Modifies server reconcile path to not use the server's token for internal operations.
This commit is contained in:
parent
d198287a62
commit
16a9f6d671
|
@ -464,10 +464,9 @@ AFTER_CHECK:
|
|||
Status: structs.HealthPassing,
|
||||
Output: SerfCheckAliveOutput,
|
||||
},
|
||||
WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
|
||||
}
|
||||
var out struct{}
|
||||
return s.endpoints.Catalog.Register(&req, &out)
|
||||
_, err = s.raftApply(structs.RegisterRequestType, &req)
|
||||
return err
|
||||
}
|
||||
|
||||
// handleFailedMember is used to mark the node's status
|
||||
|
@ -505,10 +504,9 @@ func (s *Server) handleFailedMember(member serf.Member) error {
|
|||
Status: structs.HealthCritical,
|
||||
Output: SerfCheckFailedOutput,
|
||||
},
|
||||
WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
|
||||
}
|
||||
var out struct{}
|
||||
return s.endpoints.Catalog.Register(&req, &out)
|
||||
_, err = s.raftApply(structs.RegisterRequestType, &req)
|
||||
return err
|
||||
}
|
||||
|
||||
// handleLeftMember is used to handle members that gracefully
|
||||
|
@ -553,12 +551,11 @@ func (s *Server) handleDeregisterMember(reason string, member serf.Member) error
|
|||
// Deregister the node
|
||||
s.logger.Printf("[INFO] consul: member '%s' %s, deregistering", member.Name, reason)
|
||||
req := structs.DeregisterRequest{
|
||||
Datacenter: s.config.Datacenter,
|
||||
Node: member.Name,
|
||||
WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
|
||||
Datacenter: s.config.Datacenter,
|
||||
Node: member.Name,
|
||||
}
|
||||
var out struct{}
|
||||
return s.endpoints.Catalog.Deregister(&req, &out)
|
||||
_, err = s.raftApply(structs.DeregisterRequestType, &req)
|
||||
return err
|
||||
}
|
||||
|
||||
// joinConsulServer is used to try to join another consul server
|
||||
|
@ -712,10 +709,9 @@ func (s *Server) removeConsulServer(m serf.Member, port int) error {
|
|||
func (s *Server) reapTombstones(index uint64) {
|
||||
defer metrics.MeasureSince([]string{"consul", "leader", "reapTombstones"}, time.Now())
|
||||
req := structs.TombstoneRequest{
|
||||
Datacenter: s.config.Datacenter,
|
||||
Op: structs.TombstoneReap,
|
||||
ReapIndex: index,
|
||||
WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
|
||||
Datacenter: s.config.Datacenter,
|
||||
Op: structs.TombstoneReap,
|
||||
ReapIndex: index,
|
||||
}
|
||||
_, err := s.raftApply(structs.TombstoneRequestType, &req)
|
||||
if err != nil {
|
||||
|
|
|
@ -14,7 +14,12 @@ import (
|
|||
)
|
||||
|
||||
func TestLeader_RegisterMember(t *testing.T) {
|
||||
dir1, s1 := testServer(t)
|
||||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||
c.ACLDatacenter = "dc1"
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLEnforceVersion8 = true
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
||||
|
@ -81,7 +86,12 @@ func TestLeader_RegisterMember(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestLeader_FailedMember(t *testing.T) {
|
||||
dir1, s1 := testServer(t)
|
||||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||
c.ACLDatacenter = "dc1"
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLEnforceVersion8 = true
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
||||
|
@ -140,7 +150,12 @@ func TestLeader_FailedMember(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestLeader_LeftMember(t *testing.T) {
|
||||
dir1, s1 := testServer(t)
|
||||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||
c.ACLDatacenter = "dc1"
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLEnforceVersion8 = true
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
||||
|
@ -185,7 +200,12 @@ func TestLeader_LeftMember(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestLeader_ReapMember(t *testing.T) {
|
||||
dir1, s1 := testServer(t)
|
||||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||
c.ACLDatacenter = "dc1"
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLEnforceVersion8 = true
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
||||
|
@ -244,7 +264,12 @@ func TestLeader_ReapMember(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestLeader_Reconcile_ReapMember(t *testing.T) {
|
||||
dir1, s1 := testServer(t)
|
||||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||
c.ACLDatacenter = "dc1"
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLEnforceVersion8 = true
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
||||
|
@ -261,6 +286,9 @@ func TestLeader_Reconcile_ReapMember(t *testing.T) {
|
|||
Name: SerfCheckName,
|
||||
Status: structs.HealthCritical,
|
||||
},
|
||||
WriteRequest: structs.WriteRequest{
|
||||
Token: "root",
|
||||
},
|
||||
}
|
||||
var out struct{}
|
||||
if err := s1.RPC("Catalog.Register", &dead, &out); err != nil {
|
||||
|
@ -284,7 +312,12 @@ func TestLeader_Reconcile_ReapMember(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestLeader_Reconcile(t *testing.T) {
|
||||
dir1, s1 := testServer(t)
|
||||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||
c.ACLDatacenter = "dc1"
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLEnforceVersion8 = true
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
||||
|
@ -562,6 +595,9 @@ func TestLeader_TombstoneGC_Reset(t *testing.T) {
|
|||
|
||||
func TestLeader_ReapTombstones(t *testing.T) {
|
||||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||
c.ACLDatacenter = "dc1"
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.TombstoneTTL = 50 * time.Millisecond
|
||||
c.TombstoneTTLGranularity = 10 * time.Millisecond
|
||||
})
|
||||
|
@ -579,6 +615,9 @@ func TestLeader_ReapTombstones(t *testing.T) {
|
|||
Key: "test",
|
||||
Value: []byte("test"),
|
||||
},
|
||||
WriteRequest: structs.WriteRequest{
|
||||
Token: "root",
|
||||
},
|
||||
}
|
||||
var out bool
|
||||
if err := msgpackrpc.CallWithCodec(codec, "KVS.Apply", &arg, &out); err != nil {
|
||||
|
|
|
@ -454,9 +454,8 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
|
|||
and servers to perform internal operations to the service catalog. If this isn't specified, then
|
||||
the <a href="#acl_token">`acl_token`</a> will be used. This was added in Consul 0.7.2.
|
||||
<br><br>
|
||||
For clients, this token must at least have write access to the node name it will register as. For
|
||||
servers, this must have write access to all nodes that are expected to join the cluster, as well
|
||||
as write access to the "consul" service, which will be registered automatically on its behalf.
|
||||
This token must at least have write access to the node name it will register as in order to set any
|
||||
of the node-level information in the catalog such as metadata, or the node's tagged addresses.
|
||||
|
||||
* <a name="acl_enforce_version_8"></a><a href="#acl_enforce_version_8">`acl_enforce_version_8`</a> -
|
||||
Used for clients and servers to determine if enforcement should occur for new ACL policies being
|
||||
|
|
|
@ -571,13 +571,9 @@ Two new configuration options are used once complete ACLs are enabled:
|
|||
tokens during normal operation.
|
||||
* [`acl_agent_token`](/docs/agent/options.html#acl_agent_token) is used internally by
|
||||
Consul agents to perform operations to the service catalog when registering themselves
|
||||
or sending network coordinates to the servers.
|
||||
<br>
|
||||
<br>
|
||||
For clients, this token must at least have `node` ACL policy `write` access to the node
|
||||
name it will register as. For servers, this must have `node` ACL policy `write` access to
|
||||
all nodes that are expected to join the cluster, as well as `service` ACL policy `write`
|
||||
access to the `consul` service, which will be registered automatically on its behalf.
|
||||
or sending network coordinates to the servers. This token must at least have `node` ACL
|
||||
policy `write` access to the node name it will register as in order to register any
|
||||
node-level information like metadata or tagged addresses.
|
||||
|
||||
Since clients now resolve ACLs locally, the [`acl_down_policy`](/docs/agent/options.html#acl_down_policy)
|
||||
now applies to Consul clients as well as Consul servers. This will determine what the
|
||||
|
|
Loading…
Reference in New Issue