From 454f62eacc441b4019f3646401ab298b57abb6c9 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Fri, 30 Jul 2021 18:56:11 -0400 Subject: [PATCH 1/4] acl: replace ACLResolver.Config with its own struct This is step toward decoupling ACLResolver from the agent/consul package. --- agent/consul/acl.go | 25 ++++++++++++++++++------- agent/consul/acl_test.go | 12 +++++++++++- agent/consul/client.go | 19 +++++++++++++++---- agent/consul/server.go | 12 +++++++++++- 4 files changed, 55 insertions(+), 13 deletions(-) diff --git a/agent/consul/acl.go b/agent/consul/acl.go index dd90d267e..49fdde84d 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go @@ -189,7 +189,8 @@ func (e policyOrRoleTokenError) Error() string { // ACLResolverConfig holds all the configuration necessary to create an ACLResolver type ACLResolverConfig struct { - Config *Config + // TODO: rename this field? + Config ACLResolverSettings Logger hclog.Logger // CacheConfig is a pass through configuration for ACL cache limits @@ -211,6 +212,20 @@ type ACLResolverConfig struct { Tokens *token.Store } +// TODO: remove these fields from consul.Config and config.RuntimeConfig +// TODO: rename the fields to remove the ACL prefix +type ACLResolverSettings struct { + ACLsEnabled bool + Datacenter string + NodeName string + ACLPolicyTTL time.Duration + ACLTokenTTL time.Duration + ACLRoleTTL time.Duration + ACLDisabledTTL time.Duration + ACLDownPolicy string + ACLDefaultPolicy string +} + // ACLResolver is the type to handle all your token and policy resolution needs. // // Supports: @@ -237,7 +252,8 @@ type ACLResolverConfig struct { // upon. // type ACLResolver struct { - config *Config + // TODO: store the ACLResolverConfig as a field instead of copying all the fields onto ACLResolver. + config ACLResolverSettings logger hclog.Logger delegate ACLResolverDelegate @@ -289,11 +305,6 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) { if config == nil { return nil, fmt.Errorf("ACL Resolver must be initialized with a config") } - - if config.Config == nil { - return nil, fmt.Errorf("ACLResolverConfig.Config must not be nil") - } - if config.Delegate == nil { return nil, fmt.Errorf("ACL Resolver must be initialized with a valid delegate") } diff --git a/agent/consul/acl_test.go b/agent/consul/acl_test.go index 1c870b823..804e775f6 100644 --- a/agent/consul/acl_test.go +++ b/agent/consul/acl_test.go @@ -722,7 +722,17 @@ func newTestACLResolver(t *testing.T, delegate *ACLResolverTestDelegate, cb func config.ACLDownPolicy = "extend-cache" config.ACLsEnabled = delegate.enabled rconf := &ACLResolverConfig{ - Config: config, + Config: ACLResolverSettings{ + ACLsEnabled: config.ACLsEnabled, + Datacenter: config.Datacenter, + NodeName: config.NodeName, + ACLPolicyTTL: config.ACLPolicyTTL, + ACLTokenTTL: config.ACLTokenTTL, + ACLRoleTTL: config.ACLRoleTTL, + ACLDisabledTTL: config.ACLDisabledTTL, + ACLDownPolicy: config.ACLDownPolicy, + ACLDefaultPolicy: config.ACLDefaultPolicy, + }, Logger: testutil.Logger(t), CacheConfig: &structs.ACLCachesConfig{ Identities: 4, diff --git a/agent/consul/client.go b/agent/consul/client.go index d09dd34c7..b96691918 100644 --- a/agent/consul/client.go +++ b/agent/consul/client.go @@ -10,6 +10,10 @@ import ( "github.com/armon/go-metrics" "github.com/armon/go-metrics/prometheus" + "github.com/hashicorp/go-hclog" + "github.com/hashicorp/serf/serf" + "golang.org/x/time/rate" + "github.com/hashicorp/consul/agent/pool" "github.com/hashicorp/consul/agent/router" "github.com/hashicorp/consul/agent/structs" @@ -17,9 +21,6 @@ import ( "github.com/hashicorp/consul/logging" "github.com/hashicorp/consul/tlsutil" "github.com/hashicorp/consul/types" - "github.com/hashicorp/go-hclog" - "github.com/hashicorp/serf/serf" - "golang.org/x/time/rate" ) var ClientCounters = []prometheus.CounterDefinition{ @@ -122,7 +123,17 @@ func NewClient(config *Config, deps Deps) (*Client, error) { c.useNewACLs = 0 aclConfig := ACLResolverConfig{ - Config: config, + Config: ACLResolverSettings{ + ACLsEnabled: config.ACLsEnabled, + Datacenter: config.Datacenter, + NodeName: config.NodeName, + ACLPolicyTTL: config.ACLPolicyTTL, + ACLTokenTTL: config.ACLTokenTTL, + ACLRoleTTL: config.ACLRoleTTL, + ACLDisabledTTL: config.ACLDisabledTTL, + ACLDownPolicy: config.ACLDownPolicy, + ACLDefaultPolicy: config.ACLDefaultPolicy, + }, Delegate: c, Logger: c.logger, AutoDisable: true, diff --git a/agent/consul/server.go b/agent/consul/server.go index 4cab854e0..f9885348d 100644 --- a/agent/consul/server.go +++ b/agent/consul/server.go @@ -426,7 +426,17 @@ func NewServer(config *Config, flat Deps) (*Server, error) { s.aclConfig = newACLConfig(logger) s.useNewACLs = 0 aclConfig := ACLResolverConfig{ - Config: config, + Config: ACLResolverSettings{ + ACLsEnabled: config.ACLsEnabled, + Datacenter: config.Datacenter, + NodeName: config.NodeName, + ACLPolicyTTL: config.ACLPolicyTTL, + ACLTokenTTL: config.ACLTokenTTL, + ACLRoleTTL: config.ACLRoleTTL, + ACLDisabledTTL: config.ACLDisabledTTL, + ACLDownPolicy: config.ACLDownPolicy, + ACLDefaultPolicy: config.ACLDefaultPolicy, + }, Delegate: s, CacheConfig: serverACLCacheConfig, AutoDisable: false, From 75baa22e6427ddc4ebc839cd1087b5f9b3550c3d Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Fri, 6 Aug 2021 18:39:39 -0400 Subject: [PATCH 2/4] acl: remove ACLResolver config fields from consul.Config --- agent/agent.go | 16 +--- agent/consul/acl.go | 1 - agent/consul/acl_endpoint.go | 4 +- agent/consul/acl_test.go | 20 ++--- agent/consul/auto_config_endpoint.go | 12 +-- agent/consul/auto_config_endpoint_test.go | 40 +++++----- agent/consul/catalog_endpoint_test.go | 16 ++-- agent/consul/client.go | 12 +-- agent/consul/config.go | 80 +++++++------------ agent/consul/config_endpoint_test.go | 12 +-- agent/consul/connect_ca_endpoint_test.go | 4 +- agent/consul/coordinate_endpoint_test.go | 6 +- agent/consul/discovery_chain_endpoint_test.go | 2 +- .../consul/federation_state_endpoint_test.go | 10 +-- agent/consul/health_endpoint_test.go | 4 +- agent/consul/intention_endpoint_test.go | 18 ++--- agent/consul/internal_endpoint_test.go | 12 +-- agent/consul/kvs_endpoint_test.go | 10 +-- agent/consul/leader_connect_test.go | 4 +- .../consul/leader_federation_state_ae_test.go | 4 +- agent/consul/leader_intentions_test.go | 4 +- agent/consul/leader_test.go | 26 +++--- .../operator_autopilot_endpoint_test.go | 4 +- agent/consul/operator_raft_endpoint_test.go | 6 +- agent/consul/prepared_query_endpoint_test.go | 18 ++--- agent/consul/rpc_test.go | 4 +- agent/consul/server.go | 12 +-- agent/consul/server_test.go | 2 +- agent/consul/session_endpoint_test.go | 6 +- agent/consul/snapshot_endpoint_test.go | 2 +- agent/consul/txn_endpoint_test.go | 4 +- 31 files changed, 155 insertions(+), 220 deletions(-) diff --git a/agent/agent.go b/agent/agent.go index 7c582c20f..53888ec78 100644 --- a/agent/agent.go +++ b/agent/agent.go @@ -1115,21 +1115,7 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co if runtimeCfg.ACLMasterToken != "" { cfg.ACLMasterToken = runtimeCfg.ACLMasterToken } - if runtimeCfg.ACLTokenTTL != 0 { - cfg.ACLTokenTTL = runtimeCfg.ACLTokenTTL - } - if runtimeCfg.ACLPolicyTTL != 0 { - cfg.ACLPolicyTTL = runtimeCfg.ACLPolicyTTL - } - if runtimeCfg.ACLRoleTTL != 0 { - cfg.ACLRoleTTL = runtimeCfg.ACLRoleTTL - } - if runtimeCfg.ACLDefaultPolicy != "" { - cfg.ACLDefaultPolicy = runtimeCfg.ACLDefaultPolicy - } - if runtimeCfg.ACLDownPolicy != "" { - cfg.ACLDownPolicy = runtimeCfg.ACLDownPolicy - } + // TODO: cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings cfg.ACLTokenReplication = runtimeCfg.ACLTokenReplication cfg.ACLsEnabled = runtimeCfg.ACLsEnabled if runtimeCfg.ACLEnableKeyListPolicy { diff --git a/agent/consul/acl.go b/agent/consul/acl.go index 49fdde84d..87302bb68 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go @@ -212,7 +212,6 @@ type ACLResolverConfig struct { Tokens *token.Store } -// TODO: remove these fields from consul.Config and config.RuntimeConfig // TODO: rename the fields to remove the ACL prefix type ACLResolverSettings struct { ACLsEnabled bool diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go index ca17ce170..c6939b146 100644 --- a/agent/consul/acl_endpoint.go +++ b/agent/consul/acl_endpoint.go @@ -1390,7 +1390,7 @@ func (a *ACL) GetPolicy(args *structs.ACLPolicyResolveLegacyRequest, reply *stru } // Get the policy via the cache - parent := a.srv.config.ACLDefaultPolicy + parent := a.srv.config.ACLResolverSettings.ACLDefaultPolicy ident, policy, err := a.srv.acls.GetMergedPolicyForToken(args.ACL) if err != nil { @@ -1409,7 +1409,7 @@ func (a *ACL) GetPolicy(args *structs.ACLPolicyResolveLegacyRequest, reply *stru // Setup the response reply.ETag = etag - reply.TTL = a.srv.config.ACLTokenTTL + reply.TTL = a.srv.config.ACLResolverSettings.ACLTokenTTL a.srv.setQueryMeta(&reply.QueryMeta) // Only send the policy on an Etag mis-match diff --git a/agent/consul/acl_test.go b/agent/consul/acl_test.go index 804e775f6..d6861fec1 100644 --- a/agent/consul/acl_test.go +++ b/agent/consul/acl_test.go @@ -718,21 +718,11 @@ func (d *ACLResolverTestDelegate) RPC(method string, args interface{}, reply int func newTestACLResolver(t *testing.T, delegate *ACLResolverTestDelegate, cb func(*ACLResolverConfig)) *ACLResolver { config := DefaultConfig() - config.ACLDefaultPolicy = "deny" - config.ACLDownPolicy = "extend-cache" - config.ACLsEnabled = delegate.enabled + config.ACLResolverSettings.ACLDefaultPolicy = "deny" + config.ACLResolverSettings.ACLDownPolicy = "extend-cache" + config.ACLResolverSettings.ACLsEnabled = delegate.enabled rconf := &ACLResolverConfig{ - Config: ACLResolverSettings{ - ACLsEnabled: config.ACLsEnabled, - Datacenter: config.Datacenter, - NodeName: config.NodeName, - ACLPolicyTTL: config.ACLPolicyTTL, - ACLTokenTTL: config.ACLTokenTTL, - ACLRoleTTL: config.ACLRoleTTL, - ACLDisabledTTL: config.ACLDisabledTTL, - ACLDownPolicy: config.ACLDownPolicy, - ACLDefaultPolicy: config.ACLDefaultPolicy, - }, + Config: config.ACLResolverSettings, Logger: testutil.Logger(t), CacheConfig: &structs.ACLCachesConfig{ Identities: 4, @@ -2215,7 +2205,7 @@ func TestACL_Replication(t *testing.T) { dir2, s2 := testServerWithConfig(t, func(c *Config) { c.Datacenter = "dc2" c.PrimaryDatacenter = "dc1" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLDownPolicy = aclDownPolicy c.ACLTokenReplication = true c.ACLReplicationRate = 100 diff --git a/agent/consul/auto_config_endpoint.go b/agent/consul/auto_config_endpoint.go index 82c13acbc..82b59c869 100644 --- a/agent/consul/auto_config_endpoint.go +++ b/agent/consul/auto_config_endpoint.go @@ -188,12 +188,12 @@ func (ac *AutoConfig) updateTLSCertificatesInConfig(opts AutoConfigOptions, resp func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautoconf.AutoConfigResponse) error { acl := &pbconfig.ACL{ Enabled: ac.config.ACLsEnabled, - PolicyTTL: ac.config.ACLPolicyTTL.String(), - RoleTTL: ac.config.ACLRoleTTL.String(), - TokenTTL: ac.config.ACLTokenTTL.String(), - DisabledTTL: ac.config.ACLDisabledTTL.String(), - DownPolicy: ac.config.ACLDownPolicy, - DefaultPolicy: ac.config.ACLDefaultPolicy, + PolicyTTL: ac.config.ACLResolverSettings.ACLPolicyTTL.String(), + RoleTTL: ac.config.ACLResolverSettings.ACLRoleTTL.String(), + TokenTTL: ac.config.ACLResolverSettings.ACLTokenTTL.String(), + DisabledTTL: ac.config.ACLResolverSettings.ACLDisabledTTL.String(), + DownPolicy: ac.config.ACLResolverSettings.ACLDownPolicy, + DefaultPolicy: ac.config.ACLResolverSettings.ACLDefaultPolicy, EnableKeyListPolicy: ac.config.ACLEnableKeyListPolicy, } diff --git a/agent/consul/auto_config_endpoint_test.go b/agent/consul/auto_config_endpoint_test.go index 929bd9146..58335a65c 100644 --- a/agent/consul/auto_config_endpoint_test.go +++ b/agent/consul/auto_config_endpoint_test.go @@ -716,15 +716,17 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) { cases := map[string]testCase{ "enabled": { config: Config{ - Datacenter: testDC, - PrimaryDatacenter: testDC, - ACLsEnabled: true, - ACLPolicyTTL: 7 * time.Second, - ACLRoleTTL: 10 * time.Second, - ACLTokenTTL: 12 * time.Second, - ACLDisabledTTL: 31 * time.Second, - ACLDefaultPolicy: "allow", - ACLDownPolicy: "deny", + Datacenter: testDC, + PrimaryDatacenter: testDC, + ACLsEnabled: true, + ACLResolverSettings: ACLResolverSettings{ + ACLPolicyTTL: 7 * time.Second, + ACLRoleTTL: 10 * time.Second, + ACLTokenTTL: 12 * time.Second, + ACLDisabledTTL: 31 * time.Second, + ACLDefaultPolicy: "allow", + ACLDownPolicy: "deny", + }, ACLEnableKeyListPolicy: true, }, expectACLToken: true, @@ -748,15 +750,17 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) { }, "disabled": { config: Config{ - Datacenter: testDC, - PrimaryDatacenter: testDC, - ACLsEnabled: false, - ACLPolicyTTL: 7 * time.Second, - ACLRoleTTL: 10 * time.Second, - ACLTokenTTL: 12 * time.Second, - ACLDisabledTTL: 31 * time.Second, - ACLDefaultPolicy: "allow", - ACLDownPolicy: "deny", + Datacenter: testDC, + PrimaryDatacenter: testDC, + ACLsEnabled: false, + ACLResolverSettings: ACLResolverSettings{ + ACLPolicyTTL: 7 * time.Second, + ACLRoleTTL: 10 * time.Second, + ACLTokenTTL: 12 * time.Second, + ACLDisabledTTL: 31 * time.Second, + ACLDefaultPolicy: "allow", + ACLDownPolicy: "deny", + }, ACLEnableKeyListPolicy: true, }, expectACLToken: false, diff --git a/agent/consul/catalog_endpoint_test.go b/agent/consul/catalog_endpoint_test.go index b160c8dcb..5b0ea4542 100644 --- a/agent/consul/catalog_endpoint_test.go +++ b/agent/consul/catalog_endpoint_test.go @@ -183,7 +183,7 @@ func TestCatalog_Register_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -429,7 +429,7 @@ func TestCatalog_Register_ConnectProxy_ACLDestinationServiceName(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -558,7 +558,7 @@ func TestCatalog_Deregister_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1298,7 +1298,7 @@ func TestCatalog_ListNodes_ACLFilter(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -2416,7 +2416,7 @@ func TestCatalog_ListServiceNodes_ConnectProxy_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -2711,7 +2711,7 @@ func testACLFilterServer(t *testing.T) (dir, token string, srv *Server, codec rp c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) codec = rpcClient(t, srv) @@ -2874,7 +2874,7 @@ func TestCatalog_NodeServices_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -3287,7 +3287,7 @@ func TestCatalog_GatewayServices_ACLFiltering(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/client.go b/agent/consul/client.go index b96691918..c7e8d94c7 100644 --- a/agent/consul/client.go +++ b/agent/consul/client.go @@ -123,17 +123,7 @@ func NewClient(config *Config, deps Deps) (*Client, error) { c.useNewACLs = 0 aclConfig := ACLResolverConfig{ - Config: ACLResolverSettings{ - ACLsEnabled: config.ACLsEnabled, - Datacenter: config.Datacenter, - NodeName: config.NodeName, - ACLPolicyTTL: config.ACLPolicyTTL, - ACLTokenTTL: config.ACLTokenTTL, - ACLRoleTTL: config.ACLRoleTTL, - ACLDisabledTTL: config.ACLDisabledTTL, - ACLDownPolicy: config.ACLDownPolicy, - ACLDefaultPolicy: config.ACLDefaultPolicy, - }, + Config: config.ACLResolverSettings, Delegate: c, Logger: c.logger, AutoDisable: true, diff --git a/agent/consul/config.go b/agent/consul/config.go index d31dcc478..eebf48559 100644 --- a/agent/consul/config.go +++ b/agent/consul/config.go @@ -175,6 +175,8 @@ type Config struct { // operators track which versions are actively deployed Build string + ACLResolverSettings ACLResolverSettings + // ACLEnabled is used to enable ACLs ACLsEnabled bool @@ -183,25 +185,6 @@ type Config struct { // that the Master token is available. This provides the initial token. ACLMasterToken string - // ACLTokenTTL controls the time-to-live of cached ACL tokens. - // It can be set to zero to disable caching, but this adds - // a substantial cost. - ACLTokenTTL time.Duration - - // ACLPolicyTTL controls the time-to-live of cached ACL policies. - // It can be set to zero to disable caching, but this adds - // a substantial cost. - ACLPolicyTTL time.Duration - - // ACLRoleTTL controls the time-to-live of cached ACL roles. - // It can be set to zero to disable caching, but this adds - // a substantial cost. - ACLRoleTTL time.Duration - - // ACLDisabledTTL is the time between checking if ACLs should be - // enabled. This - ACLDisabledTTL time.Duration - // ACLTokenReplication is used to enabled token replication. // // By default policy-only replication is enabled. When token @@ -209,20 +192,6 @@ type Config struct { // yet upgraded to the new ACLs no replication will be performed ACLTokenReplication bool - // ACLDefaultPolicy is used to control the ACL interaction when - // there is no defined policy. This can be "allow" which means - // ACLs are used to deny-list, or "deny" which means ACLs are - // allow-lists. - ACLDefaultPolicy string - - // ACLDownPolicy controls the behavior of ACLs if the PrimaryDatacenter - // cannot be contacted. It can be either "deny" to deny all requests, - // "extend-cache" or "async-cache" which ignores the ACLCacheInterval and - // uses cached policies. - // If a policy is not in the cache, it acts like deny. - // "allow" can be used to allow all requests. This is not recommended. - ACLDownPolicy string - // ACLReplicationRate is the max number of replication rounds that can // be run per second. Note that either 1 or 2 RPCs are used during each replication // round @@ -438,19 +407,20 @@ func (c *Config) CheckProtocolVersion() error { } // CheckACL validates the ACL configuration. +// TODO: move this to ACLResolverSettings func (c *Config) CheckACL() error { - switch c.ACLDefaultPolicy { + switch c.ACLResolverSettings.ACLDefaultPolicy { case "allow": case "deny": default: - return fmt.Errorf("Unsupported default ACL policy: %s", c.ACLDefaultPolicy) + return fmt.Errorf("Unsupported default ACL policy: %s", c.ACLResolverSettings.ACLDefaultPolicy) } - switch c.ACLDownPolicy { + switch c.ACLResolverSettings.ACLDownPolicy { case "allow": case "deny": case "async-cache", "extend-cache": default: - return fmt.Errorf("Unsupported down ACL policy: %s", c.ACLDownPolicy) + return fmt.Errorf("Unsupported down ACL policy: %s", c.ACLResolverSettings.ACLDownPolicy) } return nil } @@ -463,21 +433,27 @@ func DefaultConfig() *Config { } conf := &Config{ - Build: version.Version, - Datacenter: DefaultDC, - NodeName: hostname, - RPCAddr: DefaultRPCAddr, - RaftConfig: raft.DefaultConfig(), - SerfLANConfig: libserf.DefaultConfig(), - SerfWANConfig: libserf.DefaultConfig(), - SerfFloodInterval: 60 * time.Second, - ReconcileInterval: 60 * time.Second, - ProtocolVersion: ProtocolVersion2Compatible, - ACLRoleTTL: 30 * time.Second, - ACLPolicyTTL: 30 * time.Second, - ACLTokenTTL: 30 * time.Second, - ACLDefaultPolicy: "allow", - ACLDownPolicy: "extend-cache", + Build: version.Version, + Datacenter: DefaultDC, + NodeName: hostname, + RPCAddr: DefaultRPCAddr, + RaftConfig: raft.DefaultConfig(), + SerfLANConfig: libserf.DefaultConfig(), + SerfWANConfig: libserf.DefaultConfig(), + SerfFloodInterval: 60 * time.Second, + ReconcileInterval: 60 * time.Second, + ProtocolVersion: ProtocolVersion2Compatible, + ACLResolverSettings: ACLResolverSettings{ + ACLsEnabled: false, + Datacenter: DefaultDC, + NodeName: hostname, + ACLPolicyTTL: 30 * time.Second, + ACLTokenTTL: 30 * time.Second, + ACLRoleTTL: 30 * time.Second, + ACLDisabledTTL: 30 * time.Second, + ACLDownPolicy: "extend-cache", + ACLDefaultPolicy: "allow", + }, ACLReplicationRate: 1, ACLReplicationBurst: 5, ACLReplicationApplyLimit: 100, // ops / sec diff --git a/agent/consul/config_endpoint_test.go b/agent/consul/config_endpoint_test.go index da4510786..7eba5ad15 100644 --- a/agent/consul/config_endpoint_test.go +++ b/agent/consul/config_endpoint_test.go @@ -155,7 +155,7 @@ func TestConfigEntry_Apply_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -284,7 +284,7 @@ func TestConfigEntry_Get_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -497,7 +497,7 @@ func TestConfigEntry_List_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -582,7 +582,7 @@ func TestConfigEntry_ListAll_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -741,7 +741,7 @@ func TestConfigEntry_Delete_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1963,7 +1963,7 @@ func TestConfigEntry_ResolveServiceConfig_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/connect_ca_endpoint_test.go b/agent/consul/connect_ca_endpoint_test.go index 448286094..45341fd55 100644 --- a/agent/consul/connect_ca_endpoint_test.go +++ b/agent/consul/connect_ca_endpoint_test.go @@ -164,7 +164,7 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = TestDefaultMasterToken - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1109,7 +1109,7 @@ func TestConnectCASignValidation(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/coordinate_endpoint_test.go b/agent/consul/coordinate_endpoint_test.go index 5d9d183e7..5741450f7 100644 --- a/agent/consul/coordinate_endpoint_test.go +++ b/agent/consul/coordinate_endpoint_test.go @@ -197,7 +197,7 @@ func TestCoordinate_Update_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -373,7 +373,7 @@ func TestCoordinate_ListNodes_ACLFilter(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -565,7 +565,7 @@ func TestCoordinate_Node_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/discovery_chain_endpoint_test.go b/agent/consul/discovery_chain_endpoint_test.go index 294a78721..16e3fb562 100644 --- a/agent/consul/discovery_chain_endpoint_test.go +++ b/agent/consul/discovery_chain_endpoint_test.go @@ -27,7 +27,7 @@ func TestDiscoveryChainEndpoint_Get(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/federation_state_endpoint_test.go b/agent/consul/federation_state_endpoint_test.go index b48f42b21..9bee48f6a 100644 --- a/agent/consul/federation_state_endpoint_test.go +++ b/agent/consul/federation_state_endpoint_test.go @@ -117,7 +117,7 @@ func TestFederationState_Apply_Upsert_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -238,7 +238,7 @@ func TestFederationState_Get_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -410,7 +410,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -426,7 +426,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir2) defer s2.Shutdown() @@ -686,7 +686,7 @@ func TestFederationState_Apply_Delete_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/health_endpoint_test.go b/agent/consul/health_endpoint_test.go index 54b8ff86c..bc34c2c6d 100644 --- a/agent/consul/health_endpoint_test.go +++ b/agent/consul/health_endpoint_test.go @@ -984,7 +984,7 @@ func TestHealth_ServiceNodes_ConnectProxy_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1298,7 +1298,7 @@ func TestHealth_ServiceNodes_Ingress_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/intention_endpoint_test.go b/agent/consul/intention_endpoint_test.go index bef7bedd4..4857bc09d 100644 --- a/agent/consul/intention_endpoint_test.go +++ b/agent/consul/intention_endpoint_test.go @@ -863,7 +863,7 @@ func TestIntentionApply_aclDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1268,7 +1268,7 @@ func TestIntentionApply_aclDelete(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1349,7 +1349,7 @@ func TestIntentionApply_aclUpdate(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1418,7 +1418,7 @@ func TestIntentionApply_aclManagement(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1463,7 +1463,7 @@ func TestIntentionApply_aclUpdateChange(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1528,7 +1528,7 @@ func TestIntentionGet_acl(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1932,7 +1932,7 @@ func TestIntentionCheck_defaultACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1968,7 +1968,7 @@ func TestIntentionCheck_defaultACLAllow(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -2004,7 +2004,7 @@ func TestIntentionCheck_aclDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/internal_endpoint_test.go b/agent/consul/internal_endpoint_test.go index e03fb6b95..a4d64d256 100644 --- a/agent/consul/internal_endpoint_test.go +++ b/agent/consul/internal_endpoint_test.go @@ -563,8 +563,8 @@ func TestInternal_EventFire_Token(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDownPolicy = "deny" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDownPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir) defer srv.Shutdown() @@ -962,7 +962,7 @@ func TestInternal_GatewayServiceDump_Terminating_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1305,7 +1305,7 @@ func TestInternal_GatewayServiceDump_Ingress_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1908,7 +1908,7 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = TestDefaultMasterToken - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -2045,7 +2045,7 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = TestDefaultMasterToken - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/kvs_endpoint_test.go b/agent/consul/kvs_endpoint_test.go index 7e62aa8ea..398e9e305 100644 --- a/agent/consul/kvs_endpoint_test.go +++ b/agent/consul/kvs_endpoint_test.go @@ -85,7 +85,7 @@ func TestKVS_Apply_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -205,7 +205,7 @@ func TestKVS_Get_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -426,7 +426,7 @@ func TestKVSEndpoint_List_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -516,7 +516,7 @@ func TestKVSEndpoint_List_ACLEnableKeyListPolicy(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLEnableKeyListPolicy = true }) defer os.RemoveAll(dir1) @@ -719,7 +719,7 @@ func TestKVSEndpoint_ListKeys_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/leader_connect_test.go b/agent/consul/leader_connect_test.go index 038f2f0ff..fe32e4ed1 100644 --- a/agent/consul/leader_connect_test.go +++ b/agent/consul/leader_connect_test.go @@ -205,7 +205,7 @@ func TestLeader_SecondaryCA_Initialize(t *testing.T) { c.Build = "1.6.0" c.ACLsEnabled = true c.ACLMasterToken = masterToken - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.CAConfig.Config["PrivateKeyType"] = tc.keyType c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits c.CAConfig.Config["test_state"] = dc1State @@ -223,7 +223,7 @@ func TestLeader_SecondaryCA_Initialize(t *testing.T) { c.PrimaryDatacenter = "primary" c.Build = "1.6.0" c.ACLsEnabled = true - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLTokenReplication = true c.CAConfig.Config["PrivateKeyType"] = tc.keyType c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits diff --git a/agent/consul/leader_federation_state_ae_test.go b/agent/consul/leader_federation_state_ae_test.go index f2c483b4f..897133496 100644 --- a/agent/consul/leader_federation_state_ae_test.go +++ b/agent/consul/leader_federation_state_ae_test.go @@ -360,7 +360,7 @@ func TestLeader_FederationStateAntiEntropyPruning_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -374,7 +374,7 @@ func TestLeader_FederationStateAntiEntropyPruning_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) testrpc.WaitForLeader(t, s2.RPC, "dc2") defer os.RemoveAll(dir2) diff --git a/agent/consul/leader_intentions_test.go b/agent/consul/leader_intentions_test.go index 0294d0094..79f1d771e 100644 --- a/agent/consul/leader_intentions_test.go +++ b/agent/consul/leader_intentions_test.go @@ -30,7 +30,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.Build = "1.6.0" c.OverrideInitialSerfTags = func(tags map[string]string) { tags["ft_si"] = "0" @@ -64,7 +64,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) { c.Datacenter = "dc2" c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLTokenReplication = false c.Build = "1.6.0" c.OverrideInitialSerfTags = func(tags map[string]string) { diff --git a/agent/consul/leader_test.go b/agent/consul/leader_test.go index 8527ea9e9..7463b794d 100644 --- a/agent/consul/leader_test.go +++ b/agent/consul/leader_test.go @@ -32,7 +32,7 @@ func TestLeader_RegisterMember(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -109,7 +109,7 @@ func TestLeader_FailedMember(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -175,7 +175,7 @@ func TestLeader_LeftMember(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -227,7 +227,7 @@ func TestLeader_ReapMember(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -294,7 +294,7 @@ func TestLeader_CheckServersMeta(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" c.Bootstrap = true }) defer os.RemoveAll(dir1) @@ -304,7 +304,7 @@ func TestLeader_CheckServersMeta(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" c.Bootstrap = false }) defer os.RemoveAll(dir2) @@ -314,7 +314,7 @@ func TestLeader_CheckServersMeta(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" c.Bootstrap = false }) defer os.RemoveAll(dir3) @@ -402,7 +402,7 @@ func TestLeader_ReapServer(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" c.Bootstrap = true }) defer os.RemoveAll(dir1) @@ -412,7 +412,7 @@ func TestLeader_ReapServer(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" c.Bootstrap = false }) defer os.RemoveAll(dir2) @@ -422,7 +422,7 @@ func TestLeader_ReapServer(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" c.Bootstrap = false }) defer os.RemoveAll(dir3) @@ -483,7 +483,7 @@ func TestLeader_Reconcile_ReapMember(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -537,7 +537,7 @@ func TestLeader_Reconcile(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -892,7 +892,7 @@ func TestLeader_ReapTombstones(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.TombstoneTTL = 50 * time.Millisecond c.TombstoneTTLGranularity = 10 * time.Millisecond }) diff --git a/agent/consul/operator_autopilot_endpoint_test.go b/agent/consul/operator_autopilot_endpoint_test.go index 62a3a3926..5b8b7b2cd 100644 --- a/agent/consul/operator_autopilot_endpoint_test.go +++ b/agent/consul/operator_autopilot_endpoint_test.go @@ -55,7 +55,7 @@ func TestOperator_Autopilot_GetConfiguration_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.AutopilotConfig.CleanupDeadServers = false }) defer os.RemoveAll(dir1) @@ -159,7 +159,7 @@ func TestOperator_Autopilot_SetConfiguration_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.AutopilotConfig.CleanupDeadServers = false }) defer os.RemoveAll(dir1) diff --git a/agent/consul/operator_raft_endpoint_test.go b/agent/consul/operator_raft_endpoint_test.go index 53a7752e3..252bd14ba 100644 --- a/agent/consul/operator_raft_endpoint_test.go +++ b/agent/consul/operator_raft_endpoint_test.go @@ -73,7 +73,7 @@ func TestOperator_RaftGetConfiguration_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -221,7 +221,7 @@ func TestOperator_RaftRemovePeerByAddress_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -350,7 +350,7 @@ func TestOperator_RaftRemovePeerByID_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.RaftConfig.ProtocolVersion = 3 }) defer os.RemoveAll(dir1) diff --git a/agent/consul/prepared_query_endpoint_test.go b/agent/consul/prepared_query_endpoint_test.go index 6ebf05a5c..64ee6a227 100644 --- a/agent/consul/prepared_query_endpoint_test.go +++ b/agent/consul/prepared_query_endpoint_test.go @@ -201,7 +201,7 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -647,7 +647,7 @@ func TestPreparedQuery_ACLDeny_Catchall_Template(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -866,7 +866,7 @@ func TestPreparedQuery_Get(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1124,7 +1124,7 @@ func TestPreparedQuery_List(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1337,7 +1337,7 @@ func TestPreparedQuery_Explain(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1478,7 +1478,7 @@ func TestPreparedQuery_Execute(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1490,7 +1490,7 @@ func TestPreparedQuery_Execute(t *testing.T) { c.Datacenter = "dc2" c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir2) defer s2.Shutdown() @@ -2784,7 +2784,7 @@ func TestPreparedQuery_Wrapper(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -2794,7 +2794,7 @@ func TestPreparedQuery_Wrapper(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir2) defer s2.Shutdown() diff --git a/agent/consul/rpc_test.go b/agent/consul/rpc_test.go index 25ac96076..99d174b1d 100644 --- a/agent/consul/rpc_test.go +++ b/agent/consul/rpc_test.go @@ -829,7 +829,7 @@ func TestRPC_LocalTokenStrippedOnForward(t *testing.T) { dir1, s1 := testServerWithConfig(t, func(c *Config) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLMasterToken = "root" }) defer os.RemoveAll(dir1) @@ -842,7 +842,7 @@ func TestRPC_LocalTokenStrippedOnForward(t *testing.T) { c.Datacenter = "dc2" c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLTokenReplication = true c.ACLReplicationRate = 100 c.ACLReplicationBurst = 100 diff --git a/agent/consul/server.go b/agent/consul/server.go index f9885348d..97e092a1b 100644 --- a/agent/consul/server.go +++ b/agent/consul/server.go @@ -426,17 +426,7 @@ func NewServer(config *Config, flat Deps) (*Server, error) { s.aclConfig = newACLConfig(logger) s.useNewACLs = 0 aclConfig := ACLResolverConfig{ - Config: ACLResolverSettings{ - ACLsEnabled: config.ACLsEnabled, - Datacenter: config.Datacenter, - NodeName: config.NodeName, - ACLPolicyTTL: config.ACLPolicyTTL, - ACLTokenTTL: config.ACLTokenTTL, - ACLRoleTTL: config.ACLRoleTTL, - ACLDisabledTTL: config.ACLDisabledTTL, - ACLDownPolicy: config.ACLDownPolicy, - ACLDefaultPolicy: config.ACLDefaultPolicy, - }, + Config: config.ACLResolverSettings, Delegate: s, CacheConfig: serverACLCacheConfig, AutoDisable: false, diff --git a/agent/consul/server_test.go b/agent/consul/server_test.go index 0dd19156c..ce57c44dc 100644 --- a/agent/consul/server_test.go +++ b/agent/consul/server_test.go @@ -77,7 +77,7 @@ func testServerACLConfig(cb func(*Config)) func(*Config) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = TestDefaultMasterToken - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" if cb != nil { cb(c) diff --git a/agent/consul/session_endpoint_test.go b/agent/consul/session_endpoint_test.go index a3476cd1f..8615f8715 100644 --- a/agent/consul/session_endpoint_test.go +++ b/agent/consul/session_endpoint_test.go @@ -157,7 +157,7 @@ func TestSession_Apply_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -395,7 +395,7 @@ func TestSession_Get_List_NodeSessions_ACLFilter(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -754,7 +754,7 @@ func TestSession_Renew_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/snapshot_endpoint_test.go b/agent/consul/snapshot_endpoint_test.go index a1fa1efb8..44f0dda43 100644 --- a/agent/consul/snapshot_endpoint_test.go +++ b/agent/consul/snapshot_endpoint_test.go @@ -272,7 +272,7 @@ func TestSnapshot_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/txn_endpoint_test.go b/agent/consul/txn_endpoint_test.go index a23cdf192..53f9b36de 100644 --- a/agent/consul/txn_endpoint_test.go +++ b/agent/consul/txn_endpoint_test.go @@ -322,7 +322,7 @@ func TestTxn_Apply_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -857,7 +857,7 @@ func TestTxn_Read_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() From 0d69b49f41c25d6a9e595cf2f28f60447b34bc4f Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Fri, 6 Aug 2021 18:59:05 -0400 Subject: [PATCH 3/4] config: remove ACLResolver settings from RuntimeConfig --- agent/agent.go | 6 +-- agent/config/builder.go | 23 +++++---- agent/config/runtime.go | 48 +------------------ agent/config/runtime_test.go | 25 ++++++---- .../TestRuntimeConfig_Sanitize.golden | 17 ++++--- agent/consul/acl.go | 45 +++++++++++++---- agent/http.go | 2 +- agent/uiserver/uiserver_test.go | 2 +- 8 files changed, 85 insertions(+), 83 deletions(-) diff --git a/agent/agent.go b/agent/agent.go index 53888ec78..b54af8b55 100644 --- a/agent/agent.go +++ b/agent/agent.go @@ -542,13 +542,13 @@ func (a *Agent) Start(ctx context.Context) error { } var intentionDefaultAllow bool - switch a.config.ACLDefaultPolicy { + switch a.config.ACLResolverSettings.ACLDefaultPolicy { case "allow": intentionDefaultAllow = true case "deny": intentionDefaultAllow = false default: - return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLDefaultPolicy) + return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLResolverSettings.ACLDefaultPolicy) } go a.baseDeps.ViewStore.Run(&lib.StopChannelContext{StopCh: a.shutdownCh}) @@ -1023,6 +1023,7 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co cfg.PrimaryDatacenter = runtimeCfg.PrimaryDatacenter cfg.DataDir = runtimeCfg.DataDir cfg.NodeName = runtimeCfg.NodeName + cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings cfg.CoordinateUpdateBatchSize = runtimeCfg.ConsulCoordinateUpdateBatchSize cfg.CoordinateUpdateMaxBatches = runtimeCfg.ConsulCoordinateUpdateMaxBatches @@ -1115,7 +1116,6 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co if runtimeCfg.ACLMasterToken != "" { cfg.ACLMasterToken = runtimeCfg.ACLMasterToken } - // TODO: cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings cfg.ACLTokenReplication = runtimeCfg.ACLTokenReplication cfg.ACLsEnabled = runtimeCfg.ACLsEnabled if runtimeCfg.ACLEnableKeyListPolicy { diff --git a/agent/config/builder.go b/agent/config/builder.go index fc4c39c87..ed695276e 100644 --- a/agent/config/builder.go +++ b/agent/config/builder.go @@ -830,7 +830,6 @@ func (b *builder) build() (rt RuntimeConfig, err error) { dataDir := stringVal(c.DataDir) rt = RuntimeConfig{ // non-user configurable values - ACLDisabledTTL: b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL), AEInterval: b.durationVal("ae_interval", c.AEInterval), CheckDeregisterIntervalMin: b.durationVal("check_deregister_interval_min", c.CheckDeregisterIntervalMin), CheckReapInterval: b.durationVal("check_reap_interval", c.CheckReapInterval), @@ -866,15 +865,23 @@ func (b *builder) build() (rt RuntimeConfig, err error) { GossipWANRetransmitMult: intVal(c.GossipWAN.RetransmitMult), // ACL - ACLsEnabled: aclsEnabled, - ACLDefaultPolicy: stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)), - ACLDownPolicy: stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)), + ACLsEnabled: aclsEnabled, + ACLResolverSettings: consul.ACLResolverSettings{ + ACLsEnabled: aclsEnabled, + Datacenter: datacenter, + NodeName: b.nodeName(c.NodeName), + ACLPolicyTTL: b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL), + ACLTokenTTL: b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)), + ACLRoleTTL: b.durationVal("acl.role_ttl", c.ACL.RoleTTL), + ACLDisabledTTL: b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL), + ACLDownPolicy: stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)), + ACLDefaultPolicy: stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)), + }, + ACLEnableKeyListPolicy: boolValWithDefault(c.ACL.EnableKeyListPolicy, boolVal(c.ACLEnableKeyListPolicy)), ACLMasterToken: stringValWithDefault(c.ACL.Tokens.Master, stringVal(c.ACLMasterToken)), - ACLTokenTTL: b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)), - ACLPolicyTTL: b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL), - ACLRoleTTL: b.durationVal("acl.role_ttl", c.ACL.RoleTTL), - ACLTokenReplication: boolValWithDefault(c.ACL.TokenReplication, boolValWithDefault(c.EnableACLReplication, enableTokenReplication)), + + ACLTokenReplication: boolValWithDefault(c.ACL.TokenReplication, boolValWithDefault(c.EnableACLReplication, enableTokenReplication)), ACLTokens: token.Config{ DataDir: dataDir, diff --git a/agent/config/runtime.go b/agent/config/runtime.go index 438cb2265..1e9ebf1e7 100644 --- a/agent/config/runtime.go +++ b/agent/config/runtime.go @@ -55,13 +55,6 @@ type RuntimeConfig struct { ConsulRaftLeaderLeaseTimeout time.Duration ConsulServerHealthInterval time.Duration - // ACLDisabledTTL is used by agents to determine how long they will - // wait to check again with the servers if they discover ACLs are not - // enabled. (not user configurable) - // - // hcl: acl.disabled_ttl = "duration" - ACLDisabledTTL time.Duration - // ACLsEnabled is used to determine whether ACLs should be enabled // // hcl: acl.enabled = boolean @@ -69,28 +62,7 @@ type RuntimeConfig struct { ACLTokens token.Config - // ACLDefaultPolicy is used to control the ACL interaction when - // there is no defined policy. This can be "allow" which means - // ACLs are used to deny-list, or "deny" which means ACLs are - // allow-lists. - // - // hcl: acl.default_policy = ("allow"|"deny") - ACLDefaultPolicy string - - // ACLDownPolicy is used to control the ACL interaction when we cannot - // reach the PrimaryDatacenter and the token is not in the cache. - // There are the following modes: - // * allow - Allow all requests - // * deny - Deny all requests - // * extend-cache - Ignore the cache expiration, and allow cached - // ACL's to be used to service requests. This - // is the default. If the ACL is not in the cache, - // this acts like deny. - // * async-cache - Same behavior as extend-cache, but perform ACL - // Lookups asynchronously when cache TTL is expired. - // - // hcl: acl.down_policy = ("allow"|"deny"|"extend-cache"|"async-cache") - ACLDownPolicy string + ACLResolverSettings consul.ACLResolverSettings // ACLEnableKeyListPolicy is used to opt-in to the "list" policy added to // KV ACLs in Consul 1.0. @@ -114,24 +86,6 @@ type RuntimeConfig struct { // hcl: acl.token_replication = boolean ACLTokenReplication bool - // ACLTokenTTL is used to control the time-to-live of cached ACL tokens. This has - // a major impact on performance. By default, it is set to 30 seconds. - // - // hcl: acl.policy_ttl = "duration" - ACLTokenTTL time.Duration - - // ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has - // a major impact on performance. By default, it is set to 30 seconds. - // - // hcl: acl.token_ttl = "duration" - ACLPolicyTTL time.Duration - - // ACLRoleTTL is used to control the time-to-live of cached ACL roles. This has - // a major impact on performance. By default, it is set to 30 seconds. - // - // hcl: acl.role_ttl = "duration" - ACLRoleTTL time.Duration - // AutopilotCleanupDeadServers enables the automatic cleanup of dead servers when new ones // are added to the peer list. Defaults to true. // diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 5c012909b..35a39ef27 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -5146,6 +5146,10 @@ func (tc testCase) run(format string, dataDir string) func(t *testing.T) { // case does not need to set this field. require.Equal(t, actual.DataDir, actual.ACLTokens.DataDir) expected.ACLTokens.DataDir = actual.ACLTokens.DataDir + // These fields are always the same + expected.ACLResolverSettings.Datacenter = expected.Datacenter + expected.ACLResolverSettings.ACLsEnabled = expected.ACLsEnabled + expected.ACLResolverSettings.NodeName = expected.NodeName assertDeepEqual(t, expected, actual, cmpopts.EquateEmpty()) } @@ -5187,7 +5191,6 @@ func TestLoad_FullConfig(t *testing.T) { defaultEntMeta := structs.DefaultEnterpriseMetaInDefaultPartition() expected := &RuntimeConfig{ // non-user configurable values - ACLDisabledTTL: 120 * time.Second, AEInterval: time.Minute, CheckDeregisterIntervalMin: time.Minute, CheckReapInterval: 30 * time.Second, @@ -5232,15 +5235,21 @@ func TestLoad_FullConfig(t *testing.T) { ACLReplicationToken: "5795983a", }, - ACLsEnabled: true, - PrimaryDatacenter: "ejtmd43d", - ACLDefaultPolicy: "72c2e7a0", - ACLDownPolicy: "03eb2aee", + ACLsEnabled: true, + PrimaryDatacenter: "ejtmd43d", + ACLResolverSettings: consul.ACLResolverSettings{ + ACLsEnabled: true, + Datacenter: "rzo029wg", + NodeName: "otlLxGaI", + ACLDisabledTTL: 120 * time.Second, + ACLDefaultPolicy: "72c2e7a0", + ACLDownPolicy: "03eb2aee", + ACLTokenTTL: 3321 * time.Second, + ACLPolicyTTL: 1123 * time.Second, + ACLRoleTTL: 9876 * time.Second, + }, ACLEnableKeyListPolicy: true, ACLMasterToken: "8a19ac27", - ACLTokenTTL: 3321 * time.Second, - ACLPolicyTTL: 1123 * time.Second, - ACLRoleTTL: 9876 * time.Second, ACLTokenReplication: true, AdvertiseAddrLAN: ipAddr("17.99.29.16"), AdvertiseAddrWAN: ipAddr("78.63.37.19"), diff --git a/agent/config/testdata/TestRuntimeConfig_Sanitize.golden b/agent/config/testdata/TestRuntimeConfig_Sanitize.golden index 7f1ac0846..c1383cb2b 100644 --- a/agent/config/testdata/TestRuntimeConfig_Sanitize.golden +++ b/agent/config/testdata/TestRuntimeConfig_Sanitize.golden @@ -1,13 +1,18 @@ { - "ACLDefaultPolicy": "", - "ACLDisabledTTL": "0s", - "ACLDownPolicy": "", "ACLEnableKeyListPolicy": false, "ACLMasterToken": "hidden", - "ACLPolicyTTL": "0s", - "ACLRoleTTL": "0s", + "ACLResolverSettings": { + "ACLDefaultPolicy": "", + "ACLDisabledTTL": "0s", + "ACLDownPolicy": "", + "ACLPolicyTTL": "0s", + "ACLRoleTTL": "0s", + "ACLTokenTTL": "0s", + "ACLsEnabled": false, + "Datacenter": "", + "NodeName": "" + }, "ACLTokenReplication": false, - "ACLTokenTTL": "0s", "ACLTokens": { "ACLAgentMasterToken": "hidden", "ACLAgentToken": "hidden", diff --git a/agent/consul/acl.go b/agent/consul/acl.go index 87302bb68..f1d8cba75 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go @@ -214,14 +214,42 @@ type ACLResolverConfig struct { // TODO: rename the fields to remove the ACL prefix type ACLResolverSettings struct { - ACLsEnabled bool - Datacenter string - NodeName string - ACLPolicyTTL time.Duration - ACLTokenTTL time.Duration - ACLRoleTTL time.Duration - ACLDisabledTTL time.Duration - ACLDownPolicy string + ACLsEnabled bool + Datacenter string + NodeName string + + // ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has + // a major impact on performance. By default, it is set to 30 seconds. + ACLPolicyTTL time.Duration + // ACLTokenTTL is used to control the time-to-live of cached ACL tokens. This has + // a major impact on performance. By default, it is set to 30 seconds. + ACLTokenTTL time.Duration + // ACLRoleTTL is used to control the time-to-live of cached ACL roles. This has + // a major impact on performance. By default, it is set to 30 seconds. + ACLRoleTTL time.Duration + + // ACLDisabledTTL is used by agents to determine how long they will + // wait to check again with the servers if they discover ACLs are not + // enabled. (not user configurable) + ACLDisabledTTL time.Duration + + // ACLDownPolicy is used to control the ACL interaction when we cannot + // reach the PrimaryDatacenter and the token is not in the cache. + // There are the following modes: + // * allow - Allow all requests + // * deny - Deny all requests + // * extend-cache - Ignore the cache expiration, and allow cached + // ACL's to be used to service requests. This + // is the default. If the ACL is not in the cache, + // this acts like deny. + // * async-cache - Same behavior as extend-cache, but perform ACL + // Lookups asynchronously when cache TTL is expired. + ACLDownPolicy string + + // ACLDefaultPolicy is used to control the ACL interaction when + // there is no defined policy. This can be "allow" which means + // ACLs are used to deny-list, or "deny" which means ACLs are + // allow-lists. ACLDefaultPolicy string } @@ -251,7 +279,6 @@ type ACLResolverSettings struct { // upon. // type ACLResolver struct { - // TODO: store the ACLResolverConfig as a field instead of copying all the fields onto ACLResolver. config ACLResolverSettings logger hclog.Logger diff --git a/agent/http.go b/agent/http.go index 731150684..3c854287a 100644 --- a/agent/http.go +++ b/agent/http.go @@ -362,7 +362,7 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc return func(resp http.ResponseWriter, req *http.Request) { setHeaders(resp, s.agent.config.HTTPResponseHeaders) setTranslateAddr(resp, s.agent.config.TranslateWANAddrs) - setACLDefaultPolicy(resp, s.agent.config.ACLDefaultPolicy) + setACLDefaultPolicy(resp, s.agent.config.ACLResolverSettings.ACLDefaultPolicy) // Obfuscate any tokens from appearing in the logs formVals, err := url.ParseQuery(req.URL.RawQuery) diff --git a/agent/uiserver/uiserver_test.go b/agent/uiserver/uiserver_test.go index 6b0769a22..ff4000981 100644 --- a/agent/uiserver/uiserver_test.go +++ b/agent/uiserver/uiserver_test.go @@ -227,7 +227,7 @@ func basicUIEnabledConfig(opts ...cfgFunc) *config.RuntimeConfig { func withACLs() cfgFunc { return func(cfg *config.RuntimeConfig) { cfg.PrimaryDatacenter = "dc1" - cfg.ACLDefaultPolicy = "deny" + cfg.ACLResolverSettings.ACLDefaultPolicy = "deny" cfg.ACLsEnabled = true } } From a8bc964241e219252257f481d98d387eb4dd0aa5 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Mon, 9 Aug 2021 14:04:27 -0400 Subject: [PATCH 4/4] Fix test failures Tests only specified one of the fields, but in production we copy the value from a single place, so we can do the same in tests. The AutoConfig test broke because of the problem noticed in a previous commit. The DisabledTTL is not wired up properly so it reports 0s here. Changed the test to use an explicit value. --- agent/consul/auto_config_endpoint_test.go | 4 +++- agent/consul/server_test.go | 6 ++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/agent/consul/auto_config_endpoint_test.go b/agent/consul/auto_config_endpoint_test.go index 58335a65c..3aa45bf5c 100644 --- a/agent/consul/auto_config_endpoint_test.go +++ b/agent/consul/auto_config_endpoint_test.go @@ -153,6 +153,8 @@ func TestAutoConfigInitialConfiguration(t *testing.T) { } c.AutoConfigAuthzAllowReuse = true + c.ACLResolverSettings.ACLDisabledTTL = 12 * time.Second + cafile := path.Join(c.DataDir, "cacert.pem") err := ioutil.WriteFile(cafile, []byte(cacert), 0600) require.NoError(t, err) @@ -263,7 +265,7 @@ func TestAutoConfigInitialConfiguration(t *testing.T) { PolicyTTL: "30s", TokenTTL: "30s", RoleTTL: "30s", - DisabledTTL: "0s", + DisabledTTL: "12s", DownPolicy: "extend-cache", DefaultPolicy: "deny", Tokens: &pbconfig.ACLTokens{ diff --git a/agent/consul/server_test.go b/agent/consul/server_test.go index ce57c44dc..25a0b407d 100644 --- a/agent/consul/server_test.go +++ b/agent/consul/server_test.go @@ -245,6 +245,12 @@ func testServerWithConfig(t *testing.T, cb func(*Config)) (string, *Server) { cb(config) } + // Apply config to copied fields because many tests only set the old + //values. + config.ACLResolverSettings.ACLsEnabled = config.ACLsEnabled + config.ACLResolverSettings.NodeName = config.NodeName + config.ACLResolverSettings.Datacenter = config.Datacenter + var err error srv, err = newServer(t, config) if err != nil {