[OSS] Remove remaining references to master (#11827)

Dan Upton 2022-01-20 12:47:50 +00:00 committed by GitHub
parent bc21e95909
commit 088ba2edaf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
28 changed files with 600 additions and 572 deletions

3
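--- a/.changelog/11827.txt
+++ b/.changelog/11827.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+sdk: several changes to the testutil configuration structs (removed `ACLMasterToken`, renamed `Master` to `InitialManagement`, and `AgentMaster` to `AgentRecovery`)
+```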


@ -849,10 +849,10 @@ func TestACL_HTTP(t *testing.T) {
tokens, ok := raw.(structs.ACLTokenListStubs) tokens, ok := raw.(structs.ACLTokenListStubs)
require.True(t, ok) require.True(t, ok)
// 3 tokens created but 1 was deleted + master token + anon token // 3 tokens created but 1 was deleted + initial management token + anon token
require.Len(t, tokens, 4) require.Len(t, tokens, 4)
// this loop doesn't verify anything about the master token // this loop doesn't verify anything about the initial management token
for tokenID, expected := range tokenMap { for tokenID, expected := range tokenMap {
found := false found := false
for _, actual := range tokens { for _, actual := range tokens {
@ -1880,7 +1880,7 @@ func TestACL_Authorize(t *testing.T) {
var localToken structs.ACLToken var localToken structs.ACLToken
require.NoError(t, a2.RPC("ACL.TokenSet", &localTokenReq, &localToken)) require.NoError(t, a2.RPC("ACL.TokenSet", &localTokenReq, &localToken))
t.Run("master-token", func(t *testing.T) { t.Run("initial-management-token", func(t *testing.T) {
request := []structs.ACLAuthorizationRequest{ request := []structs.ACLAuthorizationRequest{
{ {
Resource: "acl", Resource: "acl",
@ -2016,7 +2016,7 @@ func TestACL_Authorize(t *testing.T) {
resp := responses[idx] resp := responses[idx]
require.Equal(t, req, resp.ACLAuthorizationRequest) require.Equal(t, req, resp.ACLAuthorizationRequest)
require.True(t, resp.Allow, "should have allowed all access for master token") require.True(t, resp.Allow, "should have allowed all access for initial management token")
} }
}) })
} }
@ -2277,7 +2277,7 @@ func TestACL_Authorize(t *testing.T) {
type rpcFn func(string, interface{}, interface{}) error type rpcFn func(string, interface{}, interface{}) error
func upsertTestCustomizedAuthMethod( func upsertTestCustomizedAuthMethod(
rpc rpcFn, masterToken string, datacenter string, rpc rpcFn, initialManagementToken string, datacenter string,
modify func(method *structs.ACLAuthMethod), modify func(method *structs.ACLAuthMethod),
) (*structs.ACLAuthMethod, error) { ) (*structs.ACLAuthMethod, error) {
name, err := uuid.GenerateUUID() name, err := uuid.GenerateUUID()
@ -2291,7 +2291,7 @@ func upsertTestCustomizedAuthMethod(
Name: "test-method-" + name, Name: "test-method-" + name,
Type: "testing", Type: "testing",
}, },
WriteRequest: structs.WriteRequest{Token: masterToken}, WriteRequest: structs.WriteRequest{Token: initialManagementToken},
} }
if modify != nil { if modify != nil {
@ -2308,11 +2308,11 @@ func upsertTestCustomizedAuthMethod(
return &out, nil return &out, nil
} }
func upsertTestCustomizedBindingRule(rpc rpcFn, masterToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) { func upsertTestCustomizedBindingRule(rpc rpcFn, initialManagementToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) {
req := structs.ACLBindingRuleSetRequest{ req := structs.ACLBindingRuleSetRequest{
Datacenter: datacenter, Datacenter: datacenter,
BindingRule: structs.ACLBindingRule{}, BindingRule: structs.ACLBindingRule{},
WriteRequest: structs.WriteRequest{Token: masterToken}, WriteRequest: structs.WriteRequest{Token: initialManagementToken},
} }
if modify != nil { if modify != nil {


@ -209,9 +209,6 @@ type Agent struct {
// depending on the configuration // depending on the configuration
delegate delegate delegate delegate
// aclMasterAuthorizer is an object that helps manage local ACL enforcement.
aclMasterAuthorizer acl.Authorizer
// state stores a local representation of the node, // state stores a local representation of the node,
// services and checks. Used for anti-entropy. // services and checks. Used for anti-entropy.
State *local.State State *local.State


@ -85,7 +85,7 @@ func TestAgent_Services(t *testing.T) {
srv1 := &structs.NodeService{ srv1 := &structs.NodeService{
ID: "mysql", ID: "mysql",
Service: "mysql", Service: "mysql",
Tags: []string{"master"}, Tags: []string{"primary"},
Meta: map[string]string{ Meta: map[string]string{
"foo": "bar", "foo": "bar",
}, },
@ -120,7 +120,7 @@ func TestAgent_ServicesFiltered(t *testing.T) {
srv1 := &structs.NodeService{ srv1 := &structs.NodeService{
ID: "mysql", ID: "mysql",
Service: "mysql", Service: "mysql",
Tags: []string{"master"}, Tags: []string{"primary"},
Meta: map[string]string{ Meta: map[string]string{
"foo": "bar", "foo": "bar",
}, },
@ -1517,7 +1517,7 @@ func TestAgent_Self_ACLDeny(t *testing.T) {
require.Equal(t, http.StatusForbidden, resp.Code) require.Equal(t, http.StatusForbidden, resp.Code)
}) })
t.Run("agent master token", func(t *testing.T) { t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("GET", "/v1/agent/self?token=towel", nil) req, _ := http.NewRequest("GET", "/v1/agent/self?token=towel", nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
a.srv.h.ServeHTTP(resp, req) a.srv.h.ServeHTTP(resp, req)
@ -1550,7 +1550,7 @@ func TestAgent_Metrics_ACLDeny(t *testing.T) {
require.Equal(t, http.StatusForbidden, resp.Code) require.Equal(t, http.StatusForbidden, resp.Code)
}) })
t.Run("agent master token", func(t *testing.T) { t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("GET", "/v1/agent/metrics?token=towel", nil) req, _ := http.NewRequest("GET", "/v1/agent/metrics?token=towel", nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
a.srv.h.ServeHTTP(resp, req) a.srv.h.ServeHTTP(resp, req)
@ -2125,7 +2125,7 @@ func TestAgent_Join_ACLDeny(t *testing.T) {
require.Equal(t, http.StatusForbidden, resp.Code) require.Equal(t, http.StatusForbidden, resp.Code)
}) })
t.Run("agent master token", func(t *testing.T) { t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/join/%s?token=towel", addr), nil) req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/join/%s?token=towel", addr), nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
a1.srv.h.ServeHTTP(resp, req) a1.srv.h.ServeHTTP(resp, req)
@ -2246,7 +2246,7 @@ func TestAgent_Leave_ACLDeny(t *testing.T) {
// this sub-test will change the state so that there is no leader. // this sub-test will change the state so that there is no leader.
// it must therefore be the last one in this list. // it must therefore be the last one in this list.
t.Run("agent master token", func(t *testing.T) { t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("PUT", "/v1/agent/leave?token=towel", nil) req, _ := http.NewRequest("PUT", "/v1/agent/leave?token=towel", nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
a.srv.h.ServeHTTP(resp, req) a.srv.h.ServeHTTP(resp, req)
@ -2332,7 +2332,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
require.Equal(t, http.StatusForbidden, resp.Code) require.Equal(t, http.StatusForbidden, resp.Code)
}) })
t.Run("agent master token", func(t *testing.T) { t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("PUT", uri+"?token=towel", nil) req, _ := http.NewRequest("PUT", uri+"?token=towel", nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
a.srv.h.ServeHTTP(resp, req) a.srv.h.ServeHTTP(resp, req)
@ -3266,7 +3266,7 @@ func testAgent_RegisterService(t *testing.T, extraHCL string) {
args := &structs.ServiceDefinition{ args := &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Check: structs.CheckType{ Check: structs.CheckType{
TTL: 15 * time.Second, TTL: 15 * time.Second,
@ -3353,7 +3353,7 @@ func testAgent_RegisterService_ReRegister(t *testing.T, extraHCL string) {
args := &structs.ServiceDefinition{ args := &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Checks: []*structs.CheckType{ Checks: []*structs.CheckType{
{ {
@ -3378,7 +3378,7 @@ func testAgent_RegisterService_ReRegister(t *testing.T, extraHCL string) {
args = &structs.ServiceDefinition{ args = &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Checks: []*structs.CheckType{ Checks: []*structs.CheckType{
{ {
@ -3434,7 +3434,7 @@ func testAgent_RegisterService_ReRegister_ReplaceExistingChecks(t *testing.T, ex
args := &structs.ServiceDefinition{ args := &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Checks: []*structs.CheckType{ Checks: []*structs.CheckType{
{ {
@ -3460,7 +3460,7 @@ func testAgent_RegisterService_ReRegister_ReplaceExistingChecks(t *testing.T, ex
args = &structs.ServiceDefinition{ args = &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Checks: []*structs.CheckType{ Checks: []*structs.CheckType{
{ {
@ -3740,7 +3740,7 @@ func testAgent_RegisterService_ACLDeny(t *testing.T, extraHCL string) {
args := &structs.ServiceDefinition{ args := &structs.ServiceDefinition{
Name: "test", Name: "test",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Check: structs.CheckType{ Check: structs.CheckType{
TTL: 15 * time.Second, TTL: 15 * time.Second,
@ -4588,7 +4588,7 @@ func testAgent_RegisterService_ScriptCheck_ExecDisable(t *testing.T, extraHCL st
args := &structs.ServiceDefinition{ args := &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Check: structs.CheckType{ Check: structs.CheckType{
Name: "test-check", Name: "test-check",
@ -4640,7 +4640,7 @@ func testAgent_RegisterService_ScriptCheck_ExecRemoteDisable(t *testing.T, extra
args := &structs.ServiceDefinition{ args := &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Check: structs.CheckType{ Check: structs.CheckType{
Name: "test-check", Name: "test-check",
@ -5379,7 +5379,7 @@ func TestAgent_TokenTriggersFullSync(t *testing.T) {
initial_management = "root" initial_management = "root"
default = "" default = ""
agent = "" agent = ""
agent_master = "" agent_recovery = ""
replication = "" replication = ""
} }
} }
@ -5427,7 +5427,7 @@ func TestAgent_Token(t *testing.T) {
initial_management = "root" initial_management = "root"
default = "" default = ""
agent = "" agent = ""
agent_master = "" agent_recovery = ""
replication = "" replication = ""
} }
} }
@ -5440,8 +5440,8 @@ func TestAgent_Token(t *testing.T) {
userSource tokenStore.TokenSource userSource tokenStore.TokenSource
agent string agent string
agentSource tokenStore.TokenSource agentSource tokenStore.TokenSource
master string agentRecovery string
masterSource tokenStore.TokenSource agentRecoverySource tokenStore.TokenSource
repl string repl string
replSource tokenStore.TokenSource replSource tokenStore.TokenSource
} }
@ -5449,7 +5449,7 @@ func TestAgent_Token(t *testing.T) {
resetTokens := func(init tokens) { resetTokens := func(init tokens) {
a.tokens.UpdateUserToken(init.user, init.userSource) a.tokens.UpdateUserToken(init.user, init.userSource)
a.tokens.UpdateAgentToken(init.agent, init.agentSource) a.tokens.UpdateAgentToken(init.agent, init.agentSource)
a.tokens.UpdateAgentRecoveryToken(init.master, init.masterSource) a.tokens.UpdateAgentRecoveryToken(init.agentRecovery, init.agentRecoverySource)
a.tokens.UpdateReplicationToken(init.repl, init.replSource) a.tokens.UpdateReplicationToken(init.repl, init.replSource)
} }
@ -5531,8 +5531,8 @@ func TestAgent_Token(t *testing.T) {
url: "acl_agent_master_token?token=root", url: "acl_agent_master_token?token=root",
body: body("M"), body: body("M"),
code: http.StatusOK, code: http.StatusOK,
raw: tokens{master: "M", masterSource: tokenStore.TokenSourceAPI}, raw: tokens{agentRecovery: "M", agentRecoverySource: tokenStore.TokenSourceAPI},
effective: tokens{master: "M"}, effective: tokens{agentRecovery: "M"},
}, },
{ {
name: "set master", name: "set master",
@ -5540,8 +5540,8 @@ func TestAgent_Token(t *testing.T) {
url: "agent_master?token=root", url: "agent_master?token=root",
body: body("M"), body: body("M"),
code: http.StatusOK, code: http.StatusOK,
raw: tokens{master: "M", masterSource: tokenStore.TokenSourceAPI}, raw: tokens{agentRecovery: "M", agentRecoverySource: tokenStore.TokenSourceAPI},
effective: tokens{master: "M"}, effective: tokens{agentRecovery: "M"},
}, },
{ {
name: "set recovery", name: "set recovery",
@ -5549,8 +5549,8 @@ func TestAgent_Token(t *testing.T) {
url: "agent_recovery?token=root", url: "agent_recovery?token=root",
body: body("R"), body: body("R"),
code: http.StatusOK, code: http.StatusOK,
raw: tokens{master: "R", masterSource: tokenStore.TokenSourceAPI}, raw: tokens{agentRecovery: "R", agentRecoverySource: tokenStore.TokenSourceAPI},
effective: tokens{master: "R", masterSource: tokenStore.TokenSourceAPI}, effective: tokens{agentRecovery: "R", agentRecoverySource: tokenStore.TokenSourceAPI},
}, },
{ {
name: "set repl legacy", name: "set repl legacy",
@ -5612,8 +5612,8 @@ func TestAgent_Token(t *testing.T) {
url: "acl_agent_master_token?token=root", url: "acl_agent_master_token?token=root",
body: body(""), body: body(""),
code: http.StatusOK, code: http.StatusOK,
init: tokens{master: "M"}, init: tokens{agentRecovery: "M"},
raw: tokens{masterSource: tokenStore.TokenSourceAPI}, raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI},
}, },
{ {
name: "clear master", name: "clear master",
@ -5621,8 +5621,8 @@ func TestAgent_Token(t *testing.T) {
url: "agent_master?token=root", url: "agent_master?token=root",
body: body(""), body: body(""),
code: http.StatusOK, code: http.StatusOK,
init: tokens{master: "M"}, init: tokens{agentRecovery: "M"},
raw: tokens{masterSource: tokenStore.TokenSourceAPI}, raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI},
}, },
{ {
name: "clear recovery", name: "clear recovery",
@ -5630,8 +5630,8 @@ func TestAgent_Token(t *testing.T) {
url: "agent_recovery?token=root", url: "agent_recovery?token=root",
body: body(""), body: body(""),
code: http.StatusOK, code: http.StatusOK,
init: tokens{master: "R"}, init: tokens{agentRecovery: "R"},
raw: tokens{masterSource: tokenStore.TokenSourceAPI}, raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI},
}, },
{ {
name: "clear repl legacy", name: "clear repl legacy",
@ -5667,7 +5667,7 @@ func TestAgent_Token(t *testing.T) {
} }
require.Equal(t, tt.effective.user, a.tokens.UserToken()) require.Equal(t, tt.effective.user, a.tokens.UserToken())
require.Equal(t, tt.effective.agent, a.tokens.AgentToken()) require.Equal(t, tt.effective.agent, a.tokens.AgentToken())
require.Equal(t, tt.effective.master, a.tokens.AgentRecoveryToken()) require.Equal(t, tt.effective.agentRecovery, a.tokens.AgentRecoveryToken())
require.Equal(t, tt.effective.repl, a.tokens.ReplicationToken()) require.Equal(t, tt.effective.repl, a.tokens.ReplicationToken())
tok, src := a.tokens.UserTokenAndSource() tok, src := a.tokens.UserTokenAndSource()
@ -5679,8 +5679,8 @@ func TestAgent_Token(t *testing.T) {
require.Equal(t, tt.raw.agentSource, src) require.Equal(t, tt.raw.agentSource, src)
tok, src = a.tokens.AgentRecoveryTokenAndSource() tok, src = a.tokens.AgentRecoveryTokenAndSource()
require.Equal(t, tt.raw.master, tok) require.Equal(t, tt.raw.agentRecovery, tok)
require.Equal(t, tt.raw.masterSource, src) require.Equal(t, tt.raw.agentRecoverySource, src)
tok, src = a.tokens.ReplicationTokenAndSource() tok, src = a.tokens.ReplicationTokenAndSource()
require.Equal(t, tt.raw.repl, tok) require.Equal(t, tt.raw.repl, tok)
@ -7031,11 +7031,18 @@ func TestAgentConnectAuthorize_defaultAllow(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
dc1 := "dc1" dc1 := "dc1"
a := NewTestAgent(t, ` a := NewTestAgent(t, `
acl_datacenter = "`+dc1+`" primary_datacenter = "`+dc1+`"
acl_default_policy = "allow"
acl_master_token = "root" acl {
acl_agent_token = "root" enabled = true
acl_agent_master_token = "towel" default_policy = "allow"
tokens {
initial_management = "root"
agent = "root"
agent_recovery = "towel"
}
}
`) `)
defer a.Shutdown() defer a.Shutdown()
testrpc.WaitForTestAgent(t, a.RPC, dc1) testrpc.WaitForTestAgent(t, a.RPC, dc1)
@ -7066,16 +7073,23 @@ func TestAgent_Host(t *testing.T) {
dc1 := "dc1" dc1 := "dc1"
a := NewTestAgent(t, ` a := NewTestAgent(t, `
acl_datacenter = "`+dc1+`" primary_datacenter = "`+dc1+`"
acl_default_policy = "allow"
acl_master_token = "master" acl {
acl_agent_token = "agent" enabled = true
acl_agent_master_token = "towel" default_policy = "allow"
`)
tokens {
initial_management = "initial-management"
agent = "agent"
agent_recovery = "towel"
}
}
`)
defer a.Shutdown() defer a.Shutdown()
testrpc.WaitForLeader(t, a.RPC, "dc1") testrpc.WaitForLeader(t, a.RPC, "dc1")
req, _ := http.NewRequest("GET", "/v1/agent/host?token=master", nil) req, _ := http.NewRequest("GET", "/v1/agent/host?token=initial-management", nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
// TODO: AgentHost should write to response so that we can test using ServeHTTP() // TODO: AgentHost should write to response so that we can test using ServeHTTP()
respRaw, err := a.srv.AgentHost(resp, req) respRaw, err := a.srv.AgentHost(resp, req)
@ -7098,12 +7112,19 @@ func TestAgent_HostBadACL(t *testing.T) {
dc1 := "dc1" dc1 := "dc1"
a := NewTestAgent(t, ` a := NewTestAgent(t, `
acl_datacenter = "`+dc1+`" primary_datacenter = "`+dc1+`"
acl_default_policy = "deny"
acl_master_token = "root" acl {
acl_agent_token = "agent" enabled = true
acl_agent_master_token = "towel" default_policy = "deny"
`)
tokens {
initial_management = "root"
agent = "agent"
agent_recovery = "towel"
}
}
`)
defer a.Shutdown() defer a.Shutdown()
testrpc.WaitForLeader(t, a.RPC, "dc1") testrpc.WaitForLeader(t, a.RPC, "dc1")
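Review bot: In the `set recovery` case of TestAgent_Token the `effective` value carries `agentRecoverySource: tokenStore.TokenSourceAPI`, while the two `set master` cases set only `agentRecovery`; the assertions visible in this section compare `tt.effective.agentRecovery` with `a.tokens.AgentRecoveryToken()` and take sources from `tt.raw`, so that field looks unused. Dropping it (`effective: tokens{agentRecovery: "R"},`) would keep the three cases parallel. The `set master` and `clear master` case names are context lines that still hit the `agent_master` and `acl_agent_master_token` URLs; a short comment such as `// old endpoint name, still accepted; kept to cover backwards compatibility` would explain why they survive this rename, assuming that is the intent. The case table and the assertion loop continue outside the visible hunks.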


@ -263,19 +263,19 @@ type ACLResolver struct {
// disabledLock synchronizes access to disabledUntil // disabledLock synchronizes access to disabledUntil
disabledLock sync.RWMutex disabledLock sync.RWMutex
agentMasterAuthz acl.Authorizer agentRecoveryAuthz acl.Authorizer
} }
func agentMasterAuthorizer(nodeName string, entMeta *structs.EnterpriseMeta, aclConf *acl.Config) (acl.Authorizer, error) { func agentRecoveryAuthorizer(nodeName string, entMeta *structs.EnterpriseMeta, aclConf *acl.Config) (acl.Authorizer, error) {
var conf acl.Config var conf acl.Config
if aclConf != nil { if aclConf != nil {
conf = *aclConf conf = *aclConf
} }
setEnterpriseConf(entMeta, &conf) setEnterpriseConf(entMeta, &conf)
// Build a policy for the agent master token. // Build a policy for the agent recovery token.
// //
// The builtin agent master policy allows reading any node information // The builtin agent recovery policy allows reading any node information
// and allows writes to the agent with the node name of the running agent // and allows writes to the agent with the node name of the running agent
// only. This used to allow a prefix match on agent names but that seems // only. This used to allow a prefix match on agent names but that seems
// entirely unnecessary so it is now using an exact match. // entirely unnecessary so it is now using an exact match.
@ -323,9 +323,9 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy) return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy)
} }
authz, err := agentMasterAuthorizer(config.Config.NodeName, &config.Config.EnterpriseMeta, config.ACLConfig) authz, err := agentRecoveryAuthorizer(config.Config.NodeName, &config.Config.EnterpriseMeta, config.ACLConfig)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to initialize the agent master authorizer") return nil, fmt.Errorf("failed to initialize the agent recovery authorizer")
} }
return &ACLResolver{ return &ACLResolver{
@ -337,7 +337,7 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
disableDuration: config.DisableDuration, disableDuration: config.DisableDuration,
down: down, down: down,
tokens: config.Tokens, tokens: config.Tokens,
agentMasterAuthz: authz, agentRecoveryAuthz: authz,
}, nil }, nil
} }
@ -1049,7 +1049,7 @@ func (r *ACLResolver) resolveLocallyManagedToken(token string) (structs.ACLIdent
} }
if r.tokens.IsAgentRecoveryToken(token) { if r.tokens.IsAgentRecoveryToken(token) {
return structs.NewAgentMasterTokenIdentity(r.config.NodeName, token), r.agentMasterAuthz, true return structs.NewAgentRecoveryTokenIdentity(r.config.NodeName, token), r.agentRecoveryAuthz, true
} }
return r.resolveLocallyManagedEnterpriseToken(token) return r.resolveLocallyManagedEnterpriseToken(token)
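Review bot: The `if err != nil` branch in NewACLResolver returns `fmt.Errorf("failed to initialize the agent recovery authorizer")` and drops `err`, so whatever made the policy construction fail never reaches the caller or the logs. Wrapping it keeps the cause: `return nil, fmt.Errorf("failed to initialize the agent recovery authorizer: %w", err)`. This authorizer is what `resolveLocallyManagedToken` hands back for the agent recovery token, so a failure to build it is worth being able to diagnose. NewACLResolver's body starts and ends outside the hunk.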

File diff suppressed because it is too large Load Diff


@ -4007,7 +4007,7 @@ func TestACL_LocalToken(t *testing.T) {
}) })
} }
func TestACLResolver_AgentMaster(t *testing.T) { func TestACLResolver_AgentRecovery(t *testing.T) {
var tokens token.Store var tokens token.Store
d := &ACLResolverTestDelegate{ d := &ACLResolverTestDelegate{
@ -4025,9 +4025,9 @@ func TestACLResolver_AgentMaster(t *testing.T) {
ident, authz, err := r.ResolveTokenToIdentityAndAuthorizer("9a184a11-5599-459e-b71a-550e5f9a5a23") ident, authz, err := r.ResolveTokenToIdentityAndAuthorizer("9a184a11-5599-459e-b71a-550e5f9a5a23")
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, ident) require.NotNil(t, ident)
require.Equal(t, "agent-master:foo", ident.ID()) require.Equal(t, "agent-recovery:foo", ident.ID())
require.NotNil(t, authz) require.NotNil(t, authz)
require.Equal(t, r.agentMasterAuthz, authz) require.Equal(t, r.agentRecoveryAuthz, authz)
require.Equal(t, acl.Allow, authz.AgentWrite("foo", nil)) require.Equal(t, acl.Allow, authz.AgentWrite("foo", nil))
require.Equal(t, acl.Allow, authz.NodeRead("bar", nil)) require.Equal(t, acl.Allow, authz.NodeRead("bar", nil))
require.Equal(t, acl.Deny, authz.NodeWrite("bar", nil)) require.Equal(t, acl.Deny, authz.NodeWrite("bar", nil))
@ -4106,7 +4106,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
Name: "the-policy", Name: "the-policy",
Rules: `key_prefix "" { policy = "read"}`, Rules: `key_prefix "" { policy = "read"}`,
}, },
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
var respPolicy = structs.ACLPolicy{} var respPolicy = structs.ACLPolicy{}
err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &respPolicy) err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &respPolicy)
@ -4121,7 +4121,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
SecretID: token, SecretID: token,
Policies: []structs.ACLTokenPolicyLink{{Name: "the-policy"}}, Policies: []structs.ACLTokenPolicyLink{{Name: "the-policy"}},
}, },
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
var respToken structs.ACLToken var respToken structs.ACLToken
err = msgpackrpc.CallWithCodec(codec, "ACL.TokenSet", &reqToken, &respToken) err = msgpackrpc.CallWithCodec(codec, "ACL.TokenSet", &reqToken, &respToken)
@ -4142,7 +4142,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
Name: "the-policy", Name: "the-policy",
Rules: `{"key_prefix": {"": {"policy": "deny"}}}`, Rules: `{"key_prefix": {"": {"policy": "deny"}}}`,
}, },
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &structs.ACLPolicy{}) err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &structs.ACLPolicy{})
require.NoError(t, err) require.NoError(t, err)
@ -4157,7 +4157,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
req := structs.ACLTokenDeleteRequest{ req := structs.ACLTokenDeleteRequest{
Datacenter: "dc1", Datacenter: "dc1",
TokenID: respToken.AccessorID, TokenID: respToken.AccessorID,
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
var resp string var resp string
err := msgpackrpc.CallWithCodec(codec, "ACL.TokenDelete", &req, &resp) err := msgpackrpc.CallWithCodec(codec, "ACL.TokenDelete", &req, &resp)
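Review bot: The expected identity ID in TestACLResolver_AgentRecovery changes from `agent-master:foo` to `agent-recovery:foo`, so this commit changes a runtime value and not only identifiers. If that ID is written to logs or audit records (not visible here), anything matching on the `agent-master:` prefix will silently stop matching, and the changelog entry in this commit lists only the sdk testutil changes. Consider a second release note for the identity rename. The same test could also pin the exact-match behaviour of the recovery policy with `require.Equal(t, acl.Deny, authz.AgentWrite("bar", nil))`, unless that assertion already exists past the end of the hunk.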


@ -58,7 +58,7 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) {
acl := ACL{srv: s1} acl := ACL{srv: s1}
masterTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, "root", "dc1", "root") initialManagementTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, "root", "dc1", "root")
require.NoError(t, err) require.NoError(t, err)
listTokens := func() (localTokens, globalTokens []string, err error) { listTokens := func() (localTokens, globalTokens []string, err error) {
@ -88,9 +88,9 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) {
t.Helper() t.Helper()
var expectLocal, expectGlobal []string var expectLocal, expectGlobal []string
// The master token and the anonymous token are always going to be // The initial management token and the anonymous token are always
// present and global. // going to be present and global.
expectGlobal = append(expectGlobal, masterTokenAccessorID) expectGlobal = append(expectGlobal, initialManagementTokenAccessorID)
expectGlobal = append(expectGlobal, structs.ACLTokenAnonymousID) expectGlobal = append(expectGlobal, structs.ACLTokenAnonymousID)
if local { if local {


@ -41,7 +41,7 @@ func TestAutoConfigBackend_CreateACLToken(t *testing.T) {
waitForLeaderEstablishment(t, srv) waitForLeaderEstablishment(t, srv)
r1, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1") r1, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1")
require.NoError(t, err) require.NoError(t, err)
t.Run("predefined-ids", func(t *testing.T) { t.Run("predefined-ids", func(t *testing.T) {


@ -163,7 +163,7 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) {
dir1, s1 := testServerWithConfig(t, func(c *Config) { dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.PrimaryDatacenter = "dc1" c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLInitialManagementToken = TestDefaultMasterToken c.ACLInitialManagementToken = TestDefaultInitialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLResolverSettings.ACLDefaultPolicy = "deny"
}) })
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
@ -175,11 +175,11 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) {
testrpc.WaitForLeader(t, s1.RPC, "dc1") testrpc.WaitForLeader(t, s1.RPC, "dc1")
opReadToken, err := upsertTestTokenWithPolicyRules( opReadToken, err := upsertTestTokenWithPolicyRules(
codec, TestDefaultMasterToken, "dc1", `operator = "read"`) codec, TestDefaultInitialManagementToken, "dc1", `operator = "read"`)
require.NoError(t, err) require.NoError(t, err)
opWriteToken, err := upsertTestTokenWithPolicyRules( opWriteToken, err := upsertTestTokenWithPolicyRules(
codec, TestDefaultMasterToken, "dc1", `operator = "write"`) codec, TestDefaultInitialManagementToken, "dc1", `operator = "write"`)
require.NoError(t, err) require.NoError(t, err)
// Update a config value // Update a config value
@ -215,7 +215,7 @@ pY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=
args := &structs.CARequest{ args := &structs.CARequest{
Datacenter: "dc1", Datacenter: "dc1",
Config: newConfig, Config: newConfig,
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
var reply interface{} var reply interface{}
require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply)) require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply))


@ -541,7 +541,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) {
gwListEmpty: true, gwListEmpty: true,
gwFilteredByACLs: true, gwFilteredByACLs: true,
}, },
"master token": { "initial management token": {
token: "root", token: "root",
}, },
} }


@ -105,7 +105,7 @@ func TestFSM_RegisterNode_Service(t *testing.T) {
Service: &structs.NodeService{ Service: &structs.NodeService{
ID: "db", ID: "db",
Service: "db", Service: "db",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
Check: &structs.HealthCheck{ Check: &structs.HealthCheck{
@ -170,7 +170,7 @@ func TestFSM_DeregisterService(t *testing.T) {
Service: &structs.NodeService{ Service: &structs.NodeService{
ID: "db", ID: "db",
Service: "db", Service: "db",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
} }
@ -296,7 +296,7 @@ func TestFSM_DeregisterNode(t *testing.T) {
Service: &structs.NodeService{ Service: &structs.NodeService{
ID: "db", ID: "db",
Service: "db", Service: "db",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
Check: &structs.HealthCheck{ Check: &structs.HealthCheck{
@ -1429,7 +1429,7 @@ func TestFSM_Chunking_Lifecycle(t *testing.T) {
Service: &structs.NodeService{ Service: &structs.NodeService{
ID: "db", ID: "db",
Service: "db", Service: "db",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
Check: &structs.HealthCheck{ Check: &structs.HealthCheck{
@ -1559,7 +1559,7 @@ func TestFSM_Chunking_TermChange(t *testing.T) {
Service: &structs.NodeService{ Service: &structs.NodeService{
ID: "db", ID: "db",
Service: "db", Service: "db",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
Check: &structs.HealthCheck{ Check: &structs.HealthCheck{


@ -937,17 +937,17 @@ func TestIntention_WildcardACLEnforcement(t *testing.T) {
// create some test policies. // create some test policies.
writeToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "write" }`) writeToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "write" }`)
require.NoError(t, err) require.NoError(t, err)
readToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "read" }`) readToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "read" }`)
require.NoError(t, err) require.NoError(t, err)
exactToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "*" { policy = "deny" intentions = "write" }`) exactToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "*" { policy = "deny" intentions = "write" }`)
require.NoError(t, err) require.NoError(t, err)
wildcardPrefixToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "*" { policy = "deny" intentions = "write" }`) wildcardPrefixToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "*" { policy = "deny" intentions = "write" }`)
require.NoError(t, err) require.NoError(t, err)
fooToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "foo" { policy = "deny" intentions = "write" }`) fooToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "foo" { policy = "deny" intentions = "write" }`)
require.NoError(t, err) require.NoError(t, err)
denyToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "deny" }`) denyToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "deny" }`)
require.NoError(t, err) require.NoError(t, err)
doIntentionCreate := func(t *testing.T, token string, dest string, deny bool) string { doIntentionCreate := func(t *testing.T, token string, dest string, deny bool) string {
@ -1607,7 +1607,7 @@ func TestIntentionList_acl(t *testing.T) {
waitForLeaderEstablishment(t, s1) waitForLeaderEstablishment(t, s1)
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "foo" { policy = "write" }`) token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "foo" { policy = "write" }`)
require.NoError(t, err) require.NoError(t, err)
// Create a few records // Create a few records
@ -1620,7 +1620,7 @@ func TestIntentionList_acl(t *testing.T) {
ixn.Intention.SourceNS = "default" ixn.Intention.SourceNS = "default"
ixn.Intention.DestinationNS = "default" ixn.Intention.DestinationNS = "default"
ixn.Intention.DestinationName = name ixn.Intention.DestinationName = name
ixn.WriteRequest.Token = TestDefaultMasterToken ixn.WriteRequest.Token = TestDefaultInitialManagementToken
// Create // Create
var reply string var reply string
@ -1639,10 +1639,10 @@ func TestIntentionList_acl(t *testing.T) {
}) })
// Test with management token // Test with management token
t.Run("master-token", func(t *testing.T) { t.Run("initial-management-token", func(t *testing.T) {
req := &structs.IntentionListRequest{ req := &structs.IntentionListRequest{
Datacenter: "dc1", Datacenter: "dc1",
QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken},
} }
var resp structs.IndexedIntentions var resp structs.IndexedIntentions
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp)) require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp))
@ -1666,7 +1666,7 @@ func TestIntentionList_acl(t *testing.T) {
req := &structs.IntentionListRequest{ req := &structs.IntentionListRequest{
Datacenter: "dc1", Datacenter: "dc1",
QueryOptions: structs.QueryOptions{ QueryOptions: structs.QueryOptions{
Token: TestDefaultMasterToken, Token: TestDefaultInitialManagementToken,
Filter: "DestinationName == foobar", Filter: "DestinationName == foobar",
}, },
} }
@ -1763,7 +1763,7 @@ func TestIntentionMatch_acl(t *testing.T) {
_, srv, codec := testACLServerWithConfig(t, nil, false) _, srv, codec := testACLServerWithConfig(t, nil, false)
waitForLeaderEstablishment(t, srv) waitForLeaderEstablishment(t, srv)
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "bar" { policy = "write" }`) token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "bar" { policy = "write" }`)
require.NoError(t, err) require.NoError(t, err)
// Create some records // Create some records
@ -1781,7 +1781,7 @@ func TestIntentionMatch_acl(t *testing.T) {
Intention: structs.TestIntention(t), Intention: structs.TestIntention(t),
} }
ixn.Intention.DestinationName = v ixn.Intention.DestinationName = v
ixn.WriteRequest.Token = TestDefaultMasterToken ixn.WriteRequest.Token = TestDefaultInitialManagementToken
// Create // Create
var reply string var reply string
@ -1993,7 +1993,7 @@ func TestIntentionCheck_match(t *testing.T) {
_, srv, codec := testACLServerWithConfig(t, nil, false) _, srv, codec := testACLServerWithConfig(t, nil, false)
waitForLeaderEstablishment(t, srv) waitForLeaderEstablishment(t, srv)
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "api" { policy = "read" }`) token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "api" { policy = "read" }`)
require.NoError(t, err) require.NoError(t, err)
// Create some intentions // Create some intentions
@ -2015,7 +2015,7 @@ func TestIntentionCheck_match(t *testing.T) {
DestinationName: v[1], DestinationName: v[1],
Action: structs.IntentionActionAllow, Action: structs.IntentionActionAllow,
}, },
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
// Create // Create
var reply string var reply string


@ -1790,7 +1790,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
codec := rpcClient(t, s1) codec := rpcClient(t, s1)
defer codec.Close() defer codec.Close()
testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken(TestDefaultMasterToken)) testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken(TestDefaultInitialManagementToken))
// Register terminating gateway and config entry linking it to postgres + redis // Register terminating gateway and config entry linking it to postgres + redis
{ {
@ -1809,7 +1809,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
Status: api.HealthPassing, Status: api.HealthPassing,
ServiceID: "terminating-gateway", ServiceID: "terminating-gateway",
}, },
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
var regOutput struct{} var regOutput struct{}
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Catalog.Register", &arg, &regOutput)) require.NoError(t, msgpackrpc.CallWithCodec(codec, "Catalog.Register", &arg, &regOutput))
@ -1834,7 +1834,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
Op: structs.ConfigEntryUpsert, Op: structs.ConfigEntryUpsert,
Datacenter: "dc1", Datacenter: "dc1",
Entry: args, Entry: args,
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
var configOutput bool var configOutput bool
require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConfigEntry.Apply", &req, &configOutput)) require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConfigEntry.Apply", &req, &configOutput))
@ -1848,7 +1848,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
Datacenter: "dc1", Datacenter: "dc1",
Op: structs.IntentionOpCreate, Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t), Intention: structs.TestIntention(t),
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
req.Intention.SourceName = "api" req.Intention.SourceName = "api"
req.Intention.DestinationName = v req.Intention.DestinationName = v
@ -1860,7 +1860,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
Datacenter: "dc1", Datacenter: "dc1",
Op: structs.IntentionOpCreate, Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t), Intention: structs.TestIntention(t),
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
req.Intention.SourceName = v req.Intention.SourceName = v
req.Intention.DestinationName = "api" req.Intention.DestinationName = "api"
@ -1868,7 +1868,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
} }
} }
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", ` userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
service_prefix "redis" { policy = "read" } service_prefix "redis" { policy = "read" }
service_prefix "terminating-gateway" { policy = "read" } service_prefix "terminating-gateway" { policy = "read" }
`) `)
@ -2192,7 +2192,7 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) {
dir1, s1 := testServerWithConfig(t, func(c *Config) { dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.PrimaryDatacenter = "dc1" c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLInitialManagementToken = TestDefaultMasterToken c.ACLInitialManagementToken = TestDefaultInitialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLResolverSettings.ACLDefaultPolicy = "deny"
}) })
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
@ -2215,10 +2215,10 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) {
// web -> redis exact intention // web -> redis exact intention
// redis and redis-proxy on node zip // redis and redis-proxy on node zip
registerTestTopologyEntries(t, codec, TestDefaultMasterToken) registerTestTopologyEntries(t, codec, TestDefaultInitialManagementToken)
// Token grants read to: foo/api, foo/api-proxy, bar/web, baz/web // Token grants read to: foo/api, foo/api-proxy, bar/web, baz/web
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", ` userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
node_prefix "" { policy = "read" } node_prefix "" { policy = "read" }
service_prefix "api" { policy = "read" } service_prefix "api" { policy = "read" }
service "web" { policy = "read" } service "web" { policy = "read" }
@ -2331,7 +2331,7 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) {
dir1, s1 := testServerWithConfig(t, func(c *Config) { dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.PrimaryDatacenter = "dc1" c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLInitialManagementToken = TestDefaultMasterToken c.ACLInitialManagementToken = TestDefaultInitialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLResolverSettings.ACLDefaultPolicy = "deny"
}) })
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
@ -2349,11 +2349,11 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) {
// Intentions // Intentions
// * -> * (deny) intention // * -> * (deny) intention
// web -> api (allow) // web -> api (allow)
registerIntentionUpstreamEntries(t, codec, TestDefaultMasterToken) registerIntentionUpstreamEntries(t, codec, TestDefaultInitialManagementToken)
t.Run("valid token", func(t *testing.T) { t.Run("valid token", func(t *testing.T) {
// Token grants read to read api service // Token grants read to read api service
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", ` userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
service_prefix "api" { policy = "read" } service_prefix "api" { policy = "read" }
`) `)
require.NoError(t, err) require.NoError(t, err)
@ -2379,7 +2379,7 @@ service_prefix "api" { policy = "read" }
t.Run("invalid token filters results", func(t *testing.T) { t.Run("invalid token filters results", func(t *testing.T) {
// Token grants read to read an unrelated service, mongo // Token grants read to read an unrelated service, mongo
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", ` userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
service_prefix "mongo" { policy = "read" } service_prefix "mongo" { policy = "read" }
`) `)
require.NoError(t, err) require.NoError(t, err)


@ -196,7 +196,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
for _, tc := range tests { for _, tc := range tests {
tc := tc tc := tc
t.Run(fmt.Sprintf("%s-%d", tc.keyType, tc.keyBits), func(t *testing.T) { t.Run(fmt.Sprintf("%s-%d", tc.keyType, tc.keyBits), func(t *testing.T) {
masterToken := "8a85f086-dd95-4178-b128-e10902767c5c" initialManagementToken := "8a85f086-dd95-4178-b128-e10902767c5c"
// Initialize primary as the primary DC // Initialize primary as the primary DC
dir1, s1 := testServerWithConfig(t, func(c *Config) { dir1, s1 := testServerWithConfig(t, func(c *Config) {
@ -204,7 +204,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
c.PrimaryDatacenter = "primary" c.PrimaryDatacenter = "primary"
c.Build = "1.6.0" c.Build = "1.6.0"
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLInitialManagementToken = masterToken c.ACLInitialManagementToken = initialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLResolverSettings.ACLDefaultPolicy = "deny"
c.CAConfig.Config["PrivateKeyType"] = tc.keyType c.CAConfig.Config["PrivateKeyType"] = tc.keyType
c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits
@ -213,7 +213,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
defer s1.Shutdown() defer s1.Shutdown()
s1.tokens.UpdateAgentToken(masterToken, token.TokenSourceConfig) s1.tokens.UpdateAgentToken(initialManagementToken, token.TokenSourceConfig)
testrpc.WaitForLeader(t, s1.RPC, "primary") testrpc.WaitForLeader(t, s1.RPC, "primary")
@ -232,8 +232,8 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
defer os.RemoveAll(dir2) defer os.RemoveAll(dir2)
defer s2.Shutdown() defer s2.Shutdown()
s2.tokens.UpdateAgentToken(masterToken, token.TokenSourceConfig) s2.tokens.UpdateAgentToken(initialManagementToken, token.TokenSourceConfig)
s2.tokens.UpdateReplicationToken(masterToken, token.TokenSourceConfig) s2.tokens.UpdateReplicationToken(initialManagementToken, token.TokenSourceConfig)
// Create the WAN link // Create the WAN link
joinWAN(t, s2, s1) joinWAN(t, s2, s1)
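Review bot: In `TestCAManager_Initialize_Secondary` the same `initialManagementToken` literal is installed as the agent token on both servers and as the replication token on s2, so the secondary replicates with full management privileges. That is acceptable in a fixture, but it is worth a comment because tests tend to be copied as configuration examples: `// test shortcut: the initial management token doubles as agent and replication token; real deployments should use narrowly scoped tokens`. The function body starts and ends outside these hunks.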


@ -1164,13 +1164,13 @@ func TestLeader_ACL_Initialization(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
build string build string
master string initialManagement string
bootstrap bool bootstrap bool
}{ }{
{"old version, no master", "0.8.0", "", true}, {"old version, no initial management", "0.8.0", "", true},
{"old version, master", "0.8.0", "root", false}, {"old version, initial management", "0.8.0", "root", false},
{"new version, no master", "0.9.1", "", true}, {"new version, no initial management", "0.9.1", "", true},
{"new version, master", "0.9.1", "root", false}, {"new version, initial management", "0.9.1", "root", false},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
@ -1180,17 +1180,17 @@ func TestLeader_ACL_Initialization(t *testing.T) {
c.Datacenter = "dc1" c.Datacenter = "dc1"
c.PrimaryDatacenter = "dc1" c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLInitialManagementToken = tt.master c.ACLInitialManagementToken = tt.initialManagement
} }
dir1, s1 := testServerWithConfig(t, conf) dir1, s1 := testServerWithConfig(t, conf)
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
defer s1.Shutdown() defer s1.Shutdown()
testrpc.WaitForTestAgent(t, s1.RPC, "dc1") testrpc.WaitForTestAgent(t, s1.RPC, "dc1")
if tt.master != "" { if tt.initialManagement != "" {
_, master, err := s1.fsm.State().ACLTokenGetBySecret(nil, tt.master, nil) _, initialManagement, err := s1.fsm.State().ACLTokenGetBySecret(nil, tt.initialManagement, nil)
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, master) require.NotNil(t, initialManagement)
} }
_, anon, err := s1.fsm.State().ACLTokenGetBySecret(nil, anonymousToken, nil) _, anon, err := s1.fsm.State().ACLTokenGetBySecret(nil, anonymousToken, nil)


@ -222,7 +222,7 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) {
Datacenter: "dc1", Datacenter: "dc1",
Op: structs.PreparedQueryCreate, Op: structs.PreparedQueryCreate,
Query: &structs.PreparedQuery{ Query: &structs.PreparedQuery{
Name: "redis-master", Name: "redis-primary",
Service: structs.ServiceQuery{ Service: structs.ServiceQuery{
Service: "the-redis", Service: "the-redis",
}, },
@ -503,7 +503,7 @@ func TestPreparedQuery_Apply_ForwardLeader(t *testing.T) {
Address: "127.0.0.1", Address: "127.0.0.1",
Service: &structs.NodeService{ Service: &structs.NodeService{
Service: "redis", Service: "redis",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
} }
@ -853,7 +853,7 @@ func TestPreparedQuery_Get(t *testing.T) {
Datacenter: "dc1", Datacenter: "dc1",
Op: structs.PreparedQueryCreate, Op: structs.PreparedQueryCreate,
Query: &structs.PreparedQuery{ Query: &structs.PreparedQuery{
Name: "redis-master", Name: "redis-primary",
Service: structs.ServiceQuery{ Service: structs.ServiceQuery{
Service: "the-redis", Service: "the-redis",
}, },
@ -1110,7 +1110,7 @@ func TestPreparedQuery_List(t *testing.T) {
Datacenter: "dc1", Datacenter: "dc1",
Op: structs.PreparedQueryCreate, Op: structs.PreparedQueryCreate,
Query: &structs.PreparedQuery{ Query: &structs.PreparedQuery{
Name: "redis-master", Name: "redis-primary",
Token: "le-token", Token: "le-token",
Service: structs.ServiceQuery{ Service: structs.ServiceQuery{
Service: "the-redis", Service: "the-redis",
@ -2348,7 +2348,7 @@ func TestPreparedQuery_Execute_ForwardLeader(t *testing.T) {
Address: "127.0.0.1", Address: "127.0.0.1",
Service: &structs.NodeService{ Service: &structs.NodeService{
Service: "redis", Service: "redis",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
} }


@ -35,7 +35,7 @@ import (
) )
const ( const (
TestDefaultMasterToken = "d9f05e83-a7ae-47ce-839e-c0d53a68c00a" TestDefaultInitialManagementToken = "d9f05e83-a7ae-47ce-839e-c0d53a68c00a"
) )
// testTLSCertificates Generates a TLS CA and server key/cert and returns them // testTLSCertificates Generates a TLS CA and server key/cert and returns them
@ -70,7 +70,7 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
func testServerACLConfig(c *Config) { func testServerACLConfig(c *Config) {
c.PrimaryDatacenter = "dc1" c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLInitialManagementToken = TestDefaultMasterToken c.ACLInitialManagementToken = TestDefaultInitialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLResolverSettings.ACLDefaultPolicy = "deny"
} }
@ -245,7 +245,7 @@ func testACLServerWithConfig(t *testing.T, cb func(*Config), initReplicationToke
if initReplicationToken { if initReplicationToken {
// setup some tokens here so we get less warnings in the logs // setup some tokens here so we get less warnings in the logs
srv.tokens.UpdateReplicationToken(TestDefaultMasterToken, token.TokenSourceConfig) srv.tokens.UpdateReplicationToken(TestDefaultInitialManagementToken, token.TokenSourceConfig)
} }
codec := rpcClient(t, srv) codec := rpcClient(t, srv)


@ -5,8 +5,9 @@ import (
"strings" "strings"
"testing" "testing"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/go-memdb" "github.com/hashicorp/go-memdb"
"github.com/hashicorp/consul/agent/structs"
) )
func TestStateStore_PreparedQuery_isUUID(t *testing.T) { func TestStateStore_PreparedQuery_isUUID(t *testing.T) {
@ -663,7 +664,7 @@ func TestStateStore_PreparedQueryResolve(t *testing.T) {
Regexp: "^prod-(.*)$", Regexp: "^prod-(.*)$",
}, },
Service: structs.ServiceQuery{ Service: structs.ServiceQuery{
Service: "${match(1)}-master", Service: "${match(1)}-primary",
}, },
} }
if err := s.PreparedQuerySet(5, tmpl2); err != nil { if err := s.PreparedQuerySet(5, tmpl2); err != nil {
@ -705,7 +706,7 @@ func TestStateStore_PreparedQueryResolve(t *testing.T) {
Regexp: "^prod-(.*)$", Regexp: "^prod-(.*)$",
}, },
Service: structs.ServiceQuery{ Service: structs.ServiceQuery{
Service: "redis-foobar-master", Service: "redis-foobar-primary",
}, },
RaftIndex: structs.RaftIndex{ RaftIndex: structs.RaftIndex{
CreateIndex: 5, CreateIndex: 5,


@ -52,7 +52,7 @@ func TestAgentAntiEntropy_Services(t *testing.T) {
srv1 := &structs.NodeService{ srv1 := &structs.NodeService{
ID: "mysql", ID: "mysql",
Service: "mysql", Service: "mysql",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 5000, Port: 5000,
Weights: &structs.Weights{ Weights: &structs.Weights{
Passing: 1, Passing: 1,
@ -675,7 +675,7 @@ func TestAgentAntiEntropy_Services_WithChecks(t *testing.T) {
srv := &structs.NodeService{ srv := &structs.NodeService{
ID: "mysql", ID: "mysql",
Service: "mysql", Service: "mysql",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 5000, Port: 5000,
} }
a.State.AddService(srv, "") a.State.AddService(srv, "")
@ -725,7 +725,7 @@ func TestAgentAntiEntropy_Services_WithChecks(t *testing.T) {
srv := &structs.NodeService{ srv := &structs.NodeService{
ID: "redis", ID: "redis",
Service: "redis", Service: "redis",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 5000, Port: 5000,
} }
a.State.AddService(srv, "") a.State.AddService(srv, "")
@ -821,7 +821,7 @@ func TestAgentAntiEntropy_Services_ACLDeny(t *testing.T) {
srv1 := &structs.NodeService{ srv1 := &structs.NodeService{
ID: "mysql", ID: "mysql",
Service: "mysql", Service: "mysql",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 5000, Port: 5000,
Weights: &structs.Weights{ Weights: &structs.Weights{
Passing: 1, Passing: 1,
@ -1278,7 +1278,7 @@ func TestAgentAntiEntropy_Checks_ACLDeny(t *testing.T) {
srv1 := &structs.NodeService{ srv1 := &structs.NodeService{
ID: "mysql", ID: "mysql",
Service: "mysql", Service: "mysql",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 5000, Port: 5000,
Weights: &structs.Weights{ Weights: &structs.Weights{
Passing: 1, Passing: 1,
@ -1348,7 +1348,7 @@ func TestAgentAntiEntropy_Checks_ACLDeny(t *testing.T) {
Node: a.Config.NodeName, Node: a.Config.NodeName,
ServiceID: "mysql", ServiceID: "mysql",
ServiceName: "mysql", ServiceName: "mysql",
ServiceTags: []string{"master"}, ServiceTags: []string{"primary"},
CheckID: "mysql-check", CheckID: "mysql-check",
Name: "mysql", Name: "mysql",
Status: api.HealthPassing, Status: api.HealthPassing,


@ -1728,50 +1728,50 @@ func CreateACLAuthorizationResponses(authz acl.Authorizer, requests []ACLAuthori
return responses, nil return responses, nil
} }
type AgentMasterTokenIdentity struct { type AgentRecoveryTokenIdentity struct {
agent string agent string
secretID string secretID string
} }
func NewAgentMasterTokenIdentity(agent string, secretID string) *AgentMasterTokenIdentity { func NewAgentRecoveryTokenIdentity(agent string, secretID string) *AgentRecoveryTokenIdentity {
return &AgentMasterTokenIdentity{ return &AgentRecoveryTokenIdentity{
agent: agent, agent: agent,
secretID: secretID, secretID: secretID,
} }
} }
func (id *AgentMasterTokenIdentity) ID() string { func (id *AgentRecoveryTokenIdentity) ID() string {
return fmt.Sprintf("agent-master:%s", id.agent) return fmt.Sprintf("agent-recovery:%s", id.agent)
} }
func (id *AgentMasterTokenIdentity) SecretToken() string { func (id *AgentRecoveryTokenIdentity) SecretToken() string {
return id.secretID return id.secretID
} }
func (id *AgentMasterTokenIdentity) PolicyIDs() []string { func (id *AgentRecoveryTokenIdentity) PolicyIDs() []string {
return nil return nil
} }
func (id *AgentMasterTokenIdentity) RoleIDs() []string { func (id *AgentRecoveryTokenIdentity) RoleIDs() []string {
return nil return nil
} }
func (id *AgentMasterTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity { func (id *AgentRecoveryTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity {
return nil return nil
} }
func (id *AgentMasterTokenIdentity) NodeIdentityList() []*ACLNodeIdentity { func (id *AgentRecoveryTokenIdentity) NodeIdentityList() []*ACLNodeIdentity {
return nil return nil
} }
func (id *AgentMasterTokenIdentity) IsExpired(asOf time.Time) bool { func (id *AgentRecoveryTokenIdentity) IsExpired(asOf time.Time) bool {
return false return false
} }
func (id *AgentMasterTokenIdentity) IsLocal() bool { func (id *AgentRecoveryTokenIdentity) IsLocal() bool {
return true return true
} }
func (id *AgentMasterTokenIdentity) EnterpriseMetadata() *EnterpriseMeta { func (id *AgentRecoveryTokenIdentity) EnterpriseMetadata() *EnterpriseMeta {
return nil return nil
} }
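Review bot: `ID()` now returns `agent-recovery:<agent>` instead of `agent-master:<agent>`, which changes a runtime string rather than just a name. If this ID reaches logs or audit records (not visible in this section), any matching or alerting keyed on the old prefix will stop firing without an error. The changelog entry in this commit lists only the sdk testutil struct changes, so the new prefix deserves a line there. The exported type and its methods also have no doc comments; I would add `// AgentRecoveryTokenIdentity is the identity used for the agent recovery token: local, non-expiring, with no policies, roles or service/node identities.` above the struct and `// ID returns a non-secret label for the identity; the secret is only available through SecretToken.` above `ID`.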


@ -455,7 +455,7 @@ func TestAPI_ACLToken_List(t *testing.T) {
tokens, qm, err := acl.TokenList(nil) tokens, qm, err := acl.TokenList(nil)
require.NoError(t, err) require.NoError(t, err)
// 3 + anon + master // 3 + anon + initial management
require.Len(t, tokens, 5) require.Len(t, tokens, 5)
require.NotEqual(t, 0, qm.LastIndex) require.NotEqual(t, 0, qm.LastIndex)
require.True(t, qm.KnownLeader) require.True(t, qm.KnownLeader)
@ -500,7 +500,7 @@ func TestAPI_ACLToken_List(t *testing.T) {
require.True(t, ok) require.True(t, ok)
require.NotNil(t, token4) require.NotNil(t, token4)
// ensure the 5th token is the root master token // ensure the 5th token is the initial management token
root, _, err := acl.TokenReadSelf(nil) root, _, err := acl.TokenReadSelf(nil)
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, root) require.NotNil(t, root)
@ -516,17 +516,17 @@ func TestAPI_ACLToken_Clone(t *testing.T) {
acl := c.ACL() acl := c.ACL()
master, _, err := acl.TokenReadSelf(nil) initialManagement, _, err := acl.TokenReadSelf(nil)
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, master) require.NotNil(t, initialManagement)
cloned, _, err := acl.TokenClone(master.AccessorID, "cloned", nil) cloned, _, err := acl.TokenClone(initialManagement.AccessorID, "cloned", nil)
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, cloned) require.NotNil(t, cloned)
require.NotEqual(t, master.AccessorID, cloned.AccessorID) require.NotEqual(t, initialManagement.AccessorID, cloned.AccessorID)
require.NotEqual(t, master.SecretID, cloned.SecretID) require.NotEqual(t, initialManagement.SecretID, cloned.SecretID)
require.Equal(t, "cloned", cloned.Description) require.Equal(t, "cloned", cloned.Description)
require.ElementsMatch(t, master.Policies, cloned.Policies) require.ElementsMatch(t, initialManagement.Policies, cloned.Policies)
read, _, err := acl.TokenRead(cloned.AccessorID, nil) read, _, err := acl.TokenRead(cloned.AccessorID, nil)
require.NoError(t, err) require.NoError(t, err)


@ -16,10 +16,11 @@ import (
"testing" "testing"
"time" "time"
"github.com/hashicorp/consul/sdk/testutil"
"github.com/hashicorp/consul/sdk/testutil/retry"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"github.com/hashicorp/consul/sdk/testutil"
"github.com/hashicorp/consul/sdk/testutil/retry"
) )
type configCallback func(c *Config) type configCallback func(c *Config)
@ -39,7 +40,7 @@ func makeACLClient(t *testing.T) (*Client, *testutil.TestServer) {
clientConfig.Token = "root" clientConfig.Token = "root"
}, func(serverConfig *testutil.TestServerConfig) { }, func(serverConfig *testutil.TestServerConfig) {
serverConfig.PrimaryDatacenter = "dc1" serverConfig.PrimaryDatacenter = "dc1"
serverConfig.ACL.Tokens.Master = "root" serverConfig.ACL.Tokens.InitialManagement = "root"
serverConfig.ACL.Tokens.Agent = "root" serverConfig.ACL.Tokens.Agent = "root"
serverConfig.ACL.Enabled = true serverConfig.ACL.Enabled = true
serverConfig.ACL.DefaultPolicy = "deny" serverConfig.ACL.DefaultPolicy = "deny"


@ -826,7 +826,7 @@ func TestAPI_CatalogRegistration(t *testing.T) {
service := &AgentService{ service := &AgentService{
ID: "redis1", ID: "redis1",
Service: "redis", Service: "redis",
Tags: []string{"master", "v1"}, Tags: []string{"primary", "v1"},
Port: 8000, Port: 8000,
} }
@ -1023,7 +1023,7 @@ func TestAPI_CatalogEnableTagOverride(t *testing.T) {
service := &AgentService{ service := &AgentService{
ID: "redis1", ID: "redis1",
Service: "redis", Service: "redis",
Tags: []string{"master", "v1"}, Tags: []string{"primary", "v1"},
Port: 8000, Port: 8000,
} }


@ -24,7 +24,7 @@ func TestAPI_PreparedQuery(t *testing.T) {
Service: &AgentService{ Service: &AgentService{
ID: "redis1", ID: "redis1",
Service: "redis", Service: "redis",
Tags: []string{"master", "v1"}, Tags: []string{"primary", "v1"},
Meta: map[string]string{"redis-version": "4.0"}, Meta: map[string]string{"redis-version": "4.0"},
Port: 8000, Port: 8000,
}, },


@ -56,10 +56,10 @@ func TestFoo_bar(t *testing.T) {
}) })
// Create a service // Create a service
srv1.AddService(t, "redis", structs.HealthPassing, []string{"master"}) srv1.AddService(t, "redis", structs.HealthPassing, []string{"primary"})
// Create a service that will be accessed in target source code // Create a service that will be accessed in target source code
srv1.AddAccessibleService("redis", structs.HealthPassing, "127.0.0.1", 6379, []string{"master"}) srv1.AddAccessibleService("redis", structs.HealthPassing, "127.0.0.1", 6379, []string{"primary"})
// Create a service check // Create a service check
srv1.AddCheck(t, "service:redis", "redis", structs.HealthPassing) srv1.AddCheck(t, "service:redis", "redis", structs.HealthPassing)


@ -86,7 +86,6 @@ type TestServerConfig struct {
Addresses *TestAddressConfig `json:"addresses,omitempty"` Addresses *TestAddressConfig `json:"addresses,omitempty"`
Ports *TestPortConfig `json:"ports,omitempty"` Ports *TestPortConfig `json:"ports,omitempty"`
RaftProtocol int `json:"raft_protocol,omitempty"` RaftProtocol int `json:"raft_protocol,omitempty"`
ACLMasterToken string `json:"acl_master_token,omitempty"`
ACLDatacenter string `json:"acl_datacenter,omitempty"` ACLDatacenter string `json:"acl_datacenter,omitempty"`
PrimaryDatacenter string `json:"primary_datacenter,omitempty"` PrimaryDatacenter string `json:"primary_datacenter,omitempty"`
ACLDefaultPolicy string `json:"acl_default_policy,omitempty"` ACLDefaultPolicy string `json:"acl_default_policy,omitempty"`
@ -124,11 +123,17 @@ type TestACLs struct {
} }
type TestTokens struct { type TestTokens struct {
Master string `json:"master,omitempty"`
Replication string `json:"replication,omitempty"` Replication string `json:"replication,omitempty"`
AgentMaster string `json:"agent_master,omitempty"`
Default string `json:"default,omitempty"` Default string `json:"default,omitempty"`
Agent string `json:"agent,omitempty"` Agent string `json:"agent,omitempty"`
// Note: this field is marshaled as master for compatibility with
// versions of Consul prior to 1.11.
InitialManagement string `json:"master,omitempty"`
// Note: this field is marshaled as agent_master for compatibility with
// versions of Consul prior to 1.11.
AgentRecovery string `json:"agent_master,omitempty"`
} }
// ServerConfigCallback is a function interface which can be // ServerConfigCallback is a function interface which can be
@ -375,7 +380,7 @@ func (s *TestServer) waitForAPI() error {
time.Sleep(timer.Wait) time.Sleep(timer.Wait)
url := s.url("/v1/status/leader") url := s.url("/v1/status/leader")
resp, err := s.masterGet(url) resp, err := s.privilegedGet(url)
if err != nil { if err != nil {
failed = true failed = true
continue continue
@ -397,7 +402,7 @@ func (s *TestServer) WaitForLeader(t testing.TB) {
retry.Run(t, func(r *retry.R) { retry.Run(t, func(r *retry.R) {
// Query the API and check the status code. // Query the API and check the status code.
url := s.url("/v1/catalog/nodes") url := s.url("/v1/catalog/nodes")
resp, err := s.masterGet(url) resp, err := s.privilegedGet(url)
if err != nil { if err != nil {
r.Fatalf("failed http get '%s': %v", url, err) r.Fatalf("failed http get '%s': %v", url, err)
} }
@ -433,7 +438,7 @@ func (s *TestServer) WaitForActiveCARoot(t testing.TB) {
retry.Run(t, func(r *retry.R) { retry.Run(t, func(r *retry.R) {
// Query the API and check the status code. // Query the API and check the status code.
url := s.url("/v1/agent/connect/ca/roots") url := s.url("/v1/agent/connect/ca/roots")
resp, err := s.masterGet(url) resp, err := s.privilegedGet(url)
if err != nil { if err != nil {
r.Fatalf("failed http get '%s': %v", url, err) r.Fatalf("failed http get '%s': %v", url, err)
} }
@ -469,7 +474,7 @@ func (s *TestServer) WaitForServiceIntentions(t testing.TB) {
// preflightCheck call in agent/consul/config_endpoint.go will fail if // preflightCheck call in agent/consul/config_endpoint.go will fail if
// we aren't ready yet, vs just doing no work instead. // we aren't ready yet, vs just doing no work instead.
url := s.url("/v1/config/service-intentions/" + fakeConfigName) url := s.url("/v1/config/service-intentions/" + fakeConfigName)
resp, err := s.masterDelete(url) resp, err := s.privilegedDelete(url)
if err != nil { if err != nil {
r.Fatalf("failed http get '%s': %v", url, err) r.Fatalf("failed http get '%s': %v", url, err)
} }
@ -486,7 +491,7 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) {
retry.Run(t, func(r *retry.R) { retry.Run(t, func(r *retry.R) {
// Query the API and check the status code. // Query the API and check the status code.
url := s.url("/v1/catalog/nodes?index=0") url := s.url("/v1/catalog/nodes?index=0")
resp, err := s.masterGet(url) resp, err := s.privilegedGet(url)
if err != nil { if err != nil {
r.Fatalf("failed http get: %v", err) r.Fatalf("failed http get: %v", err)
} }
@ -507,7 +512,7 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) {
// Ensure the serfHealth check is registered // Ensure the serfHealth check is registered
url = s.url(fmt.Sprintf("/v1/health/node/%s", payload[0]["Node"])) url = s.url(fmt.Sprintf("/v1/health/node/%s", payload[0]["Node"]))
resp, err = s.masterGet(url) resp, err = s.privilegedGet(url)
if err != nil { if err != nil {
r.Fatalf("failed http get: %v", err) r.Fatalf("failed http get: %v", err)
} }
@ -533,24 +538,24 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) {
}) })
} }
func (s *TestServer) masterGet(url string) (*http.Response, error) { func (s *TestServer) privilegedGet(url string) (*http.Response, error) {
req, err := http.NewRequest("GET", url, nil) req, err := http.NewRequest("GET", url, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }
if s.Config.ACL.Tokens.Master != "" { if s.Config.ACL.Tokens.InitialManagement != "" {
req.Header.Set("x-consul-token", s.Config.ACL.Tokens.Master) req.Header.Set("x-consul-token", s.Config.ACL.Tokens.InitialManagement)
} }
return s.HTTPClient.Do(req) return s.HTTPClient.Do(req)
} }
func (s *TestServer) masterDelete(url string) (*http.Response, error) { func (s *TestServer) privilegedDelete(url string) (*http.Response, error) {
req, err := http.NewRequest("DELETE", url, nil) req, err := http.NewRequest("DELETE", url, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }
if s.Config.ACL.Tokens.Master != "" { if s.Config.ACL.Tokens.InitialManagement != "" {
req.Header.Set("x-consul-token", s.Config.ACL.Tokens.Master) req.Header.Set("x-consul-token", s.Config.ACL.Tokens.InitialManagement)
} }
return s.HTTPClient.Do(req) return s.HTTPClient.Do(req)
} }
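Review bot: privilegedGet and privilegedDelete carry no doc comment, and with "master" gone from their names nothing at the definition says which credential they attach. A comment such as `// privilegedGet issues a GET with the initial management token, when one is configured, in the x-consul-token header.` (and the matching one on privilegedDelete) would restore that. Because the helpers forward that token to whatever URL they are given, the comment should also say that callers pass only addresses built by `s.url`, as every call site visible in this section does. The two bodies differ only in the method string, so a single helper taking the method would keep the token handling in one place.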


@ -20,7 +20,7 @@ ${
}, },
{ {
"ID":"secret", "ID":"secret",
"Name":"Master Token", "Name":"Initial Management Token",
"Type":"management", "Type":"management",
"Rules":"", "Rules":"",
"CreateIndex":5, "CreateIndex":5,