acl: remove a couple legacy ACL operation constants

structs.ACLForceSet was deprecated 4 years ago, it should be safe to remove now.
ACLBootstrapNow was removed in a recent commit. While it is technically possible that a cluster with mixed version
could still attempt a legacy boostrap, we documented that the legacy system was deprecated in 1.4, so no
clusters that are being upgraded should be attempting a legacy boostrap.

agent/consul/fsm/commands_oss.go

@@ -260,24 +260,7 @@ func (c *FSM) applyACLOperation(buf []byte, index uint64) interface{} {
 			return err
 		}
 		return enabled
-	case structs.ACLBootstrapNow:
-		// This is a bootstrap request from a non-upgraded node
-		if err := c.state.ACLBootstrap(index, 0, req.ACL.Convert(), true); err != nil {
-			return err
-		}
-
-		// No need to check expiration times as those did not exist in legacy tokens.
-		if _, token, err := c.state.ACLTokenGetBySecret(nil, req.ACL.ID, nil); err != nil {
-			return err
-		} else {
-			acl, err := token.Convert()
-			if err != nil {
-				return err
-			}
-			return acl
-		}
-
-	case structs.ACLForceSet, structs.ACLSet:
+	case structs.ACLSet:
 		if err := c.state.ACLTokenSet(index, req.ACL.Convert(), true); err != nil {
 			return err
 		}

agent/consul/fsm/commands_oss_test.go

@@ -923,29 +923,6 @@ func TestFSM_ACL_CRUD(t *testing.T) {
 	if !canBootstrap {
 		t.Fatalf("bad: shouldn't be able to bootstrap")
 	}
-
-	// Do a bootstrap.
-	bootstrap := structs.ACLRequest{
-		Datacenter: "dc1",
-		Op:         structs.ACLBootstrapNow,
-		ACL: structs.ACL{
-			ID:   generateUUID(),
-			Name: "Bootstrap Token",
-			Type: structs.ACLTokenTypeManagement,
-		},
-	}
-	buf, err = structs.Encode(structs.ACLRequestType, bootstrap)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	resp = fsm.Apply(makeLog(buf))
-	respACL, ok := resp.(*structs.ACL)
-	if !ok {
-		t.Fatalf("resp: %v", resp)
-	}
-	bootstrap.ACL.CreateIndex = respACL.CreateIndex
-	bootstrap.ACL.ModifyIndex = respACL.ModifyIndex
-	require.Equal(t, &bootstrap.ACL, respACL)
 }
 
 func TestFSM_PreparedQuery_CRUD(t *testing.T) {

agent/structs/acl.go

@@ -91,9 +91,11 @@ func ACLIDReserved(id string) bool {
 
 const (
 	// ACLSet creates or updates a token.
+	// TODO(ACL-Legacy-Compat): remove
 	ACLSet ACLOp = "set"
 
 	// ACLDelete deletes a token.
+	// TODO(ACL-Legacy-Compat): remove
 	ACLDelete ACLOp = "delete"
 )
 

agent/structs/acl_legacy.go

@@ -7,7 +7,6 @@
 package structs
 
 import (
-	"errors"
 	"fmt"
 	"time"
 
@@ -18,21 +17,10 @@ const (
 	// ACLBootstrapInit is used to perform a scan for existing tokens which
 	// will decide whether bootstrapping is allowed for a cluster. This is
 	// initiated by the leader when it steps up, if necessary.
+	// TODO(ACL-Legacy-Compat): remove
 	ACLBootstrapInit ACLOp = "bootstrap-init"
-
-	// ACLBootstrapNow is used to perform a one-time ACL bootstrap operation on
-	// a cluster to get the first management token.
-	ACLBootstrapNow ACLOp = "bootstrap-now"
-
-	// ACLForceSet is deprecated, but left for backwards compatibility.
-	ACLForceSet ACLOp = "force-set"
 )
 
-// ACLBootstrapNotInitializedErr is returned when a bootstrap is attempted but
-// we haven't yet initialized ACL bootstrap. It provides some guidance to
-// operators on how to proceed.
-var ACLBootstrapNotInitializedErr = errors.New("ACL bootstrap not initialized, need to force a leader election and ensure all Consul servers support this feature")
-
 const (
 	// ACLTokenTypeClient tokens have rules applied
 	ACLTokenTypeClient = "client"
@@ -62,6 +50,7 @@ type ACLs []*ACL
 // equivalent. This will NOT fill in the other ACLToken fields or perform any other
 // upgrade (other than correcting an older HCL syntax that is no longer
 // supported).
+// TODO(ACL-Legacy-Compat): remove
 func (a *ACL) Convert() *ACLToken {
 	// Ensure that we correct any old HCL in legacy tokens to prevent old
 	// syntax from leaking elsewhere into the system.