Rename `agent_master` ACL token in the API and CLI (#11669)
This commit is contained in:
parent
8789308d2d
commit
eff3dc09b6
|
@ -0,0 +1,6 @@
|
||||||
|
```release-note:deprecation
|
||||||
|
api: `/v1/agent/token/agent_master` is deprecated and will be removed in a future major release - use `/v1/agent/token/agent_recovery` instead
|
||||||
|
```
|
||||||
|
```release-note:breaking-change
|
||||||
|
cli: `consul acl set-agent-token master` has been replaced with `consul acl set-agent-token recovery`
|
||||||
|
```
|
|
@ -1444,7 +1444,7 @@ func (s *HTTPHandlers) AgentToken(resp http.ResponseWriter, req *http.Request) (
|
||||||
triggerAntiEntropySync = true
|
triggerAntiEntropySync = true
|
||||||
}
|
}
|
||||||
|
|
||||||
case "acl_agent_master_token", "agent_master":
|
case "acl_agent_master_token", "agent_master", "agent_recovery":
|
||||||
s.agent.tokens.UpdateAgentMasterToken(args.Token, token_store.TokenSourceAPI)
|
s.agent.tokens.UpdateAgentMasterToken(args.Token, token_store.TokenSourceAPI)
|
||||||
|
|
||||||
case "acl_replication_token", "replication":
|
case "acl_replication_token", "replication":
|
||||||
|
|
|
@ -5308,7 +5308,7 @@ func TestAgent_Token(t *testing.T) {
|
||||||
effective: tokens{master: "M"},
|
effective: tokens{master: "M"},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "set master ",
|
name: "set master",
|
||||||
method: "PUT",
|
method: "PUT",
|
||||||
url: "agent_master?token=root",
|
url: "agent_master?token=root",
|
||||||
body: body("M"),
|
body: body("M"),
|
||||||
|
@ -5316,6 +5316,15 @@ func TestAgent_Token(t *testing.T) {
|
||||||
raw: tokens{master: "M", masterSource: tokenStore.TokenSourceAPI},
|
raw: tokens{master: "M", masterSource: tokenStore.TokenSourceAPI},
|
||||||
effective: tokens{master: "M"},
|
effective: tokens{master: "M"},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "set recovery",
|
||||||
|
method: "PUT",
|
||||||
|
url: "agent_recovery?token=root",
|
||||||
|
body: body("R"),
|
||||||
|
code: http.StatusOK,
|
||||||
|
raw: tokens{master: "R", masterSource: tokenStore.TokenSourceAPI},
|
||||||
|
effective: tokens{master: "R", masterSource: tokenStore.TokenSourceAPI},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "set repl legacy",
|
name: "set repl legacy",
|
||||||
method: "PUT",
|
method: "PUT",
|
||||||
|
@ -5388,6 +5397,15 @@ func TestAgent_Token(t *testing.T) {
|
||||||
init: tokens{master: "M"},
|
init: tokens{master: "M"},
|
||||||
raw: tokens{masterSource: tokenStore.TokenSourceAPI},
|
raw: tokens{masterSource: tokenStore.TokenSourceAPI},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "clear recovery",
|
||||||
|
method: "PUT",
|
||||||
|
url: "agent_recovery?token=root",
|
||||||
|
body: body(""),
|
||||||
|
code: http.StatusOK,
|
||||||
|
init: tokens{master: "R"},
|
||||||
|
raw: tokens{masterSource: tokenStore.TokenSourceAPI},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "clear repl legacy",
|
name: "clear repl legacy",
|
||||||
method: "PUT",
|
method: "PUT",
|
||||||
|
|
37
api/agent.go
37
api/agent.go
|
@ -1287,25 +1287,33 @@ func (a *Agent) UpdateACLReplicationToken(token string, q *WriteOptions) (*Write
|
||||||
// UpdateDefaultACLToken updates the agent's "default" token. See updateToken
|
// UpdateDefaultACLToken updates the agent's "default" token. See updateToken
|
||||||
// for more details
|
// for more details
|
||||||
func (a *Agent) UpdateDefaultACLToken(token string, q *WriteOptions) (*WriteMeta, error) {
|
func (a *Agent) UpdateDefaultACLToken(token string, q *WriteOptions) (*WriteMeta, error) {
|
||||||
return a.updateTokenFallback("default", "acl_token", token, q)
|
return a.updateTokenFallback(token, q, "default", "acl_token")
|
||||||
}
|
}
|
||||||
|
|
||||||
// UpdateAgentACLToken updates the agent's "agent" token. See updateToken
|
// UpdateAgentACLToken updates the agent's "agent" token. See updateToken
|
||||||
// for more details
|
// for more details
|
||||||
func (a *Agent) UpdateAgentACLToken(token string, q *WriteOptions) (*WriteMeta, error) {
|
func (a *Agent) UpdateAgentACLToken(token string, q *WriteOptions) (*WriteMeta, error) {
|
||||||
return a.updateTokenFallback("agent", "acl_agent_token", token, q)
|
return a.updateTokenFallback(token, q, "agent", "acl_agent_token")
|
||||||
|
}
|
||||||
|
|
||||||
|
// UpdateAgentRecoveryACLToken updates the agent's "agent_recovery" token. See updateToken
|
||||||
|
// for more details.
|
||||||
|
func (a *Agent) UpdateAgentRecoveryACLToken(token string, q *WriteOptions) (*WriteMeta, error) {
|
||||||
|
return a.updateTokenFallback(token, q, "agent_recovery", "agent_master", "acl_agent_master_token")
|
||||||
}
|
}
|
||||||
|
|
||||||
// UpdateAgentMasterACLToken updates the agent's "agent_master" token. See updateToken
|
// UpdateAgentMasterACLToken updates the agent's "agent_master" token. See updateToken
|
||||||
// for more details
|
// for more details.
|
||||||
|
//
|
||||||
|
// DEPRECATED - Prefer UpdateAgentRecoveryACLToken for v1.11 and above.
|
||||||
func (a *Agent) UpdateAgentMasterACLToken(token string, q *WriteOptions) (*WriteMeta, error) {
|
func (a *Agent) UpdateAgentMasterACLToken(token string, q *WriteOptions) (*WriteMeta, error) {
|
||||||
return a.updateTokenFallback("agent_master", "acl_agent_master_token", token, q)
|
return a.updateTokenFallback(token, q, "agent_master", "acl_agent_master_token")
|
||||||
}
|
}
|
||||||
|
|
||||||
// UpdateReplicationACLToken updates the agent's "replication" token. See updateToken
|
// UpdateReplicationACLToken updates the agent's "replication" token. See updateToken
|
||||||
// for more details
|
// for more details
|
||||||
func (a *Agent) UpdateReplicationACLToken(token string, q *WriteOptions) (*WriteMeta, error) {
|
func (a *Agent) UpdateReplicationACLToken(token string, q *WriteOptions) (*WriteMeta, error) {
|
||||||
return a.updateTokenFallback("replication", "acl_replication_token", token, q)
|
return a.updateTokenFallback(token, q, "replication", "acl_replication_token")
|
||||||
}
|
}
|
||||||
|
|
||||||
// updateToken can be used to update one of an agent's ACL tokens after the agent has
|
// updateToken can be used to update one of an agent's ACL tokens after the agent has
|
||||||
|
@ -1316,10 +1324,21 @@ func (a *Agent) updateToken(target, token string, q *WriteOptions) (*WriteMeta,
|
||||||
return meta, err
|
return meta, err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *Agent) updateTokenFallback(target, fallback, token string, q *WriteOptions) (*WriteMeta, error) {
|
func (a *Agent) updateTokenFallback(token string, q *WriteOptions, targets ...string) (*WriteMeta, error) {
|
||||||
meta, status, err := a.updateTokenOnce(target, token, q)
|
if len(targets) == 0 {
|
||||||
if err != nil && status == 404 {
|
panic("targets must not be empty")
|
||||||
meta, _, err = a.updateTokenOnce(fallback, token, q)
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
meta *WriteMeta
|
||||||
|
err error
|
||||||
|
)
|
||||||
|
for _, target := range targets {
|
||||||
|
var status int
|
||||||
|
meta, status, err = a.updateTokenOnce(target, token, q)
|
||||||
|
if err == nil && status != http.StatusNotFound {
|
||||||
|
return meta, err
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return meta, err
|
return meta, err
|
||||||
}
|
}
|
||||||
|
|
|
@ -1518,6 +1518,10 @@ func TestAPI_AgentUpdateToken(t *testing.T) {
|
||||||
t.Fatalf("err: %v", err)
|
t.Fatalf("err: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if _, err := agent.UpdateAgentRecoveryACLToken("root", nil); err != nil {
|
||||||
|
t.Fatalf("err: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
if _, err := agent.UpdateReplicationACLToken("root", nil); err != nil {
|
if _, err := agent.UpdateReplicationACLToken("root", nil); err != nil {
|
||||||
t.Fatalf("err: %v", err)
|
t.Fatalf("err: %v", err)
|
||||||
}
|
}
|
||||||
|
@ -1570,6 +1574,9 @@ func TestAPI_AgentUpdateToken(t *testing.T) {
|
||||||
_, err = agent.UpdateAgentMasterACLToken("root", nil)
|
_, err = agent.UpdateAgentMasterACLToken("root", nil)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
_, err = agent.UpdateAgentRecoveryACLToken("root", nil)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
_, err = agent.UpdateReplicationACLToken("root", nil)
|
_, err = agent.UpdateReplicationACLToken("root", nil)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
})
|
})
|
||||||
|
|
|
@ -54,8 +54,8 @@ func (c *cmd) Run(args []string) int {
|
||||||
_, err = client.Agent().UpdateDefaultACLToken(token, nil)
|
_, err = client.Agent().UpdateDefaultACLToken(token, nil)
|
||||||
case "agent":
|
case "agent":
|
||||||
_, err = client.Agent().UpdateAgentACLToken(token, nil)
|
_, err = client.Agent().UpdateAgentACLToken(token, nil)
|
||||||
case "master":
|
case "recovery":
|
||||||
_, err = client.Agent().UpdateAgentMasterACLToken(token, nil)
|
_, err = client.Agent().UpdateAgentRecoveryACLToken(token, nil)
|
||||||
case "replication":
|
case "replication":
|
||||||
_, err = client.Agent().UpdateReplicationACLToken(token, nil)
|
_, err = client.Agent().UpdateReplicationACLToken(token, nil)
|
||||||
default:
|
default:
|
||||||
|
@ -78,7 +78,7 @@ func (c *cmd) dataFromArgs(args []string) (string, string, error) {
|
||||||
return "", "", fmt.Errorf("Missing TYPE and TOKEN arguments")
|
return "", "", fmt.Errorf("Missing TYPE and TOKEN arguments")
|
||||||
case 1:
|
case 1:
|
||||||
switch args[0] {
|
switch args[0] {
|
||||||
case "default", "agent", "master", "replication":
|
case "default", "agent", "recovery", "replication":
|
||||||
return "", "", fmt.Errorf("Missing TOKEN argument")
|
return "", "", fmt.Errorf("Missing TOKEN argument")
|
||||||
default:
|
default:
|
||||||
return "", "", fmt.Errorf("MISSING TYPE argument")
|
return "", "", fmt.Errorf("MISSING TYPE argument")
|
||||||
|
@ -121,7 +121,7 @@ Usage: consul acl set-agent-token [options] TYPE TOKEN
|
||||||
agent The token that the agent will use for internal agent operations.
|
agent The token that the agent will use for internal agent operations.
|
||||||
If not given then the default token is used for these operations.
|
If not given then the default token is used for these operations.
|
||||||
|
|
||||||
master This sets the token that can be used to access the Agent APIs in
|
recovery This sets the token that can be used to access the Agent APIs in
|
||||||
the event that the ACL datacenter cannot be reached.
|
the event that the ACL datacenter cannot be reached.
|
||||||
|
|
||||||
replication This is the token that the agent will use for replication
|
replication This is the token that the agent will use for replication
|
||||||
|
|
|
@ -33,7 +33,7 @@ func TestAgentTokensCommand(t *testing.T) {
|
||||||
enabled = true
|
enabled = true
|
||||||
|
|
||||||
tokens {
|
tokens {
|
||||||
master = "root"
|
initial_management = "root"
|
||||||
}
|
}
|
||||||
}`)
|
}`)
|
||||||
|
|
||||||
|
@ -78,11 +78,11 @@ func TestAgentTokensCommand(t *testing.T) {
|
||||||
assert.Empty(ui.ErrorWriter.String())
|
assert.Empty(ui.ErrorWriter.String())
|
||||||
}
|
}
|
||||||
|
|
||||||
// master token
|
// recovery token
|
||||||
{
|
{
|
||||||
args := []string{
|
args := []string{
|
||||||
"-http-addr=" + a.HTTPAddr(),
|
"-http-addr=" + a.HTTPAddr(),
|
||||||
"master",
|
"recovery",
|
||||||
token.SecretID,
|
token.SecretID,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -728,17 +728,26 @@ configuration is `true`. When not being persisted, they will need to be reset if
|
||||||
is restarted.
|
is restarted.
|
||||||
|
|
||||||
| Method | Path | Produces |
|
| Method | Path | Produces |
|
||||||
| ------ | --------------------------- | ------------------ |
|
| ------ | ----------------------------- | ------------------ |
|
||||||
| `PUT` | `/agent/token/default` | `application/json` |
|
| `PUT` | `/agent/token/default` | `application/json` |
|
||||||
| `PUT` | `/agent/token/agent` | `application/json` |
|
| `PUT` | `/agent/token/agent` | `application/json` |
|
||||||
| `PUT` | `/agent/token/agent_master` | `application/json` |
|
| `PUT` | `/agent/token/agent_recovery` | `application/json` |
|
||||||
| `PUT` | `/agent/token/replication` | `application/json` |
|
| `PUT` | `/agent/token/replication` | `application/json` |
|
||||||
|
|
||||||
The paths above correspond to the token names as found in the agent configuration:
|
The paths above correspond to the token names as found in the agent configuration:
|
||||||
[`default`](/docs/agent/options#acl_tokens_default), [`agent`](/docs/agent/options#acl_tokens_agent),
|
[`default`](/docs/agent/options#acl_tokens_default), [`agent`](/docs/agent/options#acl_tokens_agent),
|
||||||
[`agent_master`](/docs/agent/options#acl_tokens_agent_master), and
|
[`agent_recovery`](/docs/agent/options#acl_tokens_agent_recovery), and
|
||||||
[`replication`](/docs/agent/options#acl_tokens_replication).
|
[`replication`](/docs/agent/options#acl_tokens_replication).
|
||||||
|
|
||||||
|
-> **Deprecation Note:** The following paths were deprecated in version 1.11
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | --------------------------- | ------------------ |
|
||||||
|
| `PUT` | `/agent/token/agent_master` | `application/json` |
|
||||||
|
|
||||||
|
The paths above correspond to the token names as found in the agent configuration:
|
||||||
|
[`agent_master`](/docs/agent/options#acl_tokens_agent_master).
|
||||||
|
|
||||||
-> **Deprecation Note:** The following paths were deprecated in version 1.4.3
|
-> **Deprecation Note:** The following paths were deprecated in version 1.4.3
|
||||||
|
|
||||||
| Method | Path | Produces |
|
| Method | Path | Produces |
|
||||||
|
|
|
@ -28,8 +28,9 @@ Usage: `consul acl set-agent-token [options] TYPE TOKEN`
|
||||||
- `agent` - The token that the agent will use for internal agent operations.
|
- `agent` - The token that the agent will use for internal agent operations.
|
||||||
If not given then the default token is used for these operations.
|
If not given then the default token is used for these operations.
|
||||||
|
|
||||||
- `master` - This sets the token that can be used to access the Agent APIs in
|
- `recovery` - This sets the token that can be used to access the Agent APIs
|
||||||
the event that the ACL datacenter cannot be reached.
|
in the event that the ACL datacenter cannot be reached. In Consul versions
|
||||||
|
prior to 1.11, this token type was called `master`.
|
||||||
|
|
||||||
- `replication` - This is the token that the agent will use for replication
|
- `replication` - This is the token that the agent will use for replication
|
||||||
operations. This token will need to be configured with read access to
|
operations. This token will need to be configured with read access to
|
||||||
|
|
Loading…
Reference in New Issue