Merge pull request #10814 from hashicorp/dnephin/acl-resolver-4

acl: remove ACLDisabledTTL
This commit is contained in:
Daniel Nephin 2021-08-17 14:19:00 -04:00 committed by GitHub
commit 9c99249427
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 179 additions and 133 deletions

View File

@ -3,13 +3,14 @@ package autoconf
import (
"fmt"
"github.com/mitchellh/mapstructure"
"github.com/hashicorp/consul/agent/config"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/proto"
"github.com/hashicorp/consul/proto/pbautoconf"
"github.com/hashicorp/consul/proto/pbconfig"
"github.com/hashicorp/consul/proto/pbconnect"
"github.com/mitchellh/mapstructure"
)
// translateAgentConfig is meant to take in a proto/pbconfig.Config type
@ -48,7 +49,6 @@ func translateConfig(c *pbconfig.Config) config.Config {
DownPolicy: stringPtrOrNil(a.DownPolicy),
DefaultPolicy: stringPtrOrNil(a.DefaultPolicy),
EnableKeyListPolicy: &a.EnableKeyListPolicy,
DisabledTTL: stringPtrOrNil(a.DisabledTTL),
EnableTokenPersistence: &a.EnableTokenPersistence,
}

View File

@ -4,11 +4,12 @@ import (
"fmt"
"testing"
"github.com/stretchr/testify/require"
"github.com/hashicorp/consul/agent/config"
"github.com/hashicorp/consul/agent/structs"
pbconfig "github.com/hashicorp/consul/proto/pbconfig"
"github.com/hashicorp/consul/proto/pbconnect"
"github.com/stretchr/testify/require"
)
func stringPointer(s string) *string {
@ -65,7 +66,6 @@ func TestTranslateConfig(t *testing.T) {
DownPolicy: "deny",
DefaultPolicy: "deny",
EnableKeyListPolicy: true,
DisabledTTL: "4s",
EnableTokenPersistence: true,
MSPDisableBootstrap: false,
Tokens: &pbconfig.ACLTokens{
@ -127,7 +127,6 @@ func TestTranslateConfig(t *testing.T) {
DownPolicy: stringPointer("deny"),
DefaultPolicy: stringPointer("deny"),
EnableKeyListPolicy: boolPointer(true),
DisabledTTL: stringPointer("4s"),
EnableTokenPersistence: boolPointer(true),
Tokens: config.Tokens{
Master: stringPointer("99e7e490-6baf-43fc-9010-78b6aa9a6813"),

View File

@ -873,7 +873,6 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
ACLPolicyTTL: b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
ACLTokenTTL: b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)),
ACLRoleTTL: b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
ACLDisabledTTL: b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL),
ACLDownPolicy: stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)),
ACLDefaultPolicy: stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)),
},

View File

@ -268,8 +268,6 @@ type Config struct {
SnapshotAgent map[string]interface{} `mapstructure:"snapshot_agent"`
// non-user configurable values
// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl" stanza
ACLDisabledTTL *string `mapstructure:"acl_disabled_ttl"`
AEInterval *string `mapstructure:"ae_interval"`
CheckDeregisterIntervalMin *string `mapstructure:"check_deregister_interval_min"`
CheckReapInterval *string `mapstructure:"check_reap_interval"`
@ -741,7 +739,6 @@ type ACL struct {
DefaultPolicy *string `mapstructure:"default_policy"`
EnableKeyListPolicy *bool `mapstructure:"enable_key_list_policy"`
Tokens Tokens `mapstructure:"tokens"`
DisabledTTL *string `mapstructure:"disabled_ttl"`
EnableTokenPersistence *bool `mapstructure:"enable_token_persistence"`
// Enterprise Only

View File

@ -184,9 +184,6 @@ func NonUserSource() Source {
Name: "non-user",
Format: "hcl",
Data: `
acl = {
disabled_ttl = "120s"
}
check_deregister_interval_min = "1m"
check_reap_interval = "30s"
ae_interval = "1m"

View File

@ -5241,7 +5241,6 @@ func TestLoad_FullConfig(t *testing.T) {
ACLsEnabled: true,
Datacenter: "rzo029wg",
NodeName: "otlLxGaI",
ACLDisabledTTL: 120 * time.Second,
ACLDefaultPolicy: "72c2e7a0",
ACLDownPolicy: "03eb2aee",
ACLTokenTTL: 3321 * time.Second,

View File

@ -3,7 +3,6 @@
"ACLMasterToken": "hidden",
"ACLResolverSettings": {
"ACLDefaultPolicy": "",
"ACLDisabledTTL": "0s",
"ACLDownPolicy": "",
"ACLPolicyTTL": "0s",
"ACLRoleTTL": "0s",

View File

@ -199,10 +199,11 @@ type ACLResolverConfig struct {
// Delegate that implements some helper functionality that is server/client specific
Delegate ACLResolverDelegate
// AutoDisable indicates that RPC responses should be checked and if they indicate ACLs are disabled
// remotely then disable them locally as well. This is particularly useful for the client agent
// so that it can detect when the servers have gotten ACLs enabled.
AutoDisable bool
// DisableDuration is the length of time to leave ACLs disabled when an RPC
// request to a server indicates that the ACL system is disabled. If set to
// 0 then ACLs will not be disabled locally. This value is always set to 0 on
// Servers.
DisableDuration time.Duration
// ACLConfig is the configuration necessary to pass through to the acl package when creating authorizers
// and when authorizing access
@ -212,6 +213,8 @@ type ACLResolverConfig struct {
Tokens *token.Store
}
const aclClientDisabledTTL = 30 * time.Second
// TODO: rename the fields to remove the ACL prefix
type ACLResolverSettings struct {
ACLsEnabled bool
@ -228,11 +231,6 @@ type ACLResolverSettings struct {
// a major impact on performance. By default, it is set to 30 seconds.
ACLRoleTTL time.Duration
// ACLDisabledTTL is used by agents to determine how long they will
// wait to check again with the servers if they discover ACLs are not
// enabled. (not user configurable)
ACLDisabledTTL time.Duration
// ACLDownPolicy is used to control the ACL interaction when we cannot
// reach the PrimaryDatacenter and the token is not in the cache.
// There are the following modes:
@ -295,8 +293,9 @@ type ACLResolver struct {
down acl.Authorizer
autoDisable bool
disabled time.Time
disableDuration time.Duration
disabledUntil time.Time
// disabledLock synchronizes access to disabledUntil
disabledLock sync.RWMutex
agentMasterAuthz acl.Authorizer
@ -367,7 +366,7 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
delegate: config.Delegate,
aclConf: config.ACLConfig,
cache: cache,
autoDisable: config.AutoDisable,
disableDuration: config.DisableDuration,
down: down,
tokens: config.Tokens,
agentMasterAuthz: authz,
@ -1195,17 +1194,15 @@ func (r *ACLResolver) resolveTokenToIdentityAndRoles(token string) (structs.ACLI
return lastIdentity, nil, lastErr
}
func (r *ACLResolver) disableACLsWhenUpstreamDisabled(err error) error {
if !r.autoDisable || err == nil || !acl.IsErrDisabled(err) {
return err
func (r *ACLResolver) handleACLDisabledError(err error) {
if r.disableDuration == 0 || err == nil || !acl.IsErrDisabled(err) {
return
}
r.logger.Debug("ACLs disabled on upstream servers, will retry", "retry_interval", r.config.ACLDisabledTTL)
r.logger.Debug("ACLs disabled on servers, will retry", "retry_interval", r.disableDuration)
r.disabledLock.Lock()
r.disabled = time.Now().Add(r.config.ACLDisabledTTL)
r.disabledUntil = time.Now().Add(r.disableDuration)
r.disabledLock.Unlock()
return err
}
func (r *ACLResolver) resolveLocallyManagedToken(token string) (structs.ACLIdentity, acl.Authorizer, bool) {
@ -1241,14 +1238,15 @@ func (r *ACLResolver) ResolveTokenToIdentityAndAuthorizer(token string) (structs
if r.delegate.UseLegacyACLs() {
identity, authorizer, err := r.resolveTokenLegacy(token)
return identity, authorizer, r.disableACLsWhenUpstreamDisabled(err)
r.handleACLDisabledError(err)
return identity, authorizer, err
}
defer metrics.MeasureSince([]string{"acl", "ResolveToken"}, time.Now())
identity, policies, err := r.resolveTokenToIdentityAndPolicies(token)
if err != nil {
r.disableACLsWhenUpstreamDisabled(err)
r.handleACLDisabledError(err)
if IsACLRemoteError(err) {
r.logger.Error("Error resolving token", "error", err)
return &missingIdentity{reason: "primary-dc-down", token: token}, r.down, nil
@ -1305,7 +1303,8 @@ func (r *ACLResolver) ResolveTokenToIdentity(token string) (structs.ACLIdentity,
if r.delegate.UseLegacyACLs() {
identity, _, err := r.resolveTokenLegacy(token)
return identity, r.disableACLsWhenUpstreamDisabled(err)
r.handleACLDisabledError(err)
return identity, err
}
defer metrics.MeasureSince([]string{"acl", "ResolveTokenToIdentity"}, time.Now())
@ -1319,11 +1318,11 @@ func (r *ACLResolver) ACLsEnabled() bool {
return false
}
if r.autoDisable {
if r.disableDuration != 0 {
// Whether ACLs are disabled according to RPCs failing with a ACLs Disabled error
r.disabledLock.RLock()
defer r.disabledLock.RUnlock()
return !time.Now().Before(r.disabled)
return time.Now().After(r.disabledUntil)
}
return true

View File

@ -731,8 +731,8 @@ func newTestACLResolver(t *testing.T, delegate *ACLResolverTestDelegate, cb func
Authorizers: 4,
Roles: 4,
},
AutoDisable: true,
Delegate: delegate,
DisableDuration: aclClientDisabledTTL,
Delegate: delegate,
}
if cb != nil {
@ -3565,7 +3565,7 @@ func TestACLResolver_AgentMaster(t *testing.T) {
r := newTestACLResolver(t, d, func(cfg *ACLResolverConfig) {
cfg.Tokens = &tokens
cfg.Config.NodeName = "foo"
cfg.AutoDisable = false
cfg.DisableDuration = 0
})
tokens.UpdateAgentMasterToken("9a184a11-5599-459e-b71a-550e5f9a5a23", token.TokenSourceConfig)
@ -3580,3 +3580,61 @@ func TestACLResolver_AgentMaster(t *testing.T) {
require.Equal(t, acl.Allow, authz.NodeRead("bar", nil))
require.Equal(t, acl.Deny, authz.NodeWrite("bar", nil))
}
func TestACLResolver_ACLsEnabled(t *testing.T) {
type testCase struct {
name string
resolver *ACLResolver
enabled bool
}
run := func(t *testing.T, tc testCase) {
require.Equal(t, tc.enabled, tc.resolver.ACLsEnabled())
}
var testCases = []testCase{
{
name: "config disabled",
resolver: &ACLResolver{},
},
{
name: "config enabled, disableDuration=0 (Server)",
resolver: &ACLResolver{
config: ACLResolverSettings{ACLsEnabled: true},
},
enabled: true,
},
{
name: "config enabled, disabled by RPC (Client)",
resolver: &ACLResolver{
config: ACLResolverSettings{ACLsEnabled: true},
disableDuration: 10 * time.Second,
disabledUntil: time.Now().Add(5 * time.Second),
},
},
{
name: "config enabled, past disabledUntil (Client)",
resolver: &ACLResolver{
config: ACLResolverSettings{ACLsEnabled: true},
disableDuration: 10 * time.Second,
disabledUntil: time.Now().Add(-5 * time.Second),
},
enabled: true,
},
{
name: "config enabled, no disabledUntil (Client)",
resolver: &ACLResolver{
config: ACLResolverSettings{ACLsEnabled: true},
disableDuration: 10 * time.Second,
},
enabled: true,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
run(t, tc)
})
}
}

View File

@ -191,7 +191,6 @@ func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautocon
PolicyTTL: ac.config.ACLResolverSettings.ACLPolicyTTL.String(),
RoleTTL: ac.config.ACLResolverSettings.ACLRoleTTL.String(),
TokenTTL: ac.config.ACLResolverSettings.ACLTokenTTL.String(),
DisabledTTL: ac.config.ACLResolverSettings.ACLDisabledTTL.String(),
DownPolicy: ac.config.ACLResolverSettings.ACLDownPolicy,
DefaultPolicy: ac.config.ACLResolverSettings.ACLDefaultPolicy,
EnableKeyListPolicy: ac.config.ACLEnableKeyListPolicy,

View File

@ -153,8 +153,6 @@ func TestAutoConfigInitialConfiguration(t *testing.T) {
}
c.AutoConfigAuthzAllowReuse = true
c.ACLResolverSettings.ACLDisabledTTL = 12 * time.Second
cafile := path.Join(c.DataDir, "cacert.pem")
err := ioutil.WriteFile(cafile, []byte(cacert), 0600)
require.NoError(t, err)
@ -265,7 +263,6 @@ func TestAutoConfigInitialConfiguration(t *testing.T) {
PolicyTTL: "30s",
TokenTTL: "30s",
RoleTTL: "30s",
DisabledTTL: "12s",
DownPolicy: "extend-cache",
DefaultPolicy: "deny",
Tokens: &pbconfig.ACLTokens{
@ -725,7 +722,6 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
ACLPolicyTTL: 7 * time.Second,
ACLRoleTTL: 10 * time.Second,
ACLTokenTTL: 12 * time.Second,
ACLDisabledTTL: 31 * time.Second,
ACLDefaultPolicy: "allow",
ACLDownPolicy: "deny",
},
@ -739,7 +735,6 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
PolicyTTL: "7s",
RoleTTL: "10s",
TokenTTL: "12s",
DisabledTTL: "31s",
DownPolicy: "deny",
DefaultPolicy: "allow",
EnableKeyListPolicy: true,
@ -759,7 +754,6 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
ACLPolicyTTL: 7 * time.Second,
ACLRoleTTL: 10 * time.Second,
ACLTokenTTL: 12 * time.Second,
ACLDisabledTTL: 31 * time.Second,
ACLDefaultPolicy: "allow",
ACLDownPolicy: "deny",
},
@ -773,7 +767,6 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
PolicyTTL: "7s",
RoleTTL: "10s",
TokenTTL: "12s",
DisabledTTL: "31s",
DownPolicy: "deny",
DefaultPolicy: "allow",
EnableKeyListPolicy: true,

View File

@ -123,13 +123,13 @@ func NewClient(config *Config, deps Deps) (*Client, error) {
c.useNewACLs = 0
aclConfig := ACLResolverConfig{
Config: config.ACLResolverSettings,
Delegate: c,
Logger: c.logger,
AutoDisable: true,
CacheConfig: clientACLCacheConfig,
ACLConfig: newACLConfig(c.logger),
Tokens: deps.Tokens,
Config: config.ACLResolverSettings,
Delegate: c,
Logger: c.logger,
DisableDuration: aclClientDisabledTTL,
CacheConfig: clientACLCacheConfig,
ACLConfig: newACLConfig(c.logger),
Tokens: deps.Tokens,
}
var err error
if c.acls, err = NewACLResolver(&aclConfig); err != nil {

View File

@ -450,7 +450,6 @@ func DefaultConfig() *Config {
ACLPolicyTTL: 30 * time.Second,
ACLTokenTTL: 30 * time.Second,
ACLRoleTTL: 30 * time.Second,
ACLDisabledTTL: 30 * time.Second,
ACLDownPolicy: "extend-cache",
ACLDefaultPolicy: "allow",
},

View File

@ -345,6 +345,9 @@ func TestCAManager_UpdateConfigWhileRenewIntermediate(t *testing.T) {
}
func TestCAManager_SignLeafWithExpiredCert(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
}
args := []struct {
testName string

View File

@ -429,7 +429,6 @@ func NewServer(config *Config, flat Deps) (*Server, error) {
Config: config.ACLResolverSettings,
Delegate: s,
CacheConfig: serverACLCacheConfig,
AutoDisable: false,
Logger: logger,
ACLConfig: s.aclConfig,
Tokens: flat.Tokens,

View File

@ -323,20 +323,22 @@ func (m *TLS) GetPreferServerCipherSuites() bool {
}
type ACL struct {
Enabled bool `protobuf:"varint,1,opt,name=Enabled,proto3" json:"Enabled,omitempty"`
PolicyTTL string `protobuf:"bytes,2,opt,name=PolicyTTL,proto3" json:"PolicyTTL,omitempty"`
RoleTTL string `protobuf:"bytes,3,opt,name=RoleTTL,proto3" json:"RoleTTL,omitempty"`
TokenTTL string `protobuf:"bytes,4,opt,name=TokenTTL,proto3" json:"TokenTTL,omitempty"`
DownPolicy string `protobuf:"bytes,5,opt,name=DownPolicy,proto3" json:"DownPolicy,omitempty"`
DefaultPolicy string `protobuf:"bytes,6,opt,name=DefaultPolicy,proto3" json:"DefaultPolicy,omitempty"`
EnableKeyListPolicy bool `protobuf:"varint,7,opt,name=EnableKeyListPolicy,proto3" json:"EnableKeyListPolicy,omitempty"`
Tokens *ACLTokens `protobuf:"bytes,8,opt,name=Tokens,proto3" json:"Tokens,omitempty"`
DisabledTTL string `protobuf:"bytes,9,opt,name=DisabledTTL,proto3" json:"DisabledTTL,omitempty"`
EnableTokenPersistence bool `protobuf:"varint,10,opt,name=EnableTokenPersistence,proto3" json:"EnableTokenPersistence,omitempty"`
MSPDisableBootstrap bool `protobuf:"varint,11,opt,name=MSPDisableBootstrap,proto3" json:"MSPDisableBootstrap,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
Enabled bool `protobuf:"varint,1,opt,name=Enabled,proto3" json:"Enabled,omitempty"`
PolicyTTL string `protobuf:"bytes,2,opt,name=PolicyTTL,proto3" json:"PolicyTTL,omitempty"`
RoleTTL string `protobuf:"bytes,3,opt,name=RoleTTL,proto3" json:"RoleTTL,omitempty"`
TokenTTL string `protobuf:"bytes,4,opt,name=TokenTTL,proto3" json:"TokenTTL,omitempty"`
DownPolicy string `protobuf:"bytes,5,opt,name=DownPolicy,proto3" json:"DownPolicy,omitempty"`
DefaultPolicy string `protobuf:"bytes,6,opt,name=DefaultPolicy,proto3" json:"DefaultPolicy,omitempty"`
EnableKeyListPolicy bool `protobuf:"varint,7,opt,name=EnableKeyListPolicy,proto3" json:"EnableKeyListPolicy,omitempty"`
Tokens *ACLTokens `protobuf:"bytes,8,opt,name=Tokens,proto3" json:"Tokens,omitempty"`
// Deprecated_DisabledTTL is deprecated. It is no longer populated and should
// be ignored by clients.
Deprecated_DisabledTTL string `protobuf:"bytes,9,opt,name=Deprecated_DisabledTTL,json=DeprecatedDisabledTTL,proto3" json:"Deprecated_DisabledTTL,omitempty"` // Deprecated: Do not use.
EnableTokenPersistence bool `protobuf:"varint,10,opt,name=EnableTokenPersistence,proto3" json:"EnableTokenPersistence,omitempty"`
MSPDisableBootstrap bool `protobuf:"varint,11,opt,name=MSPDisableBootstrap,proto3" json:"MSPDisableBootstrap,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
}
func (m *ACL) Reset() { *m = ACL{} }
@ -428,9 +430,10 @@ func (m *ACL) GetTokens() *ACLTokens {
return nil
}
func (m *ACL) GetDisabledTTL() string {
// Deprecated: Do not use.
func (m *ACL) GetDeprecated_DisabledTTL() string {
if m != nil {
return m.DisabledTTL
return m.Deprecated_DisabledTTL
}
return ""
}
@ -676,57 +679,58 @@ func init() {
func init() { proto.RegisterFile("proto/pbconfig/config.proto", fileDescriptor_aefa824db7b74d77) }
var fileDescriptor_aefa824db7b74d77 = []byte{
// 787 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x55, 0xdd, 0x6e, 0xe2, 0x46,
0x14, 0xae, 0xe3, 0xc4, 0x09, 0x43, 0x1b, 0x25, 0x93, 0x88, 0x5a, 0xfd, 0xa1, 0xc8, 0xaa, 0x22,
0x5a, 0x55, 0xa1, 0xa2, 0x6a, 0x55, 0x55, 0xbd, 0x21, 0x10, 0xb5, 0x34, 0x40, 0x91, 0x4d, 0x53,
0xa9, 0x77, 0xc6, 0x0c, 0x30, 0xaa, 0x99, 0xb1, 0xc6, 0x43, 0x22, 0xde, 0xa4, 0xd7, 0x7d, 0x83,
0x7d, 0x8b, 0xbd, 0xdc, 0x47, 0xd8, 0xcd, 0xbe, 0xc0, 0x3e, 0xc2, 0xea, 0xcc, 0x8c, 0x8d, 0x9d,
0x85, 0x2b, 0x38, 0xdf, 0xf7, 0xcd, 0x99, 0x6f, 0xe6, 0x9c, 0x33, 0x46, 0x9f, 0x27, 0x82, 0x4b,
0xde, 0x4a, 0xa6, 0x11, 0x67, 0x73, 0xba, 0x68, 0xe9, 0x9f, 0x6b, 0x85, 0x62, 0x47, 0x47, 0xde,
0x8b, 0x03, 0xe4, 0x74, 0xd5, 0x5f, 0x5c, 0x47, 0xa8, 0x17, 0xca, 0x30, 0x22, 0x4c, 0x12, 0xe1,
0x5a, 0x0d, 0xab, 0x59, 0xf1, 0x0b, 0x08, 0xfe, 0x0e, 0x9d, 0x8f, 0x05, 0x5d, 0x85, 0x62, 0x53,
0x90, 0x1d, 0x28, 0xd9, 0x87, 0x04, 0xfe, 0x0c, 0x9d, 0x8c, 0xf8, 0x8c, 0x8c, 0xc2, 0x15, 0x71,
0x6d, 0x25, 0xca, 0x63, 0xdc, 0x40, 0xd5, 0x80, 0x2c, 0x56, 0x84, 0x49, 0x45, 0x1f, 0x2a, 0xba,
0x08, 0xe1, 0x2f, 0x91, 0xdd, 0xe9, 0x0e, 0xdc, 0xa3, 0x86, 0xd5, 0xac, 0xb6, 0xab, 0xd7, 0xc6,
0x7a, 0xa7, 0x3b, 0xf0, 0x01, 0xc7, 0x3f, 0xa2, 0x6a, 0x67, 0x2d, 0xf9, 0x2d, 0x8b, 0xc4, 0x26,
0x91, 0xae, 0xa3, 0x64, 0x17, 0xb9, 0x6c, 0x4b, 0xf9, 0x45, 0x1d, 0xbe, 0x42, 0xce, 0x6f, 0x3c,
0x4d, 0x69, 0xe2, 0x1e, 0xab, 0x15, 0xa7, 0xd9, 0x0a, 0x8d, 0xfa, 0x86, 0x85, 0xdd, 0x27, 0x83,
0xc0, 0x3d, 0x29, 0xef, 0x3e, 0x19, 0x04, 0x3e, 0xe0, 0xde, 0x3c, 0x4b, 0x83, 0x7f, 0x46, 0xc8,
0xe4, 0xa6, 0x9c, 0xa9, 0x2b, 0xab, 0xb6, 0xdd, 0x72, 0xd2, 0x2d, 0xef, 0x17, 0xb4, 0xd8, 0x43,
0x1f, 0xfb, 0x44, 0x8a, 0xcd, 0x1f, 0x9c, 0xb2, 0x41, 0x67, 0xe4, 0x1e, 0x34, 0xec, 0x66, 0xc5,
0x2f, 0x61, 0x9e, 0x44, 0x67, 0xcf, 0x73, 0xe0, 0x33, 0x64, 0xdf, 0x91, 0x8d, 0xa9, 0x0e, 0xfc,
0xc5, 0x57, 0xe8, 0xf4, 0x9e, 0x08, 0x3a, 0xdf, 0xf4, 0x59, 0xc4, 0x57, 0x94, 0x2d, 0x54, 0x4d,
0x4e, 0xfc, 0x67, 0xe8, 0x56, 0xf7, 0xe7, 0x5a, 0x2e, 0x38, 0xe8, 0xec, 0xa2, 0x2e, 0x43, 0xbd,
0x37, 0x96, 0x3a, 0xfd, 0x0e, 0xbd, 0xb5, 0x4b, 0x8f, 0xdb, 0xe8, 0x52, 0x23, 0x01, 0x11, 0x0f,
0x44, 0xfc, 0xce, 0x53, 0xc9, 0xa0, 0xaa, 0xda, 0xc5, 0x4e, 0x0e, 0x4e, 0xdf, 0xa5, 0xc9, 0x92,
0x88, 0x60, 0x4d, 0x25, 0x49, 0x4d, 0x83, 0x94, 0x30, 0x68, 0xc7, 0x21, 0x65, 0xf7, 0x44, 0xa4,
0x70, 0xb7, 0xba, 0x47, 0x0a, 0x08, 0xfe, 0x05, 0xb9, 0x63, 0x41, 0xe6, 0x44, 0xe8, 0xdc, 0xa5,
0x7c, 0x47, 0x6a, 0xef, 0xbd, 0xbc, 0xf7, 0xbf, 0xad, 0xfa, 0x0b, 0xbb, 0xe8, 0xf8, 0x96, 0x85,
0xd3, 0x98, 0xcc, 0xcc, 0xe1, 0xb2, 0x10, 0x7f, 0x81, 0x2a, 0x63, 0x1e, 0xd3, 0x68, 0x33, 0x99,
0x0c, 0x4c, 0x93, 0x6f, 0x01, 0x58, 0xe7, 0xf3, 0x98, 0x00, 0xa7, 0xad, 0x67, 0x21, 0xb4, 0xfd,
0x84, 0xff, 0x4b, 0x18, 0x50, 0xda, 0x73, 0x1e, 0xab, 0x01, 0xe3, 0x8f, 0x4c, 0xa7, 0x51, 0x1e,
0x61, 0xc0, 0x72, 0x04, 0x7f, 0x8d, 0x3e, 0xe9, 0x91, 0x79, 0xb8, 0x8e, 0xa5, 0x91, 0x38, 0x4a,
0x52, 0x06, 0xf1, 0xf7, 0xe8, 0x42, 0x9b, 0xbc, 0x23, 0x9b, 0x01, 0x4d, 0x33, 0xed, 0xb1, 0xf2,
0xbf, 0x8b, 0xc2, 0xdf, 0x20, 0x47, 0x79, 0x48, 0x4d, 0x47, 0x9f, 0x17, 0xe6, 0x49, 0x13, 0xbe,
0x11, 0xc0, 0x64, 0xf6, 0x68, 0xaa, 0xae, 0x00, 0x4e, 0x50, 0xd1, 0x93, 0x59, 0x80, 0xf0, 0x4f,
0xa8, 0xa6, 0xf7, 0x50, 0x2b, 0xc6, 0x50, 0x8c, 0x54, 0x12, 0x16, 0x11, 0x17, 0x29, 0x07, 0x7b,
0x58, 0xb0, 0x3d, 0x0c, 0xc6, 0x26, 0xd3, 0x0d, 0xe7, 0x32, 0x95, 0x22, 0x4c, 0xdc, 0xaa, 0xb6,
0xbd, 0x83, 0xf2, 0xde, 0x59, 0xa8, 0x92, 0x3b, 0xc4, 0x35, 0xe4, 0x0c, 0xc3, 0x74, 0xfb, 0x32,
0x99, 0x08, 0x1c, 0xfb, 0x24, 0x89, 0x69, 0x14, 0xaa, 0x19, 0xd4, 0xa5, 0x2a, 0x42, 0xa0, 0xe8,
0x2c, 0x08, 0x93, 0x66, 0xb9, 0x2e, 0x58, 0x11, 0x82, 0x72, 0x9a, 0x3b, 0x36, 0x35, 0xcb, 0x42,
0x7c, 0x89, 0x8e, 0x94, 0xd0, 0x54, 0x4b, 0x07, 0xf8, 0x6f, 0x54, 0x1b, 0x86, 0x2c, 0x5c, 0x90,
0x19, 0xf4, 0x16, 0x8d, 0xc8, 0x58, 0xf0, 0x07, 0x3a, 0x23, 0xc2, 0x75, 0x1a, 0x76, 0xb3, 0xda,
0xfe, 0xaa, 0x70, 0xc1, 0xcf, 0x14, 0xea, 0x34, 0xfe, 0x9e, 0xe5, 0xde, 0x5f, 0xe8, 0xd3, 0x3d,
0x4b, 0xa0, 0x79, 0x3a, 0x51, 0x44, 0xd2, 0x94, 0x8b, 0x7e, 0x2f, 0x7b, 0x9d, 0xb7, 0x08, 0x34,
0x5e, 0x40, 0x22, 0x41, 0x64, 0xbf, 0x67, 0x2e, 0x21, 0x8f, 0x3d, 0x5a, 0x7a, 0x2e, 0xe1, 0x0d,
0x81, 0xe7, 0x4d, 0x77, 0xbc, 0x9a, 0xf5, 0x1a, 0x72, 0x7a, 0xa3, 0x20, 0xc8, 0xdf, 0x21, 0x13,
0xc1, 0xf1, 0xfb, 0x63, 0x80, 0x6d, 0x05, 0xeb, 0x00, 0xb6, 0xea, 0xc4, 0x31, 0x7f, 0x84, 0x24,
0x87, 0x2a, 0x49, 0x1e, 0xdf, 0xfc, 0xfa, 0xf2, 0xa9, 0x6e, 0xbd, 0x7a, 0xaa, 0x5b, 0xaf, 0x9f,
0xea, 0xd6, 0x7f, 0x6f, 0xeb, 0x1f, 0xfd, 0xf3, 0xed, 0x82, 0xca, 0xe5, 0x7a, 0x7a, 0x1d, 0xf1,
0x55, 0x6b, 0x19, 0xa6, 0x4b, 0x1a, 0x71, 0x91, 0xc0, 0xc7, 0x28, 0x5d, 0xc7, 0xad, 0xf2, 0x27,
0x6a, 0xea, 0xa8, 0xf8, 0x87, 0xf7, 0x01, 0x00, 0x00, 0xff, 0xff, 0x5a, 0xef, 0x32, 0xac, 0xbb,
0x06, 0x00, 0x00,
// 802 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x55, 0xdd, 0x8e, 0x22, 0x45,
0x14, 0xb6, 0xa7, 0x77, 0x7a, 0x86, 0x83, 0x6e, 0x76, 0x6b, 0x57, 0xec, 0xf8, 0x83, 0xa4, 0x63,
0x36, 0xa3, 0x31, 0x83, 0xc1, 0x68, 0xd4, 0x78, 0xc3, 0xc0, 0x46, 0x71, 0x01, 0x49, 0x37, 0xae,
0x89, 0x37, 0xa6, 0x69, 0x0e, 0x50, 0xb1, 0xa9, 0xea, 0x54, 0x17, 0x3b, 0xe1, 0x4d, 0x7c, 0x0d,
0xaf, 0x7d, 0x01, 0x2f, 0x7d, 0x04, 0x1d, 0x5f, 0xc0, 0x47, 0x30, 0xf5, 0xd3, 0x4d, 0xf7, 0x08,
0x57, 0x70, 0xbe, 0xef, 0xab, 0x53, 0xe7, 0xaf, 0x4e, 0xc3, 0x3b, 0x99, 0xe0, 0x92, 0x77, 0xb3,
0x45, 0xc2, 0xd9, 0x8a, 0xae, 0xbb, 0xe6, 0xe7, 0x5a, 0xa3, 0xc4, 0x33, 0x56, 0xf0, 0xdb, 0x19,
0x78, 0x03, 0xfd, 0x97, 0xb4, 0x01, 0x86, 0xb1, 0x8c, 0x13, 0x64, 0x12, 0x85, 0xef, 0x74, 0x9c,
0xab, 0x46, 0x58, 0x41, 0xc8, 0xc7, 0xf0, 0x78, 0x26, 0xe8, 0x36, 0x16, 0xfb, 0x8a, 0xec, 0x4c,
0xcb, 0xfe, 0x4f, 0x90, 0xb7, 0xe1, 0x72, 0xca, 0x97, 0x38, 0x8d, 0xb7, 0xe8, 0xbb, 0x5a, 0x54,
0xda, 0xa4, 0x03, 0xcd, 0x08, 0xd7, 0x5b, 0x64, 0x52, 0xd3, 0x0f, 0x34, 0x5d, 0x85, 0xc8, 0x7b,
0xe0, 0xf6, 0x07, 0x63, 0xff, 0xbc, 0xe3, 0x5c, 0x35, 0x7b, 0xcd, 0x6b, 0x1b, 0x7a, 0x7f, 0x30,
0x0e, 0x15, 0x4e, 0x3e, 0x83, 0x66, 0x7f, 0x27, 0xf9, 0x73, 0x96, 0x88, 0x7d, 0x26, 0x7d, 0x4f,
0xcb, 0x9e, 0x94, 0xb2, 0x03, 0x15, 0x56, 0x75, 0xe4, 0x19, 0x78, 0xdf, 0xf0, 0x3c, 0xa7, 0x99,
0x7f, 0xa1, 0x4f, 0x3c, 0x2c, 0x4e, 0x18, 0x34, 0xb4, 0xac, 0xba, 0x7d, 0x3e, 0x8e, 0xfc, 0xcb,
0xfa, 0xed, 0xf3, 0x71, 0x14, 0x2a, 0x3c, 0x58, 0x15, 0x6e, 0xc8, 0x17, 0x00, 0xd6, 0x37, 0xe5,
0x4c, 0x97, 0xac, 0xd9, 0xf3, 0xeb, 0x4e, 0x0f, 0x7c, 0x58, 0xd1, 0x92, 0x00, 0x5e, 0x0f, 0x51,
0x8a, 0xfd, 0x77, 0x9c, 0xb2, 0x71, 0x7f, 0xea, 0x9f, 0x75, 0xdc, 0xab, 0x46, 0x58, 0xc3, 0x02,
0x09, 0x8f, 0xee, 0xfb, 0x20, 0x8f, 0xc0, 0x7d, 0x81, 0x7b, 0xdb, 0x1d, 0xf5, 0x97, 0x3c, 0x83,
0x87, 0x2f, 0x51, 0xd0, 0xd5, 0x7e, 0xc4, 0x12, 0xbe, 0xa5, 0x6c, 0xad, 0x7b, 0x72, 0x19, 0xde,
0x43, 0x0f, 0xba, 0xef, 0x77, 0x72, 0xcd, 0x95, 0xce, 0xad, 0xea, 0x0a, 0x34, 0xf8, 0xdb, 0xd1,
0xd9, 0x1f, 0xd1, 0x3b, 0xc7, 0xf4, 0xa4, 0x07, 0x4f, 0x0d, 0x12, 0xa1, 0x78, 0x85, 0xe2, 0x5b,
0x9e, 0x4b, 0xa6, 0xba, 0x6a, 0xa2, 0x38, 0xca, 0xa9, 0xec, 0x07, 0x34, 0xdb, 0xa0, 0x88, 0x76,
0x54, 0x62, 0x6e, 0x07, 0xa4, 0x86, 0xa9, 0x71, 0x9c, 0x50, 0xf6, 0x12, 0x45, 0xae, 0x6a, 0x6b,
0x66, 0xa4, 0x82, 0x90, 0xaf, 0xc0, 0x9f, 0x09, 0x5c, 0xa1, 0x30, 0xbe, 0x6b, 0xfe, 0xce, 0xf5,
0xdd, 0x27, 0xf9, 0xe0, 0x77, 0x57, 0xcf, 0x17, 0xf1, 0xe1, 0xe2, 0x39, 0x8b, 0x17, 0x29, 0x2e,
0x6d, 0x72, 0x85, 0x49, 0xde, 0x85, 0xc6, 0x8c, 0xa7, 0x34, 0xd9, 0xcf, 0xe7, 0x63, 0x3b, 0xe4,
0x07, 0x40, 0x9d, 0x0b, 0x79, 0x8a, 0x8a, 0x33, 0xa1, 0x17, 0xa6, 0x1a, 0xfb, 0x39, 0xff, 0x05,
0x99, 0xa2, 0x4c, 0xcc, 0xa5, 0xad, 0x1f, 0x18, 0xbf, 0x65, 0xc6, 0x8d, 0x8e, 0x51, 0x3d, 0xb0,
0x12, 0x21, 0x1f, 0xc0, 0x1b, 0x43, 0x5c, 0xc5, 0xbb, 0x54, 0x5a, 0x89, 0xa7, 0x25, 0x75, 0x90,
0x7c, 0x02, 0x4f, 0x4c, 0x90, 0x2f, 0x70, 0x3f, 0xa6, 0x79, 0xa1, 0xbd, 0xd0, 0xf1, 0x1f, 0xa3,
0xc8, 0x87, 0xe0, 0xe9, 0x18, 0x72, 0x3b, 0xd1, 0x8f, 0x2b, 0xef, 0xc9, 0x10, 0xa1, 0x15, 0x90,
0x2f, 0xa1, 0x35, 0xc4, 0x4c, 0x60, 0x12, 0x4b, 0x5c, 0xfe, 0x3c, 0xa4, 0xb9, 0xae, 0x86, 0x4a,
0xa6, 0xa1, 0x62, 0xb9, 0x39, 0xf3, 0x9d, 0xf0, 0xcd, 0x83, 0xa2, 0x22, 0x20, 0x9f, 0x43, 0xcb,
0x5c, 0xae, 0x5d, 0xcd, 0x54, 0x97, 0x72, 0x89, 0x2c, 0x41, 0x1f, 0x74, 0x68, 0x27, 0x58, 0x95,
0xcf, 0x24, 0x9a, 0x59, 0x4f, 0x37, 0x9c, 0xcb, 0x5c, 0x8a, 0x38, 0xf3, 0x9b, 0x26, 0x9f, 0x23,
0x54, 0xf0, 0xaf, 0x03, 0x8d, 0x32, 0x74, 0xd2, 0x02, 0x6f, 0x12, 0xe7, 0x87, 0x95, 0x65, 0x2d,
0xb5, 0x64, 0x42, 0xcc, 0x52, 0x9a, 0xc4, 0xfa, 0x71, 0x9a, 0x1e, 0x56, 0x21, 0xa5, 0xe8, 0xaf,
0x91, 0x49, 0x7b, 0xdc, 0x74, 0xb2, 0x0a, 0xa9, 0x3e, 0xdb, 0xe2, 0xdb, 0x66, 0x16, 0x26, 0x79,
0x0a, 0xe7, 0x5a, 0x68, 0xdb, 0x68, 0x0c, 0xf2, 0x23, 0xb4, 0x26, 0x31, 0x8b, 0xd7, 0xb8, 0x54,
0x43, 0x47, 0x13, 0x9c, 0x09, 0xfe, 0x8a, 0x2e, 0x51, 0xf8, 0x5e, 0xc7, 0xbd, 0x6a, 0xf6, 0xde,
0xaf, 0x54, 0xfe, 0x9e, 0x42, 0x67, 0x13, 0x9e, 0x38, 0x1e, 0xfc, 0x00, 0x6f, 0x9d, 0x38, 0xa2,
0xa6, 0xaa, 0x9f, 0x24, 0x98, 0xe7, 0x5c, 0x8c, 0x86, 0xc5, 0xda, 0x3e, 0x20, 0x6a, 0x22, 0x23,
0x4c, 0x04, 0xca, 0xd1, 0xd0, 0x16, 0xa1, 0xb4, 0x03, 0x5a, 0xdb, 0xa3, 0x6a, 0xb9, 0xa8, 0xbd,
0x67, 0x9e, 0x82, 0x5e, 0x02, 0x2d, 0xf0, 0x86, 0xd3, 0x28, 0x2a, 0x17, 0x94, 0xb5, 0x54, 0xfa,
0xa3, 0x99, 0x82, 0x5d, 0x0d, 0x1b, 0x43, 0x5d, 0xd5, 0x4f, 0x53, 0x7e, 0xab, 0x9c, 0x3c, 0xd0,
0x4e, 0x4a, 0xfb, 0xe6, 0xeb, 0x3f, 0xee, 0xda, 0xce, 0x9f, 0x77, 0x6d, 0xe7, 0xaf, 0xbb, 0xb6,
0xf3, 0xeb, 0x3f, 0xed, 0xd7, 0x7e, 0xfa, 0x68, 0x4d, 0xe5, 0x66, 0xb7, 0xb8, 0x4e, 0xf8, 0xb6,
0xbb, 0x89, 0xf3, 0x0d, 0x4d, 0xb8, 0xc8, 0xd4, 0x57, 0x2a, 0xdf, 0xa5, 0xdd, 0xfa, 0xb7, 0x6b,
0xe1, 0x69, 0xfb, 0xd3, 0xff, 0x02, 0x00, 0x00, 0xff, 0xff, 0x54, 0x4a, 0x4e, 0xf1, 0xd4, 0x06,
0x00, 0x00,
}
func (m *Config) Marshal() (dAtA []byte, err error) {
@ -1049,10 +1053,10 @@ func (m *ACL) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i--
dAtA[i] = 0x50
}
if len(m.DisabledTTL) > 0 {
i -= len(m.DisabledTTL)
copy(dAtA[i:], m.DisabledTTL)
i = encodeVarintConfig(dAtA, i, uint64(len(m.DisabledTTL)))
if len(m.Deprecated_DisabledTTL) > 0 {
i -= len(m.Deprecated_DisabledTTL)
copy(dAtA[i:], m.Deprecated_DisabledTTL)
i = encodeVarintConfig(dAtA, i, uint64(len(m.Deprecated_DisabledTTL)))
i--
dAtA[i] = 0x4a
}
@ -1472,7 +1476,7 @@ func (m *ACL) Size() (n int) {
l = m.Tokens.Size()
n += 1 + l + sovConfig(uint64(l))
}
l = len(m.DisabledTTL)
l = len(m.Deprecated_DisabledTTL)
if l > 0 {
n += 1 + l + sovConfig(uint64(l))
}
@ -2589,7 +2593,7 @@ func (m *ACL) Unmarshal(dAtA []byte) error {
iNdEx = postIndex
case 9:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field DisabledTTL", wireType)
return fmt.Errorf("proto: wrong wireType = %d for field Deprecated_DisabledTTL", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
@ -2617,7 +2621,7 @@ func (m *ACL) Unmarshal(dAtA []byte) error {
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.DisabledTTL = string(dAtA[iNdEx:postIndex])
m.Deprecated_DisabledTTL = string(dAtA[iNdEx:postIndex])
iNdEx = postIndex
case 10:
if wireType != 0 {

View File

@ -43,7 +43,9 @@ message ACL {
string DefaultPolicy = 6;
bool EnableKeyListPolicy = 7;
ACLTokens Tokens = 8;
string DisabledTTL = 9;
// Deprecated_DisabledTTL is deprecated. It is no longer populated and should
// be ignored by clients.
string Deprecated_DisabledTTL = 9 [deprecated = true];
bool EnableTokenPersistence = 10;
bool MSPDisableBootstrap = 11;
}