Merge pull request #10814 from hashicorp/dnephin/acl-resolver-4

acl: remove ACLDisabledTTL

agent/auto-config/config_translate.go

@@ -3,13 +3,14 @@ package autoconf
 import (
 	"fmt"
 
+	"github.com/mitchellh/mapstructure"
+
 	"github.com/hashicorp/consul/agent/config"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/proto"
 	"github.com/hashicorp/consul/proto/pbautoconf"
 	"github.com/hashicorp/consul/proto/pbconfig"
 	"github.com/hashicorp/consul/proto/pbconnect"
-	"github.com/mitchellh/mapstructure"
 )
 
 // translateAgentConfig is meant to take in a proto/pbconfig.Config type
@@ -48,7 +49,6 @@ func translateConfig(c *pbconfig.Config) config.Config {
 			DownPolicy:             stringPtrOrNil(a.DownPolicy),
 			DefaultPolicy:          stringPtrOrNil(a.DefaultPolicy),
 			EnableKeyListPolicy:    &a.EnableKeyListPolicy,
-			DisabledTTL:            stringPtrOrNil(a.DisabledTTL),
 			EnableTokenPersistence: &a.EnableTokenPersistence,
 		}
 

agent/auto-config/config_translate_test.go

@@ -4,11 +4,12 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/stretchr/testify/require"
+
 	"github.com/hashicorp/consul/agent/config"
 	"github.com/hashicorp/consul/agent/structs"
 	pbconfig "github.com/hashicorp/consul/proto/pbconfig"
 	"github.com/hashicorp/consul/proto/pbconnect"
-	"github.com/stretchr/testify/require"
 )
 
 func stringPointer(s string) *string {
@@ -65,7 +66,6 @@ func TestTranslateConfig(t *testing.T) {
 			DownPolicy:             "deny",
 			DefaultPolicy:          "deny",
 			EnableKeyListPolicy:    true,
-			DisabledTTL:            "4s",
 			EnableTokenPersistence: true,
 			MSPDisableBootstrap:    false,
 			Tokens: &pbconfig.ACLTokens{
@@ -127,7 +127,6 @@ func TestTranslateConfig(t *testing.T) {
 			DownPolicy:             stringPointer("deny"),
 			DefaultPolicy:          stringPointer("deny"),
 			EnableKeyListPolicy:    boolPointer(true),
-			DisabledTTL:            stringPointer("4s"),
 			EnableTokenPersistence: boolPointer(true),
 			Tokens: config.Tokens{
 				Master:      stringPointer("99e7e490-6baf-43fc-9010-78b6aa9a6813"),

agent/config/builder.go

@@ -873,7 +873,6 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 			ACLPolicyTTL:     b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
 			ACLTokenTTL:      b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)),
 			ACLRoleTTL:       b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
-			ACLDisabledTTL:   b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL),
 			ACLDownPolicy:    stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)),
 			ACLDefaultPolicy: stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)),
 		},

agent/config/config.go

@@ -268,8 +268,6 @@ type Config struct {
 	SnapshotAgent map[string]interface{} `mapstructure:"snapshot_agent"`
 
 	// non-user configurable values
-	// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl" stanza
-	ACLDisabledTTL             *string  `mapstructure:"acl_disabled_ttl"`
 	AEInterval                 *string  `mapstructure:"ae_interval"`
 	CheckDeregisterIntervalMin *string  `mapstructure:"check_deregister_interval_min"`
 	CheckReapInterval          *string  `mapstructure:"check_reap_interval"`
@@ -741,7 +739,6 @@ type ACL struct {
 	DefaultPolicy          *string `mapstructure:"default_policy"`
 	EnableKeyListPolicy    *bool   `mapstructure:"enable_key_list_policy"`
 	Tokens                 Tokens  `mapstructure:"tokens"`
-	DisabledTTL            *string `mapstructure:"disabled_ttl"`
 	EnableTokenPersistence *bool   `mapstructure:"enable_token_persistence"`
 
 	// Enterprise Only

agent/config/default.go

@@ -184,9 +184,6 @@ func NonUserSource() Source {
 		Name:   "non-user",
 		Format: "hcl",
 		Data: `
-		acl = {
-			disabled_ttl = "120s"
-		}
 		check_deregister_interval_min = "1m"
 		check_reap_interval = "30s"
 		ae_interval = "1m"

agent/config/runtime_test.go

@@ -5241,7 +5241,6 @@ func TestLoad_FullConfig(t *testing.T) {
 			ACLsEnabled:      true,
 			Datacenter:       "rzo029wg",
 			NodeName:         "otlLxGaI",
-			ACLDisabledTTL:   120 * time.Second,
 			ACLDefaultPolicy: "72c2e7a0",
 			ACLDownPolicy:    "03eb2aee",
 			ACLTokenTTL:      3321 * time.Second,

agent/config/testdata/TestRuntimeConfig_Sanitize.golden

@@ -3,7 +3,6 @@
     "ACLMasterToken": "hidden",
     "ACLResolverSettings": {
         "ACLDefaultPolicy": "",
-        "ACLDisabledTTL": "0s",
         "ACLDownPolicy": "",
         "ACLPolicyTTL": "0s",
         "ACLRoleTTL": "0s",

agent/consul/acl.go

@@ -199,10 +199,11 @@ type ACLResolverConfig struct {
 	// Delegate that implements some helper functionality that is server/client specific
 	Delegate ACLResolverDelegate
 
-	// AutoDisable indicates that RPC responses should be checked and if they indicate ACLs are disabled
+	// DisableDuration is the length of time to leave ACLs disabled when an RPC
-	// remotely then disable them locally as well. This is particularly useful for the client agent
+	// request to a server indicates that the ACL system is disabled. If set to
-	// so that it can detect when the servers have gotten ACLs enabled.
+	// 0 then ACLs will not be disabled locally. This value is always set to 0 on
-	AutoDisable bool
+	// Servers.
+	DisableDuration time.Duration
 
 	// ACLConfig is the configuration necessary to pass through to the acl package when creating authorizers
 	// and when authorizing access
@@ -212,6 +213,8 @@ type ACLResolverConfig struct {
 	Tokens *token.Store
 }
 
+const aclClientDisabledTTL = 30 * time.Second
+
 // TODO: rename the fields to remove the ACL prefix
 type ACLResolverSettings struct {
 	ACLsEnabled bool
@@ -228,11 +231,6 @@ type ACLResolverSettings struct {
 	// a major impact on performance. By default, it is set to 30 seconds.
 	ACLRoleTTL time.Duration
 
-	// ACLDisabledTTL is used by agents to determine how long they will
-	// wait to check again with the servers if they discover ACLs are not
-	// enabled. (not user configurable)
-	ACLDisabledTTL time.Duration
-
 	// ACLDownPolicy is used to control the ACL interaction when we cannot
 	// reach the PrimaryDatacenter and the token is not in the cache.
 	// There are the following modes:
@@ -295,8 +293,9 @@ type ACLResolver struct {
 
 	down acl.Authorizer
 
-	autoDisable  bool
+	disableDuration time.Duration
-	disabled     time.Time
+	disabledUntil   time.Time
+	// disabledLock synchronizes access to disabledUntil
 	disabledLock sync.RWMutex
 
 	agentMasterAuthz acl.Authorizer
@@ -367,7 +366,7 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
 		delegate:         config.Delegate,
 		aclConf:          config.ACLConfig,
 		cache:            cache,
-		autoDisable:      config.AutoDisable,
+		disableDuration:  config.DisableDuration,
 		down:             down,
 		tokens:           config.Tokens,
 		agentMasterAuthz: authz,
@@ -1195,17 +1194,15 @@ func (r *ACLResolver) resolveTokenToIdentityAndRoles(token string) (structs.ACLI
 	return lastIdentity, nil, lastErr
 }
 
-func (r *ACLResolver) disableACLsWhenUpstreamDisabled(err error) error {
+func (r *ACLResolver) handleACLDisabledError(err error) {
-	if !r.autoDisable || err == nil || !acl.IsErrDisabled(err) {
+	if r.disableDuration == 0 || err == nil || !acl.IsErrDisabled(err) {
-		return err
+		return
 	}
 
-	r.logger.Debug("ACLs disabled on upstream servers, will retry", "retry_interval", r.config.ACLDisabledTTL)
+	r.logger.Debug("ACLs disabled on servers, will retry", "retry_interval", r.disableDuration)
 	r.disabledLock.Lock()
-	r.disabled = time.Now().Add(r.config.ACLDisabledTTL)
+	r.disabledUntil = time.Now().Add(r.disableDuration)
 	r.disabledLock.Unlock()
-
-	return err
 }
 
 func (r *ACLResolver) resolveLocallyManagedToken(token string) (structs.ACLIdentity, acl.Authorizer, bool) {
@@ -1241,14 +1238,15 @@ func (r *ACLResolver) ResolveTokenToIdentityAndAuthorizer(token string) (structs
 
 	if r.delegate.UseLegacyACLs() {
 		identity, authorizer, err := r.resolveTokenLegacy(token)
-		return identity, authorizer, r.disableACLsWhenUpstreamDisabled(err)
+		r.handleACLDisabledError(err)
+		return identity, authorizer, err
 	}
 
 	defer metrics.MeasureSince([]string{"acl", "ResolveToken"}, time.Now())
 
 	identity, policies, err := r.resolveTokenToIdentityAndPolicies(token)
 	if err != nil {
-		r.disableACLsWhenUpstreamDisabled(err)
+		r.handleACLDisabledError(err)
 		if IsACLRemoteError(err) {
 			r.logger.Error("Error resolving token", "error", err)
 			return &missingIdentity{reason: "primary-dc-down", token: token}, r.down, nil
@@ -1305,7 +1303,8 @@ func (r *ACLResolver) ResolveTokenToIdentity(token string) (structs.ACLIdentity,
 
 	if r.delegate.UseLegacyACLs() {
 		identity, _, err := r.resolveTokenLegacy(token)
-		return identity, r.disableACLsWhenUpstreamDisabled(err)
+		r.handleACLDisabledError(err)
+		return identity, err
 	}
 
 	defer metrics.MeasureSince([]string{"acl", "ResolveTokenToIdentity"}, time.Now())
@@ -1319,11 +1318,11 @@ func (r *ACLResolver) ACLsEnabled() bool {
 		return false
 	}
 
-	if r.autoDisable {
+	if r.disableDuration != 0 {
 		// Whether ACLs are disabled according to RPCs failing with a ACLs Disabled error
 		r.disabledLock.RLock()
 		defer r.disabledLock.RUnlock()
-		return !time.Now().Before(r.disabled)
+		return time.Now().After(r.disabledUntil)
 	}
 
 	return true

agent/consul/acl_test.go

@@ -731,8 +731,8 @@ func newTestACLResolver(t *testing.T, delegate *ACLResolverTestDelegate, cb func
 			Authorizers:    4,
 			Roles:          4,
 		},
-		AutoDisable: true,
+		DisableDuration: aclClientDisabledTTL,
-		Delegate:    delegate,
+		Delegate:        delegate,
 	}
 
 	if cb != nil {
@@ -3565,7 +3565,7 @@ func TestACLResolver_AgentMaster(t *testing.T) {
 	r := newTestACLResolver(t, d, func(cfg *ACLResolverConfig) {
 		cfg.Tokens = &tokens
 		cfg.Config.NodeName = "foo"
-		cfg.AutoDisable = false
+		cfg.DisableDuration = 0
 	})
 
 	tokens.UpdateAgentMasterToken("9a184a11-5599-459e-b71a-550e5f9a5a23", token.TokenSourceConfig)
@@ -3580,3 +3580,61 @@ func TestACLResolver_AgentMaster(t *testing.T) {
 	require.Equal(t, acl.Allow, authz.NodeRead("bar", nil))
 	require.Equal(t, acl.Deny, authz.NodeWrite("bar", nil))
 }
+
+func TestACLResolver_ACLsEnabled(t *testing.T) {
+	type testCase struct {
+		name     string
+		resolver *ACLResolver
+		enabled  bool
+	}
+
+	run := func(t *testing.T, tc testCase) {
+		require.Equal(t, tc.enabled, tc.resolver.ACLsEnabled())
+	}
+
+	var testCases = []testCase{
+		{
+			name:     "config disabled",
+			resolver: &ACLResolver{},
+		},
+		{
+			name: "config enabled, disableDuration=0 (Server)",
+			resolver: &ACLResolver{
+				config: ACLResolverSettings{ACLsEnabled: true},
+			},
+			enabled: true,
+		},
+		{
+			name: "config enabled, disabled by RPC (Client)",
+			resolver: &ACLResolver{
+				config:          ACLResolverSettings{ACLsEnabled: true},
+				disableDuration: 10 * time.Second,
+				disabledUntil:   time.Now().Add(5 * time.Second),
+			},
+		},
+		{
+			name: "config enabled, past disabledUntil (Client)",
+			resolver: &ACLResolver{
+				config:          ACLResolverSettings{ACLsEnabled: true},
+				disableDuration: 10 * time.Second,
+				disabledUntil:   time.Now().Add(-5 * time.Second),
+			},
+			enabled: true,
+		},
+		{
+			name: "config enabled, no disabledUntil (Client)",
+			resolver: &ACLResolver{
+				config:          ACLResolverSettings{ACLsEnabled: true},
+				disableDuration: 10 * time.Second,
+			},
+			enabled: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			run(t, tc)
+		})
+	}
+
+}

agent/consul/auto_config_endpoint.go

@@ -191,7 +191,6 @@ func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautocon
 		PolicyTTL:           ac.config.ACLResolverSettings.ACLPolicyTTL.String(),
 		RoleTTL:             ac.config.ACLResolverSettings.ACLRoleTTL.String(),
 		TokenTTL:            ac.config.ACLResolverSettings.ACLTokenTTL.String(),
-		DisabledTTL:         ac.config.ACLResolverSettings.ACLDisabledTTL.String(),
 		DownPolicy:          ac.config.ACLResolverSettings.ACLDownPolicy,
 		DefaultPolicy:       ac.config.ACLResolverSettings.ACLDefaultPolicy,
 		EnableKeyListPolicy: ac.config.ACLEnableKeyListPolicy,

agent/consul/auto_config_endpoint_test.go

@@ -153,8 +153,6 @@ func TestAutoConfigInitialConfiguration(t *testing.T) {
 		}
 		c.AutoConfigAuthzAllowReuse = true
 
-		c.ACLResolverSettings.ACLDisabledTTL = 12 * time.Second
-
 		cafile := path.Join(c.DataDir, "cacert.pem")
 		err := ioutil.WriteFile(cafile, []byte(cacert), 0600)
 		require.NoError(t, err)
@@ -265,7 +263,6 @@ func TestAutoConfigInitialConfiguration(t *testing.T) {
 						PolicyTTL:     "30s",
 						TokenTTL:      "30s",
 						RoleTTL:       "30s",
-						DisabledTTL:   "12s",
 						DownPolicy:    "extend-cache",
 						DefaultPolicy: "deny",
 						Tokens: &pbconfig.ACLTokens{
@@ -725,7 +722,6 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
 					ACLPolicyTTL:     7 * time.Second,
 					ACLRoleTTL:       10 * time.Second,
 					ACLTokenTTL:      12 * time.Second,
-					ACLDisabledTTL:   31 * time.Second,
 					ACLDefaultPolicy: "allow",
 					ACLDownPolicy:    "deny",
 				},
@@ -739,7 +735,6 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
 						PolicyTTL:           "7s",
 						RoleTTL:             "10s",
 						TokenTTL:            "12s",
-						DisabledTTL:         "31s",
 						DownPolicy:          "deny",
 						DefaultPolicy:       "allow",
 						EnableKeyListPolicy: true,
@@ -759,7 +754,6 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
 					ACLPolicyTTL:     7 * time.Second,
 					ACLRoleTTL:       10 * time.Second,
 					ACLTokenTTL:      12 * time.Second,
-					ACLDisabledTTL:   31 * time.Second,
 					ACLDefaultPolicy: "allow",
 					ACLDownPolicy:    "deny",
 				},
@@ -773,7 +767,6 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
 						PolicyTTL:           "7s",
 						RoleTTL:             "10s",
 						TokenTTL:            "12s",
-						DisabledTTL:         "31s",
 						DownPolicy:          "deny",
 						DefaultPolicy:       "allow",
 						EnableKeyListPolicy: true,

agent/consul/client.go

@@ -123,13 +123,13 @@ func NewClient(config *Config, deps Deps) (*Client, error) {
 
 	c.useNewACLs = 0
 	aclConfig := ACLResolverConfig{
-		Config:      config.ACLResolverSettings,
+		Config:          config.ACLResolverSettings,
-		Delegate:    c,
+		Delegate:        c,
-		Logger:      c.logger,
+		Logger:          c.logger,
-		AutoDisable: true,
+		DisableDuration: aclClientDisabledTTL,
-		CacheConfig: clientACLCacheConfig,
+		CacheConfig:     clientACLCacheConfig,
-		ACLConfig:   newACLConfig(c.logger),
+		ACLConfig:       newACLConfig(c.logger),
-		Tokens:      deps.Tokens,
+		Tokens:          deps.Tokens,
 	}
 	var err error
 	if c.acls, err = NewACLResolver(&aclConfig); err != nil {

agent/consul/config.go

@@ -450,7 +450,6 @@ func DefaultConfig() *Config {
 			ACLPolicyTTL:     30 * time.Second,
 			ACLTokenTTL:      30 * time.Second,
 			ACLRoleTTL:       30 * time.Second,
-			ACLDisabledTTL:   30 * time.Second,
 			ACLDownPolicy:    "extend-cache",
 			ACLDefaultPolicy: "allow",
 		},

agent/consul/leader_connect_ca_test.go

@@ -345,6 +345,9 @@ func TestCAManager_UpdateConfigWhileRenewIntermediate(t *testing.T) {
 }
 
 func TestCAManager_SignLeafWithExpiredCert(t *testing.T) {
+	if testing.Short() {
+		t.Skip("too slow for testing.Short")
+	}
 
 	args := []struct {
 		testName              string

agent/consul/server.go

@@ -429,7 +429,6 @@ func NewServer(config *Config, flat Deps) (*Server, error) {
 		Config:      config.ACLResolverSettings,
 		Delegate:    s,
 		CacheConfig: serverACLCacheConfig,
-		AutoDisable: false,
 		Logger:      logger,
 		ACLConfig:   s.aclConfig,
 		Tokens:      flat.Tokens,

proto/pbconfig/config.pb.go

@@ -323,20 +323,22 @@ func (m *TLS) GetPreferServerCipherSuites() bool {
 }
 
 type ACL struct {
-	Enabled                bool       `protobuf:"varint,1,opt,name=Enabled,proto3" json:"Enabled,omitempty"`
+	Enabled             bool       `protobuf:"varint,1,opt,name=Enabled,proto3" json:"Enabled,omitempty"`
-	PolicyTTL              string     `protobuf:"bytes,2,opt,name=PolicyTTL,proto3" json:"PolicyTTL,omitempty"`
+	PolicyTTL           string     `protobuf:"bytes,2,opt,name=PolicyTTL,proto3" json:"PolicyTTL,omitempty"`
-	RoleTTL                string     `protobuf:"bytes,3,opt,name=RoleTTL,proto3" json:"RoleTTL,omitempty"`
+	RoleTTL             string     `protobuf:"bytes,3,opt,name=RoleTTL,proto3" json:"RoleTTL,omitempty"`
-	TokenTTL               string     `protobuf:"bytes,4,opt,name=TokenTTL,proto3" json:"TokenTTL,omitempty"`
+	TokenTTL            string     `protobuf:"bytes,4,opt,name=TokenTTL,proto3" json:"TokenTTL,omitempty"`
-	DownPolicy             string     `protobuf:"bytes,5,opt,name=DownPolicy,proto3" json:"DownPolicy,omitempty"`
+	DownPolicy          string     `protobuf:"bytes,5,opt,name=DownPolicy,proto3" json:"DownPolicy,omitempty"`
-	DefaultPolicy          string     `protobuf:"bytes,6,opt,name=DefaultPolicy,proto3" json:"DefaultPolicy,omitempty"`
+	DefaultPolicy       string     `protobuf:"bytes,6,opt,name=DefaultPolicy,proto3" json:"DefaultPolicy,omitempty"`
-	EnableKeyListPolicy    bool       `protobuf:"varint,7,opt,name=EnableKeyListPolicy,proto3" json:"EnableKeyListPolicy,omitempty"`
+	EnableKeyListPolicy bool       `protobuf:"varint,7,opt,name=EnableKeyListPolicy,proto3" json:"EnableKeyListPolicy,omitempty"`
-	Tokens                 *ACLTokens `protobuf:"bytes,8,opt,name=Tokens,proto3" json:"Tokens,omitempty"`
+	Tokens              *ACLTokens `protobuf:"bytes,8,opt,name=Tokens,proto3" json:"Tokens,omitempty"`
-	DisabledTTL            string     `protobuf:"bytes,9,opt,name=DisabledTTL,proto3" json:"DisabledTTL,omitempty"`
+	// Deprecated_DisabledTTL is deprecated. It is no longer populated and should
-	EnableTokenPersistence bool       `protobuf:"varint,10,opt,name=EnableTokenPersistence,proto3" json:"EnableTokenPersistence,omitempty"`
+	// be ignored by clients.
-	MSPDisableBootstrap    bool       `protobuf:"varint,11,opt,name=MSPDisableBootstrap,proto3" json:"MSPDisableBootstrap,omitempty"`
+	Deprecated_DisabledTTL string   `protobuf:"bytes,9,opt,name=Deprecated_DisabledTTL,json=DeprecatedDisabledTTL,proto3" json:"Deprecated_DisabledTTL,omitempty"` // Deprecated: Do not use.
-	XXX_NoUnkeyedLiteral   struct{}   `json:"-"`
+	EnableTokenPersistence bool     `protobuf:"varint,10,opt,name=EnableTokenPersistence,proto3" json:"EnableTokenPersistence,omitempty"`
-	XXX_unrecognized       []byte     `json:"-"`
+	MSPDisableBootstrap    bool     `protobuf:"varint,11,opt,name=MSPDisableBootstrap,proto3" json:"MSPDisableBootstrap,omitempty"`
-	XXX_sizecache          int32      `json:"-"`
+	XXX_NoUnkeyedLiteral   struct{} `json:"-"`
+	XXX_unrecognized       []byte   `json:"-"`
+	XXX_sizecache          int32    `json:"-"`
 }
 
 func (m *ACL) Reset()         { *m = ACL{} }
@@ -428,9 +430,10 @@ func (m *ACL) GetTokens() *ACLTokens {
 	return nil
 }
 
-func (m *ACL) GetDisabledTTL() string {
+// Deprecated: Do not use.
+func (m *ACL) GetDeprecated_DisabledTTL() string {
 	if m != nil {
-		return m.DisabledTTL
+		return m.Deprecated_DisabledTTL
 	}
 	return ""
 }
@@ -676,57 +679,58 @@ func init() {
 func init() { proto.RegisterFile("proto/pbconfig/config.proto", fileDescriptor_aefa824db7b74d77) }
 
 var fileDescriptor_aefa824db7b74d77 = []byte{
-	// 787 bytes of a gzipped FileDescriptorProto
+	// 802 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x55, 0xdd, 0x6e, 0xe2, 0x46,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x55, 0xdd, 0x8e, 0x22, 0x45,
-	0x14, 0xae, 0xe3, 0xc4, 0x09, 0x43, 0x1b, 0x25, 0x93, 0x88, 0x5a, 0xfd, 0xa1, 0xc8, 0xaa, 0x22,
+	0x14, 0xb6, 0xa7, 0x77, 0x7a, 0x86, 0x83, 0x6e, 0x76, 0x6b, 0x57, 0xec, 0xf8, 0x83, 0xa4, 0x63,
-	0x5a, 0x55, 0xa1, 0xa2, 0x6a, 0x55, 0x55, 0xbd, 0x21, 0x10, 0xb5, 0x34, 0x40, 0x91, 0x4d, 0x53,
+	0x36, 0xa3, 0x31, 0x83, 0xc1, 0x68, 0xd4, 0x78, 0xc3, 0xc0, 0x46, 0x71, 0x01, 0x49, 0x37, 0xae,
-	0xa9, 0x77, 0xc6, 0x0c, 0x30, 0xaa, 0x99, 0xb1, 0xc6, 0x43, 0x22, 0xde, 0xa4, 0xd7, 0x7d, 0x83,
+	0x89, 0x37, 0xa6, 0x69, 0x0e, 0x50, 0xb1, 0xa9, 0xea, 0x54, 0x17, 0x3b, 0xe1, 0x4d, 0x7c, 0x0d,
-	0x7d, 0x8b, 0xbd, 0xdc, 0x47, 0xd8, 0xcd, 0xbe, 0xc0, 0x3e, 0xc2, 0xea, 0xcc, 0x8c, 0x8d, 0x9d,
+	0xaf, 0x7d, 0x01, 0x2f, 0x7d, 0x04, 0x1d, 0x5f, 0xc0, 0x47, 0x30, 0xf5, 0xd3, 0x4d, 0xf7, 0x08,
-	0x85, 0x2b, 0x38, 0xdf, 0xf7, 0xcd, 0x99, 0x6f, 0xe6, 0x9c, 0x33, 0x46, 0x9f, 0x27, 0x82, 0x4b,
+	0x57, 0x70, 0xbe, 0xef, 0xab, 0x53, 0xe7, 0xaf, 0x4e, 0xc3, 0x3b, 0x99, 0xe0, 0x92, 0x77, 0xb3,
-	0xde, 0x4a, 0xa6, 0x11, 0x67, 0x73, 0xba, 0x68, 0xe9, 0x9f, 0x6b, 0x85, 0x62, 0x47, 0x47, 0xde,
+	0x45, 0xc2, 0xd9, 0x8a, 0xae, 0xbb, 0xe6, 0xe7, 0x5a, 0xa3, 0xc4, 0x33, 0x56, 0xf0, 0xdb, 0x19,
-	0x8b, 0x03, 0xe4, 0x74, 0xd5, 0x5f, 0x5c, 0x47, 0xa8, 0x17, 0xca, 0x30, 0x22, 0x4c, 0x12, 0xe1,
+	0x78, 0x03, 0xfd, 0x97, 0xb4, 0x01, 0x86, 0xb1, 0x8c, 0x13, 0x64, 0x12, 0x85, 0xef, 0x74, 0x9c,
-	0x5a, 0x0d, 0xab, 0x59, 0xf1, 0x0b, 0x08, 0xfe, 0x0e, 0x9d, 0x8f, 0x05, 0x5d, 0x85, 0x62, 0x53,
+	0xab, 0x46, 0x58, 0x41, 0xc8, 0xc7, 0xf0, 0x78, 0x26, 0xe8, 0x36, 0x16, 0xfb, 0x8a, 0xec, 0x4c,
-	0x90, 0x1d, 0x28, 0xd9, 0x87, 0x04, 0xfe, 0x0c, 0x9d, 0x8c, 0xf8, 0x8c, 0x8c, 0xc2, 0x15, 0x71,
+	0xcb, 0xfe, 0x4f, 0x90, 0xb7, 0xe1, 0x72, 0xca, 0x97, 0x38, 0x8d, 0xb7, 0xe8, 0xbb, 0x5a, 0x54,
-	0x6d, 0x25, 0xca, 0x63, 0xdc, 0x40, 0xd5, 0x80, 0x2c, 0x56, 0x84, 0x49, 0x45, 0x1f, 0x2a, 0xba,
+	0xda, 0xa4, 0x03, 0xcd, 0x08, 0xd7, 0x5b, 0x64, 0x52, 0xd3, 0x0f, 0x34, 0x5d, 0x85, 0xc8, 0x7b,
-	0x08, 0xe1, 0x2f, 0x91, 0xdd, 0xe9, 0x0e, 0xdc, 0xa3, 0x86, 0xd5, 0xac, 0xb6, 0xab, 0xd7, 0xc6,
+	0xe0, 0xf6, 0x07, 0x63, 0xff, 0xbc, 0xe3, 0x5c, 0x35, 0x7b, 0xcd, 0x6b, 0x1b, 0x7a, 0x7f, 0x30,
-	0x7a, 0xa7, 0x3b, 0xf0, 0x01, 0xc7, 0x3f, 0xa2, 0x6a, 0x67, 0x2d, 0xf9, 0x2d, 0x8b, 0xc4, 0x26,
+	0x0e, 0x15, 0x4e, 0x3e, 0x83, 0x66, 0x7f, 0x27, 0xf9, 0x73, 0x96, 0x88, 0x7d, 0x26, 0x7d, 0x4f,
-	0x91, 0xae, 0xa3, 0x64, 0x17, 0xb9, 0x6c, 0x4b, 0xf9, 0x45, 0x1d, 0xbe, 0x42, 0xce, 0x6f, 0x3c,
+	0xcb, 0x9e, 0x94, 0xb2, 0x03, 0x15, 0x56, 0x75, 0xe4, 0x19, 0x78, 0xdf, 0xf0, 0x3c, 0xa7, 0x99,
-	0x4d, 0x69, 0xe2, 0x1e, 0xab, 0x15, 0xa7, 0xd9, 0x0a, 0x8d, 0xfa, 0x86, 0x85, 0xdd, 0x27, 0x83,
+	0x7f, 0xa1, 0x4f, 0x3c, 0x2c, 0x4e, 0x18, 0x34, 0xb4, 0xac, 0xba, 0x7d, 0x3e, 0x8e, 0xfc, 0xcb,
-	0xc0, 0x3d, 0x29, 0xef, 0x3e, 0x19, 0x04, 0x3e, 0xe0, 0xde, 0x3c, 0x4b, 0x83, 0x7f, 0x46, 0xc8,
+	0xfa, 0xed, 0xf3, 0x71, 0x14, 0x2a, 0x3c, 0x58, 0x15, 0x6e, 0xc8, 0x17, 0x00, 0xd6, 0x37, 0xe5,
-	0xe4, 0xa6, 0x9c, 0xa9, 0x2b, 0xab, 0xb6, 0xdd, 0x72, 0xd2, 0x2d, 0xef, 0x17, 0xb4, 0xd8, 0x43,
+	0x4c, 0x97, 0xac, 0xd9, 0xf3, 0xeb, 0x4e, 0x0f, 0x7c, 0x58, 0xd1, 0x92, 0x00, 0x5e, 0x0f, 0x51,
-	0x1f, 0xfb, 0x44, 0x8a, 0xcd, 0x1f, 0x9c, 0xb2, 0x41, 0x67, 0xe4, 0x1e, 0x34, 0xec, 0x66, 0xc5,
+	0x8a, 0xfd, 0x77, 0x9c, 0xb2, 0x71, 0x7f, 0xea, 0x9f, 0x75, 0xdc, 0xab, 0x46, 0x58, 0xc3, 0x02,
-	0x2f, 0x61, 0x9e, 0x44, 0x67, 0xcf, 0x73, 0xe0, 0x33, 0x64, 0xdf, 0x91, 0x8d, 0xa9, 0x0e, 0xfc,
+	0x09, 0x8f, 0xee, 0xfb, 0x20, 0x8f, 0xc0, 0x7d, 0x81, 0x7b, 0xdb, 0x1d, 0xf5, 0x97, 0x3c, 0x83,
-	0xc5, 0x57, 0xe8, 0xf4, 0x9e, 0x08, 0x3a, 0xdf, 0xf4, 0x59, 0xc4, 0x57, 0x94, 0x2d, 0x54, 0x4d,
+	0x87, 0x2f, 0x51, 0xd0, 0xd5, 0x7e, 0xc4, 0x12, 0xbe, 0xa5, 0x6c, 0xad, 0x7b, 0x72, 0x19, 0xde,
-	0x4e, 0xfc, 0x67, 0xe8, 0x56, 0xf7, 0xe7, 0x5a, 0x2e, 0x38, 0xe8, 0xec, 0xa2, 0x2e, 0x43, 0xbd,
+	0x43, 0x0f, 0xba, 0xef, 0x77, 0x72, 0xcd, 0x95, 0xce, 0xad, 0xea, 0x0a, 0x34, 0xf8, 0xdb, 0xd1,
-	0x37, 0x96, 0x3a, 0xfd, 0x0e, 0xbd, 0xb5, 0x4b, 0x8f, 0xdb, 0xe8, 0x52, 0x23, 0x01, 0x11, 0x0f,
+	0xd9, 0x1f, 0xd1, 0x3b, 0xc7, 0xf4, 0xa4, 0x07, 0x4f, 0x0d, 0x12, 0xa1, 0x78, 0x85, 0xe2, 0x5b,
-	0x44, 0xfc, 0xce, 0x53, 0xc9, 0xa0, 0xaa, 0xda, 0xc5, 0x4e, 0x0e, 0x4e, 0xdf, 0xa5, 0xc9, 0x92,
+	0x9e, 0x4b, 0xa6, 0xba, 0x6a, 0xa2, 0x38, 0xca, 0xa9, 0xec, 0x07, 0x34, 0xdb, 0xa0, 0x88, 0x76,
-	0x88, 0x60, 0x4d, 0x25, 0x49, 0x4d, 0x83, 0x94, 0x30, 0x68, 0xc7, 0x21, 0x65, 0xf7, 0x44, 0xa4,
+	0x54, 0x62, 0x6e, 0x07, 0xa4, 0x86, 0xa9, 0x71, 0x9c, 0x50, 0xf6, 0x12, 0x45, 0xae, 0x6a, 0x6b,
-	0x70, 0xb7, 0xba, 0x47, 0x0a, 0x08, 0xfe, 0x05, 0xb9, 0x63, 0x41, 0xe6, 0x44, 0xe8, 0xdc, 0xa5,
+	0x66, 0xa4, 0x82, 0x90, 0xaf, 0xc0, 0x9f, 0x09, 0x5c, 0xa1, 0x30, 0xbe, 0x6b, 0xfe, 0xce, 0xf5,
-	0x7c, 0x47, 0x6a, 0xef, 0xbd, 0xbc, 0xf7, 0xbf, 0xad, 0xfa, 0x0b, 0xbb, 0xe8, 0xf8, 0x96, 0x85,
+	0xdd, 0x27, 0xf9, 0xe0, 0x77, 0x57, 0xcf, 0x17, 0xf1, 0xe1, 0xe2, 0x39, 0x8b, 0x17, 0x29, 0x2e,
-	0xd3, 0x98, 0xcc, 0xcc, 0xe1, 0xb2, 0x10, 0x7f, 0x81, 0x2a, 0x63, 0x1e, 0xd3, 0x68, 0x33, 0x99,
+	0x6d, 0x72, 0x85, 0x49, 0xde, 0x85, 0xc6, 0x8c, 0xa7, 0x34, 0xd9, 0xcf, 0xe7, 0x63, 0x3b, 0xe4,
-	0x0c, 0x4c, 0x93, 0x6f, 0x01, 0x58, 0xe7, 0xf3, 0x98, 0x00, 0xa7, 0xad, 0x67, 0x21, 0xb4, 0xfd,
+	0x07, 0x40, 0x9d, 0x0b, 0x79, 0x8a, 0x8a, 0x33, 0xa1, 0x17, 0xa6, 0x1a, 0xfb, 0x39, 0xff, 0x05,
-	0x84, 0xff, 0x4b, 0x18, 0x50, 0xda, 0x73, 0x1e, 0xab, 0x01, 0xe3, 0x8f, 0x4c, 0xa7, 0x51, 0x1e,
+	0x99, 0xa2, 0x4c, 0xcc, 0xa5, 0xad, 0x1f, 0x18, 0xbf, 0x65, 0xc6, 0x8d, 0x8e, 0x51, 0x3d, 0xb0,
-	0x61, 0xc0, 0x72, 0x04, 0x7f, 0x8d, 0x3e, 0xe9, 0x91, 0x79, 0xb8, 0x8e, 0xa5, 0x91, 0x38, 0x4a,
+	0x12, 0x21, 0x1f, 0xc0, 0x1b, 0x43, 0x5c, 0xc5, 0xbb, 0x54, 0x5a, 0x89, 0xa7, 0x25, 0x75, 0x90,
-	0x52, 0x06, 0xf1, 0xf7, 0xe8, 0x42, 0x9b, 0xbc, 0x23, 0x9b, 0x01, 0x4d, 0x33, 0xed, 0xb1, 0xf2,
+	0x7c, 0x02, 0x4f, 0x4c, 0x90, 0x2f, 0x70, 0x3f, 0xa6, 0x79, 0xa1, 0xbd, 0xd0, 0xf1, 0x1f, 0xa3,
-	0xbf, 0x8b, 0xc2, 0xdf, 0x20, 0x47, 0x79, 0x48, 0x4d, 0x47, 0x9f, 0x17, 0xe6, 0x49, 0x13, 0xbe,
+	0xc8, 0x87, 0xe0, 0xe9, 0x18, 0x72, 0x3b, 0xd1, 0x8f, 0x2b, 0xef, 0xc9, 0x10, 0xa1, 0x15, 0x90,
-	0x11, 0xc0, 0x64, 0xf6, 0x68, 0xaa, 0xae, 0x00, 0x4e, 0x50, 0xd1, 0x93, 0x59, 0x80, 0xf0, 0x4f,
+	0x2f, 0xa1, 0x35, 0xc4, 0x4c, 0x60, 0x12, 0x4b, 0x5c, 0xfe, 0x3c, 0xa4, 0xb9, 0xae, 0x86, 0x4a,
-	0xa8, 0xa6, 0xf7, 0x50, 0x2b, 0xc6, 0x50, 0x8c, 0x54, 0x12, 0x16, 0x11, 0x17, 0x29, 0x07, 0x7b,
+	0xa6, 0xa1, 0x62, 0xb9, 0x39, 0xf3, 0x9d, 0xf0, 0xcd, 0x83, 0xa2, 0x22, 0x20, 0x9f, 0x43, 0xcb,
-	0x58, 0xb0, 0x3d, 0x0c, 0xc6, 0x26, 0xd3, 0x0d, 0xe7, 0x32, 0x95, 0x22, 0x4c, 0xdc, 0xaa, 0xb6,
+	0x5c, 0xae, 0x5d, 0xcd, 0x54, 0x97, 0x72, 0x89, 0x2c, 0x41, 0x1f, 0x74, 0x68, 0x27, 0x58, 0x95,
-	0xbd, 0x83, 0xf2, 0xde, 0x59, 0xa8, 0x92, 0x3b, 0xc4, 0x35, 0xe4, 0x0c, 0xc3, 0x74, 0xfb, 0x32,
+	0xcf, 0x24, 0x9a, 0x59, 0x4f, 0x37, 0x9c, 0xcb, 0x5c, 0x8a, 0x38, 0xf3, 0x9b, 0x26, 0x9f, 0x23,
-	0x99, 0x08, 0x1c, 0xfb, 0x24, 0x89, 0x69, 0x14, 0xaa, 0x19, 0xd4, 0xa5, 0x2a, 0x42, 0xa0, 0xe8,
+	0x54, 0xf0, 0xaf, 0x03, 0x8d, 0x32, 0x74, 0xd2, 0x02, 0x6f, 0x12, 0xe7, 0x87, 0x95, 0x65, 0x2d,
-	0x2c, 0x08, 0x93, 0x66, 0xb9, 0x2e, 0x58, 0x11, 0x82, 0x72, 0x9a, 0x3b, 0x36, 0x35, 0xcb, 0x42,
+	0xb5, 0x64, 0x42, 0xcc, 0x52, 0x9a, 0xc4, 0xfa, 0x71, 0x9a, 0x1e, 0x56, 0x21, 0xa5, 0xe8, 0xaf,
-	0x7c, 0x89, 0x8e, 0x94, 0xd0, 0x54, 0x4b, 0x07, 0xf8, 0x6f, 0x54, 0x1b, 0x86, 0x2c, 0x5c, 0x90,
+	0x91, 0x49, 0x7b, 0xdc, 0x74, 0xb2, 0x0a, 0xa9, 0x3e, 0xdb, 0xe2, 0xdb, 0x66, 0x16, 0x26, 0x79,
-	0x19, 0xf4, 0x16, 0x8d, 0xc8, 0x58, 0xf0, 0x07, 0x3a, 0x23, 0xc2, 0x75, 0x1a, 0x76, 0xb3, 0xda,
+	0x0a, 0xe7, 0x5a, 0x68, 0xdb, 0x68, 0x0c, 0xf2, 0x23, 0xb4, 0x26, 0x31, 0x8b, 0xd7, 0xb8, 0x54,
-	0xfe, 0xaa, 0x70, 0xc1, 0xcf, 0x14, 0xea, 0x34, 0xfe, 0x9e, 0xe5, 0xde, 0x5f, 0xe8, 0xd3, 0x3d,
+	0x43, 0x47, 0x13, 0x9c, 0x09, 0xfe, 0x8a, 0x2e, 0x51, 0xf8, 0x5e, 0xc7, 0xbd, 0x6a, 0xf6, 0xde,
-	0x4b, 0xa0, 0x79, 0x3a, 0x51, 0x44, 0xd2, 0x94, 0x8b, 0x7e, 0x2f, 0x7b, 0x9d, 0xb7, 0x08, 0x34,
+	0xaf, 0x54, 0xfe, 0x9e, 0x42, 0x67, 0x13, 0x9e, 0x38, 0x1e, 0xfc, 0x00, 0x6f, 0x9d, 0x38, 0xa2,
-	0x5e, 0x40, 0x22, 0x41, 0x64, 0xbf, 0x67, 0x2e, 0x21, 0x8f, 0x3d, 0x5a, 0x7a, 0x2e, 0xe1, 0x0d,
+	0xa6, 0xaa, 0x9f, 0x24, 0x98, 0xe7, 0x5c, 0x8c, 0x86, 0xc5, 0xda, 0x3e, 0x20, 0x6a, 0x22, 0x23,
-	0x81, 0xe7, 0x4d, 0x77, 0xbc, 0x9a, 0xf5, 0x1a, 0x72, 0x7a, 0xa3, 0x20, 0xc8, 0xdf, 0x21, 0x13,
+	0x4c, 0x04, 0xca, 0xd1, 0xd0, 0x16, 0xa1, 0xb4, 0x03, 0x5a, 0xdb, 0xa3, 0x6a, 0xb9, 0xa8, 0xbd,
-	0xc1, 0xf1, 0xfb, 0x63, 0x80, 0x6d, 0x05, 0xeb, 0x00, 0xb6, 0xea, 0xc4, 0x31, 0x7f, 0x84, 0x24,
+	0x67, 0x9e, 0x82, 0x5e, 0x02, 0x2d, 0xf0, 0x86, 0xd3, 0x28, 0x2a, 0x17, 0x94, 0xb5, 0x54, 0xfa,
-	0x87, 0x2a, 0x49, 0x1e, 0xdf, 0xfc, 0xfa, 0xf2, 0xa9, 0x6e, 0xbd, 0x7a, 0xaa, 0x5b, 0xaf, 0x9f,
+	0xa3, 0x99, 0x82, 0x5d, 0x0d, 0x1b, 0x43, 0x5d, 0xd5, 0x4f, 0x53, 0x7e, 0xab, 0x9c, 0x3c, 0xd0,
-	0xea, 0xd6, 0x7f, 0x6f, 0xeb, 0x1f, 0xfd, 0xf3, 0xed, 0x82, 0xca, 0xe5, 0x7a, 0x7a, 0x1d, 0xf1,
+	0x4e, 0x4a, 0xfb, 0xe6, 0xeb, 0x3f, 0xee, 0xda, 0xce, 0x9f, 0x77, 0x6d, 0xe7, 0xaf, 0xbb, 0xb6,
-	0x55, 0x6b, 0x19, 0xa6, 0x4b, 0x1a, 0x71, 0x91, 0xc0, 0xc7, 0x28, 0x5d, 0xc7, 0xad, 0xf2, 0x27,
+	0xf3, 0xeb, 0x3f, 0xed, 0xd7, 0x7e, 0xfa, 0x68, 0x4d, 0xe5, 0x66, 0xb7, 0xb8, 0x4e, 0xf8, 0xb6,
-	0x6a, 0xea, 0xa8, 0xf8, 0x87, 0xf7, 0x01, 0x00, 0x00, 0xff, 0xff, 0x5a, 0xef, 0x32, 0xac, 0xbb,
+	0xbb, 0x89, 0xf3, 0x0d, 0x4d, 0xb8, 0xc8, 0xd4, 0x57, 0x2a, 0xdf, 0xa5, 0xdd, 0xfa, 0xb7, 0x6b,
-	0x06, 0x00, 0x00,
+	0xe1, 0x69, 0xfb, 0xd3, 0xff, 0x02, 0x00, 0x00, 0xff, 0xff, 0x54, 0x4a, 0x4e, 0xf1, 0xd4, 0x06,
+	0x00, 0x00,
 }
 
 func (m *Config) Marshal() (dAtA []byte, err error) {
@@ -1049,10 +1053,10 @@ func (m *ACL) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i--
 		dAtA[i] = 0x50
 	}
-	if len(m.DisabledTTL) > 0 {
+	if len(m.Deprecated_DisabledTTL) > 0 {
-		i -= len(m.DisabledTTL)
+		i -= len(m.Deprecated_DisabledTTL)
-		copy(dAtA[i:], m.DisabledTTL)
+		copy(dAtA[i:], m.Deprecated_DisabledTTL)
-		i = encodeVarintConfig(dAtA, i, uint64(len(m.DisabledTTL)))
+		i = encodeVarintConfig(dAtA, i, uint64(len(m.Deprecated_DisabledTTL)))
 		i--
 		dAtA[i] = 0x4a
 	}
@@ -1472,7 +1476,7 @@ func (m *ACL) Size() (n int) {
 		l = m.Tokens.Size()
 		n += 1 + l + sovConfig(uint64(l))
 	}
-	l = len(m.DisabledTTL)
+	l = len(m.Deprecated_DisabledTTL)
 	if l > 0 {
 		n += 1 + l + sovConfig(uint64(l))
 	}
@@ -2589,7 +2593,7 @@ func (m *ACL) Unmarshal(dAtA []byte) error {
 			iNdEx = postIndex
 		case 9:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field DisabledTTL", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Deprecated_DisabledTTL", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
@@ -2617,7 +2621,7 @@ func (m *ACL) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.DisabledTTL = string(dAtA[iNdEx:postIndex])
+			m.Deprecated_DisabledTTL = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		case 10:
 			if wireType != 0 {

proto/pbconfig/config.proto

@@ -43,7 +43,9 @@ message ACL {
    string    DefaultPolicy = 6;
    bool      EnableKeyListPolicy = 7;
    ACLTokens Tokens = 8;
-   string    DisabledTTL = 9;
+   // Deprecated_DisabledTTL is deprecated. It is no longer populated and should
+   // be ignored by clients.
+   string    Deprecated_DisabledTTL = 9 [deprecated = true];
    bool      EnableTokenPersistence = 10;
    bool      MSPDisableBootstrap = 11;
 }