diff --git a/agent/consul/server_serf.go b/agent/consul/server_serf.go
index f72c64c34..1950c6c32 100644
--- a/agent/consul/server_serf.go
+++ b/agent/consul/server_serf.go
@@ -72,6 +72,8 @@ func (s *Server) setupSerf(conf *serf.Config, ch chan serf.Event, path string, w
 conf.Tags["use_tls"] = "1"
 }
+ // TODO(ACL-Legacy-Compat): remove in phase 2. These are kept for now to
+ // allow for upgrades.
 if s.acls.ACLsEnabled() {
 conf.Tags[metadata.TagACLs] = string(structs.ACLModeEnabled)
 } else {
diff --git a/agent/consul/util.go b/agent/consul/util.go
index afc30451c..09e69381a 100644
--- a/agent/consul/util.go
+++ b/agent/consul/util.go
@@ -8,7 +8,6 @@ import (
 "github.com/hashicorp/serf/serf"
 "github.com/hashicorp/consul/agent/metadata"
- "github.com/hashicorp/consul/agent/structs"
 )
 // CanServersUnderstandProtocol checks to see if all the servers in the given
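Review bot: The TODO added in setupSerf says the tags are "kept for now to allow for upgrades" but not who still reads them. In this same commit IsConsulServer (agent/metadata/server.go) stops parsing the `acls` tag, so the remaining readers are presumably servers running a release from before this change. I would spell that out, e.g. `// TODO(ACL-Legacy-Compat): remove in phase 2. The tag is still advertised so that servers from earlier releases, which parse it, see this server's ACL mode during an upgrade.` The one-line TODO added above `const TagACLs` has the same gap, and as an exported constant its comment would conventionally start with `// TagACLs is ...`. setupSerf starts and ends outside the hunk.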
@@ -159,58 +158,3 @@ func (c *Client) CheckServers(datacenter string, fn func(*metadata.Server) bool)
 c.router.CheckServers(datacenter, fn)
 }
-
-type serversACLMode struct {
- // leader is the address of the leader
- leader string
-
- // mode indicates the overall ACL mode of the servers
- mode structs.ACLMode
-
- // leaderMode is the ACL mode of the leader server
- leaderMode structs.ACLMode
-
- // indicates that at least one server was processed
- found bool
-}
-
-func (s *serversACLMode) init(leader string) {
- s.leader = leader
- s.mode = structs.ACLModeEnabled
- s.leaderMode = structs.ACLModeUnknown
- s.found = false
-}
-
-func (s *serversACLMode) update(srv *metadata.Server) bool {
- if srv.Status != serf.StatusAlive && srv.Status != serf.StatusFailed {
- // they are left or something so regardless we treat these servers as meeting
- // the version requirement
- return true
- }
-
- // mark that we processed at least one server
- s.found = true
-
- if srvAddr := srv.Addr.String(); srvAddr == s.leader {
- s.leaderMode = srv.ACLs
- }
-
- switch srv.ACLs {
- case structs.ACLModeDisabled:
- // anything disabled means we cant enable ACLs
- s.mode = structs.ACLModeDisabled
- case structs.ACLModeEnabled:
- // do nothing
- case structs.ACLModeLegacy:
- // This covers legacy mode and older server versions that don't advertise ACL support
- if s.mode != structs.ACLModeDisabled && s.mode != structs.ACLModeUnknown {
- s.mode = structs.ACLModeLegacy
- }
- default:
- if s.mode != structs.ACLModeDisabled {
- s.mode = structs.ACLModeUnknown
- }
- }
-
- return true
-}
diff --git a/agent/metadata/server.go b/agent/metadata/server.go
index b77d1d6d0..6fdad57c8 100644
--- a/agent/metadata/server.go
+++ b/agent/metadata/server.go
@@ -9,8 +9,6 @@ import (
 "github.com/hashicorp/go-version"
 "github.com/hashicorp/serf/serf"
-
- "github.com/hashicorp/consul/agent/structs"
 )
 // Key is used in maps and for equality tests. A key is based on endpoints.
@@ -42,7 +40,6 @@ type Server struct {
 Addr net.Addr
 Status serf.MemberStatus
 ReadReplica bool
- ACLs structs.ACLMode
 FeatureFlags map[string]int
 // If true, use TLS when connecting to this server
@@ -97,13 +94,6 @@ func IsConsulServer(m serf.Member) (bool, *Server) {
 return false, nil
 }
- var acls structs.ACLMode
- if aclMode, ok := m.Tags[TagACLs]; ok {
- acls = structs.ACLMode(aclMode)
- } else {
- acls = structs.ACLModeUnknown
- }
-
 segmentAddrs := make(map[string]string)
 segmentPorts := make(map[string]int)
 featureFlags := make(map[string]int)
@@ -188,12 +178,12 @@ func IsConsulServer(m serf.Member) (bool, *Server) {
 UseTLS: useTLS,
 // DEPRECATED - remove nonVoter check once support for that tag is removed
 ReadReplica: nonVoter || readReplica,
- ACLs: acls,
 FeatureFlags: featureFlags,
 }
 return true, parts
 }
+// TODO(ACL-Legacy-Compat): remove in phase 2
 const TagACLs = "acls"
 const featureFlagPrefix = "ft_"
diff --git a/agent/structs/acl.go b/agent/structs/acl.go
index 576199262..f4b944daf 100644
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
@@ -20,16 +20,10 @@ import (
 type ACLMode string
 const (
- // ACLs are disabled by configuration
+ // ACLModeDisabled indicates the ACL system is disabled
 ACLModeDisabled ACLMode = "0"
- // ACLs are enabled
+ // ACLModeEnabled indicates the ACL system is enabled
 ACLModeEnabled ACLMode = "1"
- // DEPRECATED (ACL-Legacy-Compat) - only needed while legacy ACLs are supported
- // ACLs are enabled and using legacy ACLs
- ACLModeLegacy ACLMode = "2"
- // DEPRECATED (ACL-Legacy-Compat) - only needed while legacy ACLs are supported
- // ACLs are assumed enabled but not being advertised
- ACLModeUnknown ACLMode = "3"
 )
 type ACLTokenIDType string
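Review bot: The const block in agent/structs/acl.go does not say that these strings are a wire format. setupSerf still advertises `string(structs.ACLModeEnabled)` in the `acls` serf tag, and the removed lines show that earlier releases read "2" as legacy and "3" as unknown. A comment above the block would keep the retired values from being reassigned while such servers can still be in a cluster, e.g. `// Values are advertised verbatim in the serf "acls" tag. "2" (legacy) and "3" (unknown) were used by earlier releases and must not be reused.` Whether ACLMode is serialized anywhere else is not visible in this diff.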