Renames "prepared_query" ACL policy to "query".

James Phillips 2016-02-24 16:57:55 -08:00
parent 3b91618d7d
commit 2f7eac8b86
5 changed files with 22 additions and 22 deletions


@ -19,7 +19,7 @@ type Policy struct {
Keys []*KeyPolicy `hcl:"key,expand"` Keys []*KeyPolicy `hcl:"key,expand"`
Services []*ServicePolicy `hcl:"service,expand"` Services []*ServicePolicy `hcl:"service,expand"`
Events []*EventPolicy `hcl:"event,expand"` Events []*EventPolicy `hcl:"event,expand"`
PreparedQueries []*PreparedQueryPolicy `hcl:"prepared_query,expand"` PreparedQueries []*PreparedQueryPolicy `hcl:"query,expand"`
Keyring string `hcl:"keyring"` Keyring string `hcl:"keyring"`
} }
@ -116,7 +116,7 @@ func Parse(rules string) (*Policy, error) {
// Validate the prepared query policies // Validate the prepared query policies
for _, pq := range p.PreparedQueries { for _, pq := range p.PreparedQueries {
if !isPolicyValid(pq.Policy) { if !isPolicyValid(pq.Policy) {
return nil, fmt.Errorf("Invalid prepared_query policy: %#v", pq) return nil, fmt.Errorf("Invalid query policy: %#v", pq)
} }
} }
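Review bot: The struct tag on `PreparedQueries` changes from `prepared_query` to `query` with no handling for rules still written under the old key, and nothing visible in these hunks shows that Parse rejects unrecognised top-level keys. If the decoder ignores them, a rule such as `prepared_query "foo" { policy = "deny" }` would parse without error and contribute nothing, so the token would silently fall back to the default policy. I would either have Parse return an error that names the rename when the old key is present, or add `prepared_query "" { policy = "read" }` to the cases in TestACLPolicy_Bad_Policy so the behaviour is pinned by a test. Parse's body continues outside the hunk, so an existing unknown-key check may already cover this.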


@ -35,13 +35,13 @@ event "foo" {
event "bar" { event "bar" {
policy = "deny" policy = "deny"
} }
prepared_query "" { query "" {
policy = "read" policy = "read"
} }
prepared_query "foo" { query "foo" {
policy = "write" policy = "write"
} }
prepared_query "bar" { query "bar" {
policy = "deny" policy = "deny"
} }
keyring = "deny" keyring = "deny"
@ -151,7 +151,7 @@ func TestACLPolicy_Parse_JSON(t *testing.T) {
"policy": "deny" "policy": "deny"
} }
}, },
"prepared_query": { "query": {
"": { "": {
"policy": "read" "policy": "read"
}, },
@ -257,7 +257,7 @@ func TestACLPolicy_Bad_Policy(t *testing.T) {
`key "" { policy = "nope" }`, `key "" { policy = "nope" }`,
`service "" { policy = "nope" }`, `service "" { policy = "nope" }`,
`event "" { policy = "nope" }`, `event "" { policy = "nope" }`,
`prepared_query "" { policy = "nope" }`, `query "" { policy = "nope" }`,
`keyring = "nope"`, `keyring = "nope"`,
} }
for _, c := range cases { for _, c := range cases {


@ -194,7 +194,7 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) {
var token string var token string
{ {
var rules = ` var rules = `
prepared_query "redis" { query "redis" {
policy = "write" policy = "write"
} }
` `
@ -585,7 +585,7 @@ func TestPreparedQuery_Get(t *testing.T) {
var token string var token string
{ {
var rules = ` var rules = `
prepared_query "redis" { query "redis" {
policy = "write" policy = "write"
} }
` `
@ -762,7 +762,7 @@ func TestPreparedQuery_List(t *testing.T) {
var token string var token string
{ {
var rules = ` var rules = `
prepared_query "redis" { query "redis" {
policy = "write" policy = "write"
} }
` `


@ -48,7 +48,7 @@ its ID if it is created successfully.
By default, the datacenter of the agent is queried; however, the dc can be By default, the datacenter of the agent is queried; however, the dc can be
provided using the "?dc=" query parameter. provided using the "?dc=" query parameter.
If ACLs are enabled, then the client will need to supply a token with `prepared_query` If ACLs are enabled, then the client will need to supply a token with `query`
write privileges sufficient to match the service name being queried and the `Name` write privileges sufficient to match the service name being queried and the `Name`
given to the query, if any. See also the note about the `Token` field below. given to the query, if any. See also the note about the `Token` field below.
@ -166,7 +166,7 @@ provided using the "?dc=" query parameter. This endpoint supports blocking
queries and all consistency modes. queries and all consistency modes.
If ACLs are enabled, then the client will only see prepared queries for which their If ACLs are enabled, then the client will only see prepared queries for which their
token has `prepared_query` read privileges. A management token will be able to see all token has `query` read privileges. A management token will be able to see all
prepared queries. Tokens will be displayed as `<hidden>` unless a management token is prepared queries. Tokens will be displayed as `<hidden>` unless a management token is
used. used.
@ -211,7 +211,7 @@ The `PUT` method allows an existing prepared query to be updated.
By default, the datacenter of the agent is queried; however, the dc can be By default, the datacenter of the agent is queried; however, the dc can be
provided using the "?dc=" query parameter. provided using the "?dc=" query parameter.
If ACLs are enabled, then the client will need to supply a token with `prepared_query` If ACLs are enabled, then the client will need to supply a token with `query`
write privileges sufficient to match the service name being queried and the `Name` write privileges sufficient to match the service name being queried and the `Name`
given to the query, if any. given to the query, if any.
@ -232,7 +232,7 @@ only with a single item present. If the query does not exist then a 404
status code will be returned. status code will be returned.
If ACLs are enabled, then the client will only see prepared queries for which their If ACLs are enabled, then the client will only see prepared queries for which their
token has `prepared_query` read privileges. A management token will be able to see all token has `query` read privileges. A management token will be able to see all
prepared queries. Tokens will be displayed as `<hidden>` unless a management token is prepared queries. Tokens will be displayed as `<hidden>` unless a management token is
used. used.
@ -243,7 +243,7 @@ The `DELETE` method is used to delete a prepared query.
By default, the datacenter of the agent is queried; however, the dc can be By default, the datacenter of the agent is queried; however, the dc can be
provided using the "?dc=" query parameter. provided using the "?dc=" query parameter.
If ACLs are enabled, then the client will need to supply a token with `prepared_query` If ACLs are enabled, then the client will need to supply a token with `query`
write privileges sufficient to match the service name being queried and the `Name` write privileges sufficient to match the service name being queried and the `Name`
given to the query, if any. given to the query, if any.


@ -150,7 +150,7 @@ access to each API token based on the events they should be able to fire.
### Blacklist mode and Prepared Queries ### Blacklist mode and Prepared Queries
After Consul 0.6.3, significant changes were made to ACLs for prepared queries, After Consul 0.6.3, significant changes were made to ACLs for prepared queries,
incuding a new `prepared_query` ACL policy. See [Prepared Query ACLs](#prepared_query_acls) below for more details. incuding a new `query` ACL policy. See [Prepared Query ACLs](#prepared_query_acls) below for more details.
### Blacklist mode and Keyring Operations ### Blacklist mode and Keyring Operations
@ -261,7 +261,7 @@ event "destroy-" {
} }
# Default prepared queries to read-only. # Default prepared queries to read-only.
prepared_query "" { query "" {
policy = "read" policy = "read"
} }
@ -300,7 +300,7 @@ This is equivalent to the following JSON input:
"policy": "deny" "policy": "deny"
} }
}, },
"prepared_query": { "query": {
"": { "": {
"policy": "read" "policy": "read"
} }
@ -375,7 +375,7 @@ These variations are covered here, with examples:
process to use via DNS. process to use via DNS.
* Static queries with a `Name` defined are controlled by the * Static queries with a `Name` defined are controlled by the
[`prepared_query`](/docs/internals/acl.html#prepared_query_acls) ACL policy. [`query`](/docs/internals/acl.html#prepared_query_acls) ACL policy.
Clients are required to have an ACL token with a prefix sufficient to cover Clients are required to have an ACL token with a prefix sufficient to cover
the name they are trying to manage, with a longest prefix match providing a the name they are trying to manage, with a longest prefix match providing a
way to define more specific policies. Clients can list or read queries for way to define more specific policies. Clients can list or read queries for
@ -431,7 +431,7 @@ These differences are outlined in the table below:
<tr> <tr>
<td>Create static query with `Name`</td> <td>Create static query with `Name`</td>
<td>The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query.</td> <td>The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query.</td>
<td>The client token's `prepared_query` ACL policy is used to determine if the client is allowed to register a query for the given `Name`. No `Token` is captured by default unless specifically supplied by the client when creating the query.</td> <td>The client token's `query` ACL policy is used to determine if the client is allowed to register a query for the given `Name`. No `Token` is captured by default unless specifically supplied by the client when creating the query.</td>
</tr> </tr>
<tr> <tr>
<td>Manage static query without `Name`</td> <td>Manage static query without `Name`</td>
@ -441,12 +441,12 @@ These differences are outlined in the table below:
<tr> <tr>
<td>Manage static query with a `Name`</td> <td>Manage static query with a `Name`</td>
<td>The ACL token used to create the query, or a management token must be supplied in order to perform these operations.</td> <td>The ACL token used to create the query, or a management token must be supplied in order to perform these operations.</td>
<td>Similar to create, the client token's `prepared_query` ACL policy is used to determine if these operations are allowed.</td> <td>Similar to create, the client token's `query` ACL policy is used to determine if these operations are allowed.</td>
</tr> </tr>
<tr> <tr>
<td>List queries</td> <td>List queries</td>
<td>A management token is required to list any queries.</td> <td>A management token is required to list any queries.</td>
<td>The client token's `prepared_query` ACL policy is used to determine which queries they can see. Only management tokens can see prepared queries without `Name`.</td> <td>The client token's `query` ACL policy is used to determine which queries they can see. Only management tokens can see prepared queries without `Name`.</td>
</tr> </tr>
<tr> <tr>
<td>Execute query</td> <td>Execute query</td>