luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

[OSS] Remove remaining references to master (#11827)

This commit is contained in:
Dan Upton 2022-01-20 12:47:50 +00:00 committed by GitHub
parent bc21e95909
commit 088ba2edaf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
28 changed files with 600 additions and 572 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.changelog/11827.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:breaking-change
sdk: several changes to the testutil configuration structs (removed `ACLMasterToken`, renamed `Master` to `InitialManagement`, and `AgentMaster` to `AgentRecovery`)
```

16
agent/acl_endpoint_test.go
View File

@ -849,10 +849,10 @@ func TestACL_HTTP(t *testing.T) {
tokens, ok := raw.(structs.ACLTokenListStubs)
require.True(t, ok)
// 3 tokens created but 1 was deleted + master token + anon token
// 3 tokens created but 1 was deleted + initial management token + anon token
require.Len(t, tokens, 4)
// this loop doesn't verify anything about the master token
// this loop doesn't verify anything about the initial management token
for tokenID, expected := range tokenMap {
found := false
for _, actual := range tokens {
@ -1880,7 +1880,7 @@ func TestACL_Authorize(t *testing.T) {
var localToken structs.ACLToken
require.NoError(t, a2.RPC("ACL.TokenSet", &localTokenReq, &localToken))
t.Run("master-token", func(t *testing.T) {
t.Run("initial-management-token", func(t *testing.T) {
request := []structs.ACLAuthorizationRequest{
{
Resource: "acl",
@ -2016,7 +2016,7 @@ func TestACL_Authorize(t *testing.T) {
resp := responses[idx]
require.Equal(t, req, resp.ACLAuthorizationRequest)
require.True(t, resp.Allow, "should have allowed all access for master token")
require.True(t, resp.Allow, "should have allowed all access for initial management token")
}
})
}
@ -2277,7 +2277,7 @@ func TestACL_Authorize(t *testing.T) {
type rpcFn func(string, interface{}, interface{}) error
func upsertTestCustomizedAuthMethod(
rpc rpcFn, masterToken string, datacenter string,
rpc rpcFn, initialManagementToken string, datacenter string,
modify func(method *structs.ACLAuthMethod),
) (*structs.ACLAuthMethod, error) {
name, err := uuid.GenerateUUID()
@ -2291,7 +2291,7 @@ func upsertTestCustomizedAuthMethod(
Name: "test-method-" + name,
Type: "testing",
},
WriteRequest: structs.WriteRequest{Token: masterToken},
WriteRequest: structs.WriteRequest{Token: initialManagementToken},
}
if modify != nil {
@ -2308,11 +2308,11 @@ func upsertTestCustomizedAuthMethod(
return &out, nil
}
func upsertTestCustomizedBindingRule(rpc rpcFn, masterToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) {
func upsertTestCustomizedBindingRule(rpc rpcFn, initialManagementToken string, datacenter string, modify func(rule *structs.ACLBindingRule)) (*structs.ACLBindingRule, error) {
req := structs.ACLBindingRuleSetRequest{
Datacenter: datacenter,
BindingRule: structs.ACLBindingRule{},
WriteRequest: structs.WriteRequest{Token: masterToken},
WriteRequest: structs.WriteRequest{Token: initialManagementToken},
}
if modify != nil {

3
agent/agent.go
View File

@ -209,9 +209,6 @@ type Agent struct {
// depending on the configuration
delegate delegate
// aclMasterAuthorizer is an object that helps manage local ACL enforcement.
aclMasterAuthorizer acl.Authorizer
// state stores a local representation of the node,
// services and checks. Used for anti-entropy.
State *local.State

139
agent/agent_endpoint_test.go
View File

@ -85,7 +85,7 @@ func TestAgent_Services(t *testing.T) {
srv1 := &structs.NodeService{
ID: "mysql",
Service: "mysql",
Tags: []string{"master"},
Tags: []string{"primary"},
Meta: map[string]string{
"foo": "bar",
},
@ -120,7 +120,7 @@ func TestAgent_ServicesFiltered(t *testing.T) {
srv1 := &structs.NodeService{
ID: "mysql",
Service: "mysql",
Tags: []string{"master"},
Tags: []string{"primary"},
Meta: map[string]string{
"foo": "bar",
},
@ -1517,7 +1517,7 @@ func TestAgent_Self_ACLDeny(t *testing.T) {
require.Equal(t, http.StatusForbidden, resp.Code)
})
t.Run("agent master token", func(t *testing.T) {
t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("GET", "/v1/agent/self?token=towel", nil)
resp := httptest.NewRecorder()
a.srv.h.ServeHTTP(resp, req)
@ -1550,7 +1550,7 @@ func TestAgent_Metrics_ACLDeny(t *testing.T) {
require.Equal(t, http.StatusForbidden, resp.Code)
})
t.Run("agent master token", func(t *testing.T) {
t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("GET", "/v1/agent/metrics?token=towel", nil)
resp := httptest.NewRecorder()
a.srv.h.ServeHTTP(resp, req)
@ -2125,7 +2125,7 @@ func TestAgent_Join_ACLDeny(t *testing.T) {
require.Equal(t, http.StatusForbidden, resp.Code)
})
t.Run("agent master token", func(t *testing.T) {
t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/join/%s?token=towel", addr), nil)
resp := httptest.NewRecorder()
a1.srv.h.ServeHTTP(resp, req)
@ -2246,7 +2246,7 @@ func TestAgent_Leave_ACLDeny(t *testing.T) {
// this sub-test will change the state so that there is no leader.
// it must therefore be the last one in this list.
t.Run("agent master token", func(t *testing.T) {
t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("PUT", "/v1/agent/leave?token=towel", nil)
resp := httptest.NewRecorder()
a.srv.h.ServeHTTP(resp, req)
@ -2332,7 +2332,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
require.Equal(t, http.StatusForbidden, resp.Code)
})
t.Run("agent master token", func(t *testing.T) {
t.Run("agent recovery token", func(t *testing.T) {
req, _ := http.NewRequest("PUT", uri+"?token=towel", nil)
resp := httptest.NewRecorder()
a.srv.h.ServeHTTP(resp, req)
@ -3266,7 +3266,7 @@ func testAgent_RegisterService(t *testing.T, extraHCL string) {
args := &structs.ServiceDefinition{
Name: "test",
Meta: map[string]string{"hello": "world"},
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
Check: structs.CheckType{
TTL: 15 * time.Second,
@ -3353,7 +3353,7 @@ func testAgent_RegisterService_ReRegister(t *testing.T, extraHCL string) {
args := &structs.ServiceDefinition{
Name: "test",
Meta: map[string]string{"hello": "world"},
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
Checks: []*structs.CheckType{
{
@ -3378,7 +3378,7 @@ func testAgent_RegisterService_ReRegister(t *testing.T, extraHCL string) {
args = &structs.ServiceDefinition{
Name: "test",
Meta: map[string]string{"hello": "world"},
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
Checks: []*structs.CheckType{
{
@ -3434,7 +3434,7 @@ func testAgent_RegisterService_ReRegister_ReplaceExistingChecks(t *testing.T, ex
args := &structs.ServiceDefinition{
Name: "test",
Meta: map[string]string{"hello": "world"},
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
Checks: []*structs.CheckType{
{
@ -3460,7 +3460,7 @@ func testAgent_RegisterService_ReRegister_ReplaceExistingChecks(t *testing.T, ex
args = &structs.ServiceDefinition{
Name: "test",
Meta: map[string]string{"hello": "world"},
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
Checks: []*structs.CheckType{
{
@ -3740,7 +3740,7 @@ func testAgent_RegisterService_ACLDeny(t *testing.T, extraHCL string) {
args := &structs.ServiceDefinition{
Name: "test",
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
Check: structs.CheckType{
TTL: 15 * time.Second,
@ -4588,7 +4588,7 @@ func testAgent_RegisterService_ScriptCheck_ExecDisable(t *testing.T, extraHCL st
args := &structs.ServiceDefinition{
Name: "test",
Meta: map[string]string{"hello": "world"},
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
Check: structs.CheckType{
Name: "test-check",
@ -4640,7 +4640,7 @@ func testAgent_RegisterService_ScriptCheck_ExecRemoteDisable(t *testing.T, extra
args := &structs.ServiceDefinition{
Name: "test",
Meta: map[string]string{"hello": "world"},
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
Check: structs.CheckType{
Name: "test-check",
@ -5379,7 +5379,7 @@ func TestAgent_TokenTriggersFullSync(t *testing.T) {
initial_management = "root"
default = ""
agent = ""
agent_master = ""
agent_recovery = ""
replication = ""
}
}
@ -5427,7 +5427,7 @@ func TestAgent_Token(t *testing.T) {
initial_management = "root"
default = ""
agent = ""
agent_master = ""
agent_recovery = ""
replication = ""
}
}
@ -5436,20 +5436,20 @@ func TestAgent_Token(t *testing.T) {
testrpc.WaitForLeader(t, a.RPC, "dc1")
type tokens struct {
user string
userSource tokenStore.TokenSource
agent string
agentSource tokenStore.TokenSource
master string
masterSource tokenStore.TokenSource
repl string
replSource tokenStore.TokenSource
user string
userSource tokenStore.TokenSource
agent string
agentSource tokenStore.TokenSource
agentRecovery string
agentRecoverySource tokenStore.TokenSource
repl string
replSource tokenStore.TokenSource
}
resetTokens := func(init tokens) {
a.tokens.UpdateUserToken(init.user, init.userSource)
a.tokens.UpdateAgentToken(init.agent, init.agentSource)
a.tokens.UpdateAgentRecoveryToken(init.master, init.masterSource)
a.tokens.UpdateAgentRecoveryToken(init.agentRecovery, init.agentRecoverySource)
a.tokens.UpdateReplicationToken(init.repl, init.replSource)
}
@ -5531,8 +5531,8 @@ func TestAgent_Token(t *testing.T) {
url: "acl_agent_master_token?token=root",
body: body("M"),
code: http.StatusOK,
raw: tokens{master: "M", masterSource: tokenStore.TokenSourceAPI},
effective: tokens{master: "M"},
raw: tokens{agentRecovery: "M", agentRecoverySource: tokenStore.TokenSourceAPI},
effective: tokens{agentRecovery: "M"},
},
{
name: "set master",
@ -5540,8 +5540,8 @@ func TestAgent_Token(t *testing.T) {
url: "agent_master?token=root",
body: body("M"),
code: http.StatusOK,
raw: tokens{master: "M", masterSource: tokenStore.TokenSourceAPI},
effective: tokens{master: "M"},
raw: tokens{agentRecovery: "M", agentRecoverySource: tokenStore.TokenSourceAPI},
effective: tokens{agentRecovery: "M"},
},
{
name: "set recovery",
@ -5549,8 +5549,8 @@ func TestAgent_Token(t *testing.T) {
url: "agent_recovery?token=root",
body: body("R"),
code: http.StatusOK,
raw: tokens{master: "R", masterSource: tokenStore.TokenSourceAPI},
effective: tokens{master: "R", masterSource: tokenStore.TokenSourceAPI},
raw: tokens{agentRecovery: "R", agentRecoverySource: tokenStore.TokenSourceAPI},
effective: tokens{agentRecovery: "R", agentRecoverySource: tokenStore.TokenSourceAPI},
},
{
name: "set repl legacy",
@ -5612,8 +5612,8 @@ func TestAgent_Token(t *testing.T) {
url: "acl_agent_master_token?token=root",
body: body(""),
code: http.StatusOK,
init: tokens{master: "M"},
raw: tokens{masterSource: tokenStore.TokenSourceAPI},
init: tokens{agentRecovery: "M"},
raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI},
},
{
name: "clear master",
@ -5621,8 +5621,8 @@ func TestAgent_Token(t *testing.T) {
url: "agent_master?token=root",
body: body(""),
code: http.StatusOK,
init: tokens{master: "M"},
raw: tokens{masterSource: tokenStore.TokenSourceAPI},
init: tokens{agentRecovery: "M"},
raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI},
},
{
name: "clear recovery",
@ -5630,8 +5630,8 @@ func TestAgent_Token(t *testing.T) {
url: "agent_recovery?token=root",
body: body(""),
code: http.StatusOK,
init: tokens{master: "R"},
raw: tokens{masterSource: tokenStore.TokenSourceAPI},
init: tokens{agentRecovery: "R"},
raw: tokens{agentRecoverySource: tokenStore.TokenSourceAPI},
},
{
name: "clear repl legacy",
@ -5667,7 +5667,7 @@ func TestAgent_Token(t *testing.T) {
}
require.Equal(t, tt.effective.user, a.tokens.UserToken())
require.Equal(t, tt.effective.agent, a.tokens.AgentToken())
require.Equal(t, tt.effective.master, a.tokens.AgentRecoveryToken())
require.Equal(t, tt.effective.agentRecovery, a.tokens.AgentRecoveryToken())
require.Equal(t, tt.effective.repl, a.tokens.ReplicationToken())
tok, src := a.tokens.UserTokenAndSource()
@ -5679,8 +5679,8 @@ func TestAgent_Token(t *testing.T) {
require.Equal(t, tt.raw.agentSource, src)
tok, src = a.tokens.AgentRecoveryTokenAndSource()
require.Equal(t, tt.raw.master, tok)
require.Equal(t, tt.raw.masterSource, src)
require.Equal(t, tt.raw.agentRecovery, tok)
require.Equal(t, tt.raw.agentRecoverySource, src)
tok, src = a.tokens.ReplicationTokenAndSource()
require.Equal(t, tt.raw.repl, tok)
@ -7031,11 +7031,18 @@ func TestAgentConnectAuthorize_defaultAllow(t *testing.T) {
assert := assert.New(t)
dc1 := "dc1"
a := NewTestAgent(t, `
acl_datacenter = "`+dc1+`"
acl_default_policy = "allow"
acl_master_token = "root"
acl_agent_token = "root"
acl_agent_master_token = "towel"
primary_datacenter = "`+dc1+`"
acl {
enabled = true
default_policy = "allow"
tokens {
initial_management = "root"
agent = "root"
agent_recovery = "towel"
}
}
`)
defer a.Shutdown()
testrpc.WaitForTestAgent(t, a.RPC, dc1)
@ -7066,16 +7073,23 @@ func TestAgent_Host(t *testing.T) {
dc1 := "dc1"
a := NewTestAgent(t, `
acl_datacenter = "`+dc1+`"
acl_default_policy = "allow"
acl_master_token = "master"
acl_agent_token = "agent"
acl_agent_master_token = "towel"
`)
primary_datacenter = "`+dc1+`"
acl {
enabled = true
default_policy = "allow"
tokens {
initial_management = "initial-management"
agent = "agent"
agent_recovery = "towel"
}
}
`)
defer a.Shutdown()
testrpc.WaitForLeader(t, a.RPC, "dc1")
req, _ := http.NewRequest("GET", "/v1/agent/host?token=master", nil)
req, _ := http.NewRequest("GET", "/v1/agent/host?token=initial-management", nil)
resp := httptest.NewRecorder()
// TODO: AgentHost should write to response so that we can test using ServeHTTP()
respRaw, err := a.srv.AgentHost(resp, req)
@ -7098,12 +7112,19 @@ func TestAgent_HostBadACL(t *testing.T) {
dc1 := "dc1"
a := NewTestAgent(t, `
acl_datacenter = "`+dc1+`"
acl_default_policy = "deny"
acl_master_token = "root"
acl_agent_token = "agent"
acl_agent_master_token = "towel"
`)
primary_datacenter = "`+dc1+`"
acl {
enabled = true
default_policy = "deny"
tokens {
initial_management = "root"
agent = "agent"
agent_recovery = "towel"
}
}
`)
defer a.Shutdown()
testrpc.WaitForLeader(t, a.RPC, "dc1")

32
agent/consul/acl.go
View File

@ -263,19 +263,19 @@ type ACLResolver struct {
// disabledLock synchronizes access to disabledUntil
disabledLock sync.RWMutex
agentMasterAuthz acl.Authorizer
agentRecoveryAuthz acl.Authorizer
}
func agentMasterAuthorizer(nodeName string, entMeta *structs.EnterpriseMeta, aclConf *acl.Config) (acl.Authorizer, error) {
func agentRecoveryAuthorizer(nodeName string, entMeta *structs.EnterpriseMeta, aclConf *acl.Config) (acl.Authorizer, error) {
var conf acl.Config
if aclConf != nil {
conf = *aclConf
}
setEnterpriseConf(entMeta, &conf)
// Build a policy for the agent master token.
// Build a policy for the agent recovery token.
//
// The builtin agent master policy allows reading any node information
// The builtin agent recovery policy allows reading any node information
// and allows writes to the agent with the node name of the running agent
// only. This used to allow a prefix match on agent names but that seems
// entirely unnecessary so it is now using an exact match.
@ -323,21 +323,21 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy)
}
authz, err := agentMasterAuthorizer(config.Config.NodeName, &config.Config.EnterpriseMeta, config.ACLConfig)
authz, err := agentRecoveryAuthorizer(config.Config.NodeName, &config.Config.EnterpriseMeta, config.ACLConfig)
if err != nil {
return nil, fmt.Errorf("failed to initialize the agent master authorizer")
return nil, fmt.Errorf("failed to initialize the agent recovery authorizer")
}
return &ACLResolver{
config: config.Config,
logger: config.Logger.Named(logging.ACL),
delegate: config.Delegate,
aclConf: config.ACLConfig,
cache: cache,
disableDuration: config.DisableDuration,
down: down,
tokens: config.Tokens,
agentMasterAuthz: authz,
config: config.Config,
logger: config.Logger.Named(logging.ACL),
delegate: config.Delegate,
aclConf: config.ACLConfig,
cache: cache,
disableDuration: config.DisableDuration,
down: down,
tokens: config.Tokens,
agentRecoveryAuthz: authz,
}, nil
}
@ -1049,7 +1049,7 @@ func (r *ACLResolver) resolveLocallyManagedToken(token string) (structs.ACLIdent
}
if r.tokens.IsAgentRecoveryToken(token) {
return structs.NewAgentMasterTokenIdentity(r.config.NodeName, token), r.agentMasterAuthz, true
return structs.NewAgentRecoveryTokenIdentity(r.config.NodeName, token), r.agentRecoveryAuthz, true
}
return r.resolveLocallyManagedEnterpriseToken(token)

714
agent/consul/acl_endpoint_test.go
View File

File diff suppressed because it is too large Load Diff

14
agent/consul/acl_test.go
View File

@ -4007,7 +4007,7 @@ func TestACL_LocalToken(t *testing.T) {
})
}
func TestACLResolver_AgentMaster(t *testing.T) {
func TestACLResolver_AgentRecovery(t *testing.T) {
var tokens token.Store
d := &ACLResolverTestDelegate{
@ -4025,9 +4025,9 @@ func TestACLResolver_AgentMaster(t *testing.T) {
ident, authz, err := r.ResolveTokenToIdentityAndAuthorizer("9a184a11-5599-459e-b71a-550e5f9a5a23")
require.NoError(t, err)
require.NotNil(t, ident)
require.Equal(t, "agent-master:foo", ident.ID())
require.Equal(t, "agent-recovery:foo", ident.ID())
require.NotNil(t, authz)
require.Equal(t, r.agentMasterAuthz, authz)
require.Equal(t, r.agentRecoveryAuthz, authz)
require.Equal(t, acl.Allow, authz.AgentWrite("foo", nil))
require.Equal(t, acl.Allow, authz.NodeRead("bar", nil))
require.Equal(t, acl.Deny, authz.NodeWrite("bar", nil))
@ -4106,7 +4106,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
Name: "the-policy",
Rules: `key_prefix "" { policy = "read"}`,
},
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
}
var respPolicy = structs.ACLPolicy{}
err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &respPolicy)
@ -4121,7 +4121,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
SecretID: token,
Policies: []structs.ACLTokenPolicyLink{{Name: "the-policy"}},
},
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
}
var respToken structs.ACLToken
err = msgpackrpc.CallWithCodec(codec, "ACL.TokenSet", &reqToken, &respToken)
@ -4142,7 +4142,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
Name: "the-policy",
Rules: `{"key_prefix": {"": {"policy": "deny"}}}`,
},
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
}
err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &structs.ACLPolicy{})
require.NoError(t, err)
@ -4157,7 +4157,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
req := structs.ACLTokenDeleteRequest{
Datacenter: "dc1",
TokenID: respToken.AccessorID,
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
}
var resp string
err := msgpackrpc.CallWithCodec(codec, "ACL.TokenDelete", &req, &resp)

8
agent/consul/acl_token_exp_test.go
View File

@ -58,7 +58,7 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) {
acl := ACL{srv: s1}
masterTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, "root", "dc1", "root")
initialManagementTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, "root", "dc1", "root")
require.NoError(t, err)
listTokens := func() (localTokens, globalTokens []string, err error) {
@ -88,9 +88,9 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) {
t.Helper()
var expectLocal, expectGlobal []string
// The master token and the anonymous token are always going to be
// present and global.
expectGlobal = append(expectGlobal, masterTokenAccessorID)
// The initial management token and the anonymous token are always
// going to be present and global.
expectGlobal = append(expectGlobal, initialManagementTokenAccessorID)
expectGlobal = append(expectGlobal, structs.ACLTokenAnonymousID)
if local {

2
agent/consul/auto_config_backend_test.go
View File

@ -41,7 +41,7 @@ func TestAutoConfigBackend_CreateACLToken(t *testing.T) {
waitForLeaderEstablishment(t, srv)
r1, err := upsertTestRole(codec, TestDefaultMasterToken, "dc1")
r1, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1")
require.NoError(t, err)
t.Run("predefined-ids", func(t *testing.T) {

8
agent/consul/connect_ca_endpoint_test.go
View File

@ -163,7 +163,7 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) {
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true
c.ACLInitialManagementToken = TestDefaultMasterToken
c.ACLInitialManagementToken = TestDefaultInitialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
})
defer os.RemoveAll(dir1)
@ -175,11 +175,11 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) {
testrpc.WaitForLeader(t, s1.RPC, "dc1")
opReadToken, err := upsertTestTokenWithPolicyRules(
codec, TestDefaultMasterToken, "dc1", `operator = "read"`)
codec, TestDefaultInitialManagementToken, "dc1", `operator = "read"`)
require.NoError(t, err)
opWriteToken, err := upsertTestTokenWithPolicyRules(
codec, TestDefaultMasterToken, "dc1", `operator = "write"`)
codec, TestDefaultInitialManagementToken, "dc1", `operator = "write"`)
require.NoError(t, err)
// Update a config value
@ -215,7 +215,7 @@ pY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=
args := &structs.CARequest{
Datacenter: "dc1",
Config: newConfig,
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
}
var reply interface{}
require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply))

2
agent/consul/federation_state_endpoint_test.go
View File

@ -541,7 +541,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) {
gwListEmpty: true,
gwFilteredByACLs: true,
},
"master token": {
"initial management token": {
token: "root",
},
}

10
agent/consul/fsm/commands_oss_test.go
View File

@ -105,7 +105,7 @@ func TestFSM_RegisterNode_Service(t *testing.T) {
Service: &structs.NodeService{
ID: "db",
Service: "db",
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
},
Check: &structs.HealthCheck{
@ -170,7 +170,7 @@ func TestFSM_DeregisterService(t *testing.T) {
Service: &structs.NodeService{
ID: "db",
Service: "db",
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
},
}
@ -296,7 +296,7 @@ func TestFSM_DeregisterNode(t *testing.T) {
Service: &structs.NodeService{
ID: "db",
Service: "db",
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
},
Check: &structs.HealthCheck{
@ -1429,7 +1429,7 @@ func TestFSM_Chunking_Lifecycle(t *testing.T) {
Service: &structs.NodeService{
ID: "db",
Service: "db",
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
},
Check: &structs.HealthCheck{
@ -1559,7 +1559,7 @@ func TestFSM_Chunking_TermChange(t *testing.T) {
Service: &structs.NodeService{
ID: "db",
Service: "db",
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
},
Check: &structs.HealthCheck{

30
agent/consul/intention_endpoint_test.go
View File

@ -937,17 +937,17 @@ func TestIntention_WildcardACLEnforcement(t *testing.T) {
// create some test policies.
writeToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "write" }`)
writeToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "write" }`)
require.NoError(t, err)
readToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "read" }`)
readToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "read" }`)
require.NoError(t, err)
exactToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "*" { policy = "deny" intentions = "write" }`)
exactToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "*" { policy = "deny" intentions = "write" }`)
require.NoError(t, err)
wildcardPrefixToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "*" { policy = "deny" intentions = "write" }`)
wildcardPrefixToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "*" { policy = "deny" intentions = "write" }`)
require.NoError(t, err)
fooToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "foo" { policy = "deny" intentions = "write" }`)
fooToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "foo" { policy = "deny" intentions = "write" }`)
require.NoError(t, err)
denyToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "deny" }`)
denyToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "" { policy = "deny" intentions = "deny" }`)
require.NoError(t, err)
doIntentionCreate := func(t *testing.T, token string, dest string, deny bool) string {
@ -1607,7 +1607,7 @@ func TestIntentionList_acl(t *testing.T) {
waitForLeaderEstablishment(t, s1)
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "foo" { policy = "write" }`)
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service_prefix "foo" { policy = "write" }`)
require.NoError(t, err)
// Create a few records
@ -1620,7 +1620,7 @@ func TestIntentionList_acl(t *testing.T) {
ixn.Intention.SourceNS = "default"
ixn.Intention.DestinationNS = "default"
ixn.Intention.DestinationName = name
ixn.WriteRequest.Token = TestDefaultMasterToken
ixn.WriteRequest.Token = TestDefaultInitialManagementToken
// Create
var reply string
@ -1639,10 +1639,10 @@ func TestIntentionList_acl(t *testing.T) {
})
// Test with management token
t.Run("master-token", func(t *testing.T) {
t.Run("initial-management-token", func(t *testing.T) {
req := &structs.IntentionListRequest{
Datacenter: "dc1",
QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken},
QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken},
}
var resp structs.IndexedIntentions
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp))
@ -1666,7 +1666,7 @@ func TestIntentionList_acl(t *testing.T) {
req := &structs.IntentionListRequest{
Datacenter: "dc1",
QueryOptions: structs.QueryOptions{
Token: TestDefaultMasterToken,
Token: TestDefaultInitialManagementToken,
Filter: "DestinationName == foobar",
},
}
@ -1763,7 +1763,7 @@ func TestIntentionMatch_acl(t *testing.T) {
_, srv, codec := testACLServerWithConfig(t, nil, false)
waitForLeaderEstablishment(t, srv)
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "bar" { policy = "write" }`)
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "bar" { policy = "write" }`)
require.NoError(t, err)
// Create some records
@ -1781,7 +1781,7 @@ func TestIntentionMatch_acl(t *testing.T) {
Intention: structs.TestIntention(t),
}
ixn.Intention.DestinationName = v
ixn.WriteRequest.Token = TestDefaultMasterToken
ixn.WriteRequest.Token = TestDefaultInitialManagementToken
// Create
var reply string
@ -1993,7 +1993,7 @@ func TestIntentionCheck_match(t *testing.T) {
_, srv, codec := testACLServerWithConfig(t, nil, false)
waitForLeaderEstablishment(t, srv)
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "api" { policy = "read" }`)
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `service "api" { policy = "read" }`)
require.NoError(t, err)
// Create some intentions
@ -2015,7 +2015,7 @@ func TestIntentionCheck_match(t *testing.T) {
DestinationName: v[1],
Action: structs.IntentionActionAllow,
},
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
}
// Create
var reply string

26
agent/consul/internal_endpoint_test.go
View File

@ -1790,7 +1790,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken(TestDefaultMasterToken))
testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken(TestDefaultInitialManagementToken))
// Register terminating gateway and config entry linking it to postgres + redis
{
@ -1809,7 +1809,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
Status: api.HealthPassing,
ServiceID: "terminating-gateway",
},
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
}
var regOutput struct{}
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Catalog.Register", &arg, &regOutput))
@ -1834,7 +1834,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
Op: structs.ConfigEntryUpsert,
Datacenter: "dc1",
Entry: args,
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
}
var configOutput bool
require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConfigEntry.Apply", &req, &configOutput))
@ -1848,7 +1848,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t),
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
}
req.Intention.SourceName = "api"
req.Intention.DestinationName = v
@ -1860,7 +1860,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t),
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
}
req.Intention.SourceName = v
req.Intention.DestinationName = "api"
@ -1868,7 +1868,7 @@ func TestInternal_GatewayIntentions_aclDeny(t *testing.T) {
}
}
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
service_prefix "redis" { policy = "read" }
service_prefix "terminating-gateway" { policy = "read" }
`)
@ -2192,7 +2192,7 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) {
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true
c.ACLInitialManagementToken = TestDefaultMasterToken
c.ACLInitialManagementToken = TestDefaultInitialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
})
defer os.RemoveAll(dir1)
@ -2215,10 +2215,10 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) {
// web -> redis exact intention
// redis and redis-proxy on node zip
registerTestTopologyEntries(t, codec, TestDefaultMasterToken)
registerTestTopologyEntries(t, codec, TestDefaultInitialManagementToken)
// Token grants read to: foo/api, foo/api-proxy, bar/web, baz/web
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
node_prefix "" { policy = "read" }
service_prefix "api" { policy = "read" }
service "web" { policy = "read" }
@ -2331,7 +2331,7 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) {
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true
c.ACLInitialManagementToken = TestDefaultMasterToken
c.ACLInitialManagementToken = TestDefaultInitialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
})
defer os.RemoveAll(dir1)
@ -2349,11 +2349,11 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) {
// Intentions
// * -> * (deny) intention
// web -> api (allow)
registerIntentionUpstreamEntries(t, codec, TestDefaultMasterToken)
registerIntentionUpstreamEntries(t, codec, TestDefaultInitialManagementToken)
t.Run("valid token", func(t *testing.T) {
// Token grants read to read api service
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
service_prefix "api" { policy = "read" }
`)
require.NoError(t, err)
@ -2379,7 +2379,7 @@ service_prefix "api" { policy = "read" }
t.Run("invalid token filters results", func(t *testing.T) {
// Token grants read to read an unrelated service, mongo
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `
userToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultInitialManagementToken, "dc1", `
service_prefix "mongo" { policy = "read" }
`)
require.NoError(t, err)

10
agent/consul/leader_connect_test.go
View File

@ -196,7 +196,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
for _, tc := range tests {
tc := tc
t.Run(fmt.Sprintf("%s-%d", tc.keyType, tc.keyBits), func(t *testing.T) {
masterToken := "8a85f086-dd95-4178-b128-e10902767c5c"
initialManagementToken := "8a85f086-dd95-4178-b128-e10902767c5c"
// Initialize primary as the primary DC
dir1, s1 := testServerWithConfig(t, func(c *Config) {
@ -204,7 +204,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
c.PrimaryDatacenter = "primary"
c.Build = "1.6.0"
c.ACLsEnabled = true
c.ACLInitialManagementToken = masterToken
c.ACLInitialManagementToken = initialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
c.CAConfig.Config["PrivateKeyType"] = tc.keyType
c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits
@ -213,7 +213,7 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
defer os.RemoveAll(dir1)
defer s1.Shutdown()
s1.tokens.UpdateAgentToken(masterToken, token.TokenSourceConfig)
s1.tokens.UpdateAgentToken(initialManagementToken, token.TokenSourceConfig)
testrpc.WaitForLeader(t, s1.RPC, "primary")
@ -232,8 +232,8 @@ func TestCAManager_Initialize_Secondary(t *testing.T) {
defer os.RemoveAll(dir2)
defer s2.Shutdown()
s2.tokens.UpdateAgentToken(masterToken, token.TokenSourceConfig)
s2.tokens.UpdateReplicationToken(masterToken, token.TokenSourceConfig)
s2.tokens.UpdateAgentToken(initialManagementToken, token.TokenSourceConfig)
s2.tokens.UpdateReplicationToken(initialManagementToken, token.TokenSourceConfig)
// Create the WAN link
joinWAN(t, s2, s1)

24
agent/consul/leader_test.go
View File

@ -1162,15 +1162,15 @@ func TestLeader_ACL_Initialization(t *testing.T) {
t.Parallel()
tests := []struct {
name string
build string
master string
bootstrap bool
name string
build string
initialManagement string
bootstrap bool
}{
{"old version, no master", "0.8.0", "", true},
{"old version, master", "0.8.0", "root", false},
{"new version, no master", "0.9.1", "", true},
{"new version, master", "0.9.1", "root", false},
{"old version, no initial management", "0.8.0", "", true},
{"old version, initial management", "0.8.0", "root", false},
{"new version, no initial management", "0.9.1", "", true},
{"new version, initial management", "0.9.1", "root", false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
@ -1180,17 +1180,17 @@ func TestLeader_ACL_Initialization(t *testing.T) {
c.Datacenter = "dc1"
c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true
c.ACLInitialManagementToken = tt.master
c.ACLInitialManagementToken = tt.initialManagement
}
dir1, s1 := testServerWithConfig(t, conf)
defer os.RemoveAll(dir1)
defer s1.Shutdown()
testrpc.WaitForTestAgent(t, s1.RPC, "dc1")
if tt.master != "" {
_, master, err := s1.fsm.State().ACLTokenGetBySecret(nil, tt.master, nil)
if tt.initialManagement != "" {
_, initialManagement, err := s1.fsm.State().ACLTokenGetBySecret(nil, tt.initialManagement, nil)
require.NoError(t, err)
require.NotNil(t, master)
require.NotNil(t, initialManagement)
}
_, anon, err := s1.fsm.State().ACLTokenGetBySecret(nil, anonymousToken, nil)

10
agent/consul/prepared_query_endpoint_test.go
View File

@ -222,7 +222,7 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) {
Datacenter: "dc1",
Op: structs.PreparedQueryCreate,
Query: &structs.PreparedQuery{
Name: "redis-master",
Name: "redis-primary",
Service: structs.ServiceQuery{
Service: "the-redis",
},
@ -503,7 +503,7 @@ func TestPreparedQuery_Apply_ForwardLeader(t *testing.T) {
Address: "127.0.0.1",
Service: &structs.NodeService{
Service: "redis",
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
},
}
@ -853,7 +853,7 @@ func TestPreparedQuery_Get(t *testing.T) {
Datacenter: "dc1",
Op: structs.PreparedQueryCreate,
Query: &structs.PreparedQuery{
Name: "redis-master",
Name: "redis-primary",
Service: structs.ServiceQuery{
Service: "the-redis",
},
@ -1110,7 +1110,7 @@ func TestPreparedQuery_List(t *testing.T) {
Datacenter: "dc1",
Op: structs.PreparedQueryCreate,
Query: &structs.PreparedQuery{
Name: "redis-master",
Name: "redis-primary",
Token: "le-token",
Service: structs.ServiceQuery{
Service: "the-redis",
@ -2348,7 +2348,7 @@ func TestPreparedQuery_Execute_ForwardLeader(t *testing.T) {
Address: "127.0.0.1",
Service: &structs.NodeService{
Service: "redis",
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 8000,
},
}

6
agent/consul/server_test.go
View File

@ -35,7 +35,7 @@ import (
)
const (
TestDefaultMasterToken = "d9f05e83-a7ae-47ce-839e-c0d53a68c00a"
TestDefaultInitialManagementToken = "d9f05e83-a7ae-47ce-839e-c0d53a68c00a"
)
// testTLSCertificates Generates a TLS CA and server key/cert and returns them
@ -70,7 +70,7 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
func testServerACLConfig(c *Config) {
c.PrimaryDatacenter = "dc1"
c.ACLsEnabled = true
c.ACLInitialManagementToken = TestDefaultMasterToken
c.ACLInitialManagementToken = TestDefaultInitialManagementToken
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
}
@ -245,7 +245,7 @@ func testACLServerWithConfig(t *testing.T, cb func(*Config), initReplicationToke
if initReplicationToken {
// setup some tokens here so we get less warnings in the logs
srv.tokens.UpdateReplicationToken(TestDefaultMasterToken, token.TokenSourceConfig)
srv.tokens.UpdateReplicationToken(TestDefaultInitialManagementToken, token.TokenSourceConfig)
}
codec := rpcClient(t, srv)

7
agent/consul/state/prepared_query_test.go
View File

@ -5,8 +5,9 @@ import (
"strings"
"testing"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/go-memdb"
"github.com/hashicorp/consul/agent/structs"
)
func TestStateStore_PreparedQuery_isUUID(t *testing.T) {
@ -663,7 +664,7 @@ func TestStateStore_PreparedQueryResolve(t *testing.T) {
Regexp: "^prod-(.*)$",
},
Service: structs.ServiceQuery{
Service: "${match(1)}-master",
Service: "${match(1)}-primary",
},
}
if err := s.PreparedQuerySet(5, tmpl2); err != nil {
@ -705,7 +706,7 @@ func TestStateStore_PreparedQueryResolve(t *testing.T) {
Regexp: "^prod-(.*)$",
},
Service: structs.ServiceQuery{
Service: "redis-foobar-master",
Service: "redis-foobar-primary",
},
RaftIndex: structs.RaftIndex{
CreateIndex: 5,

12
agent/local/state_test.go
View File

@ -52,7 +52,7 @@ func TestAgentAntiEntropy_Services(t *testing.T) {
srv1 := &structs.NodeService{
ID: "mysql",
Service: "mysql",
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 5000,
Weights: &structs.Weights{
Passing: 1,
@ -675,7 +675,7 @@ func TestAgentAntiEntropy_Services_WithChecks(t *testing.T) {
srv := &structs.NodeService{
ID: "mysql",
Service: "mysql",
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 5000,
}
a.State.AddService(srv, "")
@ -725,7 +725,7 @@ func TestAgentAntiEntropy_Services_WithChecks(t *testing.T) {
srv := &structs.NodeService{
ID: "redis",
Service: "redis",
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 5000,
}
a.State.AddService(srv, "")
@ -821,7 +821,7 @@ func TestAgentAntiEntropy_Services_ACLDeny(t *testing.T) {
srv1 := &structs.NodeService{
ID: "mysql",
Service: "mysql",
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 5000,
Weights: &structs.Weights{
Passing: 1,
@ -1278,7 +1278,7 @@ func TestAgentAntiEntropy_Checks_ACLDeny(t *testing.T) {
srv1 := &structs.NodeService{
ID: "mysql",
Service: "mysql",
Tags: []string{"master"},
Tags: []string{"primary"},
Port: 5000,
Weights: &structs.Weights{
Passing: 1,
@ -1348,7 +1348,7 @@ func TestAgentAntiEntropy_Checks_ACLDeny(t *testing.T) {
Node: a.Config.NodeName,
ServiceID: "mysql",
ServiceName: "mysql",
ServiceTags: []string{"master"},
ServiceTags: []string{"primary"},
CheckID: "mysql-check",
Name: "mysql",
Status: api.HealthPassing,

26
agent/structs/acl.go
View File

@ -1728,50 +1728,50 @@ func CreateACLAuthorizationResponses(authz acl.Authorizer, requests []ACLAuthori
return responses, nil
}
type AgentMasterTokenIdentity struct {
type AgentRecoveryTokenIdentity struct {
agent string
secretID string
}
func NewAgentMasterTokenIdentity(agent string, secretID string) *AgentMasterTokenIdentity {
return &AgentMasterTokenIdentity{
func NewAgentRecoveryTokenIdentity(agent string, secretID string) *AgentRecoveryTokenIdentity {
return &AgentRecoveryTokenIdentity{
agent: agent,
secretID: secretID,
}
}
func (id *AgentMasterTokenIdentity) ID() string {
return fmt.Sprintf("agent-master:%s", id.agent)
func (id *AgentRecoveryTokenIdentity) ID() string {
return fmt.Sprintf("agent-recovery:%s", id.agent)
}
func (id *AgentMasterTokenIdentity) SecretToken() string {
func (id *AgentRecoveryTokenIdentity) SecretToken() string {
return id.secretID
}
func (id *AgentMasterTokenIdentity) PolicyIDs() []string {
func (id *AgentRecoveryTokenIdentity) PolicyIDs() []string {
return nil
}
func (id *AgentMasterTokenIdentity) RoleIDs() []string {
func (id *AgentRecoveryTokenIdentity) RoleIDs() []string {
return nil
}
func (id *AgentMasterTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity {
func (id *AgentRecoveryTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity {
return nil
}
func (id *AgentMasterTokenIdentity) NodeIdentityList() []*ACLNodeIdentity {
func (id *AgentRecoveryTokenIdentity) NodeIdentityList() []*ACLNodeIdentity {
return nil
}
func (id *AgentMasterTokenIdentity) IsExpired(asOf time.Time) bool {
func (id *AgentRecoveryTokenIdentity) IsExpired(asOf time.Time) bool {
return false
}
func (id *AgentMasterTokenIdentity) IsLocal() bool {
func (id *AgentRecoveryTokenIdentity) IsLocal() bool {
return true
}
func (id *AgentMasterTokenIdentity) EnterpriseMetadata() *EnterpriseMeta {
func (id *AgentRecoveryTokenIdentity) EnterpriseMetadata() *EnterpriseMeta {
return nil
}

16
api/acl_test.go
View File

@ -455,7 +455,7 @@ func TestAPI_ACLToken_List(t *testing.T) {
tokens, qm, err := acl.TokenList(nil)
require.NoError(t, err)
// 3 + anon + master
// 3 + anon + initial management
require.Len(t, tokens, 5)
require.NotEqual(t, 0, qm.LastIndex)
require.True(t, qm.KnownLeader)
@ -500,7 +500,7 @@ func TestAPI_ACLToken_List(t *testing.T) {
require.True(t, ok)
require.NotNil(t, token4)
// ensure the 5th token is the root master token
// ensure the 5th token is the initial management token
root, _, err := acl.TokenReadSelf(nil)
require.NoError(t, err)
require.NotNil(t, root)
@ -516,17 +516,17 @@ func TestAPI_ACLToken_Clone(t *testing.T) {
acl := c.ACL()
master, _, err := acl.TokenReadSelf(nil)
initialManagement, _, err := acl.TokenReadSelf(nil)
require.NoError(t, err)
require.NotNil(t, master)
require.NotNil(t, initialManagement)
cloned, _, err := acl.TokenClone(master.AccessorID, "cloned", nil)
cloned, _, err := acl.TokenClone(initialManagement.AccessorID, "cloned", nil)
require.NoError(t, err)
require.NotNil(t, cloned)
require.NotEqual(t, master.AccessorID, cloned.AccessorID)
require.NotEqual(t, master.SecretID, cloned.SecretID)
require.NotEqual(t, initialManagement.AccessorID, cloned.AccessorID)
require.NotEqual(t, initialManagement.SecretID, cloned.SecretID)
require.Equal(t, "cloned", cloned.Description)
require.ElementsMatch(t, master.Policies, cloned.Policies)
require.ElementsMatch(t, initialManagement.Policies, cloned.Policies)
read, _, err := acl.TokenRead(cloned.AccessorID, nil)
require.NoError(t, err)

7
api/api_test.go
View File

@ -16,10 +16,11 @@ import (
"testing"
"time"
"github.com/hashicorp/consul/sdk/testutil"
"github.com/hashicorp/consul/sdk/testutil/retry"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/hashicorp/consul/sdk/testutil"
"github.com/hashicorp/consul/sdk/testutil/retry"
)
type configCallback func(c *Config)
@ -39,7 +40,7 @@ func makeACLClient(t *testing.T) (*Client, *testutil.TestServer) {
clientConfig.Token = "root"
}, func(serverConfig *testutil.TestServerConfig) {
serverConfig.PrimaryDatacenter = "dc1"
serverConfig.ACL.Tokens.Master = "root"
serverConfig.ACL.Tokens.InitialManagement = "root"
serverConfig.ACL.Tokens.Agent = "root"
serverConfig.ACL.Enabled = true
serverConfig.ACL.DefaultPolicy = "deny"

4
api/catalog_test.go
View File

@ -826,7 +826,7 @@ func TestAPI_CatalogRegistration(t *testing.T) {
service := &AgentService{
ID: "redis1",
Service: "redis",
Tags: []string{"master", "v1"},
Tags: []string{"primary", "v1"},
Port: 8000,
}
@ -1023,7 +1023,7 @@ func TestAPI_CatalogEnableTagOverride(t *testing.T) {
service := &AgentService{
ID: "redis1",
Service: "redis",
Tags: []string{"master", "v1"},
Tags: []string{"primary", "v1"},
Port: 8000,
}

2
api/prepared_query_test.go
View File

@ -24,7 +24,7 @@ func TestAPI_PreparedQuery(t *testing.T) {
Service: &AgentService{
ID: "redis1",
Service: "redis",
Tags: []string{"master", "v1"},
Tags: []string{"primary", "v1"},
Meta: map[string]string{"redis-version": "4.0"},
Port: 8000,
},

4
sdk/testutil/README.md
View File

@ -56,10 +56,10 @@ func TestFoo_bar(t *testing.T) {
})
// Create a service
srv1.AddService(t, "redis", structs.HealthPassing, []string{"master"})
srv1.AddService(t, "redis", structs.HealthPassing, []string{"primary"})
// Create a service that will be accessed in target source code
srv1.AddAccessibleService("redis", structs.HealthPassing, "127.0.0.1", 6379, []string{"master"})
srv1.AddAccessibleService("redis", structs.HealthPassing, "127.0.0.1", 6379, []string{"primary"})
// Create a service check
srv1.AddCheck(t, "service:redis", "redis", structs.HealthPassing)

35
sdk/testutil/server.go
View File

@ -86,7 +86,6 @@ type TestServerConfig struct {
Addresses *TestAddressConfig `json:"addresses,omitempty"`
Ports *TestPortConfig `json:"ports,omitempty"`
RaftProtocol int `json:"raft_protocol,omitempty"`
ACLMasterToken string `json:"acl_master_token,omitempty"`
ACLDatacenter string `json:"acl_datacenter,omitempty"`
PrimaryDatacenter string `json:"primary_datacenter,omitempty"`
ACLDefaultPolicy string `json:"acl_default_policy,omitempty"`
@ -124,11 +123,17 @@ type TestACLs struct {
}
type TestTokens struct {
Master string `json:"master,omitempty"`
Replication string `json:"replication,omitempty"`
AgentMaster string `json:"agent_master,omitempty"`
Default string `json:"default,omitempty"`
Agent string `json:"agent,omitempty"`
// Note: this field is marshaled as master for compatibility with
// versions of Consul prior to 1.11.
InitialManagement string `json:"master,omitempty"`
// Note: this field is marshaled as agent_master for compatibility with
// versions of Consul prior to 1.11.
AgentRecovery string `json:"agent_master,omitempty"`
}
// ServerConfigCallback is a function interface which can be
@ -375,7 +380,7 @@ func (s *TestServer) waitForAPI() error {
time.Sleep(timer.Wait)
url := s.url("/v1/status/leader")
resp, err := s.masterGet(url)
resp, err := s.privilegedGet(url)
if err != nil {
failed = true
continue
@ -397,7 +402,7 @@ func (s *TestServer) WaitForLeader(t testing.TB) {
retry.Run(t, func(r *retry.R) {
// Query the API and check the status code.
url := s.url("/v1/catalog/nodes")
resp, err := s.masterGet(url)
resp, err := s.privilegedGet(url)
if err != nil {
r.Fatalf("failed http get '%s': %v", url, err)
}
@ -433,7 +438,7 @@ func (s *TestServer) WaitForActiveCARoot(t testing.TB) {
retry.Run(t, func(r *retry.R) {
// Query the API and check the status code.
url := s.url("/v1/agent/connect/ca/roots")
resp, err := s.masterGet(url)
resp, err := s.privilegedGet(url)
if err != nil {
r.Fatalf("failed http get '%s': %v", url, err)
}
@ -469,7 +474,7 @@ func (s *TestServer) WaitForServiceIntentions(t testing.TB) {
// preflightCheck call in agent/consul/config_endpoint.go will fail if
// we aren't ready yet, vs just doing no work instead.
url := s.url("/v1/config/service-intentions/" + fakeConfigName)
resp, err := s.masterDelete(url)
resp, err := s.privilegedDelete(url)
if err != nil {
r.Fatalf("failed http get '%s': %v", url, err)
}
@ -486,7 +491,7 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) {
retry.Run(t, func(r *retry.R) {
// Query the API and check the status code.
url := s.url("/v1/catalog/nodes?index=0")
resp, err := s.masterGet(url)
resp, err := s.privilegedGet(url)
if err != nil {
r.Fatalf("failed http get: %v", err)
}
@ -507,7 +512,7 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) {
// Ensure the serfHealth check is registered
url = s.url(fmt.Sprintf("/v1/health/node/%s", payload[0]["Node"]))
resp, err = s.masterGet(url)
resp, err = s.privilegedGet(url)
if err != nil {
r.Fatalf("failed http get: %v", err)
}
@ -533,24 +538,24 @@ func (s *TestServer) WaitForSerfCheck(t testing.TB) {
})
}
func (s *TestServer) masterGet(url string) (*http.Response, error) {
func (s *TestServer) privilegedGet(url string) (*http.Response, error) {
req, err := http.NewRequest("GET", url, nil)
if err != nil {
return nil, err
}
if s.Config.ACL.Tokens.Master != "" {
req.Header.Set("x-consul-token", s.Config.ACL.Tokens.Master)
if s.Config.ACL.Tokens.InitialManagement != "" {
req.Header.Set("x-consul-token", s.Config.ACL.Tokens.InitialManagement)
}
return s.HTTPClient.Do(req)
}
func (s *TestServer) masterDelete(url string) (*http.Response, error) {
func (s *TestServer) privilegedDelete(url string) (*http.Response, error) {
req, err := http.NewRequest("DELETE", url, nil)
if err != nil {
return nil, err
}
if s.Config.ACL.Tokens.Master != "" {
req.Header.Set("x-consul-token", s.Config.ACL.Tokens.Master)
if s.Config.ACL.Tokens.InitialManagement != "" {
req.Header.Set("x-consul-token", s.Config.ACL.Tokens.InitialManagement)
}
return s.HTTPClient.Do(req)
}

2
ui/packages/consul-ui/mock-api/v1/acl/list
View File

@ -20,7 +20,7 @@ ${
},
{
"ID":"secret",
"Name":"Master Token",
"Name":"Initial Management Token",
"Type":"management",
"Rules":"",
"CreateIndex":5,