[OSS] Remove remaining references to master (#11827)

Dan Upton 2022-01-20 12:47:50 +00:00 committed by GitHub
parent bc21e95909
commit 088ba2edaf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
28 changed files with 600 additions and 572 deletions

3
.changelog/11827.txt Normal file

@ -0,0 +1,3 @@
```release-note:breaking-change
sdk: several changes to the testutil configuration structs (removed `ACLMasterToken`, renamed `Master` to `InitialManagement`, and `AgentMaster` to `AgentRecovery`)
```


@ -849,10 +849,10 @@ func TestACL_HTTP(t *testing.T) {
tokens, ok := raw.(structs.ACLTokenListStubs) tokens, ok := raw.(structs.ACLTokenListStubs)
require.True(t, ok) require.True(t, ok)
// 3 tokens created but 1 was deleted + master token + anon token // 3 tokens created but 1 was deleted + initial management token + anon token
require.Len(t, tokens, 4) require.Len(t, tokens, 4)
// this loop doesn't verify anything about the master token // this loop doesn't verify anything about the initial management token
for tokenID, expected := range tokenMap { for tokenID, expected := range tokenMap {
found := false found := false
for _, actual := range tokens { for _, actual := range tokens {
@ -1880,7 +1880,7 @@ func TestACL_Authorize(t *testing.T) {
var localToken structs.ACLToken var localToken structs.ACLToken
require.NoError(t, a2.RPC("ACL.TokenSet", &localTokenReq, &localToken)) require.NoError(t, a2.RPC("ACL.TokenSet", &localTokenReq, &localToken))
t.Run("master-token", func(t *testing.T) { t.Run("initial-management-token", func(t *testing.T) {
request := []structs.ACLAuthorizationRequest{ request := []structs.ACLAuthorizationRequest{
{ {
Resource: "acl", Resource: "acl",
@ -2016,7 +2016,7 @@ func TestACL_Authorize(t *testing.T) {
resp := responses[idx] resp := responses[idx]
require.Equal(t, req, resp.ACLAuthorizationRequest) require.Equal(t, req, resp.ACLAuthorizationRequest)
require.True(t, resp.Allow, "should have allowed all access for master token") require.True(t, resp.Allow, "should have allowed all access for initial management token")
} }
}) })
} }
@ -2277,7 +2277,7 @@ func TestACL_Authorize(t *testing.T) {
type rpcFn func(string, interface{}, interface{}) error type rpcFn func(string, interface{}, interface{}) error
func upsertTestCustomizedAuthMethod( func upsertTestCustomizedAuthMethod(
rpc rpcFn, masterToken string, datacenter string, rpc rpcFn, initialManagementToken string, datacenter string,
modify func(method *structs.ACLAuthMethod), modify func(method *structs.ACLAuthMethod),
) (*structs.ACLAuthMethod, error) { ) (*structs.ACLAuthMethod, error) {
name, err := uuid.GenerateUUID() name, err := uuid.GenerateUUID()
@ -2291,7 +2291,7 @@ func upsertTestCustomizedAuthMethod(
Name: "test-method-" + name, Name: "test-method-" + name,
Type: "testing", Type: "testing",
}, },
WriteRequest: structs.WriteRequest{Token: masterToken}, WriteRequest: structs.WriteRequest{Token: initialManagementToken},
} }
if modify != nil { if modify != nil {
@ -2308,11 +2308,11 @@ func upsertTestCustomizedAuthMethod(
return &out, nil return &out, nil
} }
func upsertTestCustomizedBindingRule(rpc rpcFn, masterToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) { func upsertTestCustomizedBindingRule(rpc rpcFn, initialManagementToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) {
req := structs.ACLBindingRuleSetRequest{ req := structs.ACLBindingRuleSetRequest{
Datacenter: datacenter, Datacenter: datacenter,
BindingRule: structs.ACLBindingRule{}, BindingRule: structs.ACLBindingRule{},
WriteRequest: structs.WriteRequest{Token: masterToken}, WriteRequest: structs.WriteRequest{Token: initialManagementToken},
} }
if modify != nil { if modify != nil {


@ -209,9 +209,6 @@ type Agent struct {
// depending on the configuration // depending on the configuration
delegate delegate delegate delegate
// aclMasterAuthorizer is an object that helps manage local ACL enforcement.
aclMasterAuthorizer acl.Authorizer
// state stores a local representation of the node, // state stores a local representation of the node,
// services and checks. Used for anti-entropy. // services and checks. Used for anti-entropy.
State *local.State State *local.State


@ -85,7 +85,7 @@ func TestAgent_Services(t *testing.T) {
srv1 := &structs.NodeService{ srv1 := &structs.NodeService{
ID: "mysql", ID: "mysql",
Service: "mysql", Service: "mysql",
Tags: []string{"master"}, Tags: []string{"primary"},
Meta: map[string]string{ Meta: map[string]string{
"foo": "bar", "foo": "bar",
}, },
@ -120,7 +120,7 @@ func TestAgent_ServicesFiltered(t *testing.T) {
srv1 := &structs.NodeService{ srv1 := &structs.NodeService{
ID: "mysql", ID: "mysql",
Service: "mysql", Service: "mysql",
Tags: []string{"master"}, Tags: []string{"primary"},
Meta: map[string]string{ Meta: map[string]string{
"foo": "bar", "foo": "bar",
}, },
@ -1517,7 +1517,7 @@ func TestAgent_Self_ACLDeny(t *testing.T) {
require.Equal(t, http.StatusForbidden, resp.Code) require.Equal(t, http.StatusForbidden, resp.Code)
}) })
t.Run("agent master token", func(t *testing.T) { t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("GET", "/v1/agent/self?token=towel", nil) req, _ := http.NewRequest("GET", "/v1/agent/self?token=towel", nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
a.srv.h.ServeHTTP(resp, req) a.srv.h.ServeHTTP(resp, req)
@ -1550,7 +1550,7 @@ func TestAgent_Metrics_ACLDeny(t *testing.T) {
require.Equal(t, http.StatusForbidden, resp.Code) require.Equal(t, http.StatusForbidden, resp.Code)
}) })
t.Run("agent master token", func(t *testing.T) { t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("GET", "/v1/agent/metrics?token=towel", nil) req, _ := http.NewRequest("GET", "/v1/agent/metrics?token=towel", nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
a.srv.h.ServeHTTP(resp, req) a.srv.h.ServeHTTP(resp, req)
@ -2125,7 +2125,7 @@ func TestAgent_Join_ACLDeny(t *testing.T) {
require.Equal(t, http.StatusForbidden, resp.Code) require.Equal(t, http.StatusForbidden, resp.Code)
}) })
t.Run("agent master token", func(t *testing.T) { t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/join/%s?token=towel", addr), nil) req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/join/%s?token=towel", addr), nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
a1.srv.h.ServeHTTP(resp, req) a1.srv.h.ServeHTTP(resp, req)
@ -2246,7 +2246,7 @@ func TestAgent_Leave_ACLDeny(t *testing.T) {
// this sub-test will change the state so that there is no leader. // this sub-test will change the state so that there is no leader.
// it must therefore be the last one in this list. // it must therefore be the last one in this list.
t.Run("agent master token", func(t *testing.T) { t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("PUT", "/v1/agent/leave?token=towel", nil) req, _ := http.NewRequest("PUT", "/v1/agent/leave?token=towel", nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
a.srv.h.ServeHTTP(resp, req) a.srv.h.ServeHTTP(resp, req)
@ -2332,7 +2332,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
require.Equal(t, http.StatusForbidden, resp.Code) require.Equal(t, http.StatusForbidden, resp.Code)
}) })
t.Run("agent master token", func(t *testing.T) { t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("PUT", uri+"?token=towel", nil) req, _ := http.NewRequest("PUT", uri+"?token=towel", nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
a.srv.h.ServeHTTP(resp, req) a.srv.h.ServeHTTP(resp, req)
@ -3266,7 +3266,7 @@ func testAgent_RegisterService(t *testing.T, extraHCL string) {
args := &structs.ServiceDefinition{ args := &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Check: structs.CheckType{ Check: structs.CheckType{
TTL: 15 * time.Second, TTL: 15 * time.Second,
@ -3353,7 +3353,7 @@ func testAgent_RegisterService_ReRegister(t *testing.T, extraHCL string) {
args := &structs.ServiceDefinition{ args := &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Checks: []*structs.CheckType{ Checks: []*structs.CheckType{
{ {
@ -3378,7 +3378,7 @@ func testAgent_RegisterService_ReRegister(t *testing.T, extraHCL string) {
args = &structs.ServiceDefinition{ args = &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Checks: []*structs.CheckType{ Checks: []*structs.CheckType{
{ {
@ -3434,7 +3434,7 @@ func testAgent_RegisterService_ReRegister_ReplaceExistingChecks(t *testing.T, ex
args := &structs.ServiceDefinition{ args := &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Checks: []*structs.CheckType{ Checks: []*structs.CheckType{
{ {
@ -3460,7 +3460,7 @@ func testAgent_RegisterService_ReRegister_ReplaceExistingChecks(t *testing.T, ex
args = &structs.ServiceDefinition{ args = &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Checks: []*structs.CheckType{ Checks: []*structs.CheckType{
{ {
@ -3740,7 +3740,7 @@ func testAgent_RegisterService_ACLDeny(t *testing.T, extraHCL string) {
args := &structs.ServiceDefinition{ args := &structs.ServiceDefinition{
Name: "test", Name: "test",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Check: structs.CheckType{ Check: structs.CheckType{
TTL: 15 * time.Second, TTL: 15 * time.Second,
@ -4588,7 +4588,7 @@ func testAgent_RegisterService_ScriptCheck_ExecDisable(t *testing.T, extraHCL st
args := &structs.ServiceDefinition{ args := &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Check: structs.CheckType{ Check: structs.CheckType{
Name: "test-check", Name: "test-check",
@ -4640,7 +4640,7 @@ func testAgent_RegisterService_ScriptCheck_ExecRemoteDisable(t *testing.T, extra
args := &structs.ServiceDefinition{ args := &structs.ServiceDefinition{
Name: "test", Name: "test",
Meta: map[string]string{"hello": "world"}, Meta: map[string]string{"hello": "world"},
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
Check: structs.CheckType{ Check: structs.CheckType{
Name: "test-check", Name: "test-check",
@ -5379,7 +5379,7 @@ func TestAgent_TokenTriggersFullSync(t *testing.T) {
initial_management = "root" initial_management = "root"
default = "" default = ""
agent = "" agent = ""
agent_master = "" agent_recovery = ""
replication = "" replication = ""
} }
} }
@ -5427,7 +5427,7 @@ func TestAgent_Token(t *testing.T) {
initial_management = "root" initial_management = "root"
default = "" default = ""
agent = "" agent = ""
agent_master = "" agent_recovery = ""
replication = "" replication = ""
} }
} }
@ -5436,20 +5436,20 @@ func TestAgent_Token(t *testing.T) {
testrpc.WaitForLeader(t, a.RPC, "dc1") testrpc.WaitForLeader(t, a.RPC, "dc1")
type tokens struct { type tokens struct {
user string user string
userSource tokenStore.TokenSource userSource tokenStore.TokenSource
agent string agent string
agentSource tokenStore.TokenSource agentSource tokenStore.TokenSource
master string agentRecovery string
masterSource tokenStore.TokenSource agentRecoverySource tokenStore.TokenSource
repl string repl string
replSource tokenStore.TokenSource replSource tokenStore.TokenSource
} }
resetTokens := func(init tokens) { resetTokens := func(init tokens) {
a.tokens.UpdateUserToken(init.user, init.userSource) a.tokens.UpdateUserToken(init.user, init.userSource)
a.tokens.UpdateAgentToken(init.agent, init.agentSource) a.tokens.UpdateAgentToken(init.agent, init.agentSource)
a.tokens.UpdateAgentRecoveryToken(init.master, init.masterSource) a.tokens.UpdateAgentRecoveryToken(init.agentRecovery, init.agentRecoverySource)
a.tokens.UpdateReplicationToken(init.repl, init.replSource) a.tokens.UpdateReplicationToken(init.repl, init.replSource)
} }
@ -5531,8 +5531,8 @@ func TestAgent_Token(t *testing.T) {
url: "acl_agent_master_token?token=root", url: "acl_agent_master_token?token=root",
body: body("M"), body: body("M"),
code: http.StatusOK, code: http.StatusOK,
raw: tokens{master: "M", masterSource: tokenStore.TokenSourceAPI}, raw: tokens{agentRecovery: "M", agentRecoverySource: tokenStore.TokenSourceAPI},
effective: tokens{master: "M"}, effective: tokens{agentRecovery: "M"},
}, },
{ {
name: "set master", name: "set master",
@ -5540,8 +5540,8 @@ func TestAgent_Token(t *testing.T) {
url: "agent_master?token=root", url: "agent_master?token=root",
body: body("M"), body: body("M"),
code: http.StatusOK, code: http.StatusOK,
raw: tokens{master: "M", masterSource: tokenStore.TokenSourceAPI}, raw: tokens{agentRecovery: "M", agentRecoverySource: tokenStore.TokenSourceAPI},
effective: tokens{master: "M"}, effective: tokens{agentRecovery: "M"},
}, },
{ {
name: "set recovery", name: "set recovery",
@ -5549,8 +5549,8 @@ func TestAgent_Token(t *testing.T) {
url: "agent_recovery?token=root", url: "agent_recovery?token=root",
body: body("R"), body: body("R"),
code: http.StatusOK, code: http.StatusOK,
raw: tokens{master: "R", masterSource: tokenStore.TokenSourceAPI}, raw: tokens{agentRecovery: "R", agentRecoverySource: tokenStore.TokenSourceAPI},
effective: tokens{master: "R", masterSource: tokenStore.TokenSourceAPI}, effective: tokens{agentRecovery: "R", agentRecoverySource: tokenStore.TokenSourceAPI},
}, },
{ {
name: "set repl legacy", name: "set repl legacy",
@ -5612,8 +5612,8 @@ func TestAgent_Token(t *testing.T) {
url: "acl_agent_master_token?token=root", url: "acl_agent_master_token?token=root",
body: body(""), body: body(""),
code: http.StatusOK, code: http.StatusOK,
init: tokens{master: "M"}, init: tokens{agentRecovery: "M"},
raw: tokens{masterSource: tokenStore.TokenSourceAPI}, raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI},
}, },
{ {
name: "clear master", name: "clear master",
@ -5621,8 +5621,8 @@ func TestAgent_Token(t *testing.T) {
url: "agent_master?token=root", url: "agent_master?token=root",
body: body(""), body: body(""),
code: http.StatusOK, code: http.StatusOK,
init: tokens{master: "M"}, init: tokens{agentRecovery: "M"},
raw: tokens{masterSource: tokenStore.TokenSourceAPI}, raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI},
}, },
{ {
name: "clear recovery", name: "clear recovery",
@ -5630,8 +5630,8 @@ func TestAgent_Token(t *testing.T) {
url: "agent_recovery?token=root", url: "agent_recovery?token=root",
body: body(""), body: body(""),
code: http.StatusOK, code: http.StatusOK,
init: tokens{master: "R"}, init: tokens{agentRecovery: "R"},
raw: tokens{masterSource: tokenStore.TokenSourceAPI}, raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI},
}, },
{ {
name: "clear repl legacy", name: "clear repl legacy",
@ -5667,7 +5667,7 @@ func TestAgent_Token(t *testing.T) {
} }
require.Equal(t, tt.effective.user, a.tokens.UserToken()) require.Equal(t, tt.effective.user, a.tokens.UserToken())
require.Equal(t, tt.effective.agent, a.tokens.AgentToken()) require.Equal(t, tt.effective.agent, a.tokens.AgentToken())
require.Equal(t, tt.effective.master, a.tokens.AgentRecoveryToken()) require.Equal(t, tt.effective.agentRecovery, a.tokens.AgentRecoveryToken())
require.Equal(t, tt.effective.repl, a.tokens.ReplicationToken()) require.Equal(t, tt.effective.repl, a.tokens.ReplicationToken())
tok, src := a.tokens.UserTokenAndSource() tok, src := a.tokens.UserTokenAndSource()
@ -5679,8 +5679,8 @@ func TestAgent_Token(t *testing.T) {
require.Equal(t, tt.raw.agentSource, src) require.Equal(t, tt.raw.agentSource, src)
tok, src = a.tokens.AgentRecoveryTokenAndSource() tok, src = a.tokens.AgentRecoveryTokenAndSource()
require.Equal(t, tt.raw.master, tok) require.Equal(t, tt.raw.agentRecovery, tok)
require.Equal(t, tt.raw.masterSource, src) require.Equal(t, tt.raw.agentRecoverySource, src)
tok, src = a.tokens.ReplicationTokenAndSource() tok, src = a.tokens.ReplicationTokenAndSource()
require.Equal(t, tt.raw.repl, tok) require.Equal(t, tt.raw.repl, tok)
@ -7031,11 +7031,18 @@ func TestAgentConnectAuthorize_defaultAllow(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
dc1 := "dc1" dc1 := "dc1"
a := NewTestAgent(t, ` a := NewTestAgent(t, `
acl_datacenter = "`+dc1+`" primary_datacenter = "`+dc1+`"
acl_default_policy = "allow"
acl_master_token = "root" acl {
acl_agent_token = "root" enabled = true
acl_agent_master_token = "towel" default_policy = "allow"
tokens {
initial_management = "root"
agent = "root"
agent_recovery = "towel"
}
}
`) `)
defer a.Shutdown() defer a.Shutdown()
testrpc.WaitForTestAgent(t, a.RPC, dc1) testrpc.WaitForTestAgent(t, a.RPC, dc1)
@ -7066,16 +7073,23 @@ func TestAgent_Host(t *testing.T) {
dc1 := "dc1" dc1 := "dc1"
a := NewTestAgent(t, ` a := NewTestAgent(t, `
acl_datacenter = "`+dc1+`" primary_datacenter = "`+dc1+`"
acl_default_policy = "allow"
acl_master_token = "master" acl {
acl_agent_token = "agent" enabled = true
acl_agent_master_token = "towel" default_policy = "allow"
`)
tokens {
initial_management = "initial-management"
agent = "agent"
agent_recovery = "towel"
}
}
`)
defer a.Shutdown() defer a.Shutdown()
testrpc.WaitForLeader(t, a.RPC, "dc1") testrpc.WaitForLeader(t, a.RPC, "dc1")
req, _ := http.NewRequest("GET", "/v1/agent/host?token=master", nil) req, _ := http.NewRequest("GET", "/v1/agent/host?token=initial-management", nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
// TODO: AgentHost should write to response so that we can test using ServeHTTP() // TODO: AgentHost should write to response so that we can test using ServeHTTP()
respRaw, err := a.srv.AgentHost(resp, req) respRaw, err := a.srv.AgentHost(resp, req)
@ -7098,12 +7112,19 @@ func TestAgent_HostBadACL(t *testing.T) {
dc1 := "dc1" dc1 := "dc1"
a := NewTestAgent(t, ` a := NewTestAgent(t, `
acl_datacenter = "`+dc1+`" primary_datacenter = "`+dc1+`"
acl_default_policy = "deny"
acl_master_token = "root" acl {
acl_agent_token = "agent" enabled = true
acl_agent_master_token = "towel" default_policy = "deny"
`)
tokens {
initial_management = "root"
agent = "agent"
agent_recovery = "towel"
}
}
`)
defer a.Shutdown() defer a.Shutdown()
testrpc.WaitForLeader(t, a.RPC, "dc1") testrpc.WaitForLeader(t, a.RPC, "dc1")
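Review bot: In the TestAgent_Token table, the cases named `set master` and `clear master` and the `acl_agent_master_token` / `agent_master` URLs keep the old term while their expectations now use `agentRecovery`, and nothing marks that as intentional. They appear to exercise the legacy endpoint aliases, so a short comment on each, e.g. `// legacy alias of agent_recovery, kept for backwards-compatibility coverage`, would stop a later rename sweep from deleting that coverage. Separately, only the `set recovery` case sets `agentRecoverySource` inside `effective`; the visible assertions compare sources against `tt.raw` only, so that field looks unused there. TestAgent_Token's body extends beyond these hunks.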


@ -263,19 +263,19 @@ type ACLResolver struct {
// disabledLock synchronizes access to disabledUntil // disabledLock synchronizes access to disabledUntil
disabledLock sync.RWMutex disabledLock sync.RWMutex
agentMasterAuthz acl.Authorizer agentRecoveryAuthz acl.Authorizer
} }
func agentMasterAuthorizer(nodeName string, entMeta *structs.EnterpriseMeta, aclConf *acl.Config) (acl.Authorizer, error) { func agentRecoveryAuthorizer(nodeName string, entMeta *structs.EnterpriseMeta, aclConf *acl.Config) (acl.Authorizer, error) {
var conf acl.Config var conf acl.Config
if aclConf != nil { if aclConf != nil {
conf = *aclConf conf = *aclConf
} }
setEnterpriseConf(entMeta, &conf) setEnterpriseConf(entMeta, &conf)
// Build a policy for the agent master token. // Build a policy for the agent recovery token.
// //
// The builtin agent master policy allows reading any node information // The builtin agent recovery policy allows reading any node information
// and allows writes to the agent with the node name of the running agent // and allows writes to the agent with the node name of the running agent
// only. This used to allow a prefix match on agent names but that seems // only. This used to allow a prefix match on agent names but that seems
// entirely unnecessary so it is now using an exact match. // entirely unnecessary so it is now using an exact match.
@ -323,21 +323,21 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy) return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy)
} }
authz, err := agentMasterAuthorizer(config.Config.NodeName, &config.Config.EnterpriseMeta, config.ACLConfig) authz, err := agentRecoveryAuthorizer(config.Config.NodeName, &config.Config.EnterpriseMeta, config.ACLConfig)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to initialize the agent master authorizer") return nil, fmt.Errorf("failed to initialize the agent recovery authorizer")
} }
return &ACLResolver{ return &ACLResolver{
config: config.Config, config: config.Config,
logger: config.Logger.Named(logging.ACL), logger: config.Logger.Named(logging.ACL),
delegate: config.Delegate, delegate: config.Delegate,
aclConf: config.ACLConfig, aclConf: config.ACLConfig,
cache: cache, cache: cache,
disableDuration: config.DisableDuration, disableDuration: config.DisableDuration,
down: down, down: down,
tokens: config.Tokens, tokens: config.Tokens,
agentMasterAuthz: authz, agentRecoveryAuthz: authz,
}, nil }, nil
} }
@ -1049,7 +1049,7 @@ func (r *ACLResolver) resolveLocallyManagedToken(token string) (structs.ACLIdent
} }
if r.tokens.IsAgentRecoveryToken(token) { if r.tokens.IsAgentRecoveryToken(token) {
return structs.NewAgentMasterTokenIdentity(r.config.NodeName, token), r.agentMasterAuthz, true return structs.NewAgentRecoveryTokenIdentity(r.config.NodeName, token), r.agentRecoveryAuthz, true
} }
return r.resolveLocallyManagedEnterpriseToken(token) return r.resolveLocallyManagedEnterpriseToken(token)
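Review bot: In NewACLResolver the error returned by agentRecoveryAuthorizer is discarded: the `fmt.Errorf("failed to initialize the agent recovery authorizer")` line reports the failure without its cause, so a bad ACL configuration at this point is hard to diagnose. Wrap it instead, `return nil, fmt.Errorf("failed to initialize the agent recovery authorizer: %w", err)`. The rename touched this line but left the dropped error as it was; NewACLResolver's body starts outside the hunk.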



@ -4007,7 +4007,7 @@ func TestACL_LocalToken(t *testing.T) {
}) })
} }
func TestACLResolver_AgentMaster(t *testing.T) { func TestACLResolver_AgentRecovery(t *testing.T) {
var tokens token.Store var tokens token.Store
d := &ACLResolverTestDelegate{ d := &ACLResolverTestDelegate{
@ -4025,9 +4025,9 @@ func TestACLResolver_AgentMaster(t *testing.T) {
ident, authz, err := r.ResolveTokenToIdentityAndAuthorizer("9a184a11-5599-459e-b71a-550e5f9a5a23") ident, authz, err := r.ResolveTokenToIdentityAndAuthorizer("9a184a11-5599-459e-b71a-550e5f9a5a23")
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, ident) require.NotNil(t, ident)
require.Equal(t, "agent-master:foo", ident.ID()) require.Equal(t, "agent-recovery:foo", ident.ID())
require.NotNil(t, authz) require.NotNil(t, authz)
require.Equal(t, r.agentMasterAuthz, authz) require.Equal(t, r.agentRecoveryAuthz, authz)
require.Equal(t, acl.Allow, authz.AgentWrite("foo", nil)) require.Equal(t, acl.Allow, authz.AgentWrite("foo", nil))
require.Equal(t, acl.Allow, authz.NodeRead("bar", nil)) require.Equal(t, acl.Allow, authz.NodeRead("bar", nil))
require.Equal(t, acl.Deny, authz.NodeWrite("bar", nil)) require.Equal(t, acl.Deny, authz.NodeWrite("bar", nil))
@ -4106,7 +4106,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
Name: "the-policy", Name: "the-policy",
Rules: `key_prefix "" { policy = "read"}`, Rules: `key_prefix "" { policy = "read"}`,
}, },
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
var respPolicy = structs.ACLPolicy{} var respPolicy = structs.ACLPolicy{}
err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &respPolicy) err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &respPolicy)
@ -4121,7 +4121,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
SecretID: token, SecretID: token,
Policies: []structs.ACLTokenPolicyLink{{Name: "the-policy"}}, Policies: []structs.ACLTokenPolicyLink{{Name: "the-policy"}},
}, },
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
var respToken structs.ACLToken var respToken structs.ACLToken
err = msgpackrpc.CallWithCodec(codec, "ACL.TokenSet", &reqToken, &respToken) err = msgpackrpc.CallWithCodec(codec, "ACL.TokenSet", &reqToken, &respToken)
@ -4142,7 +4142,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
Name: "the-policy", Name: "the-policy",
Rules: `{"key_prefix": {"": {"policy": "deny"}}}`, Rules: `{"key_prefix": {"": {"policy": "deny"}}}`,
}, },
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &structs.ACLPolicy{}) err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &structs.ACLPolicy{})
require.NoError(t, err) require.NoError(t, err)
@ -4157,7 +4157,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
req := structs.ACLTokenDeleteRequest{ req := structs.ACLTokenDeleteRequest{
Datacenter: "dc1", Datacenter: "dc1",
TokenID: respToken.AccessorID, TokenID: respToken.AccessorID,
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
var resp string var resp string
err := msgpackrpc.CallWithCodec(codec, "ACL.TokenDelete", &req, &resp) err := msgpackrpc.CallWithCodec(codec, "ACL.TokenDelete", &req, &resp)
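Review bot: The assertion in TestACLResolver_AgentRecovery now expects `ident.ID()` to be `agent-recovery:foo` instead of `agent-master:foo`, so the identity string produced for the agent recovery token changes at runtime, not only in Go names. If that ID reaches logs or audit output (not visible here), anything matching on the `agent-master:` prefix stops matching after an upgrade, and the release note on this page lists only the sdk testutil changes. I would add a line to the changelog entry, or a comment at the assertion such as `// identity prefix changed from "agent-master:" in #11827; update log/audit matchers`.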


@ -58,7 +58,7 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) {
acl := ACL{srv: s1} acl := ACL{srv: s1}
masterTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, "root", "dc1", "root") initialManagementTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, "root", "dc1", "root")
require.NoError(t, err) require.NoError(t, err)
listTokens := func() (localTokens, globalTokens []string, err error) { listTokens := func() (localTokens, globalTokens []string, err error) {
@ -88,9 +88,9 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) {
t.Helper() t.Helper()
var expectLocal, expectGlobal []string var expectLocal, expectGlobal []string
// The master token and the anonymous token are always going to be // The initial management token and the anonymous token are always
// present and global. // going to be present and global.
expectGlobal = append(expectGlobal, masterTokenAccessorID) expectGlobal = append(expectGlobal, initialManagementTokenAccessorID)
expectGlobal = append(expectGlobal, structs.ACLTokenAnonymousID) expectGlobal = append(expectGlobal, structs.ACLTokenAnonymousID)
if local { if local {


@ -41,7 +41,7 @@ func TestAutoConfigBackend_CreateACLToken(t *testing.T) {
waitForLeaderEstablishment(t, srv) waitForLeaderEstablishment(t, srv)
r1, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1") r1, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1")
require.NoError(t, err) require.NoError(t, err)
t.Run("predefined-ids", func(t *testing.T) { t.Run("predefined-ids", func(t *testing.T) {


@ -163,7 +163,7 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) {
dir1, s1 := testServerWithConfig(t, func(c *Config) { dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.PrimaryDatacenter = "dc1" c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLInitialManagementToken = TestDefaultMasterToken c.ACLInitialManagementToken = TestDefaultInitialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLResolverSettings.ACLDefaultPolicy = "deny"
}) })
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
@ -175,11 +175,11 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) {
testrpc.WaitForLeader(t, s1.RPC, "dc1") testrpc.WaitForLeader(t, s1.RPC, "dc1")
opReadToken, err := upsertTestTokenWithPolicyRules( opReadToken, err := upsertTestTokenWithPolicyRules(
codec, TestDefaultMasterToken, "dc1", `operator = "read"`) codec, TestDefaultInitialManagementToken, "dc1", `operator = "read"`)
require.NoError(t, err) require.NoError(t, err)
opWriteToken, err := upsertTestTokenWithPolicyRules( opWriteToken, err := upsertTestTokenWithPolicyRules(
codec, TestDefaultMasterToken, "dc1", `operator = "write"`) codec, TestDefaultInitialManagementToken, "dc1", `operator = "write"`)
require.NoError(t, err) require.NoError(t, err)
// Update a config value // Update a config value
@ -215,7 +215,7 @@ pY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=
args := &structs.CARequest{ args := &structs.CARequest{
Datacenter: "dc1", Datacenter: "dc1",
Config: newConfig, Config: newConfig,
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
var reply interface{} var reply interface{}
require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply)) require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply))


@ -541,7 +541,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) {
gwListEmpty: true, gwListEmpty: true,
gwFilteredByACLs: true, gwFilteredByACLs: true,
}, },
"master token": { "initial management token": {
token: "root", token: "root",
}, },
} }


@ -105,7 +105,7 @@ func TestFSM_RegisterNode_Service(t *testing.T) {
Service: &structs.NodeService{ Service: &structs.NodeService{
ID: "db", ID: "db",
Service: "db", Service: "db",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
Check: &structs.HealthCheck{ Check: &structs.HealthCheck{
@ -170,7 +170,7 @@ func TestFSM_DeregisterService(t *testing.T) {
Service: &structs.NodeService{ Service: &structs.NodeService{
ID: "db", ID: "db",
Service: "db", Service: "db",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
} }
@ -296,7 +296,7 @@ func TestFSM_DeregisterNode(t *testing.T) {
Service: &structs.NodeService{ Service: &structs.NodeService{
ID: "db", ID: "db",
Service: "db", Service: "db",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
Check: &structs.HealthCheck{ Check: &structs.HealthCheck{
@ -1429,7 +1429,7 @@ func TestFSM_Chunking_Lifecycle(t *testing.T) {
Service: &structs.NodeService{ Service: &structs.NodeService{
ID: "db", ID: "db",
Service: "db", Service: "db",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
Check: &structs.HealthCheck{ Check: &structs.HealthCheck{
@ -1559,7 +1559,7 @@ func TestFSM_Chunking_TermChange(t *testing.T) {
Service: &structs.NodeService{ Service: &structs.NodeService{
ID: "db", ID: "db",
Service: "db", Service: "db",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
Check: &structs.HealthCheck{ Check: &structs.HealthCheck{


@ -937,17 +937,17 @@ func TestIntention_WildcardACLEnforcement(t *testing.T) {
// create some test policies. // create some test policies.
writeToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "write" }`) writeToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "write" }`)
require.NoError(t, err) require.NoError(t, err)
readToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "read" }`) readToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "read" }`)
require.NoError(t, err) require.NoError(t, err)
exactToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "*" { policy = "deny" intentions = "write" }`) exactToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "*" { policy = "deny" intentions = "write" }`)
require.NoError(t, err) require.NoError(t, err)
wildcardPrefixToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "*" { policy = "deny" intentions = "write" }`) wildcardPrefixToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "*" { policy = "deny" intentions = "write" }`)
require.NoError(t, err) require.NoError(t, err)
fooToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "foo" { policy = "deny" intentions = "write" }`) fooToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "foo" { policy = "deny" intentions = "write" }`)
require.NoError(t, err) require.NoError(t, err)
denyToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "deny" }`) denyToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "deny" }`)
require.NoError(t, err) require.NoError(t, err)
doIntentionCreate := func(t *testing.T, token string, dest string, deny bool) string { doIntentionCreate := func(t *testing.T, token string, dest string, deny bool) string {
@ -1607,7 +1607,7 @@ func TestIntentionList_acl(t *testing.T) {
waitForLeaderEstablishment(t, s1) waitForLeaderEstablishment(t, s1)
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "foo" { policy = "write" }`) token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "foo" { policy = "write" }`)
require.NoError(t, err) require.NoError(t, err)
// Create a few records // Create a few records
@ -1620,7 +1620,7 @@ func TestIntentionList_acl(t *testing.T) {
ixn.Intention.SourceNS = "default" ixn.Intention.SourceNS = "default"
ixn.Intention.DestinationNS = "default" ixn.Intention.DestinationNS = "default"
ixn.Intention.DestinationName = name ixn.Intention.DestinationName = name
ixn.WriteRequest.Token = TestDefaultMasterToken ixn.WriteRequest.Token = TestDefaultInitialManagementToken
// Create // Create
var reply string var reply string
@ -1639,10 +1639,10 @@ func TestIntentionList_acl(t *testing.T) {
}) })
// Test with management token // Test with management token
t.Run("master-token", func(t *testing.T) { t.Run("initial-management-token", func(t *testing.T) {
req := &structs.IntentionListRequest{ req := &structs.IntentionListRequest{
Datacenter: "dc1", Datacenter: "dc1",
QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken}, QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken},
} }
var resp structs.IndexedIntentions var resp structs.IndexedIntentions
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp)) require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp))
@ -1666,7 +1666,7 @@ func TestIntentionList_acl(t *testing.T) {
req := &structs.IntentionListRequest{ req := &structs.IntentionListRequest{
Datacenter: "dc1", Datacenter: "dc1",
QueryOptions: structs.QueryOptions{ QueryOptions: structs.QueryOptions{
Token: TestDefaultMasterToken, Token: TestDefaultInitialManagementToken,
Filter: "DestinationName == foobar", Filter: "DestinationName == foobar",
}, },
} }
@ -1763,7 +1763,7 @@ func TestIntentionMatch_acl(t *testing.T) {
_, srv, codec := testACLServerWithConfig(t, nil, false) _, srv, codec := testACLServerWithConfig(t, nil, false)
waitForLeaderEstablishment(t, srv) waitForLeaderEstablishment(t, srv)
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "bar" { policy = "write" }`) token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "bar" { policy = "write" }`)
require.NoError(t, err) require.NoError(t, err)
// Create some records // Create some records
@ -1781,7 +1781,7 @@ func TestIntentionMatch_acl(t *testing.T) {
Intention: structs.TestIntention(t), Intention: structs.TestIntention(t),
} }
ixn.Intention.DestinationName = v ixn.Intention.DestinationName = v
ixn.WriteRequest.Token = TestDefaultMasterToken ixn.WriteRequest.Token = TestDefaultInitialManagementToken
// Create // Create
var reply string var reply string
@ -1993,7 +1993,7 @@ func TestIntentionCheck_match(t *testing.T) {
_, srv, codec := testACLServerWithConfig(t, nil, false) _, srv, codec := testACLServerWithConfig(t, nil, false)
waitForLeaderEstablishment(t, srv) waitForLeaderEstablishment(t, srv)
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "api" { policy = "read" }`) token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "api" { policy = "read" }`)
require.NoError(t, err) require.NoError(t, err)
// Create some intentions // Create some intentions
@ -2015,7 +2015,7 @@ func TestIntentionCheck_match(t *testing.T) {
DestinationName: v[1], DestinationName: v[1],
Action: structs.IntentionActionAllow, Action: structs.IntentionActionAllow,
}, },
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
// Create // Create
var reply string var reply string


@ -1790,7 +1790,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
codec := rpcClient(t, s1) codec := rpcClient(t, s1)
defer codec.Close() defer codec.Close()
testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken(TestDefaultMasterToken)) testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken(TestDefaultInitialManagementToken))
// Register terminating gateway and config entry linking it to postgres + redis // Register terminating gateway and config entry linking it to postgres + redis
{ {
@ -1809,7 +1809,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
Status: api.HealthPassing, Status: api.HealthPassing,
ServiceID: "terminating-gateway", ServiceID: "terminating-gateway",
}, },
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
var regOutput struct{} var regOutput struct{}
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Catalog.Register", &arg, &regOutput)) require.NoError(t, msgpackrpc.CallWithCodec(codec, "Catalog.Register", &arg, &regOutput))
@ -1834,7 +1834,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
Op: structs.ConfigEntryUpsert, Op: structs.ConfigEntryUpsert,
Datacenter: "dc1", Datacenter: "dc1",
Entry: args, Entry: args,
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
var configOutput bool var configOutput bool
require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConfigEntry.Apply", &req, &configOutput)) require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConfigEntry.Apply", &req, &configOutput))
@ -1848,7 +1848,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
Datacenter: "dc1", Datacenter: "dc1",
Op: structs.IntentionOpCreate, Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t), Intention: structs.TestIntention(t),
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
req.Intention.SourceName = "api" req.Intention.SourceName = "api"
req.Intention.DestinationName = v req.Intention.DestinationName = v
@ -1860,7 +1860,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
Datacenter: "dc1", Datacenter: "dc1",
Op: structs.IntentionOpCreate, Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t), Intention: structs.TestIntention(t),
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken}, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
} }
req.Intention.SourceName = v req.Intention.SourceName = v
req.Intention.DestinationName = "api" req.Intention.DestinationName = "api"
@ -1868,7 +1868,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
} }
} }
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", ` userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
service_prefix "redis" { policy = "read" } service_prefix "redis" { policy = "read" }
service_prefix "terminating-gateway" { policy = "read" } service_prefix "terminating-gateway" { policy = "read" }
`) `)
@ -2192,7 +2192,7 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) {
dir1, s1 := testServerWithConfig(t, func(c *Config) { dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.PrimaryDatacenter = "dc1" c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLInitialManagementToken = TestDefaultMasterToken c.ACLInitialManagementToken = TestDefaultInitialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLResolverSettings.ACLDefaultPolicy = "deny"
}) })
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
@ -2215,10 +2215,10 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) {
// web -> redis exact intention // web -> redis exact intention
// redis and redis-proxy on node zip // redis and redis-proxy on node zip
registerTestTopologyEntries(t, codec, TestDefaultMasterToken) registerTestTopologyEntries(t, codec, TestDefaultInitialManagementToken)
// Token grants read to: foo/api, foo/api-proxy, bar/web, baz/web // Token grants read to: foo/api, foo/api-proxy, bar/web, baz/web
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", ` userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
node_prefix "" { policy = "read" } node_prefix "" { policy = "read" }
service_prefix "api" { policy = "read" } service_prefix "api" { policy = "read" }
service "web" { policy = "read" } service "web" { policy = "read" }
@ -2331,7 +2331,7 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) {
dir1, s1 := testServerWithConfig(t, func(c *Config) { dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.PrimaryDatacenter = "dc1" c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLInitialManagementToken = TestDefaultMasterToken c.ACLInitialManagementToken = TestDefaultInitialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLResolverSettings.ACLDefaultPolicy = "deny"
}) })
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
@ -2349,11 +2349,11 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) {
// Intentions // Intentions
// * -> * (deny) intention // * -> * (deny) intention
// web -> api (allow) // web -> api (allow)
registerIntentionUpstreamEntries(t, codec, TestDefaultMasterToken) registerIntentionUpstreamEntries(t, codec, TestDefaultInitialManagementToken)
t.Run("valid token", func(t *testing.T) { t.Run("valid token", func(t *testing.T) {
// Token grants read to read api service // Token grants read to read api service
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", ` userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
service_prefix "api" { policy = "read" } service_prefix "api" { policy = "read" }
`) `)
require.NoError(t, err) require.NoError(t, err)
@ -2379,7 +2379,7 @@ service_prefix "api" { policy = "read" }
t.Run("invalid token filters results", func(t *testing.T) { t.Run("invalid token filters results", func(t *testing.T) {
// Token grants read to read an unrelated service, mongo // Token grants read to read an unrelated service, mongo
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", ` userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
service_prefix "mongo" { policy = "read" } service_prefix "mongo" { policy = "read" }
`) `)
require.NoError(t, err) require.NoError(t, err)


@ -196,7 +196,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
for _, tc := range tests { for _, tc := range tests {
tc := tc tc := tc
t.Run(fmt.Sprintf("%s-%d", tc.keyType, tc.keyBits), func(t *testing.T) { t.Run(fmt.Sprintf("%s-%d", tc.keyType, tc.keyBits), func(t *testing.T) {
masterToken := "8a85f086-dd95-4178-b128-e10902767c5c" initialManagementToken := "8a85f086-dd95-4178-b128-e10902767c5c"
// Initialize primary as the primary DC // Initialize primary as the primary DC
dir1, s1 := testServerWithConfig(t, func(c *Config) { dir1, s1 := testServerWithConfig(t, func(c *Config) {
@ -204,7 +204,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
c.PrimaryDatacenter = "primary" c.PrimaryDatacenter = "primary"
c.Build = "1.6.0" c.Build = "1.6.0"
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLInitialManagementToken = masterToken c.ACLInitialManagementToken = initialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLResolverSettings.ACLDefaultPolicy = "deny"
c.CAConfig.Config["PrivateKeyType"] = tc.keyType c.CAConfig.Config["PrivateKeyType"] = tc.keyType
c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits
@ -213,7 +213,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
defer s1.Shutdown() defer s1.Shutdown()
s1.tokens.UpdateAgentToken(masterToken, token.TokenSourceConfig) s1.tokens.UpdateAgentToken(initialManagementToken, token.TokenSourceConfig)
testrpc.WaitForLeader(t, s1.RPC, "primary") testrpc.WaitForLeader(t, s1.RPC, "primary")
@ -232,8 +232,8 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
defer os.RemoveAll(dir2) defer os.RemoveAll(dir2)
defer s2.Shutdown() defer s2.Shutdown()
s2.tokens.UpdateAgentToken(masterToken, token.TokenSourceConfig) s2.tokens.UpdateAgentToken(initialManagementToken, token.TokenSourceConfig)
s2.tokens.UpdateReplicationToken(masterToken, token.TokenSourceConfig) s2.tokens.UpdateReplicationToken(initialManagementToken, token.TokenSourceConfig)
// Create the WAN link // Create the WAN link
joinWAN(t, s2, s1) joinWAN(t, s2, s1)


@ -1162,15 +1162,15 @@ func TestLeader_ACL_Initialization(t *testing.T) {
t.Parallel() t.Parallel()
tests := []struct { tests := []struct {
name string name string
build string build string
master string initialManagement string
bootstrap bool bootstrap bool
}{ }{
{"old version, no master", "0.8.0", "", true}, {"old version, no initial management", "0.8.0", "", true},
{"old version, master", "0.8.0", "root", false}, {"old version, initial management", "0.8.0", "root", false},
{"new version, no master", "0.9.1", "", true}, {"new version, no initial management", "0.9.1", "", true},
{"new version, master", "0.9.1", "root", false}, {"new version, initial management", "0.9.1", "root", false},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
@ -1180,17 +1180,17 @@ func TestLeader_ACL_Initialization(t *testing.T) {
c.Datacenter = "dc1" c.Datacenter = "dc1"
c.PrimaryDatacenter = "dc1" c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLInitialManagementToken = tt.master c.ACLInitialManagementToken = tt.initialManagement
} }
dir1, s1 := testServerWithConfig(t, conf) dir1, s1 := testServerWithConfig(t, conf)
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
defer s1.Shutdown() defer s1.Shutdown()
testrpc.WaitForTestAgent(t, s1.RPC, "dc1") testrpc.WaitForTestAgent(t, s1.RPC, "dc1")
if tt.master != "" { if tt.initialManagement != "" {
_, master, err := s1.fsm.State().ACLTokenGetBySecret(nil, tt.master, nil) _, initialManagement, err := s1.fsm.State().ACLTokenGetBySecret(nil, tt.initialManagement, nil)
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, master) require.NotNil(t, initialManagement)
} }
_, anon, err := s1.fsm.State().ACLTokenGetBySecret(nil, anonymousToken, nil) _, anon, err := s1.fsm.State().ACLTokenGetBySecret(nil, anonymousToken, nil)


@ -222,7 +222,7 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) {
Datacenter: "dc1", Datacenter: "dc1",
Op: structs.PreparedQueryCreate, Op: structs.PreparedQueryCreate,
Query: &structs.PreparedQuery{ Query: &structs.PreparedQuery{
Name: "redis-master", Name: "redis-primary",
Service: structs.ServiceQuery{ Service: structs.ServiceQuery{
Service: "the-redis", Service: "the-redis",
}, },
@ -503,7 +503,7 @@ func TestPreparedQuery_Apply_ForwardLeader(t *testing.T) {
Address: "127.0.0.1", Address: "127.0.0.1",
Service: &structs.NodeService{ Service: &structs.NodeService{
Service: "redis", Service: "redis",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
} }
@ -853,7 +853,7 @@ func TestPreparedQuery_Get(t *testing.T) {
Datacenter: "dc1", Datacenter: "dc1",
Op: structs.PreparedQueryCreate, Op: structs.PreparedQueryCreate,
Query: &structs.PreparedQuery{ Query: &structs.PreparedQuery{
Name: "redis-master", Name: "redis-primary",
Service: structs.ServiceQuery{ Service: structs.ServiceQuery{
Service: "the-redis", Service: "the-redis",
}, },
@ -1110,7 +1110,7 @@ func TestPreparedQuery_List(t *testing.T) {
Datacenter: "dc1", Datacenter: "dc1",
Op: structs.PreparedQueryCreate, Op: structs.PreparedQueryCreate,
Query: &structs.PreparedQuery{ Query: &structs.PreparedQuery{
Name: "redis-master", Name: "redis-primary",
Token: "le-token", Token: "le-token",
Service: structs.ServiceQuery{ Service: structs.ServiceQuery{
Service: "the-redis", Service: "the-redis",
@ -2348,7 +2348,7 @@ func TestPreparedQuery_Execute_ForwardLeader(t *testing.T) {
Address: "127.0.0.1", Address: "127.0.0.1",
Service: &structs.NodeService{ Service: &structs.NodeService{
Service: "redis", Service: "redis",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 8000, Port: 8000,
}, },
} }


@ -35,7 +35,7 @@ import (
) )
const ( const (
TestDefaultMasterToken = "d9f05e83-a7ae-47ce-839e-c0d53a68c00a" TestDefaultInitialManagementToken = "d9f05e83-a7ae-47ce-839e-c0d53a68c00a"
) )
// testTLSCertificates Generates a TLS CA and server key/cert and returns them // testTLSCertificates Generates a TLS CA and server key/cert and returns them
@ -70,7 +70,7 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
func testServerACLConfig(c *Config) { func testServerACLConfig(c *Config) {
c.PrimaryDatacenter = "dc1" c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLInitialManagementToken = TestDefaultMasterToken c.ACLInitialManagementToken = TestDefaultInitialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLResolverSettings.ACLDefaultPolicy = "deny"
} }
@ -245,7 +245,7 @@ func testACLServerWithConfig(t *testing.T, cb func(*Config), initReplicationToke
if initReplicationToken { if initReplicationToken {
// setup some tokens here so we get less warnings in the logs // setup some tokens here so we get less warnings in the logs
srv.tokens.UpdateReplicationToken(TestDefaultMasterToken, token.TokenSourceConfig) srv.tokens.UpdateReplicationToken(TestDefaultInitialManagementToken, token.TokenSourceConfig)
} }
codec := rpcClient(t, srv) codec := rpcClient(t, srv)


@ -5,8 +5,9 @@ import (
"strings" "strings"
"testing" "testing"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/go-memdb" "github.com/hashicorp/go-memdb"
"github.com/hashicorp/consul/agent/structs"
) )
func TestStateStore_PreparedQuery_isUUID(t *testing.T) { func TestStateStore_PreparedQuery_isUUID(t *testing.T) {
@ -663,7 +664,7 @@ func TestStateStore_PreparedQueryResolve(t *testing.T) {
Regexp: "^prod-(.*)$", Regexp: "^prod-(.*)$",
}, },
Service: structs.ServiceQuery{ Service: structs.ServiceQuery{
Service: "${match(1)}-master", Service: "${match(1)}-primary",
}, },
} }
if err := s.PreparedQuerySet(5, tmpl2); err != nil { if err := s.PreparedQuerySet(5, tmpl2); err != nil {
@ -705,7 +706,7 @@ func TestStateStore_PreparedQueryResolve(t *testing.T) {
Regexp: "^prod-(.*)$", Regexp: "^prod-(.*)$",
}, },
Service: structs.ServiceQuery{ Service: structs.ServiceQuery{
Service: "redis-foobar-master", Service: "redis-foobar-primary",
}, },
RaftIndex: structs.RaftIndex{ RaftIndex: structs.RaftIndex{
CreateIndex: 5, CreateIndex: 5,


@ -52,7 +52,7 @@ func TestAgentAntiEntropy_Services(t *testing.T) {
srv1 := &structs.NodeService{ srv1 := &structs.NodeService{
ID: "mysql", ID: "mysql",
Service: "mysql", Service: "mysql",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 5000, Port: 5000,
Weights: &structs.Weights{ Weights: &structs.Weights{
Passing: 1, Passing: 1,
@ -675,7 +675,7 @@ func TestAgentAntiEntropy_Services_WithChecks(t *testing.T) {
srv := &structs.NodeService{ srv := &structs.NodeService{
ID: "mysql", ID: "mysql",
Service: "mysql", Service: "mysql",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 5000, Port: 5000,
} }
a.State.AddService(srv, "") a.State.AddService(srv, "")
@ -725,7 +725,7 @@ func TestAgentAntiEntropy_Services_WithChecks(t *testing.T) {
srv := &structs.NodeService{ srv := &structs.NodeService{
ID: "redis", ID: "redis",
Service: "redis", Service: "redis",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 5000, Port: 5000,
} }
a.State.AddService(srv, "") a.State.AddService(srv, "")
@ -821,7 +821,7 @@ func TestAgentAntiEntropy_Services_ACLDeny(t *testing.T) {
srv1 := &structs.NodeService{ srv1 := &structs.NodeService{
ID: "mysql", ID: "mysql",
Service: "mysql", Service: "mysql",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 5000, Port: 5000,
Weights: &structs.Weights{ Weights: &structs.Weights{
Passing: 1, Passing: 1,
@ -1278,7 +1278,7 @@ func TestAgentAntiEntropy_Checks_ACLDeny(t *testing.T) {
srv1 := &structs.NodeService{ srv1 := &structs.NodeService{
ID: "mysql", ID: "mysql",
Service: "mysql", Service: "mysql",
Tags: []string{"master"}, Tags: []string{"primary"},
Port: 5000, Port: 5000,
Weights: &structs.Weights{ Weights: &structs.Weights{
Passing: 1, Passing: 1,
@ -1348,7 +1348,7 @@ func TestAgentAntiEntropy_Checks_ACLDeny(t *testing.T) {
Node: a.Config.NodeName, Node: a.Config.NodeName,
ServiceID: "mysql", ServiceID: "mysql",
ServiceName: "mysql", ServiceName: "mysql",
ServiceTags: []string{"master"}, ServiceTags: []string{"primary"},
CheckID: "mysql-check", CheckID: "mysql-check",
Name: "mysql", Name: "mysql",
Status: api.HealthPassing, Status: api.HealthPassing,


@ -1728,50 +1728,50 @@ func CreateACLAuthorizationResponses(authz acl.Authorizer, requests []ACLAuthori
return responses, nil return responses, nil
} }
type AgentMasterTokenIdentity struct { type AgentRecoveryTokenIdentity struct {
agent string agent string
secretID string secretID string
} }
func NewAgentMasterTokenIdentity(agent string, secretID string) *AgentMasterTokenIdentity { func NewAgentRecoveryTokenIdentity(agent string, secretID string) *AgentRecoveryTokenIdentity {
return &AgentMasterTokenIdentity{ return &AgentRecoveryTokenIdentity{
agent: agent, agent: agent,
secretID: secretID, secretID: secretID,
} }
} }
func (id *AgentMasterTokenIdentity) ID() string { func (id *AgentRecoveryTokenIdentity) ID() string {
return fmt.Sprintf("agent-master:%s", id.agent) return fmt.Sprintf("agent-recovery:%s", id.agent)
} }
func (id *AgentMasterTokenIdentity) SecretToken() string { func (id *AgentRecoveryTokenIdentity) SecretToken() string {
return id.secretID return id.secretID
} }
func (id *AgentMasterTokenIdentity) PolicyIDs() []string { func (id *AgentRecoveryTokenIdentity) PolicyIDs() []string {
return nil return nil
} }
func (id *AgentMasterTokenIdentity) RoleIDs() []string { func (id *AgentRecoveryTokenIdentity) RoleIDs() []string {
return nil return nil
} }
func (id *AgentMasterTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity { func (id *AgentRecoveryTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity {
return nil return nil
} }
func (id *AgentMasterTokenIdentity) NodeIdentityList() []*ACLNodeIdentity { func (id *AgentRecoveryTokenIdentity) NodeIdentityList() []*ACLNodeIdentity {
return nil return nil
} }
func (id *AgentMasterTokenIdentity) IsExpired(asOf time.Time) bool { func (id *AgentRecoveryTokenIdentity) IsExpired(asOf time.Time) bool {
return false return false
} }
func (id *AgentMasterTokenIdentity) IsLocal() bool { func (id *AgentRecoveryTokenIdentity) IsLocal() bool {
return true return true
} }
func (id *AgentMasterTokenIdentity) EnterpriseMetadata() *EnterpriseMeta { func (id *AgentRecoveryTokenIdentity) EnterpriseMetadata() *EnterpriseMeta {
return nil return nil
} }
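Review bot: The format string in `ID()` changes from `agent-master:%s` to `agent-recovery:%s`, which alters a runtime value rather than just renaming a Go identifier, so any consumer that matches on the old prefix would silently stop matching. The section does not show where this ID is consumed; if it reaches logs, audit records or comparisons elsewhere, the change deserves its own release note and a comment on the method such as `// ID returns "agent-recovery:<agent>"; the prefix was "agent-master:" before this rename.` The exported type and constructor also have no doc comments. Something like `// AgentRecoveryTokenIdentity is an ACL identity with no policies, roles, service or node identities; it never expires and is always local.` would state what the methods below it return.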


@ -455,7 +455,7 @@ func TestAPI_ACLToken_List(t *testing.T) {
tokens, qm, err := acl.TokenList(nil) tokens, qm, err := acl.TokenList(nil)
require.NoError(t, err) require.NoError(t, err)
// 3 + anon + master // 3 + anon + initial management
require.Len(t, tokens, 5) require.Len(t, tokens, 5)
require.NotEqual(t, 0, qm.LastIndex) require.NotEqual(t, 0, qm.LastIndex)
require.True(t, qm.KnownLeader) require.True(t, qm.KnownLeader)
@ -500,7 +500,7 @@ func TestAPI_ACLToken_List(t *testing.T) {
require.True(t, ok) require.True(t, ok)
require.NotNil(t, token4) require.NotNil(t, token4)
// ensure the 5th token is the root master token // ensure the 5th token is the initial management token
root, _, err := acl.TokenReadSelf(nil) root, _, err := acl.TokenReadSelf(nil)
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, root) require.NotNil(t, root)
@ -516,17 +516,17 @@ func TestAPI_ACLToken_Clone(t *testing.T) {
acl := c.ACL() acl := c.ACL()
master, _, err := acl.TokenReadSelf(nil) initialManagement, _, err := acl.TokenReadSelf(nil)
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, master) require.NotNil(t, initialManagement)
cloned, _, err := acl.TokenClone(master.AccessorID, "cloned", nil) cloned, _, err := acl.TokenClone(initialManagement.AccessorID, "cloned", nil)
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, cloned) require.NotNil(t, cloned)
require.NotEqual(t, master.AccessorID, cloned.AccessorID) require.NotEqual(t, initialManagement.AccessorID, cloned.AccessorID)
require.NotEqual(t, master.SecretID, cloned.SecretID) require.NotEqual(t, initialManagement.SecretID, cloned.SecretID)
require.Equal(t, "cloned", cloned.Description) require.Equal(t, "cloned", cloned.Description)
require.ElementsMatch(t, master.Policies, cloned.Policies) require.ElementsMatch(t, initialManagement.Policies, cloned.Policies)
read, _, err := acl.TokenRead(cloned.AccessorID, nil) read, _, err := acl.TokenRead(cloned.AccessorID, nil)
require.NoError(t, err) require.NoError(t, err)


@ -16,10 +16,11 @@ import (
"testing" "testing"
"time" "time"
"github.com/hashicorp/consul/sdk/testutil"
"github.com/hashicorp/consul/sdk/testutil/retry"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"github.com/hashicorp/consul/sdk/testutil"
"github.com/hashicorp/consul/sdk/testutil/retry"
) )
type configCallback func(c *Config) type configCallback func(c *Config)
@ -39,7 +40,7 @@ func makeACLClient(t *testing.T) (*Client, *testutil.TestServer) {
clientConfig.Token = "root" clientConfig.Token = "root"
}, func(serverConfig *testutil.TestServerConfig) { }, func(serverConfig *testutil.TestServerConfig) {
serverConfig.PrimaryDatacenter = "dc1" serverConfig.PrimaryDatacenter = "dc1"
serverConfig.ACL.Tokens.Master = "root" serverConfig.ACL.Tokens.InitialManagement = "root"
serverConfig.ACL.Tokens.Agent = "root" serverConfig.ACL.Tokens.Agent = "root"
serverConfig.ACL.Enabled = true serverConfig.ACL.Enabled = true
serverConfig.ACL.DefaultPolicy = "deny" serverConfig.ACL.DefaultPolicy = "deny"


@ -826,7 +826,7 @@ func TestAPI_CatalogRegistration(t *testing.T) {
service := &AgentService{ service := &AgentService{
ID: "redis1", ID: "redis1",
Service: "redis", Service: "redis",
Tags: []string{"master", "v1"}, Tags: []string{"primary", "v1"},
Port: 8000, Port: 8000,
} }
@ -1023,7 +1023,7 @@ func TestAPI_CatalogEnableTagOverride(t *testing.T) {
service := &AgentService{ service := &AgentService{
ID: "redis1", ID: "redis1",
Service: "redis", Service: "redis",
Tags: []string{"master", "v1"}, Tags: []string{"primary", "v1"},
Port: 8000, Port: 8000,
} }


@ -24,7 +24,7 @@ func TestAPI_PreparedQuery(t *testing.T) {
Service: &AgentService{ Service: &AgentService{
ID: "redis1", ID: "redis1",
Service: "redis", Service: "redis",
Tags: []string{"master", "v1"}, Tags: []string{"primary", "v1"},
Meta: map[string]string{"redis-version": "4.0"}, Meta: map[string]string{"redis-version": "4.0"},
Port: 8000, Port: 8000,
}, },


@ -56,10 +56,10 @@ func TestFoo_bar(t *testing.T) {
}) })
// Create a service // Create a service
srv1.AddService(t, "redis", structs.HealthPassing, []string{"master"}) srv1.AddService(t, "redis", structs.HealthPassing, []string{"primary"})
// Create a service that will be accessed in target source code // Create a service that will be accessed in target source code
srv1.AddAccessibleService("redis", structs.HealthPassing, "127.0.0.1", 6379, []string{"master"}) srv1.AddAccessibleService("redis", structs.HealthPassing, "127.0.0.1", 6379, []string{"primary"})
// Create a service check // Create a service check
srv1.AddCheck(t, "service:redis", "redis", structs.HealthPassing) srv1.AddCheck(t, "service:redis", "redis", structs.HealthPassing)


@ -86,7 +86,6 @@ type TestServerConfig struct {
Addresses *TestAddressConfig `json:"addresses,omitempty"` Addresses *TestAddressConfig `json:"addresses,omitempty"`
Ports *TestPortConfig `json:"ports,omitempty"` Ports *TestPortConfig `json:"ports,omitempty"`
RaftProtocol int `json:"raft_protocol,omitempty"` RaftProtocol int `json:"raft_protocol,omitempty"`
ACLMasterToken string `json:"acl_master_token,omitempty"`
ACLDatacenter string `json:"acl_datacenter,omitempty"` ACLDatacenter string `json:"acl_datacenter,omitempty"`
PrimaryDatacenter string `json:"primary_datacenter,omitempty"` PrimaryDatacenter string `json:"primary_datacenter,omitempty"`
ACLDefaultPolicy string `json:"acl_default_policy,omitempty"` ACLDefaultPolicy string `json:"acl_default_policy,omitempty"`
@ -124,11 +123,17 @@ type TestACLs struct {
} }
type TestTokens struct { type TestTokens struct {
Master string `json:"master,omitempty"`
Replication string `json:"replication,omitempty"` Replication string `json:"replication,omitempty"`
AgentMaster string `json:"agent_master,omitempty"`
Default string `json:"default,omitempty"` Default string `json:"default,omitempty"`
Agent string `json:"agent,omitempty"` Agent string `json:"agent,omitempty"`
// Note: this field is marshaled as master for compatibility with
// versions of Consul prior to 1.11.
InitialManagement string `json:"master,omitempty"`
// Note: this field is marshaled as agent_master for compatibility with
// versions of Consul prior to 1.11.
AgentRecovery string `json:"agent_master,omitempty"`
} }
// ServerConfigCallback is a function interface which can be // ServerConfigCallback is a function interface which can be
@ -375,7 +380,7 @@ func (s *TestServer) waitForAPI() error {
time.Sleep(timer.Wait) time.Sleep(timer.Wait)
url := s.url("/v1/status/leader") url := s.url("/v1/status/leader")
resp, err := s.masterGet(url) resp, err := s.privilegedGet(url)
if err != nil { if err != nil {
failed = true failed = true
continue continue
@ -397,7 +402,7 @@ func (s *TestServer) WaitForLeader(t testing.TB) {
retry.Run(t, func(r *retry.R) { retry.Run(t, func(r *retry.R) {
// Query the API and check the status code. // Query the API and check the status code.
url := s.url("/v1/catalog/nodes") url := s.url("/v1/catalog/nodes")
resp, err := s.masterGet(url) resp, err := s.privilegedGet(url)
if err != nil { if err != nil {
r.Fatalf("failed http get '%s': %v", url, err) r.Fatalf("failed http get '%s': %v", url, err)
} }
@ -433,7 +438,7 @@ func (s *TestServer) WaitForActiveCARoot(t testing.TB) {
retry.Run(t, func(r *retry.R) { retry.Run(t, func(r *retry.R) {
// Query the API and check the status code. // Query the API and check the status code.
url := s.url("/v1/agent/connect/ca/roots") url := s.url("/v1/agent/connect/ca/roots")
resp, err := s.masterGet(url) resp, err := s.privilegedGet(url)
if err != nil { if err != nil {
r.Fatalf("failed http get '%s': %v", url, err) r.Fatalf("failed http get '%s': %v", url, err)
} }
@ -469,7 +474,7 @@ func (s *TestServer) WaitForServiceIntentions(t testing.TB) {
// preflightCheck call in agent/consul/config_endpoint.go will fail if // preflightCheck call in agent/consul/config_endpoint.go will fail if
// we aren't ready yet, vs just doing no work instead. // we aren't ready yet, vs just doing no work instead.
url := s.url("/v1/config/service-intentions/" + fakeConfigName) url := s.url("/v1/config/service-intentions/" + fakeConfigName)
resp, err := s.masterDelete(url) resp, err := s.privilegedDelete(url)
if err != nil { if err != nil {
r.Fatalf("failed http get '%s': %v", url, err) r.Fatalf("failed http get '%s': %v", url, err)
} }
@ -486,7 +491,7 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) {
retry.Run(t, func(r *retry.R) { retry.Run(t, func(r *retry.R) {
// Query the API and check the status code. // Query the API and check the status code.
url := s.url("/v1/catalog/nodes?index=0") url := s.url("/v1/catalog/nodes?index=0")
resp, err := s.masterGet(url) resp, err := s.privilegedGet(url)
if err != nil { if err != nil {
r.Fatalf("failed http get: %v", err) r.Fatalf("failed http get: %v", err)
} }
@ -507,7 +512,7 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) {
// Ensure the serfHealth check is registered // Ensure the serfHealth check is registered
url = s.url(fmt.Sprintf("/v1/health/node/%s", payload[0]["Node"])) url = s.url(fmt.Sprintf("/v1/health/node/%s", payload[0]["Node"]))
resp, err = s.masterGet(url) resp, err = s.privilegedGet(url)
if err != nil { if err != nil {
r.Fatalf("failed http get: %v", err) r.Fatalf("failed http get: %v", err)
} }
@ -533,24 +538,24 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) {
}) })
} }
func (s *TestServer) masterGet(url string) (*http.Response, error) { func (s *TestServer) privilegedGet(url string) (*http.Response, error) {
req, err := http.NewRequest("GET", url, nil) req, err := http.NewRequest("GET", url, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }
if s.Config.ACL.Tokens.Master != "" { if s.Config.ACL.Tokens.InitialManagement != "" {
req.Header.Set("x-consul-token", s.Config.ACL.Tokens.Master) req.Header.Set("x-consul-token", s.Config.ACL.Tokens.InitialManagement)
} }
return s.HTTPClient.Do(req) return s.HTTPClient.Do(req)
} }
func (s *TestServer) masterDelete(url string) (*http.Response, error) { func (s *TestServer) privilegedDelete(url string) (*http.Response, error) {
req, err := http.NewRequest("DELETE", url, nil) req, err := http.NewRequest("DELETE", url, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }
if s.Config.ACL.Tokens.Master != "" { if s.Config.ACL.Tokens.InitialManagement != "" {
req.Header.Set("x-consul-token", s.Config.ACL.Tokens.Master) req.Header.Set("x-consul-token", s.Config.ACL.Tokens.InitialManagement)
} }
return s.HTTPClient.Do(req) return s.HTTPClient.Do(req)
} }
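Review bot: privilegedGet and privilegedDelete have no doc comment, although both attach `s.Config.ACL.Tokens.InitialManagement` as `x-consul-token` to whatever URL the caller passes. Every call site visible in this section builds that URL with `s.url(...)`, so the contract is worth stating on the helpers, for example `// privilegedGet issues a GET carrying the initial management token when one is configured; url must come from s.url so the token only reaches this test server.` The two bodies differ only in the method string, so a single unexported helper taking the method would keep the token handling in one place. Separately, the `r.Fatalf("failed http get '%s': %v", url, err)` after the `privilegedDelete` call in WaitForServiceIntentions names the wrong verb; `"failed http delete '%s': %v"` would match the request.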


@ -20,7 +20,7 @@ ${
}, },
{ {
"ID":"secret", "ID":"secret",
"Name":"Master Token", "Name":"Initial Management Token",
"Type":"management", "Type":"management",
"Rules":"", "Rules":"",
"CreateIndex":5, "CreateIndex":5,