Merge pull request #10808 from hashicorp/dnephin/acl-resolver-3

acl: isolate the config used by ACLResolver

agent/agent.go

@@ -542,13 +542,13 @@ func (a *Agent) Start(ctx context.Context) error {
 	}
 
 	var intentionDefaultAllow bool
-	switch a.config.ACLDefaultPolicy {
+	switch a.config.ACLResolverSettings.ACLDefaultPolicy {
 	case "allow":
 		intentionDefaultAllow = true
 	case "deny":
 		intentionDefaultAllow = false
 	default:
-		return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLDefaultPolicy)
+		return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLResolverSettings.ACLDefaultPolicy)
 	}
 
 	go a.baseDeps.ViewStore.Run(&lib.StopChannelContext{StopCh: a.shutdownCh})
@@ -1023,6 +1023,7 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
 	cfg.PrimaryDatacenter = runtimeCfg.PrimaryDatacenter
 	cfg.DataDir = runtimeCfg.DataDir
 	cfg.NodeName = runtimeCfg.NodeName
+	cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings
 
 	cfg.CoordinateUpdateBatchSize = runtimeCfg.ConsulCoordinateUpdateBatchSize
 	cfg.CoordinateUpdateMaxBatches = runtimeCfg.ConsulCoordinateUpdateMaxBatches
@@ -1115,21 +1116,6 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
 	if runtimeCfg.ACLMasterToken != "" {
 		cfg.ACLMasterToken = runtimeCfg.ACLMasterToken
 	}
-	if runtimeCfg.ACLTokenTTL != 0 {
-		cfg.ACLTokenTTL = runtimeCfg.ACLTokenTTL
-	}
-	if runtimeCfg.ACLPolicyTTL != 0 {
-		cfg.ACLPolicyTTL = runtimeCfg.ACLPolicyTTL
-	}
-	if runtimeCfg.ACLRoleTTL != 0 {
-		cfg.ACLRoleTTL = runtimeCfg.ACLRoleTTL
-	}
-	if runtimeCfg.ACLDefaultPolicy != "" {
-		cfg.ACLDefaultPolicy = runtimeCfg.ACLDefaultPolicy
-	}
-	if runtimeCfg.ACLDownPolicy != "" {
-		cfg.ACLDownPolicy = runtimeCfg.ACLDownPolicy
-	}
 	cfg.ACLTokenReplication = runtimeCfg.ACLTokenReplication
 	cfg.ACLsEnabled = runtimeCfg.ACLsEnabled
 	if runtimeCfg.ACLEnableKeyListPolicy {

agent/config/builder.go

@@ -830,7 +830,6 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 	dataDir := stringVal(c.DataDir)
 	rt = RuntimeConfig{
 		// non-user configurable values
-		ACLDisabledTTL:             b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL),
 		AEInterval:                 b.durationVal("ae_interval", c.AEInterval),
 		CheckDeregisterIntervalMin: b.durationVal("check_deregister_interval_min", c.CheckDeregisterIntervalMin),
 		CheckReapInterval:          b.durationVal("check_reap_interval", c.CheckReapInterval),
@@ -866,15 +865,23 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 		GossipWANRetransmitMult: intVal(c.GossipWAN.RetransmitMult),
 
 		// ACL
-		ACLsEnabled:            aclsEnabled,
+		ACLsEnabled: aclsEnabled,
-		ACLDefaultPolicy:       stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)),
+		ACLResolverSettings: consul.ACLResolverSettings{
-		ACLDownPolicy:          stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)),
+			ACLsEnabled:      aclsEnabled,
+			Datacenter:       datacenter,
+			NodeName:         b.nodeName(c.NodeName),
+			ACLPolicyTTL:     b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
+			ACLTokenTTL:      b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)),
+			ACLRoleTTL:       b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
+			ACLDisabledTTL:   b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL),
+			ACLDownPolicy:    stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)),
+			ACLDefaultPolicy: stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)),
+		},
+
 		ACLEnableKeyListPolicy: boolValWithDefault(c.ACL.EnableKeyListPolicy, boolVal(c.ACLEnableKeyListPolicy)),
 		ACLMasterToken:         stringValWithDefault(c.ACL.Tokens.Master, stringVal(c.ACLMasterToken)),
-		ACLTokenTTL:            b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)),
+
-		ACLPolicyTTL:           b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
+		ACLTokenReplication: boolValWithDefault(c.ACL.TokenReplication, boolValWithDefault(c.EnableACLReplication, enableTokenReplication)),
-		ACLRoleTTL:             b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
-		ACLTokenReplication:    boolValWithDefault(c.ACL.TokenReplication, boolValWithDefault(c.EnableACLReplication, enableTokenReplication)),
 
 		ACLTokens: token.Config{
 			DataDir:             dataDir,

agent/config/runtime.go

@@ -55,13 +55,6 @@ type RuntimeConfig struct {
 	ConsulRaftLeaderLeaseTimeout     time.Duration
 	ConsulServerHealthInterval       time.Duration
 
-	// ACLDisabledTTL is used by agents to determine how long they will
-	// wait to check again with the servers if they discover ACLs are not
-	// enabled. (not user configurable)
-	//
-	// hcl: acl.disabled_ttl = "duration"
-	ACLDisabledTTL time.Duration
-
 	// ACLsEnabled is used to determine whether ACLs should be enabled
 	//
 	// hcl: acl.enabled = boolean
@@ -69,28 +62,7 @@ type RuntimeConfig struct {
 
 	ACLTokens token.Config
 
-	// ACLDefaultPolicy is used to control the ACL interaction when
+	ACLResolverSettings consul.ACLResolverSettings
-	// there is no defined policy. This can be "allow" which means
-	// ACLs are used to deny-list, or "deny" which means ACLs are
-	// allow-lists.
-	//
-	// hcl: acl.default_policy = ("allow"|"deny")
-	ACLDefaultPolicy string
-
-	// ACLDownPolicy is used to control the ACL interaction when we cannot
-	// reach the PrimaryDatacenter and the token is not in the cache.
-	// There are the following modes:
-	//   * allow - Allow all requests
-	//   * deny - Deny all requests
-	//   * extend-cache - Ignore the cache expiration, and allow cached
-	//                    ACL's to be used to service requests. This
-	//                    is the default. If the ACL is not in the cache,
-	//                    this acts like deny.
-	//   * async-cache - Same behavior as extend-cache, but perform ACL
-	//                   Lookups asynchronously when cache TTL is expired.
-	//
-	// hcl: acl.down_policy = ("allow"|"deny"|"extend-cache"|"async-cache")
-	ACLDownPolicy string
 
 	// ACLEnableKeyListPolicy is used to opt-in to the "list" policy added to
 	// KV ACLs in Consul 1.0.
@@ -114,24 +86,6 @@ type RuntimeConfig struct {
 	// hcl: acl.token_replication = boolean
 	ACLTokenReplication bool
 
-	// ACLTokenTTL is used to control the time-to-live of cached ACL tokens. This has
-	// a major impact on performance. By default, it is set to 30 seconds.
-	//
-	// hcl: acl.policy_ttl = "duration"
-	ACLTokenTTL time.Duration
-
-	// ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has
-	// a major impact on performance. By default, it is set to 30 seconds.
-	//
-	// hcl: acl.token_ttl = "duration"
-	ACLPolicyTTL time.Duration
-
-	// ACLRoleTTL is used to control the time-to-live of cached ACL roles. This has
-	// a major impact on performance. By default, it is set to 30 seconds.
-	//
-	// hcl: acl.role_ttl = "duration"
-	ACLRoleTTL time.Duration
-
 	// AutopilotCleanupDeadServers enables the automatic cleanup of dead servers when new ones
 	// are added to the peer list. Defaults to true.
 	//

agent/config/runtime_test.go

@@ -5146,6 +5146,10 @@ func (tc testCase) run(format string, dataDir string) func(t *testing.T) {
 		// case does not need to set this field.
 		require.Equal(t, actual.DataDir, actual.ACLTokens.DataDir)
 		expected.ACLTokens.DataDir = actual.ACLTokens.DataDir
+		// These fields are always the same
+		expected.ACLResolverSettings.Datacenter = expected.Datacenter
+		expected.ACLResolverSettings.ACLsEnabled = expected.ACLsEnabled
+		expected.ACLResolverSettings.NodeName = expected.NodeName
 
 		assertDeepEqual(t, expected, actual, cmpopts.EquateEmpty())
 	}
@@ -5187,7 +5191,6 @@ func TestLoad_FullConfig(t *testing.T) {
 	defaultEntMeta := structs.DefaultEnterpriseMetaInDefaultPartition()
 	expected := &RuntimeConfig{
 		// non-user configurable values
-		ACLDisabledTTL:             120 * time.Second,
 		AEInterval:                 time.Minute,
 		CheckDeregisterIntervalMin: time.Minute,
 		CheckReapInterval:          30 * time.Second,
@@ -5232,15 +5235,21 @@ func TestLoad_FullConfig(t *testing.T) {
 			ACLReplicationToken: "5795983a",
 		},
 
-		ACLsEnabled:                      true,
+		ACLsEnabled:       true,
-		PrimaryDatacenter:                "ejtmd43d",
+		PrimaryDatacenter: "ejtmd43d",
-		ACLDefaultPolicy:                 "72c2e7a0",
+		ACLResolverSettings: consul.ACLResolverSettings{
-		ACLDownPolicy:                    "03eb2aee",
+			ACLsEnabled:      true,
+			Datacenter:       "rzo029wg",
+			NodeName:         "otlLxGaI",
+			ACLDisabledTTL:   120 * time.Second,
+			ACLDefaultPolicy: "72c2e7a0",
+			ACLDownPolicy:    "03eb2aee",
+			ACLTokenTTL:      3321 * time.Second,
+			ACLPolicyTTL:     1123 * time.Second,
+			ACLRoleTTL:       9876 * time.Second,
+		},
 		ACLEnableKeyListPolicy:           true,
 		ACLMasterToken:                   "8a19ac27",
-		ACLTokenTTL:                      3321 * time.Second,
-		ACLPolicyTTL:                     1123 * time.Second,
-		ACLRoleTTL:                       9876 * time.Second,
 		ACLTokenReplication:              true,
 		AdvertiseAddrLAN:                 ipAddr("17.99.29.16"),
 		AdvertiseAddrWAN:                 ipAddr("78.63.37.19"),

agent/config/testdata/TestRuntimeConfig_Sanitize.golden

@@ -1,13 +1,18 @@
 {
-    "ACLDefaultPolicy": "",
-    "ACLDisabledTTL": "0s",
-    "ACLDownPolicy": "",
     "ACLEnableKeyListPolicy": false,
     "ACLMasterToken": "hidden",
-    "ACLPolicyTTL": "0s",
+    "ACLResolverSettings": {
-    "ACLRoleTTL": "0s",
+        "ACLDefaultPolicy": "",
+        "ACLDisabledTTL": "0s",
+        "ACLDownPolicy": "",
+        "ACLPolicyTTL": "0s",
+        "ACLRoleTTL": "0s",
+        "ACLTokenTTL": "0s",
+        "ACLsEnabled": false,
+        "Datacenter": "",
+        "NodeName": ""
+    },
     "ACLTokenReplication": false,
-    "ACLTokenTTL": "0s",
     "ACLTokens": {
         "ACLAgentMasterToken": "hidden",
         "ACLAgentToken": "hidden",

agent/consul/acl.go

@@ -189,7 +189,8 @@ func (e policyOrRoleTokenError) Error() string {
 
 // ACLResolverConfig holds all the configuration necessary to create an ACLResolver
 type ACLResolverConfig struct {
-	Config *Config
+	// TODO: rename this field?
+	Config ACLResolverSettings
 	Logger hclog.Logger
 
 	// CacheConfig is a pass through configuration for ACL cache limits
@@ -211,6 +212,47 @@ type ACLResolverConfig struct {
 	Tokens *token.Store
 }
 
+// TODO: rename the fields to remove the ACL prefix
+type ACLResolverSettings struct {
+	ACLsEnabled bool
+	Datacenter  string
+	NodeName    string
+
+	// ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has
+	// a major impact on performance. By default, it is set to 30 seconds.
+	ACLPolicyTTL time.Duration
+	// ACLTokenTTL is used to control the time-to-live of cached ACL tokens. This has
+	// a major impact on performance. By default, it is set to 30 seconds.
+	ACLTokenTTL time.Duration
+	// ACLRoleTTL is used to control the time-to-live of cached ACL roles. This has
+	// a major impact on performance. By default, it is set to 30 seconds.
+	ACLRoleTTL time.Duration
+
+	// ACLDisabledTTL is used by agents to determine how long they will
+	// wait to check again with the servers if they discover ACLs are not
+	// enabled. (not user configurable)
+	ACLDisabledTTL time.Duration
+
+	// ACLDownPolicy is used to control the ACL interaction when we cannot
+	// reach the PrimaryDatacenter and the token is not in the cache.
+	// There are the following modes:
+	//   * allow - Allow all requests
+	//   * deny - Deny all requests
+	//   * extend-cache - Ignore the cache expiration, and allow cached
+	//                    ACL's to be used to service requests. This
+	//                    is the default. If the ACL is not in the cache,
+	//                    this acts like deny.
+	//   * async-cache - Same behavior as extend-cache, but perform ACL
+	//                   Lookups asynchronously when cache TTL is expired.
+	ACLDownPolicy string
+
+	// ACLDefaultPolicy is used to control the ACL interaction when
+	// there is no defined policy. This can be "allow" which means
+	// ACLs are used to deny-list, or "deny" which means ACLs are
+	// allow-lists.
+	ACLDefaultPolicy string
+}
+
 // ACLResolver is the type to handle all your token and policy resolution needs.
 //
 // Supports:
@@ -237,7 +279,7 @@ type ACLResolverConfig struct {
 //   upon.
 //
 type ACLResolver struct {
-	config *Config
+	config ACLResolverSettings
 	logger hclog.Logger
 
 	delegate ACLResolverDelegate
@@ -289,11 +331,6 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
 	if config == nil {
 		return nil, fmt.Errorf("ACL Resolver must be initialized with a config")
 	}
-
-	if config.Config == nil {
-		return nil, fmt.Errorf("ACLResolverConfig.Config must not be nil")
-	}
-
 	if config.Delegate == nil {
 		return nil, fmt.Errorf("ACL Resolver must be initialized with a valid delegate")
 	}

agent/consul/acl_endpoint.go

@@ -1390,7 +1390,7 @@ func (a *ACL) GetPolicy(args *structs.ACLPolicyResolveLegacyRequest, reply *stru
 	}
 
 	// Get the policy via the cache
-	parent := a.srv.config.ACLDefaultPolicy
+	parent := a.srv.config.ACLResolverSettings.ACLDefaultPolicy
 
 	ident, policy, err := a.srv.acls.GetMergedPolicyForToken(args.ACL)
 	if err != nil {
@@ -1409,7 +1409,7 @@ func (a *ACL) GetPolicy(args *structs.ACLPolicyResolveLegacyRequest, reply *stru
 
 	// Setup the response
 	reply.ETag = etag
-	reply.TTL = a.srv.config.ACLTokenTTL
+	reply.TTL = a.srv.config.ACLResolverSettings.ACLTokenTTL
 	a.srv.setQueryMeta(&reply.QueryMeta)
 
 	// Only send the policy on an Etag mis-match

agent/consul/acl_test.go

@@ -718,11 +718,11 @@ func (d *ACLResolverTestDelegate) RPC(method string, args interface{}, reply int
 
 func newTestACLResolver(t *testing.T, delegate *ACLResolverTestDelegate, cb func(*ACLResolverConfig)) *ACLResolver {
 	config := DefaultConfig()
-	config.ACLDefaultPolicy = "deny"
+	config.ACLResolverSettings.ACLDefaultPolicy = "deny"
-	config.ACLDownPolicy = "extend-cache"
+	config.ACLResolverSettings.ACLDownPolicy = "extend-cache"
-	config.ACLsEnabled = delegate.enabled
+	config.ACLResolverSettings.ACLsEnabled = delegate.enabled
 	rconf := &ACLResolverConfig{
-		Config: config,
+		Config: config.ACLResolverSettings,
 		Logger: testutil.Logger(t),
 		CacheConfig: &structs.ACLCachesConfig{
 			Identities:     4,
@@ -2205,7 +2205,7 @@ func TestACL_Replication(t *testing.T) {
 		dir2, s2 := testServerWithConfig(t, func(c *Config) {
 			c.Datacenter = "dc2"
 			c.PrimaryDatacenter = "dc1"
-			c.ACLDefaultPolicy = "deny"
+			c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 			c.ACLDownPolicy = aclDownPolicy
 			c.ACLTokenReplication = true
 			c.ACLReplicationRate = 100

agent/consul/auto_config_endpoint.go

@@ -188,12 +188,12 @@ func (ac *AutoConfig) updateTLSCertificatesInConfig(opts AutoConfigOptions, resp
 func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautoconf.AutoConfigResponse) error {
 	acl := &pbconfig.ACL{
 		Enabled:             ac.config.ACLsEnabled,
-		PolicyTTL:           ac.config.ACLPolicyTTL.String(),
+		PolicyTTL:           ac.config.ACLResolverSettings.ACLPolicyTTL.String(),
-		RoleTTL:             ac.config.ACLRoleTTL.String(),
+		RoleTTL:             ac.config.ACLResolverSettings.ACLRoleTTL.String(),
-		TokenTTL:            ac.config.ACLTokenTTL.String(),
+		TokenTTL:            ac.config.ACLResolverSettings.ACLTokenTTL.String(),
-		DisabledTTL:         ac.config.ACLDisabledTTL.String(),
+		DisabledTTL:         ac.config.ACLResolverSettings.ACLDisabledTTL.String(),
-		DownPolicy:          ac.config.ACLDownPolicy,
+		DownPolicy:          ac.config.ACLResolverSettings.ACLDownPolicy,
-		DefaultPolicy:       ac.config.ACLDefaultPolicy,
+		DefaultPolicy:       ac.config.ACLResolverSettings.ACLDefaultPolicy,
 		EnableKeyListPolicy: ac.config.ACLEnableKeyListPolicy,
 	}
 

agent/consul/auto_config_endpoint_test.go

@@ -153,6 +153,8 @@ func TestAutoConfigInitialConfiguration(t *testing.T) {
 		}
 		c.AutoConfigAuthzAllowReuse = true
 
+		c.ACLResolverSettings.ACLDisabledTTL = 12 * time.Second
+
 		cafile := path.Join(c.DataDir, "cacert.pem")
 		err := ioutil.WriteFile(cafile, []byte(cacert), 0600)
 		require.NoError(t, err)
@@ -263,7 +265,7 @@ func TestAutoConfigInitialConfiguration(t *testing.T) {
 						PolicyTTL:     "30s",
 						TokenTTL:      "30s",
 						RoleTTL:       "30s",
-						DisabledTTL:   "0s",
+						DisabledTTL:   "12s",
 						DownPolicy:    "extend-cache",
 						DefaultPolicy: "deny",
 						Tokens: &pbconfig.ACLTokens{
@@ -716,15 +718,17 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
 	cases := map[string]testCase{
 		"enabled": {
 			config: Config{
-				Datacenter:             testDC,
+				Datacenter:        testDC,
-				PrimaryDatacenter:      testDC,
+				PrimaryDatacenter: testDC,
-				ACLsEnabled:            true,
+				ACLsEnabled:       true,
-				ACLPolicyTTL:           7 * time.Second,
+				ACLResolverSettings: ACLResolverSettings{
-				ACLRoleTTL:             10 * time.Second,
+					ACLPolicyTTL:     7 * time.Second,
-				ACLTokenTTL:            12 * time.Second,
+					ACLRoleTTL:       10 * time.Second,
-				ACLDisabledTTL:         31 * time.Second,
+					ACLTokenTTL:      12 * time.Second,
-				ACLDefaultPolicy:       "allow",
+					ACLDisabledTTL:   31 * time.Second,
-				ACLDownPolicy:          "deny",
+					ACLDefaultPolicy: "allow",
+					ACLDownPolicy:    "deny",
+				},
 				ACLEnableKeyListPolicy: true,
 			},
 			expectACLToken: true,
@@ -748,15 +752,17 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
 		},
 		"disabled": {
 			config: Config{
-				Datacenter:             testDC,
+				Datacenter:        testDC,
-				PrimaryDatacenter:      testDC,
+				PrimaryDatacenter: testDC,
-				ACLsEnabled:            false,
+				ACLsEnabled:       false,
-				ACLPolicyTTL:           7 * time.Second,
+				ACLResolverSettings: ACLResolverSettings{
-				ACLRoleTTL:             10 * time.Second,
+					ACLPolicyTTL:     7 * time.Second,
-				ACLTokenTTL:            12 * time.Second,
+					ACLRoleTTL:       10 * time.Second,
-				ACLDisabledTTL:         31 * time.Second,
+					ACLTokenTTL:      12 * time.Second,
-				ACLDefaultPolicy:       "allow",
+					ACLDisabledTTL:   31 * time.Second,
-				ACLDownPolicy:          "deny",
+					ACLDefaultPolicy: "allow",
+					ACLDownPolicy:    "deny",
+				},
 				ACLEnableKeyListPolicy: true,
 			},
 			expectACLToken: false,

agent/consul/catalog_endpoint_test.go

@@ -183,7 +183,7 @@ func TestCatalog_Register_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -429,7 +429,7 @@ func TestCatalog_Register_ConnectProxy_ACLDestinationServiceName(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -558,7 +558,7 @@ func TestCatalog_Deregister_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1298,7 +1298,7 @@ func TestCatalog_ListNodes_ACLFilter(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -2416,7 +2416,7 @@ func TestCatalog_ListServiceNodes_ConnectProxy_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -2711,7 +2711,7 @@ func testACLFilterServer(t *testing.T) (dir, token string, srv *Server, codec rp
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 
 	codec = rpcClient(t, srv)
@@ -2874,7 +2874,7 @@ func TestCatalog_NodeServices_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -3287,7 +3287,7 @@ func TestCatalog_GatewayServices_ACLFiltering(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/client.go

@@ -10,6 +10,10 @@ import (
 
 	"github.com/armon/go-metrics"
 	"github.com/armon/go-metrics/prometheus"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/serf/serf"
+	"golang.org/x/time/rate"
+
 	"github.com/hashicorp/consul/agent/pool"
 	"github.com/hashicorp/consul/agent/router"
 	"github.com/hashicorp/consul/agent/structs"
@@ -17,9 +21,6 @@ import (
 	"github.com/hashicorp/consul/logging"
 	"github.com/hashicorp/consul/tlsutil"
 	"github.com/hashicorp/consul/types"
-	"github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/serf/serf"
-	"golang.org/x/time/rate"
 )
 
 var ClientCounters = []prometheus.CounterDefinition{
@@ -122,7 +123,7 @@ func NewClient(config *Config, deps Deps) (*Client, error) {
 
 	c.useNewACLs = 0
 	aclConfig := ACLResolverConfig{
-		Config:      config,
+		Config:      config.ACLResolverSettings,
 		Delegate:    c,
 		Logger:      c.logger,
 		AutoDisable: true,

agent/consul/config.go

@@ -175,6 +175,8 @@ type Config struct {
 	// operators track which versions are actively deployed
 	Build string
 
+	ACLResolverSettings ACLResolverSettings
+
 	// ACLEnabled is used to enable ACLs
 	ACLsEnabled bool
 
@@ -183,25 +185,6 @@ type Config struct {
 	// that the Master token is available. This provides the initial token.
 	ACLMasterToken string
 
-	// ACLTokenTTL controls the time-to-live of cached ACL tokens.
-	// It can be set to zero to disable caching, but this adds
-	// a substantial cost.
-	ACLTokenTTL time.Duration
-
-	// ACLPolicyTTL controls the time-to-live of cached ACL policies.
-	// It can be set to zero to disable caching, but this adds
-	// a substantial cost.
-	ACLPolicyTTL time.Duration
-
-	// ACLRoleTTL controls the time-to-live of cached ACL roles.
-	// It can be set to zero to disable caching, but this adds
-	// a substantial cost.
-	ACLRoleTTL time.Duration
-
-	// ACLDisabledTTL is the time between checking if ACLs should be
-	// enabled. This
-	ACLDisabledTTL time.Duration
-
 	// ACLTokenReplication is used to enabled token replication.
 	//
 	// By default policy-only replication is enabled. When token
@@ -209,20 +192,6 @@ type Config struct {
 	// yet upgraded to the new ACLs no replication will be performed
 	ACLTokenReplication bool
 
-	// ACLDefaultPolicy is used to control the ACL interaction when
-	// there is no defined policy. This can be "allow" which means
-	// ACLs are used to deny-list, or "deny" which means ACLs are
-	// allow-lists.
-	ACLDefaultPolicy string
-
-	// ACLDownPolicy controls the behavior of ACLs if the PrimaryDatacenter
-	// cannot be contacted. It can be either "deny" to deny all requests,
-	// "extend-cache" or "async-cache" which ignores the ACLCacheInterval and
-	// uses cached policies.
-	// If a policy is not in the cache, it acts like deny.
-	// "allow" can be used to allow all requests. This is not recommended.
-	ACLDownPolicy string
-
 	// ACLReplicationRate is the max number of replication rounds that can
 	// be run per second. Note that either 1 or 2 RPCs are used during each replication
 	// round
@@ -438,19 +407,20 @@ func (c *Config) CheckProtocolVersion() error {
 }
 
 // CheckACL validates the ACL configuration.
+// TODO: move this to ACLResolverSettings
 func (c *Config) CheckACL() error {
-	switch c.ACLDefaultPolicy {
+	switch c.ACLResolverSettings.ACLDefaultPolicy {
 	case "allow":
 	case "deny":
 	default:
-		return fmt.Errorf("Unsupported default ACL policy: %s", c.ACLDefaultPolicy)
+		return fmt.Errorf("Unsupported default ACL policy: %s", c.ACLResolverSettings.ACLDefaultPolicy)
 	}
-	switch c.ACLDownPolicy {
+	switch c.ACLResolverSettings.ACLDownPolicy {
 	case "allow":
 	case "deny":
 	case "async-cache", "extend-cache":
 	default:
-		return fmt.Errorf("Unsupported down ACL policy: %s", c.ACLDownPolicy)
+		return fmt.Errorf("Unsupported down ACL policy: %s", c.ACLResolverSettings.ACLDownPolicy)
 	}
 	return nil
 }
@@ -463,21 +433,27 @@ func DefaultConfig() *Config {
 	}
 
 	conf := &Config{
-		Build:                                version.Version,
+		Build:             version.Version,
-		Datacenter:                           DefaultDC,
+		Datacenter:        DefaultDC,
-		NodeName:                             hostname,
+		NodeName:          hostname,
-		RPCAddr:                              DefaultRPCAddr,
+		RPCAddr:           DefaultRPCAddr,
-		RaftConfig:                           raft.DefaultConfig(),
+		RaftConfig:        raft.DefaultConfig(),
-		SerfLANConfig:                        libserf.DefaultConfig(),
+		SerfLANConfig:     libserf.DefaultConfig(),
-		SerfWANConfig:                        libserf.DefaultConfig(),
+		SerfWANConfig:     libserf.DefaultConfig(),
-		SerfFloodInterval:                    60 * time.Second,
+		SerfFloodInterval: 60 * time.Second,
-		ReconcileInterval:                    60 * time.Second,
+		ReconcileInterval: 60 * time.Second,
-		ProtocolVersion:                      ProtocolVersion2Compatible,
+		ProtocolVersion:   ProtocolVersion2Compatible,
-		ACLRoleTTL:                           30 * time.Second,
+		ACLResolverSettings: ACLResolverSettings{
-		ACLPolicyTTL:                         30 * time.Second,
+			ACLsEnabled:      false,
-		ACLTokenTTL:                          30 * time.Second,
+			Datacenter:       DefaultDC,
-		ACLDefaultPolicy:                     "allow",
+			NodeName:         hostname,
-		ACLDownPolicy:                        "extend-cache",
+			ACLPolicyTTL:     30 * time.Second,
+			ACLTokenTTL:      30 * time.Second,
+			ACLRoleTTL:       30 * time.Second,
+			ACLDisabledTTL:   30 * time.Second,
+			ACLDownPolicy:    "extend-cache",
+			ACLDefaultPolicy: "allow",
+		},
 		ACLReplicationRate:                   1,
 		ACLReplicationBurst:                  5,
 		ACLReplicationApplyLimit:             100, // ops / sec

agent/consul/config_endpoint_test.go

@@ -155,7 +155,7 @@ func TestConfigEntry_Apply_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -284,7 +284,7 @@ func TestConfigEntry_Get_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -497,7 +497,7 @@ func TestConfigEntry_List_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -582,7 +582,7 @@ func TestConfigEntry_ListAll_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -741,7 +741,7 @@ func TestConfigEntry_Delete_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1963,7 +1963,7 @@ func TestConfigEntry_ResolveServiceConfig_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/connect_ca_endpoint_test.go

@@ -164,7 +164,7 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = TestDefaultMasterToken
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1109,7 +1109,7 @@ func TestConnectCASignValidation(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/coordinate_endpoint_test.go

@@ -197,7 +197,7 @@ func TestCoordinate_Update_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -373,7 +373,7 @@ func TestCoordinate_ListNodes_ACLFilter(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -565,7 +565,7 @@ func TestCoordinate_Node_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/discovery_chain_endpoint_test.go

@@ -27,7 +27,7 @@ func TestDiscoveryChainEndpoint_Get(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/federation_state_endpoint_test.go

@@ -117,7 +117,7 @@ func TestFederationState_Apply_Upsert_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -238,7 +238,7 @@ func TestFederationState_Get_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -410,7 +410,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -426,7 +426,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir2)
 	defer s2.Shutdown()
@@ -686,7 +686,7 @@ func TestFederationState_Apply_Delete_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/health_endpoint_test.go

@@ -984,7 +984,7 @@ func TestHealth_ServiceNodes_ConnectProxy_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1298,7 +1298,7 @@ func TestHealth_ServiceNodes_Ingress_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/intention_endpoint_test.go

@@ -863,7 +863,7 @@ func TestIntentionApply_aclDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1268,7 +1268,7 @@ func TestIntentionApply_aclDelete(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1349,7 +1349,7 @@ func TestIntentionApply_aclUpdate(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1418,7 +1418,7 @@ func TestIntentionApply_aclManagement(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1463,7 +1463,7 @@ func TestIntentionApply_aclUpdateChange(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1528,7 +1528,7 @@ func TestIntentionGet_acl(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1932,7 +1932,7 @@ func TestIntentionCheck_defaultACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1968,7 +1968,7 @@ func TestIntentionCheck_defaultACLAllow(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -2004,7 +2004,7 @@ func TestIntentionCheck_aclDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/internal_endpoint_test.go

@@ -563,8 +563,8 @@ func TestInternal_EventFire_Token(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDownPolicy = "deny"
+		c.ACLResolverSettings.ACLDownPolicy = "deny"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir)
 	defer srv.Shutdown()
@@ -962,7 +962,7 @@ func TestInternal_GatewayServiceDump_Terminating_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1305,7 +1305,7 @@ func TestInternal_GatewayServiceDump_Ingress_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1908,7 +1908,7 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = TestDefaultMasterToken
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -2045,7 +2045,7 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = TestDefaultMasterToken
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/kvs_endpoint_test.go

@@ -85,7 +85,7 @@ func TestKVS_Apply_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -205,7 +205,7 @@ func TestKVS_Get_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -426,7 +426,7 @@ func TestKVSEndpoint_List_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -516,7 +516,7 @@ func TestKVSEndpoint_List_ACLEnableKeyListPolicy(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.ACLEnableKeyListPolicy = true
 	})
 	defer os.RemoveAll(dir1)
@@ -719,7 +719,7 @@ func TestKVSEndpoint_ListKeys_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/leader_connect_test.go

@@ -205,7 +205,7 @@ func TestLeader_SecondaryCA_Initialize(t *testing.T) {
 				c.Build = "1.6.0"
 				c.ACLsEnabled = true
 				c.ACLMasterToken = masterToken
-				c.ACLDefaultPolicy = "deny"
+				c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 				c.CAConfig.Config["PrivateKeyType"] = tc.keyType
 				c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits
 				c.CAConfig.Config["test_state"] = dc1State
@@ -223,7 +223,7 @@ func TestLeader_SecondaryCA_Initialize(t *testing.T) {
 				c.PrimaryDatacenter = "primary"
 				c.Build = "1.6.0"
 				c.ACLsEnabled = true
-				c.ACLDefaultPolicy = "deny"
+				c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 				c.ACLTokenReplication = true
 				c.CAConfig.Config["PrivateKeyType"] = tc.keyType
 				c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits

agent/consul/leader_federation_state_ae_test.go

@@ -360,7 +360,7 @@ func TestLeader_FederationStateAntiEntropyPruning_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -374,7 +374,7 @@ func TestLeader_FederationStateAntiEntropyPruning_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	testrpc.WaitForLeader(t, s2.RPC, "dc2")
 	defer os.RemoveAll(dir2)

agent/consul/leader_intentions_test.go

@@ -30,7 +30,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.Build = "1.6.0"
 		c.OverrideInitialSerfTags = func(tags map[string]string) {
 			tags["ft_si"] = "0"
@@ -64,7 +64,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
 		c.Datacenter = "dc2"
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.ACLTokenReplication = false
 		c.Build = "1.6.0"
 		c.OverrideInitialSerfTags = func(tags map[string]string) {

agent/consul/leader_test.go

@@ -32,7 +32,7 @@ func TestLeader_RegisterMember(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -109,7 +109,7 @@ func TestLeader_FailedMember(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -175,7 +175,7 @@ func TestLeader_LeftMember(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -227,7 +227,7 @@ func TestLeader_ReapMember(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -294,7 +294,7 @@ func TestLeader_CheckServersMeta(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 		c.Bootstrap = true
 	})
 	defer os.RemoveAll(dir1)
@@ -304,7 +304,7 @@ func TestLeader_CheckServersMeta(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 		c.Bootstrap = false
 	})
 	defer os.RemoveAll(dir2)
@@ -314,7 +314,7 @@ func TestLeader_CheckServersMeta(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 		c.Bootstrap = false
 	})
 	defer os.RemoveAll(dir3)
@@ -402,7 +402,7 @@ func TestLeader_ReapServer(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 		c.Bootstrap = true
 	})
 	defer os.RemoveAll(dir1)
@@ -412,7 +412,7 @@ func TestLeader_ReapServer(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 		c.Bootstrap = false
 	})
 	defer os.RemoveAll(dir2)
@@ -422,7 +422,7 @@ func TestLeader_ReapServer(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "allow"
+		c.ACLResolverSettings.ACLDefaultPolicy = "allow"
 		c.Bootstrap = false
 	})
 	defer os.RemoveAll(dir3)
@@ -483,7 +483,7 @@ func TestLeader_Reconcile_ReapMember(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -537,7 +537,7 @@ func TestLeader_Reconcile(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -892,7 +892,7 @@ func TestLeader_ReapTombstones(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.TombstoneTTL = 50 * time.Millisecond
 		c.TombstoneTTLGranularity = 10 * time.Millisecond
 	})

agent/consul/operator_autopilot_endpoint_test.go

@@ -55,7 +55,7 @@ func TestOperator_Autopilot_GetConfiguration_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.AutopilotConfig.CleanupDeadServers = false
 	})
 	defer os.RemoveAll(dir1)
@@ -159,7 +159,7 @@ func TestOperator_Autopilot_SetConfiguration_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.AutopilotConfig.CleanupDeadServers = false
 	})
 	defer os.RemoveAll(dir1)

agent/consul/operator_raft_endpoint_test.go

@@ -73,7 +73,7 @@ func TestOperator_RaftGetConfiguration_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -221,7 +221,7 @@ func TestOperator_RaftRemovePeerByAddress_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -350,7 +350,7 @@ func TestOperator_RaftRemovePeerByID_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.RaftConfig.ProtocolVersion = 3
 	})
 	defer os.RemoveAll(dir1)

agent/consul/prepared_query_endpoint_test.go

@@ -201,7 +201,7 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -647,7 +647,7 @@ func TestPreparedQuery_ACLDeny_Catchall_Template(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -866,7 +866,7 @@ func TestPreparedQuery_Get(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1124,7 +1124,7 @@ func TestPreparedQuery_List(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1337,7 +1337,7 @@ func TestPreparedQuery_Explain(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1478,7 +1478,7 @@ func TestPreparedQuery_Execute(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -1490,7 +1490,7 @@ func TestPreparedQuery_Execute(t *testing.T) {
 		c.Datacenter = "dc2"
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir2)
 	defer s2.Shutdown()
@@ -2784,7 +2784,7 @@ func TestPreparedQuery_Wrapper(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -2794,7 +2794,7 @@ func TestPreparedQuery_Wrapper(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir2)
 	defer s2.Shutdown()

agent/consul/rpc_test.go

@@ -829,7 +829,7 @@ func TestRPC_LocalTokenStrippedOnForward(t *testing.T) {
 	dir1, s1 := testServerWithConfig(t, func(c *Config) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.ACLMasterToken = "root"
 	})
 	defer os.RemoveAll(dir1)
@@ -842,7 +842,7 @@ func TestRPC_LocalTokenStrippedOnForward(t *testing.T) {
 		c.Datacenter = "dc2"
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		c.ACLTokenReplication = true
 		c.ACLReplicationRate = 100
 		c.ACLReplicationBurst = 100

agent/consul/server.go

@@ -426,7 +426,7 @@ func NewServer(config *Config, flat Deps) (*Server, error) {
 	s.aclConfig = newACLConfig(logger)
 	s.useNewACLs = 0
 	aclConfig := ACLResolverConfig{
-		Config:      config,
+		Config:      config.ACLResolverSettings,
 		Delegate:    s,
 		CacheConfig: serverACLCacheConfig,
 		AutoDisable: false,

agent/consul/server_test.go

@@ -77,7 +77,7 @@ func testServerACLConfig(cb func(*Config)) func(*Config) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = TestDefaultMasterToken
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 
 		if cb != nil {
 			cb(c)
@@ -245,6 +245,12 @@ func testServerWithConfig(t *testing.T, cb func(*Config)) (string, *Server) {
 			cb(config)
 		}
 
+		// Apply config to copied fields because many tests only set the old
+		//values.
+		config.ACLResolverSettings.ACLsEnabled = config.ACLsEnabled
+		config.ACLResolverSettings.NodeName = config.NodeName
+		config.ACLResolverSettings.Datacenter = config.Datacenter
+
 		var err error
 		srv, err = newServer(t, config)
 		if err != nil {

agent/consul/session_endpoint_test.go

@@ -157,7 +157,7 @@ func TestSession_Apply_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -395,7 +395,7 @@ func TestSession_Get_List_NodeSessions_ACLFilter(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -754,7 +754,7 @@ func TestSession_Renew_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/snapshot_endpoint_test.go

@@ -272,7 +272,7 @@ func TestSnapshot_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/consul/txn_endpoint_test.go

@@ -322,7 +322,7 @@ func TestTxn_Apply_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@@ -857,7 +857,7 @@ func TestTxn_Read_ACLDeny(t *testing.T) {
 		c.PrimaryDatacenter = "dc1"
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
-		c.ACLDefaultPolicy = "deny"
+		c.ACLResolverSettings.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()

agent/http.go

@@ -362,7 +362,7 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc
 	return func(resp http.ResponseWriter, req *http.Request) {
 		setHeaders(resp, s.agent.config.HTTPResponseHeaders)
 		setTranslateAddr(resp, s.agent.config.TranslateWANAddrs)
-		setACLDefaultPolicy(resp, s.agent.config.ACLDefaultPolicy)
+		setACLDefaultPolicy(resp, s.agent.config.ACLResolverSettings.ACLDefaultPolicy)
 
 		// Obfuscate any tokens from appearing in the logs
 		formVals, err := url.ParseQuery(req.URL.RawQuery)

agent/uiserver/uiserver_test.go

@@ -227,7 +227,7 @@ func basicUIEnabledConfig(opts ...cfgFunc) *config.RuntimeConfig {
 func withACLs() cfgFunc {
 	return func(cfg *config.RuntimeConfig) {
 		cfg.PrimaryDatacenter = "dc1"
-		cfg.ACLDefaultPolicy = "deny"
+		cfg.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		cfg.ACLsEnabled = true
 	}
 }