From f21097beda3e09d9df411d1a46ee7f8d0649687a Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Wed, 29 Sep 2021 15:45:11 -0400
Subject: [PATCH] acl: remove reading of serf acl tags

We no long need to read the acl serf tag, because servers are always either ACL enabled or ACL disabled. We continue to write the tag so that during an upgarde older servers will see the tag.
---
 agent/consul/server_serf.go | 2 ++
 agent/consul/util.go | 56 -------------------------------------
 agent/metadata/server.go | 12 +-------
 agent/structs/acl.go | 10 ++-----
 4 files changed, 5 insertions(+), 75 deletions(-)

diff --git a/agent/consul/server_serf.go b/agent/consul/server_serf.go
index f72c64c34..1950c6c32 100644
--- a/agent/consul/server_serf.go
+++ b/agent/consul/server_serf.go
@@ -72,6 +72,8 @@ func (s *Server) setupSerf(conf *serf.Config, ch chan serf.Event, path string, w
 		conf.Tags["use_tls"] = "1"
 	}
 
+	// TODO(ACL-Legacy-Compat): remove in phase 2. These are kept for now to
+	// allow for upgrades.
 	if s.acls.ACLsEnabled() {
 		conf.Tags[metadata.TagACLs] = string(structs.ACLModeEnabled)
 	} else {
diff --git a/agent/consul/util.go b/agent/consul/util.go
index afc30451c..09e69381a 100644
--- a/agent/consul/util.go
+++ b/agent/consul/util.go
@@ -8,7 +8,6 @@ import (
 	"github.com/hashicorp/serf/serf"
 
 	"github.com/hashicorp/consul/agent/metadata"
-	"github.com/hashicorp/consul/agent/structs"
 )
 
 // CanServersUnderstandProtocol checks to see if all the servers in the given
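Review bot: The added TODO says the tag is kept for upgrades but not that it has become write-only, which is the fact a phase-2 cleanup needs; the commit message states nothing reads the tag any more, so the comment should carry that: `// TODO(ACL-Legacy-Compat): remove in phase 2. The tag is no longer read by this code base; it is still written so that pre-upgrade servers that parse it see a value.` The if/else that writes the tag continues past the end of the hunk, so the else branch cannot be checked here.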
@@ -159,58 +158,3 @@ func (c *Client) CheckServers(datacenter string, fn func(*metadata.Server) bool)
 
 	c.router.CheckServers(datacenter, fn)
 }
-
-type serversACLMode struct {
-	// leader is the address of the leader
-	leader string
-
-	// mode indicates the overall ACL mode of the servers
-	mode structs.ACLMode
-
-	// leaderMode is the ACL mode of the leader server
-	leaderMode structs.ACLMode
-
-	// indicates that at least one server was processed
-	found bool
-}
-
-func (s *serversACLMode) init(leader string) {
-	s.leader = leader
-	s.mode = structs.ACLModeEnabled
-	s.leaderMode = structs.ACLModeUnknown
-	s.found = false
-}
-
-func (s *serversACLMode) update(srv *metadata.Server) bool {
-	if srv.Status != serf.StatusAlive && srv.Status != serf.StatusFailed {
-		// they are left or something so regardless we treat these servers as meeting
-		// the version requirement
-		return true
-	}
-
-	// mark that we processed at least one server
-	s.found = true
-
-	if srvAddr := srv.Addr.String(); srvAddr == s.leader {
-		s.leaderMode = srv.ACLs
-	}
-
-	switch srv.ACLs {
-	case structs.ACLModeDisabled:
-		// anything disabled means we cant enable ACLs
-		s.mode = structs.ACLModeDisabled
-	case structs.ACLModeEnabled:
-		// do nothing
-	case structs.ACLModeLegacy:
-		// This covers legacy mode and older server versions that don't advertise ACL support
-		if s.mode != structs.ACLModeDisabled && s.mode != structs.ACLModeUnknown {
-			s.mode = structs.ACLModeLegacy
-		}
-	default:
-		if s.mode != structs.ACLModeDisabled {
-			s.mode = structs.ACLModeUnknown
-		}
-	}
-
-	return true
-}
diff --git a/agent/metadata/server.go b/agent/metadata/server.go
index b77d1d6d0..6fdad57c8 100644
--- a/agent/metadata/server.go
+++ b/agent/metadata/server.go
@@ -9,8 +9,6 @@ import (
 
 	"github.com/hashicorp/go-version"
 	"github.com/hashicorp/serf/serf"
-
-	"github.com/hashicorp/consul/agent/structs"
 )
 
 // Key is used in maps and for equality tests. A key is based on endpoints.
@@ -42,7 +40,6 @@ type Server struct {
 	Addr net.Addr
 	Status serf.MemberStatus
 	ReadReplica bool
-	ACLs structs.ACLMode
 	FeatureFlags map[string]int
 
 	// If true, use TLS when connecting to this server
@@ -97,13 +94,6 @@ func IsConsulServer(m serf.Member) (bool, *Server) {
 		return false, nil
 	}
 
-	var acls structs.ACLMode
-	if aclMode, ok := m.Tags[TagACLs]; ok {
-		acls = structs.ACLMode(aclMode)
-	} else {
-		acls = structs.ACLModeUnknown
-	}
-
 	segmentAddrs := make(map[string]string)
 	segmentPorts := make(map[string]int)
 	featureFlags := make(map[string]int)
@@ -188,12 +178,12 @@ func IsConsulServer(m serf.Member) (bool, *Server) {
 		UseTLS: useTLS,
 		// DEPRECATED - remove nonVoter check once support for that tag is removed
 		ReadReplica: nonVoter || readReplica,
-		ACLs: acls,
 		FeatureFlags: featureFlags,
 	}
 	return true, parts
 }
 
+// TODO(ACL-Legacy-Compat): remove in phase 2
 const TagACLs = "acls"
 
 const featureFlagPrefix = "ft_"
diff --git a/agent/structs/acl.go b/agent/structs/acl.go
index 576199262..f4b944daf 100644
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
@@ -20,16 +20,10 @@ import (
 type ACLMode string
 
 const (
-	// ACLs are disabled by configuration
+	// ACLModeDisabled indicates the ACL system is disabled
 	ACLModeDisabled ACLMode = "0"
-	// ACLs are enabled
+	// ACLModeEnabled indicates the ACL system is enabled
 	ACLModeEnabled ACLMode = "1"
-	// DEPRECATED (ACL-Legacy-Compat) - only needed while legacy ACLs are supported
-	// ACLs are enabled and using legacy ACLs
-	ACLModeLegacy ACLMode = "2"
-	// DEPRECATED (ACL-Legacy-Compat) - only needed while legacy ACLs are supported
-	// ACLs are assumed enabled but not being advertised
-	ACLModeUnknown ACLMode = "3"
 )
 
 type ACLTokenIDType string
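Review bot: `TagACLs` keeps its exported name and only a bare `remove in phase 2` TODO, yet with the `m.Tags[TagACLs]` lookup in IsConsulServer deleted earlier in this file, the only use of the constant still visible in this diff is the write in setupSerf. Saying so on the constant tells the phase-2 cleanup exactly what has to go: `// TODO(ACL-Legacy-Compat): remove in phase 2. Write-only: setupSerf still advertises it so pre-upgrade servers that parse the tag see a value; as of this change nothing here reads it.` The server_serf.go hunk adds a sibling TODO for the same compat shim, and the two comments should tell the same story.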
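Review bot: The surviving `ACLModeDisabled`/`ACLModeEnabled` values are still sent over the wire — setupSerf writes `string(structs.ACLModeEnabled)` into the `acls` serf tag — so their string values "0" and "1" are a compatibility contract with pre-upgrade servers that still parse the tag, and the reworded comments do not say so. With "2" and "3" gone, a later reader could reasonably renumber or re-type them; a comment above the const block such as `// The values below are advertised to older servers via the "acls" serf tag (TODO(ACL-Legacy-Compat)); keep "0"/"1" stable until that write is removed.` would prevent that. Whether `type ACLMode` already carries a doc comment cannot be seen here, since the line before the hunk is outside it.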