoError(t, err) // Get the role directly to validate that it exists
- roleResp, err := retrieveTestRole(codec, TestDefaultMasterToken, "dc1", resp.ID)
+ roleResp, err := retrieveTestRole(codec, TestDefaultInitialManagementToken, "dc1", resp.ID)
 require.NoError(t, err) role := roleResp.Role require.Len(t, role.ServiceIdentities, 1)
@@ -2486,7 +2486,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 }, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRole{}
@@ -2495,7 +2495,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 require.NoError(t, err) // Get the role directly to validate that it exists
- roleResp, err := retrieveTestRole(codec, TestDefaultMasterToken, "dc1", resp.ID)
+ roleResp, err := retrieveTestRole(codec, TestDefaultInitialManagementToken, "dc1", resp.ID)
 require.NoError(t, err) role := roleResp.Role require.Len(t, role.ServiceIdentities, 1)
@@ -2515,7 +2515,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 }, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRole{}
@@ -2536,7 +2536,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 }, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRole{}
@@ -2555,7 +2555,7 @@ func TestACLEndpoint_RoleSet(t *testing.T) {
 }, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRole{}
@@ -2576,7 +2576,7 @@ func TestACLEndpoint_RoleSet_names(t *testing.T) {
 waitForLeaderEstablishment(t, srv) acl := ACL{srv: srv}
- testPolicy1, err := upsertTestPolicy(codec, TestDefaultMasterToken, "dc1")
+ testPolicy1, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1")
 require.NoError(t, err)
@@ -2615,7 +2615,7 @@ func TestACLEndpoint_RoleSet_names(t *testing.T) {
 t.Run(testName, func(t *testing.T) { // cleanup from a prior insertion that may have succeeded
- require.NoError(t, deleteTestRoleByName(codec, TestDefaultMasterToken, "dc1", test.name))
+ require.NoError(t, deleteTestRoleByName(codec, TestDefaultInitialManagementToken, "dc1", test.name))
 req := structs.ACLRoleSetRequest{ Datacenter: "dc1",
@@ -2628,7 +2628,7 @@ func TestACLEndpoint_RoleSet_names(t *testing.T) {
 }, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRole{}
@@ -2636,7 +2636,7 @@ func TestACLEndpoint_RoleSet_names(t *testing.T) {
 if test.ok { require.NoError(t, err)
- roleResp, err := retrieveTestRole(codec, TestDefaultMasterToken, "dc1", resp.ID)
+ roleResp, err := retrieveTestRole(codec, TestDefaultInitialManagementToken, "dc1", resp.ID)
 require.NoError(t, err) role := roleResp.Role require.Equal(t, test.name, role.Name)
@@ -2656,7 +2656,7 @@ func TestACLEndpoint_RoleDelete(t *testing.T) {
 _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv)
- existingRole, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1")
+ existingRole, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1")
 require.NoError(t, err)
@@ -2665,7 +2665,7 @@ func TestACLEndpoint_RoleDelete(t *testing.T) {
 req := structs.ACLRoleDeleteRequest{ Datacenter: "dc1", RoleID: existingRole.ID,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } var resp string
@@ -2674,7 +2674,7 @@ func TestACLEndpoint_RoleDelete(t *testing.T) {
 require.NoError(t, err) // Make sure the role is gone
- roleResp, err := retrieveTestRole(codec, TestDefaultMasterToken, "dc1", existingRole.ID)
+ roleResp, err := retrieveTestRole(codec, TestDefaultInitialManagementToken, "dc1", existingRole.ID)
 require.NoError(t, err) require.Nil(t, roleResp.Role) }
@@ -2689,17 +2689,17 @@ func TestACLEndpoint_RoleList(t *testing.T) {
 _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv)
- r1, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1")
+ r1, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1")
 require.NoError(t, err)
- r2, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1")
+ r2, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1")
 require.NoError(t, err) acl := ACL{srv: srv} req := structs.ACLRoleListRequest{ Datacenter: "dc1",
- QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken},
+ QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLRoleListResponse{}
@@ -2720,10 +2720,10 @@ func TestACLEndpoint_RoleResolve(t *testing.T) {
 waitForLeaderEstablishment(t, srv) t.Run("Normal", func(t *testing.T) {
- r1, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1")
+ r1, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1")
 require.NoError(t, err)
- r2, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1")
+ r2, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1")
 require.NoError(t, err) acl := ACL{srv: srv}
@@ -2741,7 +2741,7 @@ func TestACLEndpoint_RoleResolve(t *testing.T) {
 }, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } token := structs.ACLToken{} err = acl.TokenSet(&tokenUpsertReq, &token)
@@ -2790,7 +2790,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 req := structs.ACLAuthMethodSetRequest{ Datacenter: "dc1", AuthMethod: reqMethod,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethod{}
@@ -2798,7 +2798,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 require.NoError(t, err) // Get the method directly to validate that it exists
- methodResp, err := retrieveTestAuthMethod(codec, TestDefaultMasterToken, "dc1", resp.Name)
+ methodResp, err := retrieveTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", resp.Name)
 require.NoError(t, err) method := methodResp.AuthMethod
@@ -2814,7 +2814,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 req := structs.ACLAuthMethodSetRequest{ Datacenter: "dc1", AuthMethod: reqMethod,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethod{}
@@ -2831,7 +2831,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 req := structs.ACLAuthMethodSetRequest{ Datacenter: "dc1", AuthMethod: reqMethod,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethod{}
@@ -2839,7 +2839,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 require.NoError(t, err) // Get the method directly to validate that it exists
- methodResp, err := retrieveTestAuthMethod(codec, TestDefaultMasterToken, "dc1", resp.Name)
+ methodResp, err := retrieveTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", resp.Name)
 require.NoError(t, err) method := methodResp.AuthMethod
@@ -2857,7 +2857,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 req := structs.ACLAuthMethodSetRequest{ Datacenter: "dc1", AuthMethod: reqMethod,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethod{}
@@ -2865,7 +2865,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 require.NoError(t, err) // Get the method directly to validate that it exists
- methodResp, err := retrieveTestAuthMethod(codec, TestDefaultMasterToken, "dc1", resp.Name)
+ methodResp, err := retrieveTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", resp.Name)
 require.NoError(t, err) method := methodResp.AuthMethod
@@ -2879,7 +2879,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 req := structs.ACLAuthMethodSetRequest{ Datacenter: "dc1", AuthMethod: newAuthMethod(""),
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethod{}
@@ -2895,7 +2895,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 Description: "invalid test", Type: "invalid", },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethod{}
@@ -2935,7 +2935,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 req := structs.ACLAuthMethodSetRequest{ Datacenter: "dc1", AuthMethod: newAuthMethod(test.name),
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethod{}
@@ -2945,7 +2945,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 require.NoError(t, err) // Get the method directly to validate that it exists
- methodResp, err := retrieveTestAuthMethod(codec, TestDefaultMasterToken, "dc1", resp.Name)
+ methodResp, err := retrieveTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", resp.Name)
 require.NoError(t, err) method := methodResp.AuthMethod
@@ -2964,7 +2964,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 req := structs.ACLAuthMethodSetRequest{ Datacenter: "dc1", AuthMethod: reqMethod,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethod{}
@@ -2972,7 +2972,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 require.NoError(t, err) // Get the method directly to validate that it exists
- methodResp, err := retrieveTestAuthMethod(codec, TestDefaultMasterToken, "dc1", resp.Name)
+ methodResp, err := retrieveTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", resp.Name)
 require.NoError(t, err) method := methodResp.AuthMethod
@@ -2991,7 +2991,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 req := structs.ACLAuthMethodSetRequest{ Datacenter: "dc1", AuthMethod: reqMethod,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethod{}
@@ -2999,7 +2999,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 require.NoError(t, err) // Get the method directly to validate that it exists
- methodResp, err := retrieveTestAuthMethod(codec, TestDefaultMasterToken, "dc1", resp.Name)
+ methodResp, err := retrieveTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", resp.Name)
 require.NoError(t, err) method := methodResp.AuthMethod
@@ -3017,7 +3017,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 req := structs.ACLAuthMethodSetRequest{ Datacenter: "dc1", AuthMethod: reqMethod,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethod{}
@@ -3032,7 +3032,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
 req := structs.ACLAuthMethodSetRequest{ Datacenter: "dc1", AuthMethod: reqMethod,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethod{}
@@ -3054,7 +3054,7 @@ func TestACLEndpoint_AuthMethodDelete(t *testing.T) {
 testSessionID := testauth.StartSession() defer testauth.ResetSession(testSessionID)
- existingMethod, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", testSessionID)
+ existingMethod, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", testSessionID)
 require.NoError(t, err) acl := ACL{srv: srv}
@@ -3063,7 +3063,7 @@ func TestACLEndpoint_AuthMethodDelete(t *testing.T) {
 req := structs.ACLAuthMethodDeleteRequest{ Datacenter: "dc1", AuthMethodName: existingMethod.Name,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } var ignored bool
@@ -3071,7 +3071,7 @@ func TestACLEndpoint_AuthMethodDelete(t *testing.T) {
 require.NoError(t, err) // Make sure the method is gone
- methodResp, err := retrieveTestAuthMethod(codec, TestDefaultMasterToken, "dc1", existingMethod.Name)
+ methodResp, err := retrieveTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", existingMethod.Name)
 require.NoError(t, err) require.Nil(t, methodResp.AuthMethod) })
@@ -3080,7 +3080,7 @@ func TestACLEndpoint_AuthMethodDelete(t *testing.T) {
 req := structs.ACLAuthMethodDeleteRequest{ Datacenter: "dc1", AuthMethodName: "missing",
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } var ignored bool
@@ -3124,10 +3124,10 @@ func TestACLEndpoint_AuthMethodDelete_RuleAndTokenCascade(t *testing.T) {
 return &resp }
- method1, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", testSessionID1)
+ method1, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", testSessionID1)
 require.NoError(t, err) i1_r1, err := upsertTestBindingRule(
- codec, TestDefaultMasterToken, "dc1",
+ codec, TestDefaultInitialManagementToken, "dc1",
 method1.Name, "serviceaccount.name==abc", structs.BindingRuleBindTypeService,
@@ -3135,7 +3135,7 @@ func TestACLEndpoint_AuthMethodDelete_RuleAndTokenCascade(t *testing.T) {
 ) require.NoError(t, err) i1_r2, err := upsertTestBindingRule(
- codec, TestDefaultMasterToken, "dc1",
+ codec, TestDefaultInitialManagementToken, "dc1",
 method1.Name, "serviceaccount.name==def", structs.BindingRuleBindTypeService,
@@ -3145,10 +3145,10 @@ func TestACLEndpoint_AuthMethodDelete_RuleAndTokenCascade(t *testing.T) {
 i1_t1 := createToken(method1.Name, "fake-token1") i1_t2 := createToken(method1.Name, "fake-token1")
- method2, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", testSessionID2)
+ method2, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", testSessionID2)
 require.NoError(t, err) i2_r1, err := upsertTestBindingRule(
- codec, TestDefaultMasterToken, "dc1",
+ codec, TestDefaultInitialManagementToken, "dc1",
 method2.Name, "serviceaccount.name==abc", structs.BindingRuleBindTypeService,
@@ -3156,7 +3156,7 @@ func TestACLEndpoint_AuthMethodDelete_RuleAndTokenCascade(t *testing.T) {
 ) require.NoError(t, err) i2_r2, err := upsertTestBindingRule(
- codec, TestDefaultMasterToken, "dc1",
+ codec, TestDefaultInitialManagementToken, "dc1",
 method2.Name, "serviceaccount.name==def", structs.BindingRuleBindTypeService,
@@ -3171,7 +3171,7 @@ func TestACLEndpoint_AuthMethodDelete_RuleAndTokenCascade(t *testing.T) {
 req := structs.ACLAuthMethodDeleteRequest{ Datacenter: "dc1", AuthMethodName: method1.Name,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } var ignored bool
@@ -3179,30 +3179,30 @@ func TestACLEndpoint_AuthMethodDelete_RuleAndTokenCascade(t *testing.T) {
 require.NoError(t, err) // Make sure the method is gone.
- methodResp, err := retrieveTestAuthMethod(codec, TestDefaultMasterToken, "dc1", method1.Name)
+ methodResp, err := retrieveTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", method1.Name)
 require.NoError(t, err) require.Nil(t, methodResp.AuthMethod) // Make sure the rules and tokens are gone. for _, id := range []string{i1_r1.ID, i1_r2.ID} {
- ruleResp, err := retrieveTestBindingRule(codec, TestDefaultMasterToken, "dc1", id)
+ ruleResp, err := retrieveTestBindingRule(codec, TestDefaultInitialManagementToken, "dc1", id)
 require.NoError(t, err) require.Nil(t, ruleResp.BindingRule) } for _, id := range []string{i1_t1.AccessorID, i1_t2.AccessorID} {
- tokResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", id)
+ tokResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", id)
 require.NoError(t, err) require.Nil(t, tokResp.Token) } // Make sure the rules and tokens for the untouched auth method are still there. for _, id := range []string{i2_r1.ID, i2_r2.ID} {
- ruleResp, err := retrieveTestBindingRule(codec, TestDefaultMasterToken, "dc1", id)
+ ruleResp, err := retrieveTestBindingRule(codec, TestDefaultInitialManagementToken, "dc1", id)
 require.NoError(t, err) require.NotNil(t, ruleResp.BindingRule) } for _, id := range []string{i2_t1.AccessorID, i2_t2.AccessorID} {
- tokResp, err := retrieveTestToken(codec, TestDefaultMasterToken, "dc1", id)
+ tokResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", id)
 require.NoError(t, err) require.NotNil(t, tokResp.Token) }
@@ -3218,17 +3218,17 @@ func TestACLEndpoint_AuthMethodList(t *testing.T) {
 _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv)
- i1, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", "")
+ i1, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", "")
 require.NoError(t, err)
- i2, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", "")
+ i2, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", "")
 require.NoError(t, err) acl := ACL{srv: srv} req := structs.ACLAuthMethodListRequest{ Datacenter: "dc1",
- QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken},
+ QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethodListResponse{}
@@ -3251,10 +3251,10 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) {
 var ruleID string
- testAuthMethod, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", "")
+ testAuthMethod, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", "")
 require.NoError(t, err)
- otherTestAuthMethod, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", "")
+ otherTestAuthMethod, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", "")
 require.NoError(t, err) newRule := func() structs.ACLBindingRule {
@@ -3271,7 +3271,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) {
 req := structs.ACLBindingRuleSetRequest{ Datacenter: "dc1", BindingRule: reqRule,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLBindingRule{}
@@ -3283,7 +3283,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) {
 req := structs.ACLBindingRuleSetRequest{ Datacenter: "dc1", BindingRule: reqRule,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLBindingRule{}
@@ -3299,7 +3299,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) {
 req := structs.ACLBindingRuleSetRequest{ Datacenter: "dc1", BindingRule: reqRule,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLBindingRule{}
@@ -3308,7 +3308,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) {
 require.NotNil(t, resp.ID) // Get the rule directly to validate that it exists
- ruleResp, err := retrieveTestBindingRule(codec, TestDefaultMasterToken, "dc1", resp.ID)
+ ruleResp, err := retrieveTestBindingRule(codec, TestDefaultInitialManagementToken, "dc1", resp.ID)
 require.NoError(t, err) rule := ruleResp.BindingRule
@@ -3332,7 +3332,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) {
 BindType: structs.BindingRuleBindTypeNode, BindName: "test-node", },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } var resp structs.ACLBindingRule
@@ -3341,7 +3341,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) {
 require.NotNil(t, resp.ID) // Get the rule directly to validate that it exists
- ruleResp, err := retrieveTestBindingRule(codec, TestDefaultMasterToken, "dc1", resp.ID)
+ ruleResp, err := retrieveTestBindingRule(codec, TestDefaultInitialManagementToken, "dc1", resp.ID)
 require.NoError(t, err) rule := ruleResp.BindingRule
@@ -3372,7 +3372,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) {
 req := structs.ACLBindingRuleSetRequest{ Datacenter: "dc1", BindingRule: reqRule,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLBindingRule{}
@@ -3381,7 +3381,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) {
 require.NotNil(t, resp.ID) // Get the rule directly to validate that it exists
- ruleResp, err := retrieveTestBindingRule(codec, TestDefaultMasterToken, "dc1", resp.ID)
+ ruleResp, err := retrieveTestBindingRule(codec, TestDefaultInitialManagementToken, "dc1", resp.ID)
 require.NoError(t, err) rule := ruleResp.BindingRule
@@ -3404,7 +3404,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) {
 req := structs.ACLBindingRuleSetRequest{ Datacenter: "dc1", BindingRule: reqRule,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLBindingRule{}
@@ -3413,7 +3413,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) {
 require.NotNil(t, resp.ID) // Get the rule directly to validate that it exists
- ruleResp, err := retrieveTestBindingRule(codec, TestDefaultMasterToken, "dc1", resp.ID)
+ ruleResp, err := retrieveTestBindingRule(codec, TestDefaultInitialManagementToken, "dc1", resp.ID)
 require.NoError(t, err) rule := ruleResp.BindingRule
@@ -3509,11 +3509,11 @@ func TestACLEndpoint_BindingRuleDelete(t *testing.T) {
 _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv)
- testAuthMethod, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", "")
+ testAuthMethod, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", "")
 require.NoError(t, err) existingRule, err := upsertTestBindingRule(
- codec, TestDefaultMasterToken, "dc1",
+ codec, TestDefaultInitialManagementToken, "dc1",
 testAuthMethod.Name, "serviceaccount.name==abc", structs.BindingRuleBindTypeService,
@@ -3527,7 +3527,7 @@ func TestACLEndpoint_BindingRuleDelete(t *testing.T) {
 req := structs.ACLBindingRuleDeleteRequest{ Datacenter: "dc1", BindingRuleID: existingRule.ID,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } var ignored bool
@@ -3535,7 +3535,7 @@ func TestACLEndpoint_BindingRuleDelete(t *testing.T) {
 require.NoError(t, err) // Make sure the rule is gone
- ruleResp, err := retrieveTestBindingRule(codec, TestDefaultMasterToken, "dc1", existingRule.ID)
+ ruleResp, err := retrieveTestBindingRule(codec, TestDefaultInitialManagementToken, "dc1", existingRule.ID)
 require.NoError(t, err) require.Nil(t, ruleResp.BindingRule) })
@@ -3547,7 +3547,7 @@ func TestACLEndpoint_BindingRuleDelete(t *testing.T) {
 req := structs.ACLBindingRuleDeleteRequest{ Datacenter: "dc1", BindingRuleID: fakeID,
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } var ignored bool
@@ -3566,11 +3566,11 @@ func TestACLEndpoint_BindingRuleList(t *testing.T) {
 _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv)
- testAuthMethod, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", "")
+ testAuthMethod, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", "")
 require.NoError(t, err) r1, err := upsertTestBindingRule(
- codec, TestDefaultMasterToken, "dc1",
+ codec, TestDefaultInitialManagementToken, "dc1",
 testAuthMethod.Name, "serviceaccount.name==abc", structs.BindingRuleBindTypeService,
@@ -3579,7 +3579,7 @@ func TestACLEndpoint_BindingRuleList(t *testing.T) {
 require.NoError(t, err) r2, err := upsertTestBindingRule(
- codec, TestDefaultMasterToken, "dc1",
+ codec, TestDefaultInitialManagementToken, "dc1",
 testAuthMethod.Name, "serviceaccount.name==def", structs.BindingRuleBindTypeService,
@@ -3591,7 +3591,7 @@ func TestACLEndpoint_BindingRuleList(t *testing.T) {
 req := structs.ACLBindingRuleListRequest{ Datacenter: "dc1",
- QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken},
+ QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLBindingRuleListResponse{}
@@ -3765,19 +3765,19 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) {
 "SessionID": testSessionID_2, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethod{} require.NoError(t, acl2.AuthMethodSet(&req, &resp)) // present in dc2
- resp2, err := retrieveTestAuthMethod(codec2, TestDefaultMasterToken, "dc2", "testmethod")
+ resp2, err := retrieveTestAuthMethod(codec2, TestDefaultInitialManagementToken, "dc2", "testmethod")
 require.NoError(t, err) require.NotNil(t, resp2.AuthMethod) require.Equal(t, "test original", resp2.AuthMethod.Description) // absent in dc1
- resp2, err = retrieveTestAuthMethod(codec1, TestDefaultMasterToken, "dc1", "testmethod")
+ resp2, err = retrieveTestAuthMethod(codec1, TestDefaultInitialManagementToken, "dc1", "testmethod")
 require.NoError(t, err) require.Nil(t, resp2.AuthMethod) })
@@ -3792,19 +3792,19 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) {
 "SessionID": testSessionID_2, }, },
- WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
+ WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
 } resp := structs.ACLAuthMethod{} require.NoError(t, acl2.AuthMethodSet(&req, &resp)) // present in dc2
- resp2, err := retrieveTestAuthMethod(codec2, TestDefaultMasterToken, "dc2", "testmethod")
+ resp2, err := retrieveTestAuthMethod(codec2, TestDefaultInitialManagementToken, "dc2", "testmethod")
 require.NoError(t, err) require.NotNil(t, resp2.AuthMethod) require.Equal(t, "test updated", resp2.AuthMethod.Description) // absent in dc1
- resp2, err = retrieveTestAuthMethod(codec1, TestDefaultMasterToken, "dc1", "testmethod")
+ resp2, err = retrieveTestAuthMethod(codec1, TestDefaultInitialManagementToken, "dc1", "testmethod")
 require.NoError(t, err) require.Nil(t, resp2.AuthMethod) })
@@ -3814,7 +3814,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { req := structs.ACLAuthMethodGetRequest{ Datacenter: "dc2", AuthMethodName: "testmethod", - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLAuthMethodResponse{} require.NoError(t, acl2.AuthMethodRead(&req, &resp)) @@ -3825,7 +3825,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { req = structs.ACLAuthMethodGetRequest{ Datacenter: "dc1", AuthMethodName: "testmethod", - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp = structs.ACLAuthMethodResponse{} require.NoError(t, acl.AuthMethodRead(&req, &resp)) @@ -3836,7 +3836,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { // present in dc2 req := structs.ACLAuthMethodListRequest{ Datacenter: "dc2", - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLAuthMethodListResponse{} require.NoError(t, acl2.AuthMethodList(&req, &resp)) @@ -3845,7 +3845,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { // absent in dc1 req = structs.ACLAuthMethodListRequest{ Datacenter: "dc1", - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp = structs.ACLAuthMethodListResponse{} require.NoError(t, acl.AuthMethodList(&req, &resp)) 
@@ -3862,7 +3862,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { BindType: structs.BindingRuleBindTypeService, BindName: "${serviceaccount.name}", }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLBindingRule{} @@ -3871,12 +3871,12 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { ruleID = resp.ID // present in dc2 - resp2, err := retrieveTestBindingRule(codec2, TestDefaultMasterToken, "dc2", ruleID) + resp2, err := retrieveTestBindingRule(codec2, TestDefaultInitialManagementToken, "dc2", ruleID) require.NoError(t, err) require.NotNil(t, resp2.BindingRule) require.Equal(t, "test original", resp2.BindingRule.Description) // absent in dc1 - resp2, err = retrieveTestBindingRule(codec1, TestDefaultMasterToken, "dc1", ruleID) + resp2, err = retrieveTestBindingRule(codec1, TestDefaultInitialManagementToken, "dc1", ruleID) require.NoError(t, err) require.Nil(t, resp2.BindingRule) }) @@ -3891,7 +3891,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { BindType: structs.BindingRuleBindTypeService, BindName: "${serviceaccount.name}", }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLBindingRule{} 
@@ -3900,12 +3900,12 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { ruleID = resp.ID // present in dc2 - resp2, err := retrieveTestBindingRule(codec2, TestDefaultMasterToken, "dc2", ruleID) + resp2, err := retrieveTestBindingRule(codec2, TestDefaultInitialManagementToken, "dc2", ruleID) require.NoError(t, err) require.NotNil(t, resp2.BindingRule) require.Equal(t, "test updated", resp2.BindingRule.Description) // absent in dc1 - resp2, err = retrieveTestBindingRule(codec1, TestDefaultMasterToken, "dc1", ruleID) + resp2, err = retrieveTestBindingRule(codec1, TestDefaultInitialManagementToken, "dc1", ruleID) require.NoError(t, err) require.Nil(t, resp2.BindingRule) }) @@ -3915,7 +3915,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { req := structs.ACLBindingRuleGetRequest{ Datacenter: "dc2", BindingRuleID: ruleID, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLBindingRuleResponse{} require.NoError(t, acl2.BindingRuleRead(&req, &resp)) @@ -3926,7 +3926,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { req = structs.ACLBindingRuleGetRequest{ Datacenter: "dc1", BindingRuleID: ruleID, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp = structs.ACLBindingRuleResponse{} require.NoError(t, acl.BindingRuleRead(&req, &resp)) @@ -3937,7 +3937,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { // present in dc2 req := structs.ACLBindingRuleListRequest{ Datacenter: "dc2", - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp := structs.ACLBindingRuleListResponse{} require.NoError(t, acl2.BindingRuleList(&req, &resp)) 
@@ -3946,7 +3946,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { // absent in dc1 req = structs.ACLBindingRuleListRequest{ Datacenter: "dc1", - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp = structs.ACLBindingRuleListResponse{} require.NoError(t, acl.BindingRuleList(&req, &resp)) @@ -3968,13 +3968,13 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { remoteToken = &resp // present in dc2 - resp2, err := retrieveTestToken(codec2, TestDefaultMasterToken, "dc2", remoteToken.AccessorID) + resp2, err := retrieveTestToken(codec2, TestDefaultInitialManagementToken, "dc2", remoteToken.AccessorID) require.NoError(t, err) require.NotNil(t, resp2.Token) require.Len(t, resp2.Token.ServiceIdentities, 1) require.Equal(t, "web2", resp2.Token.ServiceIdentities[0].ServiceName) // absent in dc1 - resp2, err = retrieveTestToken(codec1, TestDefaultMasterToken, "dc1", remoteToken.AccessorID) + resp2, err = retrieveTestToken(codec1, TestDefaultInitialManagementToken, "dc1", remoteToken.AccessorID) require.NoError(t, err) require.Nil(t, resp2.Token) }) @@ -3993,7 +3993,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { "SessionID": testSessionID_1, }, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } respAM := structs.ACLAuthMethod{} require.NoError(t, acl.AuthMethodSet(&reqAM, &respAM)) @@ -4005,7 +4005,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { BindType: structs.BindingRuleBindTypeService, BindName: "${serviceaccount.name}", }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } respBR := structs.ACLBindingRule{} 
@@ -4027,13 +4027,13 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { primaryToken = &resp // present in dc1 - resp2, err := retrieveTestToken(codec1, TestDefaultMasterToken, "dc1", primaryToken.AccessorID) + resp2, err := retrieveTestToken(codec1, TestDefaultInitialManagementToken, "dc1", primaryToken.AccessorID) require.NoError(t, err) require.NotNil(t, resp2.Token) require.Len(t, resp2.Token.ServiceIdentities, 1) require.Equal(t, "web1", resp2.Token.ServiceIdentities[0].ServiceName) // absent in dc2 - resp2, err = retrieveTestToken(codec2, TestDefaultMasterToken, "dc2", primaryToken.AccessorID) + resp2, err = retrieveTestToken(codec2, TestDefaultInitialManagementToken, "dc2", primaryToken.AccessorID) require.NoError(t, err) require.Nil(t, resp2.Token) }) @@ -4051,11 +4051,11 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { require.NoError(t, acl.Logout(&req, &ignored)) // absent in dc2 - resp2, err := retrieveTestToken(codec2, TestDefaultMasterToken, "dc2", remoteToken.AccessorID) + resp2, err := retrieveTestToken(codec2, TestDefaultInitialManagementToken, "dc2", remoteToken.AccessorID) require.NoError(t, err) require.Nil(t, resp2.Token) // absent in dc1 - resp2, err = retrieveTestToken(codec1, TestDefaultMasterToken, "dc1", remoteToken.AccessorID) + resp2, err = retrieveTestToken(codec1, TestDefaultInitialManagementToken, "dc1", remoteToken.AccessorID) require.NoError(t, err) require.Nil(t, resp2.Token) }) 
@@ -4070,13 +4070,13 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { testutil.RequireErrorContains(t, acl.Logout(&req, &ignored), "ACL not found") // present in dc1 - resp2, err := retrieveTestToken(codec1, TestDefaultMasterToken, "dc1", primaryToken.AccessorID) + resp2, err := retrieveTestToken(codec1, TestDefaultInitialManagementToken, "dc1", primaryToken.AccessorID) require.NoError(t, err) require.NotNil(t, resp2.Token) require.Len(t, resp2.Token.ServiceIdentities, 1) require.Equal(t, "web1", resp2.Token.ServiceIdentities[0].ServiceName) // absent in dc2 - resp2, err = retrieveTestToken(codec2, TestDefaultMasterToken, "dc2", primaryToken.AccessorID) + resp2, err = retrieveTestToken(codec2, TestDefaultInitialManagementToken, "dc2", primaryToken.AccessorID) require.NoError(t, err) require.Nil(t, resp2.Token) }) @@ -4088,18 +4088,18 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { req := structs.ACLBindingRuleDeleteRequest{ Datacenter: "dc2", BindingRuleID: ruleID, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var ignored bool require.NoError(t, acl2.BindingRuleDelete(&req, &ignored)) // absent in dc2 - resp2, err := retrieveTestBindingRule(codec2, TestDefaultMasterToken, "dc2", ruleID) + resp2, err := retrieveTestBindingRule(codec2, TestDefaultInitialManagementToken, "dc2", ruleID) require.NoError(t, err) require.Nil(t, resp2.BindingRule) // absent in dc1 - resp2, err = retrieveTestBindingRule(codec1, TestDefaultMasterToken, "dc1", ruleID) + resp2, err = retrieveTestBindingRule(codec1, TestDefaultInitialManagementToken, "dc1", ruleID) require.NoError(t, err) require.Nil(t, resp2.BindingRule) }) 
@@ -4108,18 +4108,18 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { req := structs.ACLAuthMethodDeleteRequest{ Datacenter: "dc2", AuthMethodName: "testmethod", - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var ignored bool require.NoError(t, acl2.AuthMethodDelete(&req, &ignored)) // absent in dc2 - resp2, err := retrieveTestAuthMethod(codec2, TestDefaultMasterToken, "dc2", "testmethod") + resp2, err := retrieveTestAuthMethod(codec2, TestDefaultInitialManagementToken, "dc2", "testmethod") require.NoError(t, err) require.Nil(t, resp2.AuthMethod) // absent in dc1 - resp2, err = retrieveTestAuthMethod(codec1, TestDefaultMasterToken, "dc1", "testmethod") + resp2, err = retrieveTestAuthMethod(codec1, TestDefaultInitialManagementToken, "dc1", "testmethod") require.NoError(t, err) require.Nil(t, resp2.AuthMethod) }) @@ -4166,12 +4166,12 @@ func TestACLEndpoint_Login(t *testing.T) { "default", "mynode", "jkl101", ) - method, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", testSessionID) + method, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", testSessionID) require.NoError(t, err) // 'fake-db' rules ruleDB, err := upsertTestBindingRule( - codec, TestDefaultMasterToken, "dc1", method.Name, + codec, TestDefaultInitialManagementToken, "dc1", method.Name, "serviceaccount.namespace==default and serviceaccount.name==db", structs.BindingRuleBindTypeService, "method-${serviceaccount.name}", @@ -4180,7 +4180,7 @@ func TestACLEndpoint_Login(t *testing.T) { // 'fake-vault' rules _, err = upsertTestBindingRule( - codec, TestDefaultMasterToken, "dc1", method.Name, + codec, TestDefaultInitialManagementToken, "dc1", method.Name, "serviceaccount.namespace==default and serviceaccount.name==vault", structs.BindingRuleBindTypeRole, "method-${serviceaccount.name}", 
@@ -4189,14 +4189,14 @@ func TestACLEndpoint_Login(t *testing.T) { // 'fake-monolith' rules _, err = upsertTestBindingRule( - codec, TestDefaultMasterToken, "dc1", method.Name, + codec, TestDefaultInitialManagementToken, "dc1", method.Name, "serviceaccount.namespace==default and serviceaccount.name==monolith", structs.BindingRuleBindTypeService, "method-${serviceaccount.name}", ) require.NoError(t, err) _, err = upsertTestBindingRule( - codec, TestDefaultMasterToken, "dc1", method.Name, + codec, TestDefaultInitialManagementToken, "dc1", method.Name, "serviceaccount.namespace==default and serviceaccount.name==monolith", structs.BindingRuleBindTypeRole, "method-${serviceaccount.name}", @@ -4205,7 +4205,7 @@ func TestACLEndpoint_Login(t *testing.T) { // node identity rule _, err = upsertTestBindingRule( - codec, TestDefaultMasterToken, "dc1", method.Name, + codec, TestDefaultInitialManagementToken, "dc1", method.Name, "serviceaccount.namespace==default and serviceaccount.name==mynode", structs.BindingRuleBindTypeNode, "${serviceaccount.name}", @@ -4291,7 +4291,7 @@ func TestACLEndpoint_Login(t *testing.T) { Role: structs.ACLRole{ Name: "method-vault", }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var out structs.ACLRole @@ -4354,7 +4354,7 @@ func TestACLEndpoint_Login(t *testing.T) { Role: structs.ACLRole{ Name: "method-monolith", }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var out structs.ACLRole @@ -4445,7 +4445,7 @@ func TestACLEndpoint_Login(t *testing.T) { BindName: ruleDB.BindName, Selector: "", }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var out structs.ACLBindingRule 
@@ -4489,7 +4489,7 @@ func TestACLEndpoint_Login(t *testing.T) { req := structs.ACLAuthMethodSetRequest{ Datacenter: "dc1", AuthMethod: updated, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var ignored structs.ACLAuthMethod @@ -4534,7 +4534,7 @@ func TestACLEndpoint_Login_with_MaxTokenTTL(t *testing.T) { "default", "web", "abc123", ) - method, err := upsertTestCustomizedAuthMethod(codec, TestDefaultMasterToken, "dc1", func(method *structs.ACLAuthMethod) { + method, err := upsertTestCustomizedAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", func(method *structs.ACLAuthMethod) { method.MaxTokenTTL = 5 * time.Minute method.Config = map[string]interface{}{ "SessionID": testSessionID, @@ -4543,7 +4543,7 @@ func TestACLEndpoint_Login_with_MaxTokenTTL(t *testing.T) { require.NoError(t, err) _, err = upsertTestBindingRule( - codec, TestDefaultMasterToken, "dc1", method.Name, + codec, TestDefaultInitialManagementToken, "dc1", method.Name, "", structs.BindingRuleBindTypeService, "web", @@ -4640,7 +4640,7 @@ func TestACLEndpoint_Login_with_TokenLocality(t *testing.T) { for name, tc := range cases { tc := tc t.Run(name, func(t *testing.T) { - method, err := upsertTestCustomizedAuthMethod(codec, TestDefaultMasterToken, "dc1", func(method *structs.ACLAuthMethod) { + method, err := upsertTestCustomizedAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", func(method *structs.ACLAuthMethod) { method.TokenLocality = tc.tokenLocality method.Config = map[string]interface{}{ "SessionID": testSessionID, @@ -4649,7 +4649,7 @@ func TestACLEndpoint_Login_with_TokenLocality(t *testing.T) { require.NoError(t, err) _, err = upsertTestBindingRule( - codec, TestDefaultMasterToken, "dc1", method.Name, + codec, TestDefaultInitialManagementToken, "dc1", method.Name, "", structs.BindingRuleBindTypeService, "web", 
@@ -4706,7 +4706,7 @@ func TestACLEndpoint_Login_with_TokenLocality(t *testing.T) { TokenIDType: structs.ACLTokenSecret, Datacenter: "dc2", EnterpriseMeta: *defaultEntMeta, - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, }, &resp)) require.NotNil(r, resp.Token, "cannot lookup token with secretID %q", secretID) }) @@ -4755,7 +4755,7 @@ func TestACLEndpoint_Login_k8s(t *testing.T) { ) method, err := upsertTestKubernetesAuthMethod( - codec, TestDefaultMasterToken, "dc1", + codec, TestDefaultInitialManagementToken, "dc1", testSrv.CACert(), testSrv.Addr(), goodJWT_A, @@ -4791,7 +4791,7 @@ func TestACLEndpoint_Login_k8s(t *testing.T) { }) _, err = upsertTestBindingRule( - codec, TestDefaultMasterToken, "dc1", method.Name, + codec, TestDefaultInitialManagementToken, "dc1", method.Name, "serviceaccount.namespace==default", structs.BindingRuleBindTypeService, "${serviceaccount.name}", @@ -4899,7 +4899,7 @@ func TestACLEndpoint_Login_jwt(t *testing.T) { for name, tc := range cases { tc := tc t.Run(name, func(t *testing.T) { - method, err := upsertTestCustomizedAuthMethod(codec, TestDefaultMasterToken, "dc1", func(method *structs.ACLAuthMethod) { + method, err := upsertTestCustomizedAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", func(method *structs.ACLAuthMethod) { method.Type = "jwt" method.Config = map[string]interface{}{ "JWTSupportedAlgs": []string{"ES256"}, @@ -4970,7 +4970,7 @@ func TestACLEndpoint_Login_jwt(t *testing.T) { }) _, err = upsertTestBindingRule( - codec, TestDefaultMasterToken, "dc1", method.Name, + codec, TestDefaultInitialManagementToken, "dc1", method.Name, "value.name == jeff2 and value.primary_org == engineering and foo in list.groups", structs.BindingRuleBindTypeService, "test--${value.name}--${value.primary_org}", 
@@ -5022,11 +5022,11 @@ func TestACLEndpoint_Logout(t *testing.T) { "default", "db", "def456", ) - method, err := upsertTestAuthMethod(codec, TestDefaultMasterToken, "dc1", testSessionID) + method, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", testSessionID) require.NoError(t, err) _, err = upsertTestBindingRule( - codec, TestDefaultMasterToken, "dc1", method.Name, + codec, TestDefaultInitialManagementToken, "dc1", method.Name, "", structs.BindingRuleBindTypeService, "method-${serviceaccount.name}", @@ -5035,8 +5035,8 @@ func TestACLEndpoint_Logout(t *testing.T) { t.Run("you must provide a token", func(t *testing.T) { req := structs.ACLLogoutRequest{ - Datacenter: "dc1", - // WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + Datacenter: "dc1", + WriteRequest: structs.WriteRequest{Token: ""}, } req.Token = "" var ignored bool @@ -5056,7 +5056,7 @@ func TestACLEndpoint_Logout(t *testing.T) { t.Run("logout from non-auth method-linked token should fail", func(t *testing.T) { req := structs.ACLLogoutRequest{ Datacenter: "dc1", - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var ignored bool testutil.RequireErrorContains(t, acl.Logout(&req, &ignored), "Permission denied") @@ -5239,7 +5239,7 @@ func TestValidateBindingRuleBindName(t *testing.T) { } // upsertTestToken creates a token for testing purposes -func upsertTestTokenInEntMeta(codec rpc.ClientCodec, masterToken string, datacenter string, +func upsertTestTokenInEntMeta(codec rpc.ClientCodec, initialManagementToken string, datacenter string, tokenModificationFn func(token *structs.ACLToken), entMeta *structs.EnterpriseMeta) (*structs.ACLToken, error) { if entMeta == nil { entMeta = structs.DefaultEnterpriseMetaInDefaultPartition() 
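Review bot: In the "you must provide a token" subtest of TestACLEndpoint_Logout (hunk at -5035), the new `WriteRequest: structs.WriteRequest{Token: ""}` says the same thing as the unchanged `req.Token = ""` two lines below it, assuming `Token` is the field promoted from the embedded `WriteRequest`. One of the two can go; I would keep the literal, drop the assignment, and add a comment such as `// empty token on purpose: Logout must refuse a request that carries no secret`. This subtest is the negative authorization case for the endpoint, so the intent is worth stating rather than leaving it to a zero value. The assertion is outside the hunk, so I cannot see which error the subtest expects.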
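Review bot: The doc comment kept above `upsertTestTokenInEntMeta` (hunk at -5239) still reads `// upsertTestToken creates a token for testing purposes`, so it names a different function from the one it documents. Since the signature line directly below is being edited anyway, I would change it to `// upsertTestTokenInEntMeta creates a token in the given enterprise meta for testing purposes`. The same applies to `// retrieveTestToken returns a policy for testing purposes` in the hunk at -5324: that function returns a `*structs.ACLTokenResponse`, and `// retrieveTestToken looks up a token by accessor ID for testing purposes` would match the `TokenIDType: structs.ACLTokenAccessor` in its request. Both function bodies continue past their hunks.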
@@ -5252,7 +5252,7 @@ func upsertTestTokenInEntMeta(codec rpc.ClientCodec, masterToken string, datacen Policies: nil, EnterpriseMeta: *entMeta, }, - WriteRequest: structs.WriteRequest{Token: masterToken}, + WriteRequest: structs.WriteRequest{Token: initialManagementToken}, } if tokenModificationFn != nil { @@ -5274,19 +5274,19 @@ func upsertTestTokenInEntMeta(codec rpc.ClientCodec, masterToken string, datacen return &out, nil } -func upsertTestToken(codec rpc.ClientCodec, masterToken string, datacenter string, +func upsertTestToken(codec rpc.ClientCodec, initialManagementToken string, datacenter string, tokenModificationFn func(token *structs.ACLToken)) (*structs.ACLToken, error) { - return upsertTestTokenInEntMeta(codec, masterToken, datacenter, + return upsertTestTokenInEntMeta(codec, initialManagementToken, datacenter, tokenModificationFn, structs.DefaultEnterpriseMetaInDefaultPartition()) } -func upsertTestTokenWithPolicyRulesInEntMeta(codec rpc.ClientCodec, masterToken string, datacenter string, rules string, entMeta *structs.EnterpriseMeta) (*structs.ACLToken, error) { - policy, err := upsertTestPolicyWithRulesInEntMeta(codec, masterToken, datacenter, rules, entMeta) +func upsertTestTokenWithPolicyRulesInEntMeta(codec rpc.ClientCodec, initialManagementToken string, datacenter string, rules string, entMeta *structs.EnterpriseMeta) (*structs.ACLToken, error) { + policy, err := upsertTestPolicyWithRulesInEntMeta(codec, initialManagementToken, datacenter, rules, entMeta) if err != nil { return nil, err } - token, err := upsertTestTokenInEntMeta(codec, masterToken, datacenter, func(token *structs.ACLToken) { + token, err := upsertTestTokenInEntMeta(codec, initialManagementToken, datacenter, func(token *structs.ACLToken) { token.Policies = []structs.ACLTokenPolicyLink{{ID: policy.ID}} }, entMeta) if err != nil { 
@@ -5296,16 +5296,16 @@ func upsertTestTokenWithPolicyRulesInEntMeta(codec rpc.ClientCodec, masterToken return token, nil } -func upsertTestTokenWithPolicyRules(codec rpc.ClientCodec, masterToken string, datacenter string, rules string) (*structs.ACLToken, error) { - return upsertTestTokenWithPolicyRulesInEntMeta(codec, masterToken, datacenter, rules, nil) +func upsertTestTokenWithPolicyRules(codec rpc.ClientCodec, initialManagementToken string, datacenter string, rules string) (*structs.ACLToken, error) { + return upsertTestTokenWithPolicyRulesInEntMeta(codec, initialManagementToken, datacenter, rules, nil) } -func retrieveTestTokenAccessorForSecret(codec rpc.ClientCodec, masterToken string, datacenter string, id string) (string, error) { +func retrieveTestTokenAccessorForSecret(codec rpc.ClientCodec, initialManagementToken string, datacenter string, id string) (string, error) { arg := structs.ACLTokenGetRequest{ TokenID: id, TokenIDType: structs.ACLTokenSecret, Datacenter: datacenter, - QueryOptions: structs.QueryOptions{Token: masterToken}, + QueryOptions: structs.QueryOptions{Token: initialManagementToken}, } var out structs.ACLTokenResponse @@ -5324,12 +5324,12 @@ func retrieveTestTokenAccessorForSecret(codec rpc.ClientCodec, masterToken strin } // retrieveTestToken returns a policy for testing purposes -func retrieveTestToken(codec rpc.ClientCodec, masterToken string, datacenter string, id string) (*structs.ACLTokenResponse, error) { +func retrieveTestToken(codec rpc.ClientCodec, initialManagementToken string, datacenter string, id string) (*structs.ACLTokenResponse, error) { arg := structs.ACLTokenGetRequest{ Datacenter: datacenter, TokenID: id, TokenIDType: structs.ACLTokenAccessor, - QueryOptions: structs.QueryOptions{Token: masterToken}, + QueryOptions: structs.QueryOptions{Token: initialManagementToken}, } var out structs.ACLTokenResponse 
@@ -5343,11 +5343,11 @@ func retrieveTestToken(codec rpc.ClientCodec, masterToken string, datacenter str return &out, nil } -func deleteTestToken(codec rpc.ClientCodec, masterToken string, datacenter string, tokenAccessor string) error { +func deleteTestToken(codec rpc.ClientCodec, initialManagementToken string, datacenter string, tokenAccessor string) error { arg := structs.ACLTokenDeleteRequest{ Datacenter: datacenter, TokenID: tokenAccessor, - WriteRequest: structs.WriteRequest{Token: masterToken}, + WriteRequest: structs.WriteRequest{Token: initialManagementToken}, } var ignored string @@ -5355,11 +5355,11 @@ func deleteTestToken(codec rpc.ClientCodec, masterToken string, datacenter strin return err } -func deleteTestPolicy(codec rpc.ClientCodec, masterToken string, datacenter string, policyID string) error { +func deleteTestPolicy(codec rpc.ClientCodec, initialManagementToken string, datacenter string, policyID string) error { arg := structs.ACLPolicyDeleteRequest{ Datacenter: datacenter, PolicyID: policyID, - WriteRequest: structs.WriteRequest{Token: masterToken}, + WriteRequest: structs.WriteRequest{Token: initialManagementToken}, } var ignored string @@ -5367,7 +5367,7 @@ func deleteTestPolicy(codec rpc.ClientCodec, masterToken string, datacenter stri return err } -func upsertTestCustomizedPolicy(codec rpc.ClientCodec, masterToken string, datacenter string, policyModificationFn func(policy *structs.ACLPolicy)) (*structs.ACLPolicy, error) { +func upsertTestCustomizedPolicy(codec rpc.ClientCodec, initialManagementToken string, datacenter string, policyModificationFn func(policy *structs.ACLPolicy)) (*structs.ACLPolicy, error) { // Make sure test policies can't collide policyUnq, err := uuid.GenerateUUID() if err != nil { 
@@ -5379,7 +5379,7 @@ func upsertTestCustomizedPolicy(codec rpc.ClientCodec, masterToken string, datac Policy: structs.ACLPolicy{ Name: fmt.Sprintf("test-policy-%s", policyUnq), }, - WriteRequest: structs.WriteRequest{Token: masterToken}, + WriteRequest: structs.WriteRequest{Token: initialManagementToken}, } if policyModificationFn != nil { 
@@ -5402,16 +5402,16 @@ func upsertTestCustomizedPolicy(codec rpc.ClientCodec, masterToken string, datac } // upsertTestPolicy creates a policy for testing purposes -func upsertTestPolicy(codec rpc.ClientCodec, masterToken string, datacenter string) (*structs.ACLPolicy, error) { - return upsertTestPolicyWithRules(codec, masterToken, datacenter, "") +func upsertTestPolicy(codec rpc.ClientCodec, initialManagementToken string, datacenter string) (*structs.ACLPolicy, error) { + return upsertTestPolicyWithRules(codec, initialManagementToken, datacenter, "") } -func upsertTestPolicyWithRules(codec rpc.ClientCodec, masterToken string, datacenter string, rules string) (*structs.ACLPolicy, error) { - return upsertTestPolicyWithRulesInEntMeta(codec, masterToken, datacenter, rules, structs.DefaultEnterpriseMetaInDefaultPartition()) +func upsertTestPolicyWithRules(codec rpc.ClientCodec, initialManagementToken string, datacenter string, rules string) (*structs.ACLPolicy, error) { + return upsertTestPolicyWithRulesInEntMeta(codec, initialManagementToken, datacenter, rules, structs.DefaultEnterpriseMetaInDefaultPartition()) } -func upsertTestPolicyWithRulesInEntMeta(codec rpc.ClientCodec, masterToken string, datacenter string, rules string, entMeta *structs.EnterpriseMeta) (*structs.ACLPolicy, error) { - return upsertTestCustomizedPolicy(codec, masterToken, datacenter, func(policy *structs.ACLPolicy) { +func upsertTestPolicyWithRulesInEntMeta(codec rpc.ClientCodec, initialManagementToken string, datacenter string, rules string, entMeta *structs.EnterpriseMeta) (*structs.ACLPolicy, error) { + return upsertTestCustomizedPolicy(codec, initialManagementToken, datacenter, func(policy *structs.ACLPolicy) { if entMeta == nil { entMeta = structs.DefaultEnterpriseMetaInDefaultPartition() } 
@@ -5421,11 +5421,11 @@ func upsertTestPolicyWithRulesInEntMeta(codec rpc.ClientCodec, masterToken strin } // retrieveTestPolicy returns a policy for testing purposes -func retrieveTestPolicy(codec rpc.ClientCodec, masterToken string, datacenter string, id string) (*structs.ACLPolicyResponse, error) { +func retrieveTestPolicy(codec rpc.ClientCodec, initialManagementToken string, datacenter string, id string) (*structs.ACLPolicyResponse, error) { arg := structs.ACLPolicyGetRequest{ Datacenter: datacenter, PolicyID: id, - QueryOptions: structs.QueryOptions{Token: masterToken}, + QueryOptions: structs.QueryOptions{Token: initialManagementToken}, } var out structs.ACLPolicyResponse @@ -5439,11 +5439,11 @@ func retrieveTestPolicy(codec rpc.ClientCodec, masterToken string, datacenter st return &out, nil } -func deleteTestRole(codec rpc.ClientCodec, masterToken string, datacenter string, roleID string) error { +func deleteTestRole(codec rpc.ClientCodec, initialManagementToken string, datacenter string, roleID string) error { arg := structs.ACLRoleDeleteRequest{ Datacenter: datacenter, RoleID: roleID, - WriteRequest: structs.WriteRequest{Token: masterToken}, + WriteRequest: structs.WriteRequest{Token: initialManagementToken}, } var ignored string @@ -5451,8 +5451,8 @@ func deleteTestRole(codec rpc.ClientCodec, masterToken string, datacenter string return err } -func deleteTestRoleByName(codec rpc.ClientCodec, masterToken string, datacenter string, roleName string) error { - resp, err := retrieveTestRoleByName(codec, masterToken, datacenter, roleName) +func deleteTestRoleByName(codec rpc.ClientCodec, initialManagementToken string, datacenter string, roleName string) error { + resp, err := retrieveTestRoleByName(codec, initialManagementToken, datacenter, roleName) if err != nil { return err } 
@@ -5460,15 +5460,15 @@ func deleteTestRoleByName(codec rpc.ClientCodec, masterToken string, datacenter return nil } - return deleteTestRole(codec, masterToken, datacenter, resp.Role.ID) + return deleteTestRole(codec, initialManagementToken, datacenter, resp.Role.ID) } // upsertTestRole creates a role for testing purposes -func upsertTestRole(codec rpc.ClientCodec, masterToken string, datacenter string) (*structs.ACLRole, error) { - return upsertTestCustomizedRole(codec, masterToken, datacenter, nil) +func upsertTestRole(codec rpc.ClientCodec, initialManagementToken string, datacenter string) (*structs.ACLRole, error) { + return upsertTestCustomizedRole(codec, initialManagementToken, datacenter, nil) } -func upsertTestCustomizedRole(codec rpc.ClientCodec, masterToken string, datacenter string, modify func(role *structs.ACLRole)) (*structs.ACLRole, error) { +func upsertTestCustomizedRole(codec rpc.ClientCodec, initialManagementToken string, datacenter string, modify func(role *structs.ACLRole)) (*structs.ACLRole, error) { // Make sure test roles can't collide roleUnq, err := uuid.GenerateUUID() if err != nil { @@ -5480,7 +5480,7 @@ func upsertTestCustomizedRole(codec rpc.ClientCodec, masterToken string, datacen Role: structs.ACLRole{ Name: fmt.Sprintf("test-role-%s", roleUnq), }, - WriteRequest: structs.WriteRequest{Token: masterToken}, + WriteRequest: structs.WriteRequest{Token: initialManagementToken}, } if modify != nil { 
@@ -5502,11 +5502,11 @@ func upsertTestCustomizedRole(codec rpc.ClientCodec, masterToken string, datacen return &out, nil } -func retrieveTestRole(codec rpc.ClientCodec, masterToken string, datacenter string, id string) (*structs.ACLRoleResponse, error) { +func retrieveTestRole(codec rpc.ClientCodec, initialManagementToken string, datacenter string, id string) (*structs.ACLRoleResponse, error) { arg := structs.ACLRoleGetRequest{ Datacenter: datacenter, RoleID: id, - QueryOptions: structs.QueryOptions{Token: masterToken}, + QueryOptions: structs.QueryOptions{Token: initialManagementToken}, } var out structs.ACLRoleResponse @@ -5520,11 +5520,11 @@ func retrieveTestRole(codec rpc.ClientCodec, masterToken string, datacenter stri return &out, nil } -func retrieveTestRoleByName(codec rpc.ClientCodec, masterToken string, datacenter string, name string) (*structs.ACLRoleResponse, error) { +func retrieveTestRoleByName(codec rpc.ClientCodec, initialManagementToken string, datacenter string, name string) (*structs.ACLRoleResponse, error) { arg := structs.ACLRoleGetRequest{ Datacenter: datacenter, RoleName: name, - QueryOptions: structs.QueryOptions{Token: masterToken}, + QueryOptions: structs.QueryOptions{Token: initialManagementToken}, } var out structs.ACLRoleResponse @@ -5538,11 +5538,11 @@ func retrieveTestRoleByName(codec rpc.ClientCodec, masterToken string, datacente return &out, nil } -func deleteTestAuthMethod(codec rpc.ClientCodec, masterToken string, datacenter string, methodName string) error { +func deleteTestAuthMethod(codec rpc.ClientCodec, initialManagementToken string, datacenter string, methodName string) error { arg := structs.ACLAuthMethodDeleteRequest{ Datacenter: datacenter, AuthMethodName: methodName, - WriteRequest: structs.WriteRequest{Token: masterToken}, + WriteRequest: structs.WriteRequest{Token: initialManagementToken}, } var ignored string 
@@ -5550,10 +5550,10 @@ func deleteTestAuthMethod(codec rpc.ClientCodec, masterToken string, datacenter return err } func upsertTestAuthMethod( - codec rpc.ClientCodec, masterToken string, datacenter string, + codec rpc.ClientCodec, initialManagementToken string, datacenter string, sessionID string, ) (*structs.ACLAuthMethod, error) { - return upsertTestCustomizedAuthMethod(codec, masterToken, datacenter, func(method *structs.ACLAuthMethod) { + return upsertTestCustomizedAuthMethod(codec, initialManagementToken, datacenter, func(method *structs.ACLAuthMethod) { method.Config = map[string]interface{}{ "SessionID": sessionID, } @@ -5561,7 +5561,7 @@ func upsertTestAuthMethod( } func upsertTestCustomizedAuthMethod( - codec rpc.ClientCodec, masterToken string, datacenter string, + codec rpc.ClientCodec, initialManagementToken string, datacenter string, modify func(method *structs.ACLAuthMethod), ) (*structs.ACLAuthMethod, error) { name, err := uuid.GenerateUUID() @@ -5575,7 +5575,7 @@ func upsertTestCustomizedAuthMethod( Name: "test-method-" + name, Type: "testing", }, - WriteRequest: structs.WriteRequest{Token: masterToken}, + WriteRequest: structs.WriteRequest{Token: initialManagementToken}, } if modify != nil { @@ -5593,7 +5593,7 @@ func upsertTestCustomizedAuthMethod( } func upsertTestKubernetesAuthMethod( - codec rpc.ClientCodec, masterToken string, datacenter string, + codec rpc.ClientCodec, initialManagementToken string, datacenter string, caCert, kubeHost, kubeJWT string, ) (*structs.ACLAuthMethod, error) { name, err := uuid.GenerateUUID() @@ -5619,7 +5619,7 @@ func upsertTestKubernetesAuthMethod( "ServiceAccountJWT": kubeJWT, }, }, - WriteRequest: structs.WriteRequest{Token: masterToken}, + WriteRequest: structs.WriteRequest{Token: initialManagementToken}, } var out structs.ACLAuthMethod 
@@ -5632,11 +5632,11 @@ func upsertTestKubernetesAuthMethod( return &out, nil } -func retrieveTestAuthMethod(codec rpc.ClientCodec, masterToken string, datacenter string, name string) (*structs.ACLAuthMethodResponse, error) { +func retrieveTestAuthMethod(codec rpc.ClientCodec, initialManagementToken string, datacenter string, name string) (*structs.ACLAuthMethodResponse, error) { arg := structs.ACLAuthMethodGetRequest{ Datacenter: datacenter, AuthMethodName: name, - QueryOptions: structs.QueryOptions{Token: masterToken}, + QueryOptions: structs.QueryOptions{Token: initialManagementToken}, } var out structs.ACLAuthMethodResponse @@ -5650,11 +5650,11 @@ func retrieveTestAuthMethod(codec rpc.ClientCodec, masterToken string, datacente return &out, nil } -func deleteTestBindingRule(codec rpc.ClientCodec, masterToken string, datacenter string, ruleID string) error { +func deleteTestBindingRule(codec rpc.ClientCodec, initialManagementToken string, datacenter string, ruleID string) error { arg := structs.ACLBindingRuleDeleteRequest{ Datacenter: datacenter, BindingRuleID: ruleID, - WriteRequest: structs.WriteRequest{Token: masterToken}, + WriteRequest: structs.WriteRequest{Token: initialManagementToken}, } var ignored string @@ -5664,14 +5664,14 @@ func deleteTestBindingRule(codec rpc.ClientCodec, masterToken string, datacenter func upsertTestBindingRule( codec rpc.ClientCodec, - masterToken string, + initialManagementToken string, datacenter string, methodName string, selector string, bindType string, bindName string, ) (*structs.ACLBindingRule, error) { - return upsertTestCustomizedBindingRule(codec, masterToken, datacenter, func(rule *structs.ACLBindingRule) { + return upsertTestCustomizedBindingRule(codec, initialManagementToken, datacenter, func(rule *structs.ACLBindingRule) { rule.AuthMethod = methodName rule.BindType = bindType rule.BindName = bindName 
@@ -5679,11 +5679,11 @@ func upsertTestBindingRule( }) } -func upsertTestCustomizedBindingRule(codec rpc.ClientCodec, masterToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) { +func upsertTestCustomizedBindingRule(codec rpc.ClientCodec, initialManagementToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) { req := structs.ACLBindingRuleSetRequest{ Datacenter: datacenter, BindingRule: structs.ACLBindingRule{}, - WriteRequest: structs.WriteRequest{Token: masterToken}, + WriteRequest: structs.WriteRequest{Token: initialManagementToken}, } if modify != nil { @@ -5700,11 +5700,11 @@ func upsertTestCustomizedBindingRule(codec rpc.ClientCodec, masterToken string, return &out, nil } -func retrieveTestBindingRule(codec rpc.ClientCodec, masterToken string, datacenter string, ruleID string) (*structs.ACLBindingRuleResponse, error) { +func retrieveTestBindingRule(codec rpc.ClientCodec, initialManagementToken string, datacenter string, ruleID string) (*structs.ACLBindingRuleResponse, error) { arg := structs.ACLBindingRuleGetRequest{ Datacenter: datacenter, BindingRuleID: ruleID, - QueryOptions: structs.QueryOptions{Token: masterToken}, + QueryOptions: structs.QueryOptions{Token: initialManagementToken}, } var out structs.ACLBindingRuleResponse diff --git a/agent/consul/acl_test.go b/agent/consul/acl_test.go index 03707c0cb..f4ca0610b 100644 --- a/agent/consul/acl_test.go +++ b/agent/consul/acl_test.go @@ -4007,7 +4007,7 @@ func TestACL_LocalToken(t *testing.T) { }) } -func TestACLResolver_AgentMaster(t *testing.T) { +func TestACLResolver_AgentRecovery(t *testing.T) { var tokens token.Store d := &ACLResolverTestDelegate{ 
@@ -4025,9 +4025,9 @@ func TestACLResolver_AgentMaster(t *testing.T) { ident, authz, err := r.ResolveTokenToIdentityAndAuthorizer("9a184a11-5599-459e-b71a-550e5f9a5a23") require.NoError(t, err) require.NotNil(t, ident) - require.Equal(t, "agent-master:foo", ident.ID()) + require.Equal(t, "agent-recovery:foo", ident.ID()) require.NotNil(t, authz) - require.Equal(t, r.agentMasterAuthz, authz) + require.Equal(t, r.agentRecoveryAuthz, authz) require.Equal(t, acl.Allow, authz.AgentWrite("foo", nil)) require.Equal(t, acl.Allow, authz.NodeRead("bar", nil)) require.Equal(t, acl.Deny, authz.NodeWrite("bar", nil)) @@ -4106,7 +4106,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t Name: "the-policy", Rules: `key_prefix "" { policy = "read"}`, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var respPolicy = structs.ACLPolicy{} err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &respPolicy) @@ -4121,7 +4121,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t SecretID: token, Policies: []structs.ACLTokenPolicyLink{{Name: "the-policy"}}, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var respToken structs.ACLToken err = msgpackrpc.CallWithCodec(codec, "ACL.TokenSet", &reqToken, &respToken) @@ -4142,7 +4142,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t Name: "the-policy", Rules: `{"key_prefix": {"": {"policy": "deny"}}}`, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &structs.ACLPolicy{}) require.NoError(t, err) 
@@ -4157,7 +4157,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t req := structs.ACLTokenDeleteRequest{ Datacenter: "dc1", TokenID: respToken.AccessorID, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var resp string err := msgpackrpc.CallWithCodec(codec, "ACL.TokenDelete", &req, &resp) diff --git a/agent/consul/acl_token_exp_test.go b/agent/consul/acl_token_exp_test.go index 17e8622c1..672cb332c 100644 --- a/agent/consul/acl_token_exp_test.go +++ b/agent/consul/acl_token_exp_test.go @@ -58,7 +58,7 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) { acl := ACL{srv: s1} - masterTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, "root", "dc1", "root") + initialManagementTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, "root", "dc1", "root") require.NoError(t, err) listTokens := func() (localTokens, globalTokens []string, err error) { @@ -88,9 +88,9 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) { t.Helper() var expectLocal, expectGlobal []string - // The master token and the anonymous token are always going to be - // present and global. - expectGlobal = append(expectGlobal, masterTokenAccessorID) + // The initial management token and the anonymous token are always + // going to be present and global. + expectGlobal = append(expectGlobal, initialManagementTokenAccessorID) expectGlobal = append(expectGlobal, structs.ACLTokenAnonymousID) if local { diff --git a/agent/consul/auto_config_backend_test.go b/agent/consul/auto_config_backend_test.go index f5078494b..b4a8a2c6c 100644 --- a/agent/consul/auto_config_backend_test.go +++ b/agent/consul/auto_config_backend_test.go 
@@ -41,7 +41,7 @@ func TestAutoConfigBackend_CreateACLToken(t *testing.T) { waitForLeaderEstablishment(t, srv) - r1, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1") + r1, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) t.Run("predefined-ids", func(t *testing.T) { diff --git a/agent/consul/connect_ca_endpoint_test.go b/agent/consul/connect_ca_endpoint_test.go index 40a384f90..84ea9f69a 100644 --- a/agent/consul/connect_ca_endpoint_test.go +++ b/agent/consul/connect_ca_endpoint_test.go @@ -163,7 +163,7 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) { dir1, s1 := testServerWithConfig(t, func(c *Config) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true - c.ACLInitialManagementToken = TestDefaultMasterToken + c.ACLInitialManagementToken = TestDefaultInitialManagementToken c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) @@ -175,11 +175,11 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) { testrpc.WaitForLeader(t, s1.RPC, "dc1") opReadToken, err := upsertTestTokenWithPolicyRules( - codec, TestDefaultMasterToken, "dc1", `operator = "read"`) + codec, TestDefaultInitialManagementToken, "dc1", `operator = "read"`) require.NoError(t, err) opWriteToken, err := upsertTestTokenWithPolicyRules( - codec, TestDefaultMasterToken, "dc1", `operator = "write"`) + codec, TestDefaultInitialManagementToken, "dc1", `operator = "write"`) require.NoError(t, err) // Update a config value @@ -215,7 +215,7 @@ pY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g= args := &structs.CARequest{ Datacenter: "dc1", Config: newConfig, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var reply interface{} require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply)) 
diff --git a/agent/consul/federation_state_endpoint_test.go b/agent/consul/federation_state_endpoint_test.go index a8544869c..f3a1e345f 100644 --- a/agent/consul/federation_state_endpoint_test.go +++ b/agent/consul/federation_state_endpoint_test.go @@ -541,7 +541,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) { gwListEmpty: true, gwFilteredByACLs: true, }, - "master token": { + "initial management token": { token: "root", }, } diff --git a/agent/consul/fsm/commands_oss_test.go b/agent/consul/fsm/commands_oss_test.go index 380c790c7..868de93bb 100644 --- a/agent/consul/fsm/commands_oss_test.go +++ b/agent/consul/fsm/commands_oss_test.go @@ -105,7 +105,7 @@ func TestFSM_RegisterNode_Service(t *testing.T) { Service: &structs.NodeService{ ID: "db", Service: "db", - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, }, Check: &structs.HealthCheck{ @@ -170,7 +170,7 @@ func TestFSM_DeregisterService(t *testing.T) { Service: &structs.NodeService{ ID: "db", Service: "db", - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, }, } @@ -296,7 +296,7 @@ func TestFSM_DeregisterNode(t *testing.T) { Service: &structs.NodeService{ ID: "db", Service: "db", - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, }, Check: &structs.HealthCheck{ @@ -1429,7 +1429,7 @@ func TestFSM_Chunking_Lifecycle(t *testing.T) { Service: &structs.NodeService{ ID: "db", Service: "db", - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, }, Check: &structs.HealthCheck{ @@ -1559,7 +1559,7 @@ func TestFSM_Chunking_TermChange(t *testing.T) { Service: &structs.NodeService{ ID: "db", Service: "db", - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, }, Check: &structs.HealthCheck{ diff --git a/agent/consul/intention_endpoint_test.go b/agent/consul/intention_endpoint_test.go index ec8349f82..028c66fef 100644 --- a/agent/consul/intention_endpoint_test.go +++ b/agent/consul/intention_endpoint_test.go 
@@ -937,17 +937,17 @@ func TestIntention_WildcardACLEnforcement(t *testing.T) { // create some test policies. - writeToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "write" }`) + writeToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "write" }`) require.NoError(t, err) - readToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "read" }`) + readToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "read" }`) require.NoError(t, err) - exactToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "*" { policy = "deny" intentions = "write" }`) + exactToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "*" { policy = "deny" intentions = "write" }`) require.NoError(t, err) - wildcardPrefixToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "*" { policy = "deny" intentions = "write" }`) + wildcardPrefixToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "*" { policy = "deny" intentions = "write" }`) require.NoError(t, err) - fooToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "foo" { policy = "deny" intentions = "write" }`) + fooToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "foo" { policy = "deny" intentions = "write" }`) require.NoError(t, err) - denyToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "deny" }`) + denyToken, err := 
upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "deny" }`) require.NoError(t, err) doIntentionCreate := func(t *testing.T, token string, dest string, deny bool) string { @@ -1607,7 +1607,7 @@ func TestIntentionList_acl(t *testing.T) { waitForLeaderEstablishment(t, s1) - token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "foo" { policy = "write" }`) + token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "foo" { policy = "write" }`) require.NoError(t, err) // Create a few records @@ -1620,7 +1620,7 @@ func TestIntentionList_acl(t *testing.T) { ixn.Intention.SourceNS = "default" ixn.Intention.DestinationNS = "default" ixn.Intention.DestinationName = name - ixn.WriteRequest.Token = TestDefaultMasterToken + ixn.WriteRequest.Token = TestDefaultInitialManagementToken // Create var reply string @@ -1639,10 +1639,10 @@ func TestIntentionList_acl(t *testing.T) { }) // Test with management token - t.Run("master-token", func(t *testing.T) { + t.Run("initial-management-token", func(t *testing.T) { req := &structs.IntentionListRequest{ Datacenter: "dc1", - QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, + QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } var resp structs.IndexedIntentions require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp)) @@ -1666,7 +1666,7 @@ func TestIntentionList_acl(t *testing.T) { req := &structs.IntentionListRequest{ Datacenter: "dc1", QueryOptions: structs.QueryOptions{ - Token: TestDefaultMasterToken, + Token: TestDefaultInitialManagementToken, Filter: "DestinationName == foobar", }, } 
@@ -1763,7 +1763,7 @@ func TestIntentionMatch_acl(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "bar" { policy = "write" }`) + token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "bar" { policy = "write" }`) require.NoError(t, err) // Create some records @@ -1781,7 +1781,7 @@ func TestIntentionMatch_acl(t *testing.T) { Intention: structs.TestIntention(t), } ixn.Intention.DestinationName = v - ixn.WriteRequest.Token = TestDefaultMasterToken + ixn.WriteRequest.Token = TestDefaultInitialManagementToken // Create var reply string @@ -1993,7 +1993,7 @@ func TestIntentionCheck_match(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "api" { policy = "read" }`) + token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "api" { policy = "read" }`) require.NoError(t, err) // Create some intentions @@ -2015,7 +2015,7 @@ func TestIntentionCheck_match(t *testing.T) { DestinationName: v[1], Action: structs.IntentionActionAllow, }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } // Create var reply string diff --git a/agent/consul/internal_endpoint_test.go b/agent/consul/internal_endpoint_test.go index 7a354e7b5..599b4330c 100644 --- a/agent/consul/internal_endpoint_test.go +++ b/agent/consul/internal_endpoint_test.go 
@@ -1790,7 +1790,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) { codec := rpcClient(t, s1) defer codec.Close() - testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken(TestDefaultMasterToken)) + testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken(TestDefaultInitialManagementToken)) // Register terminating gateway and config entry linking it to postgres + redis { @@ -1809,7 +1809,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) { Status: api.HealthPassing, ServiceID: "terminating-gateway", }, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var regOutput struct{} require.NoError(t, msgpackrpc.CallWithCodec(codec, "Catalog.Register", &arg, ®Output)) @@ -1834,7 +1834,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) { Op: structs.ConfigEntryUpsert, Datacenter: "dc1", Entry: args, - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var configOutput bool require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConfigEntry.Apply", &req, &configOutput)) @@ -1848,7 +1848,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) { Datacenter: "dc1", Op: structs.IntentionOpCreate, Intention: structs.TestIntention(t), - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } req.Intention.SourceName = "api" req.Intention.DestinationName = v @@ -1860,7 +1860,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) { Datacenter: "dc1", Op: structs.IntentionOpCreate, Intention: structs.TestIntention(t), - WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, + WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } req.Intention.SourceName = v req.Intention.DestinationName = "api" 
@@ -1868,7 +1868,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) { } } - userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", ` + userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", ` service_prefix "redis" { policy = "read" } service_prefix "terminating-gateway" { policy = "read" } `) @@ -2192,7 +2192,7 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) { dir1, s1 := testServerWithConfig(t, func(c *Config) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true - c.ACLInitialManagementToken = TestDefaultMasterToken + c.ACLInitialManagementToken = TestDefaultInitialManagementToken c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) @@ -2215,10 +2215,10 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) { // web -> redis exact intention // redis and redis-proxy on node zip - registerTestTopologyEntries(t, codec, TestDefaultMasterToken) + registerTestTopologyEntries(t, codec, TestDefaultInitialManagementToken) // Token grants read to: foo/api, foo/api-proxy, bar/web, baz/web - userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", ` + userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", ` node_prefix "" { policy = "read" } service_prefix "api" { policy = "read" } service "web" { policy = "read" } @@ -2331,7 +2331,7 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) { dir1, s1 := testServerWithConfig(t, func(c *Config) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true - c.ACLInitialManagementToken = TestDefaultMasterToken + c.ACLInitialManagementToken = TestDefaultInitialManagementToken c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) 
@@ -2349,11 +2349,11 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) { // Intentions // * -> * (deny) intention // web -> api (allow) - registerIntentionUpstreamEntries(t, codec, TestDefaultMasterToken) + registerIntentionUpstreamEntries(t, codec, TestDefaultInitialManagementToken) t.Run("valid token", func(t *testing.T) { // Token grants read to read api service - userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", ` + userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", ` service_prefix "api" { policy = "read" } `) require.NoError(t, err) @@ -2379,7 +2379,7 @@ service_prefix "api" { policy = "read" } t.Run("invalid token filters results", func(t *testing.T) { // Token grants read to read an unrelated service, mongo - userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", ` + userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", ` service_prefix "mongo" { policy = "read" } `) require.NoError(t, err) diff --git a/agent/consul/leader_connect_test.go b/agent/consul/leader_connect_test.go index 3257e9f79..ea6e3482d 100644 --- a/agent/consul/leader_connect_test.go +++ b/agent/consul/leader_connect_test.go @@ -196,7 +196,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) { for _, tc := range tests { tc := tc t.Run(fmt.Sprintf("%s-%d", tc.keyType, tc.keyBits), func(t *testing.T) { - masterToken := "8a85f086-dd95-4178-b128-e10902767c5c" + initialManagementToken := "8a85f086-dd95-4178-b128-e10902767c5c" // Initialize primary as the primary DC dir1, s1 := testServerWithConfig(t, func(c *Config) { 
@@ -204,7 +204,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) { c.PrimaryDatacenter = "primary" c.Build = "1.6.0" c.ACLsEnabled = true - c.ACLInitialManagementToken = masterToken + c.ACLInitialManagementToken = initialManagementToken c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.CAConfig.Config["PrivateKeyType"] = tc.keyType c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits @@ -213,7 +213,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) { defer os.RemoveAll(dir1) defer s1.Shutdown() - s1.tokens.UpdateAgentToken(masterToken, token.TokenSourceConfig) + s1.tokens.UpdateAgentToken(initialManagementToken, token.TokenSourceConfig) testrpc.WaitForLeader(t, s1.RPC, "primary") @@ -232,8 +232,8 @@ func TestCAManager_Initialize_Secondary(t *testing.T) { defer os.RemoveAll(dir2) defer s2.Shutdown() - s2.tokens.UpdateAgentToken(masterToken, token.TokenSourceConfig) - s2.tokens.UpdateReplicationToken(masterToken, token.TokenSourceConfig) + s2.tokens.UpdateAgentToken(initialManagementToken, token.TokenSourceConfig) + s2.tokens.UpdateReplicationToken(initialManagementToken, token.TokenSourceConfig) // Create the WAN link joinWAN(t, s2, s1) diff --git a/agent/consul/leader_test.go b/agent/consul/leader_test.go index d7f681622..aeaf70f22 100644 --- a/agent/consul/leader_test.go +++ b/agent/consul/leader_test.go 
@@ -1162,15 +1162,15 @@ func TestLeader_ACL_Initialization(t *testing.T) { t.Parallel() tests := []struct { - name string - build string - master string - bootstrap bool + name string + build string + initialManagement string + bootstrap bool }{ - {"old version, no master", "0.8.0", "", true}, - {"old version, master", "0.8.0", "root", false}, - {"new version, no master", "0.9.1", "", true}, - {"new version, master", "0.9.1", "root", false}, + {"old version, no initial management", "0.8.0", "", true}, + {"old version, initial management", "0.8.0", "root", false}, + {"new version, no initial management", "0.9.1", "", true}, + {"new version, initial management", "0.9.1", "root", false}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { @@ -1180,17 +1180,17 @@ func TestLeader_ACL_Initialization(t *testing.T) { c.Datacenter = "dc1" c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true - c.ACLInitialManagementToken = tt.master + c.ACLInitialManagementToken = tt.initialManagement } dir1, s1 := testServerWithConfig(t, conf) defer os.RemoveAll(dir1) defer s1.Shutdown() testrpc.WaitForTestAgent(t, s1.RPC, "dc1") - if tt.master != "" { - _, master, err := s1.fsm.State().ACLTokenGetBySecret(nil, tt.master, nil) + if tt.initialManagement != "" { + _, initialManagement, err := s1.fsm.State().ACLTokenGetBySecret(nil, tt.initialManagement, nil) require.NoError(t, err) - require.NotNil(t, master) + require.NotNil(t, initialManagement) } _, anon, err := s1.fsm.State().ACLTokenGetBySecret(nil, anonymousToken, nil) diff --git a/agent/consul/prepared_query_endpoint_test.go b/agent/consul/prepared_query_endpoint_test.go index 9d82fdfa2..2d1702f4f 100644 --- a/agent/consul/prepared_query_endpoint_test.go +++ b/agent/consul/prepared_query_endpoint_test.go 
@@ -222,7 +222,7 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) { Datacenter: "dc1", Op: structs.PreparedQueryCreate, Query: &structs.PreparedQuery{ - Name: "redis-master", + Name: "redis-primary", Service: structs.ServiceQuery{ Service: "the-redis", }, @@ -503,7 +503,7 @@ func TestPreparedQuery_Apply_ForwardLeader(t *testing.T) { Address: "127.0.0.1", Service: &structs.NodeService{ Service: "redis", - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, }, } @@ -853,7 +853,7 @@ func TestPreparedQuery_Get(t *testing.T) { Datacenter: "dc1", Op: structs.PreparedQueryCreate, Query: &structs.PreparedQuery{ - Name: "redis-master", + Name: "redis-primary", Service: structs.ServiceQuery{ Service: "the-redis", }, @@ -1110,7 +1110,7 @@ func TestPreparedQuery_List(t *testing.T) { Datacenter: "dc1", Op: structs.PreparedQueryCreate, Query: &structs.PreparedQuery{ - Name: "redis-master", + Name: "redis-primary", Token: "le-token", Service: structs.ServiceQuery{ Service: "the-redis", @@ -2348,7 +2348,7 @@ func TestPreparedQuery_Execute_ForwardLeader(t *testing.T) { Address: "127.0.0.1", Service: &structs.NodeService{ Service: "redis", - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 8000, }, } diff --git a/agent/consul/server_test.go b/agent/consul/server_test.go index 0c7b84223..c06b95487 100644 --- a/agent/consul/server_test.go +++ b/agent/consul/server_test.go @@ -35,7 +35,7 @@ import ( ) const ( - TestDefaultMasterToken = "d9f05e83-a7ae-47ce-839e-c0d53a68c00a" + TestDefaultInitialManagementToken = "d9f05e83-a7ae-47ce-839e-c0d53a68c00a" ) // testTLSCertificates Generates a TLS CA and server key/cert and returns them 
@@ -70,7 +70,7 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str func testServerACLConfig(c *Config) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true - c.ACLInitialManagementToken = TestDefaultMasterToken + c.ACLInitialManagementToken = TestDefaultInitialManagementToken c.ACLResolverSettings.ACLDefaultPolicy = "deny" } @@ -245,7 +245,7 @@ func testACLServerWithConfig(t *testing.T, cb func(*Config), initReplicationToke if initReplicationToken { // setup some tokens here so we get less warnings in the logs - srv.tokens.UpdateReplicationToken(TestDefaultMasterToken, token.TokenSourceConfig) + srv.tokens.UpdateReplicationToken(TestDefaultInitialManagementToken, token.TokenSourceConfig) } codec := rpcClient(t, srv) diff --git a/agent/consul/state/prepared_query_test.go b/agent/consul/state/prepared_query_test.go index 9ccd90dd0..6c66b9eee 100644 --- a/agent/consul/state/prepared_query_test.go +++ b/agent/consul/state/prepared_query_test.go @@ -5,8 +5,9 @@ import ( "strings" "testing" - "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/go-memdb" + + "github.com/hashicorp/consul/agent/structs" ) func TestStateStore_PreparedQuery_isUUID(t *testing.T) { @@ -663,7 +664,7 @@ func TestStateStore_PreparedQueryResolve(t *testing.T) { Regexp: "^prod-(.*)$", }, Service: structs.ServiceQuery{ - Service: "${match(1)}-master", + Service: "${match(1)}-primary", }, } if err := s.PreparedQuerySet(5, tmpl2); err != nil { @@ -705,7 +706,7 @@ func TestStateStore_PreparedQueryResolve(t *testing.T) { Regexp: "^prod-(.*)$", }, Service: structs.ServiceQuery{ - Service: "redis-foobar-master", + Service: "redis-foobar-primary", }, RaftIndex: structs.RaftIndex{ CreateIndex: 5, diff --git a/agent/local/state_test.go b/agent/local/state_test.go index 7deb2893f..0ec473505 100644 --- a/agent/local/state_test.go +++ b/agent/local/state_test.go 
@@ -52,7 +52,7 @@ func TestAgentAntiEntropy_Services(t *testing.T) { srv1 := &structs.NodeService{ ID: "mysql", Service: "mysql", - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 5000, Weights: &structs.Weights{ Passing: 1, @@ -675,7 +675,7 @@ func TestAgentAntiEntropy_Services_WithChecks(t *testing.T) { srv := &structs.NodeService{ ID: "mysql", Service: "mysql", - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 5000, } a.State.AddService(srv, "") @@ -725,7 +725,7 @@ func TestAgentAntiEntropy_Services_WithChecks(t *testing.T) { srv := &structs.NodeService{ ID: "redis", Service: "redis", - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 5000, } a.State.AddService(srv, "") @@ -821,7 +821,7 @@ func TestAgentAntiEntropy_Services_ACLDeny(t *testing.T) { srv1 := &structs.NodeService{ ID: "mysql", Service: "mysql", - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 5000, Weights: &structs.Weights{ Passing: 1, @@ -1278,7 +1278,7 @@ func TestAgentAntiEntropy_Checks_ACLDeny(t *testing.T) { srv1 := &structs.NodeService{ ID: "mysql", Service: "mysql", - Tags: []string{"master"}, + Tags: []string{"primary"}, Port: 5000, Weights: &structs.Weights{ Passing: 1, @@ -1348,7 +1348,7 @@ func TestAgentAntiEntropy_Checks_ACLDeny(t *testing.T) { Node: a.Config.NodeName, ServiceID: "mysql", ServiceName: "mysql", - ServiceTags: []string{"master"}, + ServiceTags: []string{"primary"}, CheckID: "mysql-check", Name: "mysql", Status: api.HealthPassing, diff --git a/agent/structs/acl.go b/agent/structs/acl.go index ae63878bc..756cadbb1 100644 --- a/agent/structs/acl.go +++ b/agent/structs/acl.go 
@@ -1728,50 +1728,50 @@ func CreateACLAuthorizationResponses(authz acl.Authorizer, requests []ACLAuthori return responses, nil } -type AgentMasterTokenIdentity struct { +type AgentRecoveryTokenIdentity struct { agent string secretID string } -func NewAgentMasterTokenIdentity(agent string, secretID string) *AgentMasterTokenIdentity { - return &AgentMasterTokenIdentity{ +func NewAgentRecoveryTokenIdentity(agent string, secretID string) *AgentRecoveryTokenIdentity { + return &AgentRecoveryTokenIdentity{ agent: agent, secretID: secretID, } } -func (id *AgentMasterTokenIdentity) ID() string { - return fmt.Sprintf("agent-master:%s", id.agent) +func (id *AgentRecoveryTokenIdentity) ID() string { + return fmt.Sprintf("agent-recovery:%s", id.agent) } -func (id *AgentMasterTokenIdentity) SecretToken() string { +func (id *AgentRecoveryTokenIdentity) SecretToken() string { return id.secretID } -func (id *AgentMasterTokenIdentity) PolicyIDs() []string { +func (id *AgentRecoveryTokenIdentity) PolicyIDs() []string { return nil } -func (id *AgentMasterTokenIdentity) RoleIDs() []string { +func (id *AgentRecoveryTokenIdentity) RoleIDs() []string { return nil } -func (id *AgentMasterTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity { +func (id *AgentRecoveryTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity { return nil } -func (id *AgentMasterTokenIdentity) NodeIdentityList() []*ACLNodeIdentity { +func (id *AgentRecoveryTokenIdentity) NodeIdentityList() []*ACLNodeIdentity { return nil } -func (id *AgentMasterTokenIdentity) IsExpired(asOf time.Time) bool { +func (id *AgentRecoveryTokenIdentity) IsExpired(asOf time.Time) bool { return false } -func (id *AgentMasterTokenIdentity) IsLocal() bool { +func (id *AgentRecoveryTokenIdentity) IsLocal() bool { return true } -func (id *AgentMasterTokenIdentity) EnterpriseMetadata() *EnterpriseMeta { +func (id *AgentRecoveryTokenIdentity) EnterpriseMetadata() *EnterpriseMeta { return nil } 
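Review bot: `ID()` now returns `agent-recovery:<agent>` instead of `agent-master:<agent>`, which is a runtime-visible change rather than a pure rename. Where this identifier ends up is not visible in the hunk; if it reaches logs, audit records or test fixtures, anything matching the old `agent-master:` prefix will stop matching without an error, so it is worth searching for the old literal and mentioning the new one in the release notes. The exported type and constructor also have no doc comments. Something like `// AgentRecoveryTokenIdentity is the identity for an agent recovery token: it is local, never expires, and carries no policies, roles, or service/node identities.` would record what the methods below establish.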
diff --git a/api/acl_test.go b/api/acl_test.go index c4749f23e..59c9bc315 100644 --- a/api/acl_test.go +++ b/api/acl_test.go @@ -455,7 +455,7 @@ func TestAPI_ACLToken_List(t *testing.T) { tokens, qm, err := acl.TokenList(nil) require.NoError(t, err) - // 3 + anon + master + // 3 + anon + initial management require.Len(t, tokens, 5) require.NotEqual(t, 0, qm.LastIndex) require.True(t, qm.KnownLeader) @@ -500,7 +500,7 @@ func TestAPI_ACLToken_List(t *testing.T) { require.True(t, ok) require.NotNil(t, token4) - // ensure the 5th token is the root master token + // ensure the 5th token is the initial management token root, _, err := acl.TokenReadSelf(nil) require.NoError(t, err) require.NotNil(t, root) @@ -516,17 +516,17 @@ func TestAPI_ACLToken_Clone(t *testing.T) { acl := c.ACL() - master, _, err := acl.TokenReadSelf(nil) + initialManagement, _, err := acl.TokenReadSelf(nil) require.NoError(t, err) - require.NotNil(t, master) + require.NotNil(t, initialManagement) - cloned, _, err := acl.TokenClone(master.AccessorID, "cloned", nil) + cloned, _, err := acl.TokenClone(initialManagement.AccessorID, "cloned", nil) require.NoError(t, err) require.NotNil(t, cloned) - require.NotEqual(t, master.AccessorID, cloned.AccessorID) - require.NotEqual(t, master.SecretID, cloned.SecretID) + require.NotEqual(t, initialManagement.AccessorID, cloned.AccessorID) + require.NotEqual(t, initialManagement.SecretID, cloned.SecretID) require.Equal(t, "cloned", cloned.Description) - require.ElementsMatch(t, master.Policies, cloned.Policies) + require.ElementsMatch(t, initialManagement.Policies, cloned.Policies) read, _, err := acl.TokenRead(cloned.AccessorID, nil) require.NoError(t, err) diff --git a/api/api_test.go b/api/api_test.go index 01dc0b681..6558efbd1 100644 --- a/api/api_test.go +++ b/api/api_test.go 
@@ -16,10 +16,11 @@ import ( "testing" "time" - "github.com/hashicorp/consul/sdk/testutil" - "github.com/hashicorp/consul/sdk/testutil/retry" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + + "github.com/hashicorp/consul/sdk/testutil" + "github.com/hashicorp/consul/sdk/testutil/retry" ) type configCallback func(c *Config) @@ -39,7 +40,7 @@ func makeACLClient(t *testing.T) (*Client, *testutil.TestServer) { clientConfig.Token = "root" }, func(serverConfig *testutil.TestServerConfig) { serverConfig.PrimaryDatacenter = "dc1" - serverConfig.ACL.Tokens.Master = "root" + serverConfig.ACL.Tokens.InitialManagement = "root" serverConfig.ACL.Tokens.Agent = "root" serverConfig.ACL.Enabled = true serverConfig.ACL.DefaultPolicy = "deny" diff --git a/api/catalog_test.go b/api/catalog_test.go index 093d6d974..c1b7f0593 100644 --- a/api/catalog_test.go +++ b/api/catalog_test.go @@ -826,7 +826,7 @@ func TestAPI_CatalogRegistration(t *testing.T) { service := &AgentService{ ID: "redis1", Service: "redis", - Tags: []string{"master", "v1"}, + Tags: []string{"primary", "v1"}, Port: 8000, } @@ -1023,7 +1023,7 @@ func TestAPI_CatalogEnableTagOverride(t *testing.T) { service := &AgentService{ ID: "redis1", Service: "redis", - Tags: []string{"master", "v1"}, + Tags: []string{"primary", "v1"}, Port: 8000, } diff --git a/api/prepared_query_test.go b/api/prepared_query_test.go index 7fe727c6c..0e358d777 100644 --- a/api/prepared_query_test.go +++ b/api/prepared_query_test.go @@ -24,7 +24,7 @@ func TestAPI_PreparedQuery(t *testing.T) { Service: &AgentService{ ID: "redis1", Service: "redis", - Tags: []string{"master", "v1"}, + Tags: []string{"primary", "v1"}, Meta: map[string]string{"redis-version": "4.0"}, Port: 8000, }, diff --git a/sdk/testutil/README.md b/sdk/testutil/README.md index dfd57ceb8..a3f4c904d 100644 --- a/sdk/testutil/README.md +++ b/sdk/testutil/README.md 
@@ -56,10 +56,10 @@ func TestFoo_bar(t *testing.T) { }) // Create a service - srv1.AddService(t, "redis", structs.HealthPassing, []string{"master"}) + srv1.AddService(t, "redis", structs.HealthPassing, []string{"primary"}) // Create a service that will be accessed in target source code - srv1.AddAccessibleService("redis", structs.HealthPassing, "127.0.0.1", 6379, []string{"master"}) + srv1.AddAccessibleService("redis", structs.HealthPassing, "127.0.0.1", 6379, []string{"primary"}) // Create a service check srv1.AddCheck(t, "service:redis", "redis", structs.HealthPassing) diff --git a/sdk/testutil/server.go b/sdk/testutil/server.go index cd894a2ef..f017506d2 100644 --- a/sdk/testutil/server.go +++ b/sdk/testutil/server.go @@ -86,7 +86,6 @@ type TestServerConfig struct { Addresses *TestAddressConfig `json:"addresses,omitempty"` Ports *TestPortConfig `json:"ports,omitempty"` RaftProtocol int `json:"raft_protocol,omitempty"` - ACLMasterToken string `json:"acl_master_token,omitempty"` ACLDatacenter string `json:"acl_datacenter,omitempty"` PrimaryDatacenter string `json:"primary_datacenter,omitempty"` ACLDefaultPolicy string `json:"acl_default_policy,omitempty"` @@ -124,11 +123,17 @@ type TestACLs struct { } type TestTokens struct { - Master string `json:"master,omitempty"` Replication string `json:"replication,omitempty"` - AgentMaster string `json:"agent_master,omitempty"` Default string `json:"default,omitempty"` Agent string `json:"agent,omitempty"` + + // Note: this field is marshaled as master for compatibility with + // versions of Consul prior to 1.11. + InitialManagement string `json:"master,omitempty"` + + // Note: this field is marshaled as agent_master for compatibility with + // versions of Consul prior to 1.11. + AgentRecovery string `json:"agent_master,omitempty"` } // ServerConfigCallback is a function interface which can be 
@@ -375,7 +380,7 @@ func (s *TestServer) waitForAPI() error { time.Sleep(timer.Wait) url := s.url("/v1/status/leader") - resp, err := s.masterGet(url) + resp, err := s.privilegedGet(url) if err != nil { failed = true continue @@ -397,7 +402,7 @@ func (s *TestServer) WaitForLeader(t testing.TB) { retry.Run(t, func(r *retry.R) { // Query the API and check the status code. url := s.url("/v1/catalog/nodes") - resp, err := s.masterGet(url) + resp, err := s.privilegedGet(url) if err != nil { r.Fatalf("failed http get '%s': %v", url, err) } @@ -433,7 +438,7 @@ func (s *TestServer) WaitForActiveCARoot(t testing.TB) { retry.Run(t, func(r *retry.R) { // Query the API and check the status code. url := s.url("/v1/agent/connect/ca/roots") - resp, err := s.masterGet(url) + resp, err := s.privilegedGet(url) if err != nil { r.Fatalf("failed http get '%s': %v", url, err) } @@ -469,7 +474,7 @@ func (s *TestServer) WaitForServiceIntentions(t testing.TB) { // preflightCheck call in agent/consul/config_endpoint.go will fail if // we aren't ready yet, vs just doing no work instead. url := s.url("/v1/config/service-intentions/" + fakeConfigName) - resp, err := s.masterDelete(url) + resp, err := s.privilegedDelete(url) if err != nil { r.Fatalf("failed http get '%s': %v", url, err) } @@ -486,7 +491,7 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) { retry.Run(t, func(r *retry.R) { // Query the API and check the status code. url := s.url("/v1/catalog/nodes?index=0") - resp, err := s.masterGet(url) + resp, err := s.privilegedGet(url) if err != nil { r.Fatalf("failed http get: %v", err) } @@ -507,7 +512,7 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) { // Ensure the serfHealth check is registered url = s.url(fmt.Sprintf("/v1/health/node/%s", payload[0]["Node"])) - resp, err = s.masterGet(url) + resp, err = s.privilegedGet(url) if err != nil { r.Fatalf("failed http get: %v", err) } 
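Review bot: The failure message after `s.privilegedDelete(url)` in the WaitForServiceIntentions hunk still says "failed http get", so a failed DELETE is reported under the wrong verb. `r.Fatalf("failed http delete '%s': %v", url, err)` would match the call. The wording predates this commit, but the line sits directly under the renamed call and is easy to fix in the same pass. The function body starts and ends outside the hunk.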
@@ -533,24 +538,24 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) { }) } -func (s *TestServer) masterGet(url string) (*http.Response, error) { +func (s *TestServer) privilegedGet(url string) (*http.Response, error) { req, err := http.NewRequest("GET", url, nil) if err != nil { return nil, err } - if s.Config.ACL.Tokens.Master != "" { - req.Header.Set("x-consul-token", s.Config.ACL.Tokens.Master) + if s.Config.ACL.Tokens.InitialManagement != "" { + req.Header.Set("x-consul-token", s.Config.ACL.Tokens.InitialManagement) } return s.HTTPClient.Do(req) } -func (s *TestServer) masterDelete(url string) (*http.Response, error) { +func (s *TestServer) privilegedDelete(url string) (*http.Response, error) { req, err := http.NewRequest("DELETE", url, nil) if err != nil { return nil, err } - if s.Config.ACL.Tokens.Master != "" { - req.Header.Set("x-consul-token", s.Config.ACL.Tokens.Master) + if s.Config.ACL.Tokens.InitialManagement != "" { + req.Header.Set("x-consul-token", s.Config.ACL.Tokens.InitialManagement) } return s.HTTPClient.Do(req) } diff --git a/ui/packages/consul-ui/mock-api/v1/acl/list b/ui/packages/consul-ui/mock-api/v1/acl/list index aa9f8c6a7..27fe3e99f 100644 --- a/ui/packages/consul-ui/mock-api/v1/acl/list +++ b/ui/packages/consul-ui/mock-api/v1/acl/list @@ -20,7 +20,7 @@ ${ }, { "ID":"secret", - "Name":"Master Token", + "Name":"Initial Management Token", "Type":"management", "Rules":"", "CreateIndex":5,
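Review bot: `privilegedGet` and `privilegedDelete` are identical apart from the HTTP verb, and each attaches the initial management token to whatever URL it is given. Since both are being renamed anyway, they could share one helper, so the token-attachment logic lives in a single place. That helper's doc comment can state that callers should pass only URLs built by `s.url`, which keeps the token going to the test server alone. The callers visible in this diff all do that already, so this is documentation and de-duplication, not a behaviour change.

```go
// privilegedRequest sends method to url, attaching the initial management
// token when one is configured. Callers should pass URLs built by s.url so
// the token is only ever sent to the test server.
func (s *TestServer) privilegedRequest(method, url string) (*http.Response, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return nil, err
	}
	if tok := s.Config.ACL.Tokens.InitialManagement; tok != "" {
		req.Header.Set("x-consul-token", tok)
	}
	return s.HTTPClient.Do(req)
}

func (s *TestServer) privilegedGet(url string) (*http.Response, error) {
	return s.privilegedRequest(http.MethodGet, url)
}

func (s *TestServer) privilegedDelete(url string) (*http.Response, error) {
	return s.privilegedRequest(http.MethodDelete, url)
}
```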