Modifies server reconcile path to not use the server's token for internal operations.

2017-03-23 13:34:30 -07:00 · 2017-03-23 13:34:30 -07:00 · 16a9f6d671
parent d198287a62
commit 16a9f6d671
4 changed files with 61 additions and 31 deletions
--- a/consul/leader.go
+++ b/consul/leader.go
@ -464,10 +464,9 @@ AFTER_CHECK:
 			Status:  structs.HealthPassing,
 			Output:  SerfCheckAliveOutput,
 		},
-		WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
 	}
-	var out struct{}
-	return s.endpoints.Catalog.Register(&req, &out)
+	_, err = s.raftApply(structs.RegisterRequestType, &req)
+	return err
 }

 // handleFailedMember is used to mark the node's status
@ -505,10 +504,9 @@ func (s *Server) handleFailedMember(member serf.Member) error {
 			Status:  structs.HealthCritical,
 			Output:  SerfCheckFailedOutput,
 		},
-		WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
 	}
-	var out struct{}
-	return s.endpoints.Catalog.Register(&req, &out)
+	_, err = s.raftApply(structs.RegisterRequestType, &req)
+	return err
 }

 // handleLeftMember is used to handle members that gracefully
@ -553,12 +551,11 @@ func (s *Server) handleDeregisterMember(reason string, member serf.Member) error
 	// Deregister the node
 	s.logger.Printf("[INFO] consul: member '%s' %s, deregistering", member.Name, reason)
 	req := structs.DeregisterRequest{
-		Datacenter:   s.config.Datacenter,
-		Node:         member.Name,
-		WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
+		Datacenter: s.config.Datacenter,
+		Node:       member.Name,
 	}
-	var out struct{}
-	return s.endpoints.Catalog.Deregister(&req, &out)
+	_, err = s.raftApply(structs.DeregisterRequestType, &req)
+	return err
 }

 // joinConsulServer is used to try to join another consul server
@ -712,10 +709,9 @@ func (s *Server) removeConsulServer(m serf.Member, port int) error {
 func (s *Server) reapTombstones(index uint64) {
 	defer metrics.MeasureSince([]string{"consul", "leader", "reapTombstones"}, time.Now())
 	req := structs.TombstoneRequest{
-		Datacenter:   s.config.Datacenter,
-		Op:           structs.TombstoneReap,
-		ReapIndex:    index,
-		WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
+		Datacenter: s.config.Datacenter,
+		Op:         structs.TombstoneReap,
+		ReapIndex:  index,
 	}
 	_, err := s.raftApply(structs.TombstoneRequestType, &req)
 	if err != nil {
--- a/consul/leader_test.go
+++ b/consul/leader_test.go
@ -14,7 +14,12 @@ import (
 )

 func TestLeader_RegisterMember(t *testing.T) {
-	dir1, s1 := testServer(t)
+	dir1, s1 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1"
+		c.ACLMasterToken = "root"
+		c.ACLDefaultPolicy = "deny"
+		c.ACLEnforceVersion8 = true
+	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

@ -81,7 +86,12 @@ func TestLeader_RegisterMember(t *testing.T) {
 }

 func TestLeader_FailedMember(t *testing.T) {
-	dir1, s1 := testServer(t)
+	dir1, s1 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1"
+		c.ACLMasterToken = "root"
+		c.ACLDefaultPolicy = "deny"
+		c.ACLEnforceVersion8 = true
+	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

@ -140,7 +150,12 @@ func TestLeader_FailedMember(t *testing.T) {
 }

 func TestLeader_LeftMember(t *testing.T) {
-	dir1, s1 := testServer(t)
+	dir1, s1 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1"
+		c.ACLMasterToken = "root"
+		c.ACLDefaultPolicy = "deny"
+		c.ACLEnforceVersion8 = true
+	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

@ -185,7 +200,12 @@ func TestLeader_LeftMember(t *testing.T) {
 }

 func TestLeader_ReapMember(t *testing.T) {
-	dir1, s1 := testServer(t)
+	dir1, s1 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1"
+		c.ACLMasterToken = "root"
+		c.ACLDefaultPolicy = "deny"
+		c.ACLEnforceVersion8 = true
+	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

@ -244,7 +264,12 @@ func TestLeader_ReapMember(t *testing.T) {
 }

 func TestLeader_Reconcile_ReapMember(t *testing.T) {
-	dir1, s1 := testServer(t)
+	dir1, s1 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1"
+		c.ACLMasterToken = "root"
+		c.ACLDefaultPolicy = "deny"
+		c.ACLEnforceVersion8 = true
+	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

@ -261,6 +286,9 @@ func TestLeader_Reconcile_ReapMember(t *testing.T) {
 			Name:    SerfCheckName,
 			Status:  structs.HealthCritical,
 		},
+		WriteRequest: structs.WriteRequest{
+			Token: "root",
+		},
 	}
 	var out struct{}
 	if err := s1.RPC("Catalog.Register", &dead, &out); err != nil {
@ -284,7 +312,12 @@ func TestLeader_Reconcile_ReapMember(t *testing.T) {
 }

 func TestLeader_Reconcile(t *testing.T) {
-	dir1, s1 := testServer(t)
+	dir1, s1 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1"
+		c.ACLMasterToken = "root"
+		c.ACLDefaultPolicy = "deny"
+		c.ACLEnforceVersion8 = true
+	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

@ -562,6 +595,9 @@ func TestLeader_TombstoneGC_Reset(t *testing.T) {

 func TestLeader_ReapTombstones(t *testing.T) {
 	dir1, s1 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1"
+		c.ACLMasterToken = "root"
+		c.ACLDefaultPolicy = "deny"
 		c.TombstoneTTL = 50 * time.Millisecond
 		c.TombstoneTTLGranularity = 10 * time.Millisecond
 	})
@ -579,6 +615,9 @@ func TestLeader_ReapTombstones(t *testing.T) {
 			Key:   "test",
 			Value: []byte("test"),
 		},
+		WriteRequest: structs.WriteRequest{
+			Token: "root",
+		},
 	}
 	var out bool
 	if err := msgpackrpc.CallWithCodec(codec, "KVS.Apply", &arg, &out); err != nil {
--- a/website/source/docs/agent/options.html.markdown
+++ b/website/source/docs/agent/options.html.markdown
@ -454,9 +454,8 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
  and servers to perform internal operations to the service catalog. If this isn't specified, then
  the <a href="#acl_token">`acl_token`</a> will be used. This was added in Consul 0.7.2.
  <br><br>
-  For clients, this token must at least have write access to the node name it will register as. For
-  servers, this must have write access to all nodes that are expected to join the cluster, as well
-  as write access to the "consul" service, which will be registered automatically on its behalf.
+  This token must at least have write access to the node name it will register as in order to set any
+  of the node-level information in the catalog such as metadata, or the node's tagged addresses.

 * <a name="acl_enforce_version_8"></a><a href="#acl_enforce_version_8">`acl_enforce_version_8`</a> -
  Used for clients and servers to determine if enforcement should occur for new ACL policies being
--- a/website/source/docs/internals/acl.html.markdown
+++ b/website/source/docs/internals/acl.html.markdown
@ -571,13 +571,9 @@ Two new configuration options are used once complete ACLs are enabled:
  tokens during normal operation.
 * [`acl_agent_token`](/docs/agent/options.html#acl_agent_token) is used internally by
  Consul agents to perform operations to the service catalog when registering themselves
-  or sending network coordinates to the servers.
-  <br>
-  <br>
-  For clients, this token must at least have `node` ACL policy `write` access to the node
-  name it will register as. For servers, this must have `node` ACL policy `write` access to
-  all nodes that are expected to join the cluster, as well as `service` ACL policy `write`
-  access to the `consul` service, which will be registered automatically on its behalf.
+  or sending network coordinates to the servers. This token must at least have `node` ACL
+  policy `write` access to the node name it will register as in order to register any
+  node-level information like metadata or tagged addresses.

 Since clients now resolve ACLs locally, the [`acl_down_policy`](/docs/agent/options.html#acl_down_policy)
 now applies to Consul clients as well as Consul servers. This will determine what the