Remove artificial ACLTokenMaxTTL limit for configuring acl token expiry (#17066)

* Remove artificial ACLTokenMaxTTL limit for configuring acl token expiry

* Add changelog

* Remove test on default MaxTokenTTL

* Change to imperitive tense for changelog entry
This commit is contained in:
John Landa 2023-04-28 10:57:30 -05:00 committed by GitHub
parent 896c39d98c
commit b9cf6579e6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 45 additions and 25 deletions

3
.changelog/17066.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:improvement
command: Allow creating ACL Token TTL with greater than 24 hours with the -expires-ttl flag.
```

View File

@ -3261,21 +3261,6 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
err := aclEp.AuthMethodSet(&req, &resp)
testutil.RequireErrorContains(t, err, "MaxTokenTTL 1ms cannot be less than")
})
t.Run("Create with MaxTokenTTL too big", func(t *testing.T) {
reqMethod := newAuthMethod("test")
reqMethod.MaxTokenTTL = 25 * time.Hour
req := structs.ACLAuthMethodSetRequest{
Datacenter: "dc1",
AuthMethod: reqMethod,
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
}
resp := structs.ACLAuthMethod{}
err := aclEp.AuthMethodSet(&req, &resp)
testutil.RequireErrorContains(t, err, "MaxTokenTTL 25h0m0s cannot be more than")
})
}
func TestACLEndpoint_AuthMethodDelete(t *testing.T) {

View File

@ -238,9 +238,9 @@ type Config struct {
AutoConfigAuthzAllowReuse bool
// TombstoneTTL is used to control how long KV tombstones are retained.
// This provides a window of time where the X-Consul-Index is monotonic.
// This provides a window of time when the X-Consul-Index is monotonic.
// Outside this window, the index may not be monotonic. This is a result
// of a few trade offs:
// of a few trade-offs:
// 1) The index is defined by the data view and not globally. This is a
// performance optimization that prevents any write from incrementing the
// index for all data views.
@ -248,10 +248,10 @@ type Config struct {
// is also monotonic. This prevents deletes from reducing the disk space
// used.
// In theory, neither of these are intrinsic limitations, however for the
// purposes of building a practical system, they are reasonable trade offs.
// purposes of building a practical system, they are reasonable trade-offs.
//
// It is also possible to set this to an incredibly long time, thereby
// simulating infinite retention. This is not recommended however.
// simulating infinite retention. This is not recommended, however.
//
TombstoneTTL time.Duration
@ -524,11 +524,13 @@ func DefaultConfig() *Config {
TombstoneTTLGranularity: 30 * time.Second,
SessionTTLMin: 10 * time.Second,
ACLTokenMinExpirationTTL: 1 * time.Minute,
ACLTokenMaxExpirationTTL: 24 * time.Hour,
// Duration is stored as an int64. Setting the default max
// to the max possible duration (approx 290 years).
ACLTokenMaxExpirationTTL: 1<<63 - 1,
// These are tuned to provide a total throughput of 128 updates
// per second. If you update these, you should update the client-
// side SyncCoordinateRateTarget parameter accordingly.
// per second. If you update these, you should update the client-side
// SyncCoordinateRateTarget parameter accordingly.
CoordinateUpdatePeriod: 5 * time.Second,
CoordinateUpdateBatchSize: 128,
CoordinateUpdateMaxBatches: 5,
@ -560,7 +562,7 @@ func DefaultConfig() *Config {
},
},
// Stay under the 10 second aggregation interval of
// Stay under the 10-second aggregation interval of
// go-metrics. This ensures we always report the
// usage metrics in each cycle.
MetricsReportingInterval: 9 * time.Second,

View File

@ -7,12 +7,14 @@ import (
"encoding/json"
"strings"
"testing"
"time"
"github.com/mitchellh/cli"
"github.com/stretchr/testify/require"
"github.com/hashicorp/consul/agent"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/testrpc"
"github.com/mitchellh/cli"
"github.com/stretchr/testify/require"
)
func TestTokenCreateCommand_noTabs(t *testing.T) {
@ -119,6 +121,34 @@ func TestTokenCreateCommand_Pretty(t *testing.T) {
require.Equal(t, "3d852bb8-5153-4388-a3ca-8ca78661889f", token.AccessorID)
require.Equal(t, "3a69a8d8-c4d4-485d-9b19-b5b61648ea0c", token.SecretID)
})
// create with an expires-ttl (<24h)
t.Run("expires-ttl_short", func(t *testing.T) {
token := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-token=root",
"-policy-name=" + policy.Name,
"-description=test token",
"-expires-ttl=1h",
})
// check diff between creation and expires time since we
// always set the token.ExpirationTTL value to 0 at the moment
require.Equal(t, time.Hour, token.ExpirationTime.Sub(token.CreateTime))
})
// create with an expires-ttl long (>24h)
t.Run("expires-ttl_long", func(t *testing.T) {
token := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-token=root",
"-policy-name=" + policy.Name,
"-description=test token",
"-expires-ttl=8760h",
})
require.Equal(t, 8760*time.Hour, token.ExpirationTime.Sub(token.CreateTime))
})
}
func TestTokenCreateCommand_JSON(t *testing.T) {