acl: remove ACLResolver config fields from consul.Config

agent/agent.go

@@ -1115,21 +1115,7 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
 	if runtimeCfg.ACLMasterToken != "" {
 		cfg.ACLMasterToken = runtimeCfg.ACLMasterToken
 	}
-	if runtimeCfg.ACLTokenTTL != 0 {
+	// TODO: cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings
-		cfg.ACLTokenTTL = runtimeCfg.ACLTokenTTL
-	}
-	if runtimeCfg.ACLPolicyTTL != 0 {
-		cfg.ACLPolicyTTL = runtimeCfg.ACLPolicyTTL
-	}
-	if runtimeCfg.ACLRoleTTL != 0 {
-		cfg.ACLRoleTTL = runtimeCfg.ACLRoleTTL
-	}
-	if runtimeCfg.ACLDefaultPolicy != "" {
-		cfg.ACLDefaultPolicy = runtimeCfg.ACLDefaultPolicy
-	}
-	if runtimeCfg.ACLDownPolicy != "" {
-		cfg.ACLDownPolicy = runtimeCfg.ACLDownPolicy
-	}
 	cfg.ACLTokenReplication = runtimeCfg.ACLTokenReplication
 	cfg.ACLsEnabled = runtimeCfg.ACLsEnabled
 	if runtimeCfg.ACLEnableKeyListPolicy {

agent/consul/acl.go

@@ -212,7 +212,6 @@ type ACLResolverConfig struct {
 	Tokens *token.Store
 }
 
-// TODO: remove these fields from consul.Config and config.RuntimeConfig
 // TODO: rename the fields to remove the ACL prefix
 type ACLResolverSettings struct {
 	ACLsEnabled      bool

agent/consul/acl_endpoint.go

@@ -1390,7 +1390,7 @@ func (a *ACL) GetPolicy(args *structs.ACLPolicyResolveLegacyRequest, reply *stru
 	}
 
 	// Get the policy via the cache
-	parent := a.srv.config.ACLDefaultPolicy
+	parent := a.srv.config.ACLResolverSettings.ACLDefaultPolicy
 
 	ident, policy, err := a.srv.acls.GetMergedPolicyForToken(args.ACL)
 	if err != nil {
@@ -1409,7 +1409,7 @@ func (a *ACL) GetPolicy(args *structs.ACLPolicyResolveLegacyRequest, reply *stru
 
 	// Setup the response
 	reply.ETag = etag
-	reply.TTL = a.srv.config.ACLTokenTTL
+	reply.TTL = a.srv.config.ACLResolverSettings.ACLTokenTTL
 	a.srv.setQueryMeta(&reply.QueryMeta)
 
 	// Only send the policy on an Etag mis-match

agent/consul/acl_test.go

@@ -718,21 +718,11 @@ func (d *ACLResolverTestDelegate) RPC(method string, args interface{}, reply int
 
 func newTestACLResolver(t *testing.T, delegate *ACLResolverTestDelegate, cb func(*ACLResolverConfig)) *ACLResolver {
 	config := DefaultConfig()
-	config.ACLDefaultPolicy = "deny"
+	config.ACLResolverSettings.ACLDefaultPolicy = "deny"
-	config.ACLDownPolicy = "extend-cache"
+	config.ACLResolverSettings.ACLDownPolicy = "extend-cache"
-	config.ACLsEnabled = delegate.enabled
+	config.ACLResolverSettings.ACLsEnabled = delegate.enabled
 	rconf := &ACLResolverConfig{
-		Config: ACLResolverSettings{
+		Config: config.ACLResolverSettings,
-			ACLsEnabled:      config.ACLsEnabled,
-			Datacenter:       config.Datacenter,
-			NodeName:         config.NodeName,
-			ACLPolicyTTL:     config.ACLPolicyTTL,
-			ACLTokenTTL:      config.ACLTokenTTL,
-			ACLRoleTTL:       config.ACLRoleTTL,
-			ACLDisabledTTL:   config.ACLDisabledTTL,
-			ACLDownPolicy:    config.ACLDownPolicy,
-			ACLDefaultPolicy: config.ACLDefaultPolicy,
-		},
 		Logger: testutil.Logger(t),
 		CacheConfig: &structs.ACLCachesConfig{
 			Identities:     4,
@@ -2215,7 +2205,7 @@ func TestACL_Replication(t *testing.T) {
 		dir2, s2 := testServerWithConfig(t, func(c *Config) {
 			c.Datacenter = "dc2"
 			c.PrimaryDatacenter = "dc1"
-			c.ACLDefaultPolicy = "deny"
+			c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 			c.ACLDownPolicy = aclDownPolicy
 			c.ACLTokenReplication = true
 			c.ACLReplicationRate = 100

agent/consul/auto_config_endpoint.go

@@ -188,12 +188,12 @@ func (ac *AutoConfig) updateTLSCertificatesInConfig(opts AutoConfigOptions, resp
 func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautoconf.AutoConfigResponse) error {
 	acl := &pbconfig.ACL{
 		Enabled:             ac.config.ACLsEnabled,
-		PolicyTTL:           ac.config.ACLPolicyTTL.String(),
+		PolicyTTL:           ac.config.ACLResolverSettings.ACLPolicyTTL.String(),
-		RoleTTL:             ac.config.ACLRoleTTL.String(),
+		RoleTTL:             ac.config.ACLResolverSettings.ACLRoleTTL.String(),
-		TokenTTL:            ac.config.ACLTokenTTL.String(),
+		TokenTTL:            ac.config.ACLResolverSettings.ACLTokenTTL.String(),
-		DisabledTTL:         ac.config.ACLDisabledTTL.String(),
+		DisabledTTL:         ac.config.ACLResolverSettings.ACLDisabledTTL.String(),
-		DownPolicy:          ac.config.ACLDownPolicy,
+		DownPolicy:          ac.config.ACLResolverSettings.ACLDownPolicy,
-		DefaultPolicy:       ac.config.ACLDefaultPolicy,
+		DefaultPolicy:       ac.config.ACLResolverSettings.ACLDefaultPolicy,
 		EnableKeyListPolicy: ac.config.ACLEnableKeyListPolicy,
 	}
 

agent/consul/auto_config_endpoint_test.go

@@ -716,15 +716,17 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
 	cases := map[string]testCase{
 		"enabled": {
 			config: Config{
-				Datacenter:             testDC,
+				Datacenter:        testDC,
-				PrimaryDatacenter:      testDC,
+				PrimaryDatacenter: testDC,
-				ACLsEnabled:            true,
+				ACLsEnabled:       true,
-				ACLPolicyTTL:           7 * time.Second,
+				ACLResolverSettings: ACLResolverSettings{
-				ACLRoleTTL:             10 * time.Second,
+					ACLPolicyTTL:     7 * time.Second,
-				ACLTokenTTL:            12 * time.Second,
+					ACLRoleTTL:       10 * time.Second,
-				ACLDisabledTTL:         31 * time.Second,
+					ACLTokenTTL:      12 * time.Second,
-				ACLDefaultPolicy:       "allow",
+					ACLDisabledTTL:   31 * time.Second,
-				ACLDownPolicy:          "deny",
+					ACLDefaultPolicy: "allow",
+					ACLDownPolicy:    "deny",
+				},
 				ACLEnableKeyListPolicy: true,
 			},
 			expectACLToken: true,
@@ -748,15 +750,17 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
 		},
 		"disabled": {
 			config: Config{
-				Datacenter:             testDC,
+				Datacenter:        testDC,
-				PrimaryDatacenter:      testDC,
+				PrimaryDatacenter: testDC,
-				ACLsEnabled:            false,
+				ACLsEnabled:       false,
-				ACLPolicyTTL:           7 * time.Second,
+				ACLResolverSettings: ACLResolverSettings{
-				ACLRoleTTL:             10 * time.Second,
+					ACLPolicyTTL:     7 * time.Second,
-				ACLTokenTTL:            12 * time.Second,
+					ACLRoleTTL:       10 * time.Second,
-				ACLDisabledTTL:         31 * time.Second,
+					ACLTokenTTL:      12 * time.Second,
-				ACLDefaultPolicy:       "allow",
+					ACLDisabledTTL:   31 * time.Second,
-				ACLDownPolicy:          "deny",
+					ACLDefaultPolicy: "allow",
+					ACLDownPolicy:    "deny",
+				},
 				ACLEnableKeyListPolicy: true,
 			},
 			expectACLToken: false,

agent/consul/catalog_endpoint_test.go

@@ -183,7 +183,7 @@ func TestCatalog_Register_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -429,7 +429,7 @@ func TestCatalog_Register_ConnectProxy_ACLDestinationServiceName(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -558,7 +558,7 @@ func TestCatalog_Deregister_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1298,7 +1298,7 @@ func TestCatalog_ListNodes_ACLFilter(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -2416,7 +2416,7 @@ func TestCatalog_ListServiceNodes_ConnectProxy_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -2711,7 +2711,7 @@ func testACLFilterServer(t *testing.T) (dir, token string, srv *Server, codec rp
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 
 	codec = rpcClient(t, srv)
@@ -2874,7 +2874,7 @@ func TestCatalog_NodeServices_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -3287,7 +3287,7 @@ func TestCatalog_GatewayServices_ACLFiltering(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/client.go

@@ -123,17 +123,7 @@ func NewClient(config *Config, deps Deps) (*Client, error) {
 
 	c.useNewACLs = 0
 	aclConfig := ACLResolverConfig{
-		Config: ACLResolverSettings{
+		Config:      config.ACLResolverSettings,
-			ACLsEnabled:      config.ACLsEnabled,
-			Datacenter:       config.Datacenter,
-			NodeName:         config.NodeName,
-			ACLPolicyTTL:     config.ACLPolicyTTL,
-			ACLTokenTTL:      config.ACLTokenTTL,
-			ACLRoleTTL:       config.ACLRoleTTL,
-			ACLDisabledTTL:   config.ACLDisabledTTL,
-			ACLDownPolicy:    config.ACLDownPolicy,
-			ACLDefaultPolicy: config.ACLDefaultPolicy,
-		},
 		Delegate:    c,
 		Logger:      c.logger,
 		AutoDisable: true,

agent/consul/config.go

@@ -175,6 +175,8 @@ type Config struct {
 	// operators track which versions are actively deployed
 	Build string
 
+	ACLResolverSettings ACLResolverSettings
+
 	// ACLEnabled is used to enable ACLs
 	ACLsEnabled bool
 
@@ -183,25 +185,6 @@ type Config struct {
 	// that the Master token is available. This provides the initial token.
 	ACLMasterToken string
 
-	// ACLTokenTTL controls the time-to-live of cached ACL tokens.
-	// It can be set to zero to disable caching, but this adds
-	// a substantial cost.
-	ACLTokenTTL time.Duration
-
-	// ACLPolicyTTL controls the time-to-live of cached ACL policies.
-	// It can be set to zero to disable caching, but this adds
-	// a substantial cost.
-	ACLPolicyTTL time.Duration
-
-	// ACLRoleTTL controls the time-to-live of cached ACL roles.
-	// It can be set to zero to disable caching, but this adds
-	// a substantial cost.
-	ACLRoleTTL time.Duration
-
-	// ACLDisabledTTL is the time between checking if ACLs should be
-	// enabled. This
-	ACLDisabledTTL time.Duration
-
 	// ACLTokenReplication is used to enabled token replication.
 	//
 	// By default policy-only replication is enabled. When token
@@ -209,20 +192,6 @@ type Config struct {
 	// yet upgraded to the new ACLs no replication will be performed
 	ACLTokenReplication bool
 
-	// ACLDefaultPolicy is used to control the ACL interaction when
-	// there is no defined policy. This can be "allow" which means
-	// ACLs are used to deny-list, or "deny" which means ACLs are
-	// allow-lists.
-	ACLDefaultPolicy string
-
-	// ACLDownPolicy controls the behavior of ACLs if the PrimaryDatacenter
-	// cannot be contacted. It can be either "deny" to deny all requests,
-	// "extend-cache" or "async-cache" which ignores the ACLCacheInterval and
-	// uses cached policies.
-	// If a policy is not in the cache, it acts like deny.
-	// "allow" can be used to allow all requests. This is not recommended.
-	ACLDownPolicy string
-
 	// ACLReplicationRate is the max number of replication rounds that can
 	// be run per second. Note that either 1 or 2 RPCs are used during each replication
 	// round
@@ -438,19 +407,20 @@ func (c *Config) CheckProtocolVersion() error {
 }
 
 // CheckACL validates the ACL configuration.
+// TODO: move this to ACLResolverSettings
 func (c *Config) CheckACL() error {
-	switch c.ACLDefaultPolicy {
+	switch c.ACLResolverSettings.ACLDefaultPolicy {
 	case "allow":
 	case "deny":
 	default:
-		return fmt.Errorf("Unsupported default ACL policy: %s", c.ACLDefaultPolicy)
+		return fmt.Errorf("Unsupported default ACL policy: %s", c.ACLResolverSettings.ACLDefaultPolicy)
 	}
-	switch c.ACLDownPolicy {
+	switch c.ACLResolverSettings.ACLDownPolicy {
 	case "allow":
 	case "deny":
 	case "async-cache", "extend-cache":
 	default:
-		return fmt.Errorf("Unsupported down ACL policy: %s", c.ACLDownPolicy)
+		return fmt.Errorf("Unsupported down ACL policy: %s", c.ACLResolverSettings.ACLDownPolicy)
 	}
 	return nil
 }
@@ -463,21 +433,27 @@ func DefaultConfig() *Config {
 	}
 
 	conf := &Config{
-		Build:                                version.Version,
+		Build:             version.Version,
-		Datacenter:                           DefaultDC,
+		Datacenter:        DefaultDC,
-		NodeName:                             hostname,
+		NodeName:          hostname,
-		RPCAddr:                              DefaultRPCAddr,
+		RPCAddr:           DefaultRPCAddr,
-		RaftConfig:                           raft.DefaultConfig(),
+		RaftConfig:        raft.DefaultConfig(),
-		SerfLANConfig:                        libserf.DefaultConfig(),
+		SerfLANConfig:     libserf.DefaultConfig(),
-		SerfWANConfig:                        libserf.DefaultConfig(),
+		SerfWANConfig:     libserf.DefaultConfig(),
-		SerfFloodInterval:                    60 * time.Second,
+		SerfFloodInterval: 60 * time.Second,
-		ReconcileInterval:                    60 * time.Second,
+		ReconcileInterval: 60 * time.Second,
-		ProtocolVersion:                      ProtocolVersion2Compatible,
+		ProtocolVersion:   ProtocolVersion2Compatible,
-		ACLRoleTTL:                           30 * time.Second,
+		ACLResolverSettings: ACLResolverSettings{
-		ACLPolicyTTL:                         30 * time.Second,
+			ACLsEnabled:      false,
-		ACLTokenTTL:                          30 * time.Second,
+			Datacenter:       DefaultDC,
-		ACLDefaultPolicy:                     "allow",
+			NodeName:         hostname,
-		ACLDownPolicy:                        "extend-cache",
+			ACLPolicyTTL:     30 * time.Second,
+			ACLTokenTTL:      30 * time.Second,
+			ACLRoleTTL:       30 * time.Second,
+			ACLDisabledTTL:   30 * time.Second,
+			ACLDownPolicy:    "extend-cache",
+			ACLDefaultPolicy: "allow",
+		},
 		ACLReplicationRate:                   1,
 		ACLReplicationBurst:                  5,
 		ACLReplicationApplyLimit:             100, // ops / sec

agent/consul/config_endpoint_test.go

@@ -155,7 +155,7 @@ func TestConfigEntry_Apply_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -284,7 +284,7 @@ func TestConfigEntry_Get_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -497,7 +497,7 @@ func TestConfigEntry_List_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -582,7 +582,7 @@ func TestConfigEntry_ListAll_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -741,7 +741,7 @@ func TestConfigEntry_Delete_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1963,7 +1963,7 @@ func TestConfigEntry_ResolveServiceConfig_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/connect_ca_endpoint_test.go

@@ -164,7 +164,7 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = TestDefaultMasterToken
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1109,7 +1109,7 @@ func TestConnectCASignValidation(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/coordinate_endpoint_test.go

@@ -197,7 +197,7 @@ func TestCoordinate_Update_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -373,7 +373,7 @@ func TestCoordinate_ListNodes_ACLFilter(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -565,7 +565,7 @@ func TestCoordinate_Node_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/discovery_chain_endpoint_test.go

@@ -27,7 +27,7 @@ func TestDiscoveryChainEndpoint_Get(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/federation_state_endpoint_test.go

@@ -117,7 +117,7 @@ func TestFederationState_Apply_Upsert_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -238,7 +238,7 @@ func TestFederationState_Get_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -410,7 +410,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -426,7 +426,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir2)
 	defer s2.Shutdown()
@@ -686,7 +686,7 @@ func TestFederationState_Apply_Delete_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/health_endpoint_test.go

@@ -984,7 +984,7 @@ func TestHealth_ServiceNodes_ConnectProxy_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1298,7 +1298,7 @@ func TestHealth_ServiceNodes_Ingress_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/intention_endpoint_test.go

@@ -863,7 +863,7 @@ func TestIntentionApply_aclDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1268,7 +1268,7 @@ func TestIntentionApply_aclDelete(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1349,7 +1349,7 @@ func TestIntentionApply_aclUpdate(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1418,7 +1418,7 @@ func TestIntentionApply_aclManagement(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1463,7 +1463,7 @@ func TestIntentionApply_aclUpdateChange(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1528,7 +1528,7 @@ func TestIntentionGet_acl(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1932,7 +1932,7 @@ func TestIntentionCheck_defaultACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1968,7 +1968,7 @@ func TestIntentionCheck_defaultACLAllow(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -2004,7 +2004,7 @@ func TestIntentionCheck_aclDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/internal_endpoint_test.go

@@ -563,8 +563,8 @@ func TestInternal_EventFire_Token(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDownPolicy = "deny"
+		c.ACLResolverSettings.ACLDownPolicy = "deny"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir)
 	defer srv.Shutdown()
@@ -962,7 +962,7 @@ func TestInternal_GatewayServiceDump_Terminating_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1305,7 +1305,7 @@ func TestInternal_GatewayServiceDump_Ingress_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1908,7 +1908,7 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = TestDefaultMasterToken
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -2045,7 +2045,7 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = TestDefaultMasterToken
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/kvs_endpoint_test.go

@@ -85,7 +85,7 @@ func TestKVS_Apply_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -205,7 +205,7 @@ func TestKVS_Get_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -426,7 +426,7 @@ func TestKVSEndpoint_List_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -516,7 +516,7 @@ func TestKVSEndpoint_List_ACLEnableKeyListPolicy(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.ACLEnableKeyListPolicy = true
 	})
 	defer os.RemoveAll(dir1)
@@ -719,7 +719,7 @@ func TestKVSEndpoint_ListKeys_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/leader_connect_test.go

@@ -205,7 +205,7 @@ func TestLeader_SecondaryCA_Initialize(t *testing.T) {
 				c.Build = "1.6.0"
 				c.ACLsEnabled = true
 				c.ACLMasterToken = masterToken
-				c.ACLDefaultPolicy = "deny"
+				c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 				c.CAConfig.Config["PrivateKeyType"] = tc.keyType
 				c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits
 				c.CAConfig.Config["test_state"] = dc1State
@@ -223,7 +223,7 @@ func TestLeader_SecondaryCA_Initialize(t *testing.T) {
 				c.PrimaryDatacenter = "primary"
 				c.Build = "1.6.0"
 				c.ACLsEnabled = true
-				c.ACLDefaultPolicy = "deny"
+				c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 				c.ACLTokenReplication = true
 				c.CAConfig.Config["PrivateKeyType"] = tc.keyType
 				c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits

agent/consul/leader_federation_state_ae_test.go

@@ -360,7 +360,7 @@ func TestLeader_FederationStateAntiEntropyPruning_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -374,7 +374,7 @@ func TestLeader_FederationStateAntiEntropyPruning_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	testrpc.WaitForLeader(t, s2.RPC, "dc2")
 	defer os.RemoveAll(dir2)

agent/consul/leader_intentions_test.go

@@ -30,7 +30,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.Build = "1.6.0"
 		c.OverrideInitialSerfTags = func(tags map[string]string) {
 			tags["ft_si"] = "0"
@@ -64,7 +64,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
 		c.Datacenter = "dc2"
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.ACLTokenReplication = false
 		c.Build = "1.6.0"
 		c.OverrideInitialSerfTags = func(tags map[string]string) {

agent/consul/leader_test.go

@@ -32,7 +32,7 @@ func TestLeader_RegisterMember(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -109,7 +109,7 @@ func TestLeader_FailedMember(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -175,7 +175,7 @@ func TestLeader_LeftMember(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -227,7 +227,7 @@ func TestLeader_ReapMember(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -294,7 +294,7 @@ func TestLeader_CheckServersMeta(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 		c.Bootstrap = true
 	})
 	defer os.RemoveAll(dir1)
@@ -304,7 +304,7 @@ func TestLeader_CheckServersMeta(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 		c.Bootstrap = false
 	})
 	defer os.RemoveAll(dir2)
@@ -314,7 +314,7 @@ func TestLeader_CheckServersMeta(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 		c.Bootstrap = false
 	})
 	defer os.RemoveAll(dir3)
@@ -402,7 +402,7 @@ func TestLeader_ReapServer(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 		c.Bootstrap = true
 	})
 	defer os.RemoveAll(dir1)
@@ -412,7 +412,7 @@ func TestLeader_ReapServer(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 		c.Bootstrap = false
 	})
 	defer os.RemoveAll(dir2)
@@ -422,7 +422,7 @@ func TestLeader_ReapServer(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 		c.Bootstrap = false
 	})
 	defer os.RemoveAll(dir3)
@@ -483,7 +483,7 @@ func TestLeader_Reconcile_ReapMember(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -537,7 +537,7 @@ func TestLeader_Reconcile(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -892,7 +892,7 @@ func TestLeader_ReapTombstones(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.TombstoneTTL = 50 * time.Millisecond
 		c.TombstoneTTLGranularity = 10 * time.Millisecond
 	})

agent/consul/operator_autopilot_endpoint_test.go

@@ -55,7 +55,7 @@ func TestOperator_Autopilot_GetConfiguration_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.AutopilotConfig.CleanupDeadServers = false
 	})
 	defer os.RemoveAll(dir1)
@@ -159,7 +159,7 @@ func TestOperator_Autopilot_SetConfiguration_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.AutopilotConfig.CleanupDeadServers = false
 	})
 	defer os.RemoveAll(dir1)

agent/consul/operator_raft_endpoint_test.go

@@ -73,7 +73,7 @@ func TestOperator_RaftGetConfiguration_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -221,7 +221,7 @@ func TestOperator_RaftRemovePeerByAddress_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -350,7 +350,7 @@ func TestOperator_RaftRemovePeerByID_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.RaftConfig.ProtocolVersion = 3
 	})
 	defer os.RemoveAll(dir1)

agent/consul/prepared_query_endpoint_test.go

@@ -201,7 +201,7 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -647,7 +647,7 @@ func TestPreparedQuery_ACLDeny_Catchall_Template(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -866,7 +866,7 @@ func TestPreparedQuery_Get(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1124,7 +1124,7 @@ func TestPreparedQuery_List(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1337,7 +1337,7 @@ func TestPreparedQuery_Explain(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1478,7 +1478,7 @@ func TestPreparedQuery_Execute(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1490,7 +1490,7 @@ func TestPreparedQuery_Execute(t *testing.T) {
 		c.Datacenter = "dc2"
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir2)
 	defer s2.Shutdown()
@@ -2784,7 +2784,7 @@ func TestPreparedQuery_Wrapper(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -2794,7 +2794,7 @@ func TestPreparedQuery_Wrapper(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir2)
 	defer s2.Shutdown()

agent/consul/rpc_test.go

@@ -829,7 +829,7 @@ func TestRPC_LocalTokenStrippedOnForward(t *testing.T) {
 	dir1, s1 := testServerWithConfig(t, func(c *Config) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.ACLMasterToken = "root"
 	})
 	defer os.RemoveAll(dir1)
@@ -842,7 +842,7 @@ func TestRPC_LocalTokenStrippedOnForward(t *testing.T) {
 		c.Datacenter = "dc2"
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.ACLTokenReplication = true
 		c.ACLReplicationRate = 100
 		c.ACLReplicationBurst = 100

agent/consul/server.go

@@ -426,17 +426,7 @@ func NewServer(config *Config, flat Deps) (*Server, error) {
 	s.aclConfig = newACLConfig(logger)
 	s.useNewACLs = 0
 	aclConfig := ACLResolverConfig{
-		Config: ACLResolverSettings{
+		Config:      config.ACLResolverSettings,
-			ACLsEnabled:      config.ACLsEnabled,
-			Datacenter:       config.Datacenter,
-			NodeName:         config.NodeName,
-			ACLPolicyTTL:     config.ACLPolicyTTL,
-			ACLTokenTTL:      config.ACLTokenTTL,
-			ACLRoleTTL:       config.ACLRoleTTL,
-			ACLDisabledTTL:   config.ACLDisabledTTL,
-			ACLDownPolicy:    config.ACLDownPolicy,
-			ACLDefaultPolicy: config.ACLDefaultPolicy,
-		},
 		Delegate:    s,
 		CacheConfig: serverACLCacheConfig,
 		AutoDisable: false,

agent/consul/server_test.go

@@ -77,7 +77,7 @@ func testServerACLConfig(cb func(*Config)) func(*Config) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = TestDefaultMasterToken
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 
 		if cb != nil {
 			cb(c)

agent/consul/session_endpoint_test.go

@@ -157,7 +157,7 @@ func TestSession_Apply_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -395,7 +395,7 @@ func TestSession_Get_List_NodeSessions_ACLFilter(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -754,7 +754,7 @@ func TestSession_Renew_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/snapshot_endpoint_test.go

@@ -272,7 +272,7 @@ func TestSnapshot_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/txn_endpoint_test.go

@@ -322,7 +322,7 @@ func TestTxn_Apply_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -857,7 +857,7 @@ func TestTxn_Read_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()