Merge pull request #10808 from hashicorp/dnephin/acl-resolver-3
acl: isolate the config used by ACLResolver
This commit is contained in:
Daniel Nephin
GitHub
commit
fb11d0f6c8
|
|
@ -542,13 +542,13 @@ func (a *Agent) Start(ctx context.Context) error {
|
|||
}
|
||||
|
||||
var intentionDefaultAllow bool
|
||||
switch a.config.ACLDefaultPolicy {
|
||||
switch a.config.ACLResolverSettings.ACLDefaultPolicy {
|
||||
case "allow":
|
||||
intentionDefaultAllow = true
|
||||
case "deny":
|
||||
intentionDefaultAllow = false
|
||||
default:
|
||||
return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLDefaultPolicy)
|
||||
return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLResolverSettings.ACLDefaultPolicy)
|
||||
}
|
||||
|
||||
go a.baseDeps.ViewStore.Run(&lib.StopChannelContext{StopCh: a.shutdownCh})
|
||||
|
|
@ -1023,6 +1023,7 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
|
|||
cfg.PrimaryDatacenter = runtimeCfg.PrimaryDatacenter
|
||||
cfg.DataDir = runtimeCfg.DataDir
|
||||
cfg.NodeName = runtimeCfg.NodeName
|
||||
cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings
|
||||
|
||||
cfg.CoordinateUpdateBatchSize = runtimeCfg.ConsulCoordinateUpdateBatchSize
|
||||
cfg.CoordinateUpdateMaxBatches = runtimeCfg.ConsulCoordinateUpdateMaxBatches
|
||||
|
|
@ -1115,21 +1116,6 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
|
|||
if runtimeCfg.ACLMasterToken != "" {
|
||||
cfg.ACLMasterToken = runtimeCfg.ACLMasterToken
|
||||
}
|
||||
if runtimeCfg.ACLTokenTTL != 0 {
|
||||
cfg.ACLTokenTTL = runtimeCfg.ACLTokenTTL
|
||||
}
|
||||
if runtimeCfg.ACLPolicyTTL != 0 {
|
||||
cfg.ACLPolicyTTL = runtimeCfg.ACLPolicyTTL
|
||||
}
|
||||
if runtimeCfg.ACLRoleTTL != 0 {
|
||||
cfg.ACLRoleTTL = runtimeCfg.ACLRoleTTL
|
||||
}
|
||||
if runtimeCfg.ACLDefaultPolicy != "" {
|
||||
cfg.ACLDefaultPolicy = runtimeCfg.ACLDefaultPolicy
|
||||
}
|
||||
if runtimeCfg.ACLDownPolicy != "" {
|
||||
cfg.ACLDownPolicy = runtimeCfg.ACLDownPolicy
|
||||
}
|
||||
cfg.ACLTokenReplication = runtimeCfg.ACLTokenReplication
|
||||
cfg.ACLsEnabled = runtimeCfg.ACLsEnabled
|
||||
if runtimeCfg.ACLEnableKeyListPolicy {
|
||||
|
|
|
|||
|
|
@ -830,7 +830,6 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
|
|||
dataDir := stringVal(c.DataDir)
|
||||
rt = RuntimeConfig{
|
||||
// non-user configurable values
|
||||
ACLDisabledTTL: b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL),
|
||||
AEInterval: b.durationVal("ae_interval", c.AEInterval),
|
||||
CheckDeregisterIntervalMin: b.durationVal("check_deregister_interval_min", c.CheckDeregisterIntervalMin),
|
||||
CheckReapInterval: b.durationVal("check_reap_interval", c.CheckReapInterval),
|
||||
|
|
@ -867,13 +866,21 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
|
|||
|
||||
// ACL
|
||||
ACLsEnabled: aclsEnabled,
|
||||
ACLDefaultPolicy: stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)),
|
||||
ACLResolverSettings: consul.ACLResolverSettings{
|
||||
ACLsEnabled: aclsEnabled,
|
||||
Datacenter: datacenter,
|
||||
NodeName: b.nodeName(c.NodeName),
|
||||
ACLPolicyTTL: b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
|
||||
ACLTokenTTL: b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)),
|
||||
ACLRoleTTL: b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
|
||||
ACLDisabledTTL: b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL),
|
||||
ACLDownPolicy: stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)),
|
||||
ACLDefaultPolicy: stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)),
|
||||
},
|
||||
|
||||
ACLEnableKeyListPolicy: boolValWithDefault(c.ACL.EnableKeyListPolicy, boolVal(c.ACLEnableKeyListPolicy)),
|
||||
ACLMasterToken: stringValWithDefault(c.ACL.Tokens.Master, stringVal(c.ACLMasterToken)),
|
||||
ACLTokenTTL: b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)),
|
||||
ACLPolicyTTL: b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
|
||||
ACLRoleTTL: b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
|
||||
|
||||
ACLTokenReplication: boolValWithDefault(c.ACL.TokenReplication, boolValWithDefault(c.EnableACLReplication, enableTokenReplication)),
|
||||
|
||||
ACLTokens: token.Config{
|
||||
|
|
|
|||
|
|
@ -55,13 +55,6 @@ type RuntimeConfig struct {
|
|||
ConsulRaftLeaderLeaseTimeout time.Duration
|
||||
ConsulServerHealthInterval time.Duration
|
||||
|
||||
// ACLDisabledTTL is used by agents to determine how long they will
|
||||
// wait to check again with the servers if they discover ACLs are not
|
||||
// enabled. (not user configurable)
|
||||
//
|
||||
// hcl: acl.disabled_ttl = "duration"
|
||||
ACLDisabledTTL time.Duration
|
||||
|
||||
// ACLsEnabled is used to determine whether ACLs should be enabled
|
||||
//
|
||||
// hcl: acl.enabled = boolean
|
||||
|
|
@ -69,28 +62,7 @@ type RuntimeConfig struct {
|
|||
|
||||
ACLTokens token.Config
|
||||
|
||||
// ACLDefaultPolicy is used to control the ACL interaction when
|
||||
// there is no defined policy. This can be "allow" which means
|
||||
// ACLs are used to deny-list, or "deny" which means ACLs are
|
||||
// allow-lists.
|
||||
//
|
||||
// hcl: acl.default_policy = ("allow"|"deny")
|
||||
ACLDefaultPolicy string
|
||||
|
||||
// ACLDownPolicy is used to control the ACL interaction when we cannot
|
||||
// reach the PrimaryDatacenter and the token is not in the cache.
|
||||
// There are the following modes:
|
||||
// * allow - Allow all requests
|
||||
// * deny - Deny all requests
|
||||
// * extend-cache - Ignore the cache expiration, and allow cached
|
||||
// ACL's to be used to service requests. This
|
||||
// is the default. If the ACL is not in the cache,
|
||||
// this acts like deny.
|
||||
// * async-cache - Same behavior as extend-cache, but perform ACL
|
||||
// Lookups asynchronously when cache TTL is expired.
|
||||
//
|
||||
// hcl: acl.down_policy = ("allow"|"deny"|"extend-cache"|"async-cache")
|
||||
ACLDownPolicy string
|
||||
ACLResolverSettings consul.ACLResolverSettings
|
||||
|
||||
// ACLEnableKeyListPolicy is used to opt-in to the "list" policy added to
|
||||
// KV ACLs in Consul 1.0.
|
||||
|
|
@ -114,24 +86,6 @@ type RuntimeConfig struct {
|
|||
// hcl: acl.token_replication = boolean
|
||||
ACLTokenReplication bool
|
||||
|
||||
// ACLTokenTTL is used to control the time-to-live of cached ACL tokens. This has
|
||||
// a major impact on performance. By default, it is set to 30 seconds.
|
||||
//
|
||||
// hcl: acl.policy_ttl = "duration"
|
||||
ACLTokenTTL time.Duration
|
||||
|
||||
// ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has
|
||||
// a major impact on performance. By default, it is set to 30 seconds.
|
||||
//
|
||||
// hcl: acl.token_ttl = "duration"
|
||||
ACLPolicyTTL time.Duration
|
||||
|
||||
// ACLRoleTTL is used to control the time-to-live of cached ACL roles. This has
|
||||
// a major impact on performance. By default, it is set to 30 seconds.
|
||||
//
|
||||
// hcl: acl.role_ttl = "duration"
|
||||
ACLRoleTTL time.Duration
|
||||
|
||||
// AutopilotCleanupDeadServers enables the automatic cleanup of dead servers when new ones
|
||||
// are added to the peer list. Defaults to true.
|
||||
//
|
||||
|
|
|
|||
|
|
@ -5146,6 +5146,10 @@ func (tc testCase) run(format string, dataDir string) func(t *testing.T) {
|
|||
// case does not need to set this field.
|
||||
require.Equal(t, actual.DataDir, actual.ACLTokens.DataDir)
|
||||
expected.ACLTokens.DataDir = actual.ACLTokens.DataDir
|
||||
// These fields are always the same
|
||||
expected.ACLResolverSettings.Datacenter = expected.Datacenter
|
||||
expected.ACLResolverSettings.ACLsEnabled = expected.ACLsEnabled
|
||||
expected.ACLResolverSettings.NodeName = expected.NodeName
|
||||
|
||||
assertDeepEqual(t, expected, actual, cmpopts.EquateEmpty())
|
||||
}
|
||||
|
|
@ -5187,7 +5191,6 @@ func TestLoad_FullConfig(t *testing.T) {
|
|||
defaultEntMeta := structs.DefaultEnterpriseMetaInDefaultPartition()
|
||||
expected := &RuntimeConfig{
|
||||
// non-user configurable values
|
||||
ACLDisabledTTL: 120 * time.Second,
|
||||
AEInterval: time.Minute,
|
||||
CheckDeregisterIntervalMin: time.Minute,
|
||||
CheckReapInterval: 30 * time.Second,
|
||||
|
|
@ -5234,13 +5237,19 @@ func TestLoad_FullConfig(t *testing.T) {
|
|||
|
||||
ACLsEnabled: true,
|
||||
PrimaryDatacenter: "ejtmd43d",
|
||||
ACLResolverSettings: consul.ACLResolverSettings{
|
||||
ACLsEnabled: true,
|
||||
Datacenter: "rzo029wg",
|
||||
NodeName: "otlLxGaI",
|
||||
ACLDisabledTTL: 120 * time.Second,
|
||||
ACLDefaultPolicy: "72c2e7a0",
|
||||
ACLDownPolicy: "03eb2aee",
|
||||
ACLEnableKeyListPolicy: true,
|
||||
ACLMasterToken: "8a19ac27",
|
||||
ACLTokenTTL: 3321 * time.Second,
|
||||
ACLPolicyTTL: 1123 * time.Second,
|
||||
ACLRoleTTL: 9876 * time.Second,
|
||||
},
|
||||
ACLEnableKeyListPolicy: true,
|
||||
ACLMasterToken: "8a19ac27",
|
||||
ACLTokenReplication: true,
|
||||
AdvertiseAddrLAN: ipAddr("17.99.29.16"),
|
||||
AdvertiseAddrWAN: ipAddr("78.63.37.19"),
|
||||
|
|
|
|||
|
|
@ -1,13 +1,18 @@
|
|||
{
|
||||
"ACLEnableKeyListPolicy": false,
|
||||
"ACLMasterToken": "hidden",
|
||||
"ACLResolverSettings": {
|
||||
"ACLDefaultPolicy": "",
|
||||
"ACLDisabledTTL": "0s",
|
||||
"ACLDownPolicy": "",
|
||||
"ACLEnableKeyListPolicy": false,
|
||||
"ACLMasterToken": "hidden",
|
||||
"ACLPolicyTTL": "0s",
|
||||
"ACLRoleTTL": "0s",
|
||||
"ACLTokenReplication": false,
|
||||
"ACLTokenTTL": "0s",
|
||||
"ACLsEnabled": false,
|
||||
"Datacenter": "",
|
||||
"NodeName": ""
|
||||
},
|
||||
"ACLTokenReplication": false,
|
||||
"ACLTokens": {
|
||||
"ACLAgentMasterToken": "hidden",
|
||||
"ACLAgentToken": "hidden",
|
||||
|
|
|
|||
|
|
@ -189,7 +189,8 @@ func (e policyOrRoleTokenError) Error() string {
|
|||
|
||||
// ACLResolverConfig holds all the configuration necessary to create an ACLResolver
|
||||
type ACLResolverConfig struct {
|
||||
Config *Config
|
||||
// TODO: rename this field?
|
||||
Config ACLResolverSettings
|
||||
Logger hclog.Logger
|
||||
|
||||
// CacheConfig is a pass through configuration for ACL cache limits
|
||||
|
|
@ -211,6 +212,47 @@ type ACLResolverConfig struct {
|
|||
Tokens *token.Store
|
||||
}
|
||||
|
||||
// TODO: rename the fields to remove the ACL prefix
|
||||
type ACLResolverSettings struct {
|
||||
ACLsEnabled bool
|
||||
Datacenter string
|
||||
NodeName string
|
||||
|
||||
// ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has
|
||||
// a major impact on performance. By default, it is set to 30 seconds.
|
||||
ACLPolicyTTL time.Duration
|
||||
// ACLTokenTTL is used to control the time-to-live of cached ACL tokens. This has
|
||||
// a major impact on performance. By default, it is set to 30 seconds.
|
||||
ACLTokenTTL time.Duration
|
||||
// ACLRoleTTL is used to control the time-to-live of cached ACL roles. This has
|
||||
// a major impact on performance. By default, it is set to 30 seconds.
|
||||
ACLRoleTTL time.Duration
|
||||
|
||||
// ACLDisabledTTL is used by agents to determine how long they will
|
||||
// wait to check again with the servers if they discover ACLs are not
|
||||
// enabled. (not user configurable)
|
||||
ACLDisabledTTL time.Duration
|
||||
|
||||
// ACLDownPolicy is used to control the ACL interaction when we cannot
|
||||
// reach the PrimaryDatacenter and the token is not in the cache.
|
||||
// There are the following modes:
|
||||
// * allow - Allow all requests
|
||||
// * deny - Deny all requests
|
||||
// * extend-cache - Ignore the cache expiration, and allow cached
|
||||
// ACL's to be used to service requests. This
|
||||
// is the default. If the ACL is not in the cache,
|
||||
// this acts like deny.
|
||||
// * async-cache - Same behavior as extend-cache, but perform ACL
|
||||
// Lookups asynchronously when cache TTL is expired.
|
||||
ACLDownPolicy string
|
||||
|
||||
// ACLDefaultPolicy is used to control the ACL interaction when
|
||||
// there is no defined policy. This can be "allow" which means
|
||||
// ACLs are used to deny-list, or "deny" which means ACLs are
|
||||
// allow-lists.
|
||||
ACLDefaultPolicy string
|
||||
}
|
||||
|
||||
// ACLResolver is the type to handle all your token and policy resolution needs.
|
||||
//
|
||||
// Supports:
|
||||
|
|
@ -237,7 +279,7 @@ type ACLResolverConfig struct {
|
|||
// upon.
|
||||
//
|
||||
type ACLResolver struct {
|
||||
config *Config
|
||||
config ACLResolverSettings
|
||||
logger hclog.Logger
|
||||
|
||||
delegate ACLResolverDelegate
|
||||
|
|
@ -289,11 +331,6 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
|
|||
if config == nil {
|
||||
return nil, fmt.Errorf("ACL Resolver must be initialized with a config")
|
||||
}
|
||||
|
||||
if config.Config == nil {
|
||||
return nil, fmt.Errorf("ACLResolverConfig.Config must not be nil")
|
||||
}
|
||||
|
||||
if config.Delegate == nil {
|
||||
return nil, fmt.Errorf("ACL Resolver must be initialized with a valid delegate")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1390,7 +1390,7 @@ func (a *ACL) GetPolicy(args *structs.ACLPolicyResolveLegacyRequest, reply *stru
|
|||
}
|
||||
|
||||
// Get the policy via the cache
|
||||
parent := a.srv.config.ACLDefaultPolicy
|
||||
parent := a.srv.config.ACLResolverSettings.ACLDefaultPolicy
|
||||
|
||||
ident, policy, err := a.srv.acls.GetMergedPolicyForToken(args.ACL)
|
||||
if err != nil {
|
||||
|
|
@ -1409,7 +1409,7 @@ func (a *ACL) GetPolicy(args *structs.ACLPolicyResolveLegacyRequest, reply *stru
|
|||
|
||||
// Setup the response
|
||||
reply.ETag = etag
|
||||
reply.TTL = a.srv.config.ACLTokenTTL
|
||||
reply.TTL = a.srv.config.ACLResolverSettings.ACLTokenTTL
|
||||
a.srv.setQueryMeta(&reply.QueryMeta)
|
||||
|
||||
// Only send the policy on an Etag mis-match
|
||||
|
|
|
|||
|
|
@ -718,11 +718,11 @@ func (d *ACLResolverTestDelegate) RPC(method string, args interface{}, reply int
|
|||
|
||||
func newTestACLResolver(t *testing.T, delegate *ACLResolverTestDelegate, cb func(*ACLResolverConfig)) *ACLResolver {
|
||||
config := DefaultConfig()
|
||||
config.ACLDefaultPolicy = "deny"
|
||||
config.ACLDownPolicy = "extend-cache"
|
||||
config.ACLsEnabled = delegate.enabled
|
||||
config.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
config.ACLResolverSettings.ACLDownPolicy = "extend-cache"
|
||||
config.ACLResolverSettings.ACLsEnabled = delegate.enabled
|
||||
rconf := &ACLResolverConfig{
|
||||
Config: config,
|
||||
Config: config.ACLResolverSettings,
|
||||
Logger: testutil.Logger(t),
|
||||
CacheConfig: &structs.ACLCachesConfig{
|
||||
Identities: 4,
|
||||
|
|
@ -2205,7 +2205,7 @@ func TestACL_Replication(t *testing.T) {
|
|||
dir2, s2 := testServerWithConfig(t, func(c *Config) {
|
||||
c.Datacenter = "dc2"
|
||||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
c.ACLDownPolicy = aclDownPolicy
|
||||
c.ACLTokenReplication = true
|
||||
c.ACLReplicationRate = 100
|
||||
|
|
|
|||
|
|
@ -188,12 +188,12 @@ func (ac *AutoConfig) updateTLSCertificatesInConfig(opts AutoConfigOptions, resp
|
|||
func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautoconf.AutoConfigResponse) error {
|
||||
acl := &pbconfig.ACL{
|
||||
Enabled: ac.config.ACLsEnabled,
|
||||
PolicyTTL: ac.config.ACLPolicyTTL.String(),
|
||||
RoleTTL: ac.config.ACLRoleTTL.String(),
|
||||
TokenTTL: ac.config.ACLTokenTTL.String(),
|
||||
DisabledTTL: ac.config.ACLDisabledTTL.String(),
|
||||
DownPolicy: ac.config.ACLDownPolicy,
|
||||
DefaultPolicy: ac.config.ACLDefaultPolicy,
|
||||
PolicyTTL: ac.config.ACLResolverSettings.ACLPolicyTTL.String(),
|
||||
RoleTTL: ac.config.ACLResolverSettings.ACLRoleTTL.String(),
|
||||
TokenTTL: ac.config.ACLResolverSettings.ACLTokenTTL.String(),
|
||||
DisabledTTL: ac.config.ACLResolverSettings.ACLDisabledTTL.String(),
|
||||
DownPolicy: ac.config.ACLResolverSettings.ACLDownPolicy,
|
||||
DefaultPolicy: ac.config.ACLResolverSettings.ACLDefaultPolicy,
|
||||
EnableKeyListPolicy: ac.config.ACLEnableKeyListPolicy,
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -153,6 +153,8 @@ func TestAutoConfigInitialConfiguration(t *testing.T) {
|
|||
}
|
||||
c.AutoConfigAuthzAllowReuse = true
|
||||
|
||||
c.ACLResolverSettings.ACLDisabledTTL = 12 * time.Second
|
||||
|
||||
cafile := path.Join(c.DataDir, "cacert.pem")
|
||||
err := ioutil.WriteFile(cafile, []byte(cacert), 0600)
|
||||
require.NoError(t, err)
|
||||
|
|
@ -263,7 +265,7 @@ func TestAutoConfigInitialConfiguration(t *testing.T) {
|
|||
PolicyTTL: "30s",
|
||||
TokenTTL: "30s",
|
||||
RoleTTL: "30s",
|
||||
DisabledTTL: "0s",
|
||||
DisabledTTL: "12s",
|
||||
DownPolicy: "extend-cache",
|
||||
DefaultPolicy: "deny",
|
||||
Tokens: &pbconfig.ACLTokens{
|
||||
|
|
@ -719,12 +721,14 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
|
|||
Datacenter: testDC,
|
||||
PrimaryDatacenter: testDC,
|
||||
ACLsEnabled: true,
|
||||
ACLResolverSettings: ACLResolverSettings{
|
||||
ACLPolicyTTL: 7 * time.Second,
|
||||
ACLRoleTTL: 10 * time.Second,
|
||||
ACLTokenTTL: 12 * time.Second,
|
||||
ACLDisabledTTL: 31 * time.Second,
|
||||
ACLDefaultPolicy: "allow",
|
||||
ACLDownPolicy: "deny",
|
||||
},
|
||||
ACLEnableKeyListPolicy: true,
|
||||
},
|
||||
expectACLToken: true,
|
||||
|
|
@ -751,12 +755,14 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
|
|||
Datacenter: testDC,
|
||||
PrimaryDatacenter: testDC,
|
||||
ACLsEnabled: false,
|
||||
ACLResolverSettings: ACLResolverSettings{
|
||||
ACLPolicyTTL: 7 * time.Second,
|
||||
ACLRoleTTL: 10 * time.Second,
|
||||
ACLTokenTTL: 12 * time.Second,
|
||||
ACLDisabledTTL: 31 * time.Second,
|
||||
ACLDefaultPolicy: "allow",
|
||||
ACLDownPolicy: "deny",
|
||||
},
|
||||
ACLEnableKeyListPolicy: true,
|
||||
},
|
||||
expectACLToken: false,
|
||||
|
|
|
|||
|
|
@ -183,7 +183,7 @@ func TestCatalog_Register_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -429,7 +429,7 @@ func TestCatalog_Register_ConnectProxy_ACLDestinationServiceName(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -558,7 +558,7 @@ func TestCatalog_Deregister_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1298,7 +1298,7 @@ func TestCatalog_ListNodes_ACLFilter(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -2416,7 +2416,7 @@ func TestCatalog_ListServiceNodes_ConnectProxy_ACL(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -2711,7 +2711,7 @@ func testACLFilterServer(t *testing.T) (dir, token string, srv *Server, codec rp
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
|
||||
codec = rpcClient(t, srv)
|
||||
|
|
@ -2874,7 +2874,7 @@ func TestCatalog_NodeServices_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -3287,7 +3287,7 @@ func TestCatalog_GatewayServices_ACLFiltering(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
|
|||
|
|
@ -10,6 +10,10 @@ import (
|
|||
|
||||
"github.com/armon/go-metrics"
|
||||
"github.com/armon/go-metrics/prometheus"
|
||||
"github.com/hashicorp/go-hclog"
|
||||
"github.com/hashicorp/serf/serf"
|
||||
"golang.org/x/time/rate"
|
||||
|
||||
"github.com/hashicorp/consul/agent/pool"
|
||||
"github.com/hashicorp/consul/agent/router"
|
||||
"github.com/hashicorp/consul/agent/structs"
|
||||
|
|
@ -17,9 +21,6 @@ import (
|
|||
"github.com/hashicorp/consul/logging"
|
||||
"github.com/hashicorp/consul/tlsutil"
|
||||
"github.com/hashicorp/consul/types"
|
||||
"github.com/hashicorp/go-hclog"
|
||||
"github.com/hashicorp/serf/serf"
|
||||
"golang.org/x/time/rate"
|
||||
)
|
||||
|
||||
var ClientCounters = []prometheus.CounterDefinition{
|
||||
|
|
@ -122,7 +123,7 @@ func NewClient(config *Config, deps Deps) (*Client, error) {
|
|||
|
||||
c.useNewACLs = 0
|
||||
aclConfig := ACLResolverConfig{
|
||||
Config: config,
|
||||
Config: config.ACLResolverSettings,
|
||||
Delegate: c,
|
||||
Logger: c.logger,
|
||||
AutoDisable: true,
|
||||
|
|
|
|||
|
|
@ -175,6 +175,8 @@ type Config struct {
|
|||
// operators track which versions are actively deployed
|
||||
Build string
|
||||
|
||||
ACLResolverSettings ACLResolverSettings
|
||||
|
||||
// ACLEnabled is used to enable ACLs
|
||||
ACLsEnabled bool
|
||||
|
||||
|
|
@ -183,25 +185,6 @@ type Config struct {
|
|||
// that the Master token is available. This provides the initial token.
|
||||
ACLMasterToken string
|
||||
|
||||
// ACLTokenTTL controls the time-to-live of cached ACL tokens.
|
||||
// It can be set to zero to disable caching, but this adds
|
||||
// a substantial cost.
|
||||
ACLTokenTTL time.Duration
|
||||
|
||||
// ACLPolicyTTL controls the time-to-live of cached ACL policies.
|
||||
// It can be set to zero to disable caching, but this adds
|
||||
// a substantial cost.
|
||||
ACLPolicyTTL time.Duration
|
||||
|
||||
// ACLRoleTTL controls the time-to-live of cached ACL roles.
|
||||
// It can be set to zero to disable caching, but this adds
|
||||
// a substantial cost.
|
||||
ACLRoleTTL time.Duration
|
||||
|
||||
// ACLDisabledTTL is the time between checking if ACLs should be
|
||||
// enabled. This
|
||||
ACLDisabledTTL time.Duration
|
||||
|
||||
// ACLTokenReplication is used to enabled token replication.
|
||||
//
|
||||
// By default policy-only replication is enabled. When token
|
||||
|
|
@ -209,20 +192,6 @@ type Config struct {
|
|||
// yet upgraded to the new ACLs no replication will be performed
|
||||
ACLTokenReplication bool
|
||||
|
||||
// ACLDefaultPolicy is used to control the ACL interaction when
|
||||
// there is no defined policy. This can be "allow" which means
|
||||
// ACLs are used to deny-list, or "deny" which means ACLs are
|
||||
// allow-lists.
|
||||
ACLDefaultPolicy string
|
||||
|
||||
// ACLDownPolicy controls the behavior of ACLs if the PrimaryDatacenter
|
||||
// cannot be contacted. It can be either "deny" to deny all requests,
|
||||
// "extend-cache" or "async-cache" which ignores the ACLCacheInterval and
|
||||
// uses cached policies.
|
||||
// If a policy is not in the cache, it acts like deny.
|
||||
// "allow" can be used to allow all requests. This is not recommended.
|
||||
ACLDownPolicy string
|
||||
|
||||
// ACLReplicationRate is the max number of replication rounds that can
|
||||
// be run per second. Note that either 1 or 2 RPCs are used during each replication
|
||||
// round
|
||||
|
|
@ -438,19 +407,20 @@ func (c *Config) CheckProtocolVersion() error {
|
|||
}
|
||||
|
||||
// CheckACL validates the ACL configuration.
|
||||
// TODO: move this to ACLResolverSettings
|
||||
func (c *Config) CheckACL() error {
|
||||
switch c.ACLDefaultPolicy {
|
||||
switch c.ACLResolverSettings.ACLDefaultPolicy {
|
||||
case "allow":
|
||||
case "deny":
|
||||
default:
|
||||
return fmt.Errorf("Unsupported default ACL policy: %s", c.ACLDefaultPolicy)
|
||||
return fmt.Errorf("Unsupported default ACL policy: %s", c.ACLResolverSettings.ACLDefaultPolicy)
|
||||
}
|
||||
switch c.ACLDownPolicy {
|
||||
switch c.ACLResolverSettings.ACLDownPolicy {
|
||||
case "allow":
|
||||
case "deny":
|
||||
case "async-cache", "extend-cache":
|
||||
default:
|
||||
return fmt.Errorf("Unsupported down ACL policy: %s", c.ACLDownPolicy)
|
||||
return fmt.Errorf("Unsupported down ACL policy: %s", c.ACLResolverSettings.ACLDownPolicy)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
|
@ -473,11 +443,17 @@ func DefaultConfig() *Config {
|
|||
SerfFloodInterval: 60 * time.Second,
|
||||
ReconcileInterval: 60 * time.Second,
|
||||
ProtocolVersion: ProtocolVersion2Compatible,
|
||||
ACLRoleTTL: 30 * time.Second,
|
||||
ACLResolverSettings: ACLResolverSettings{
|
||||
ACLsEnabled: false,
|
||||
Datacenter: DefaultDC,
|
||||
NodeName: hostname,
|
||||
ACLPolicyTTL: 30 * time.Second,
|
||||
ACLTokenTTL: 30 * time.Second,
|
||||
ACLDefaultPolicy: "allow",
|
||||
ACLRoleTTL: 30 * time.Second,
|
||||
ACLDisabledTTL: 30 * time.Second,
|
||||
ACLDownPolicy: "extend-cache",
|
||||
ACLDefaultPolicy: "allow",
|
||||
},
|
||||
ACLReplicationRate: 1,
|
||||
ACLReplicationBurst: 5,
|
||||
ACLReplicationApplyLimit: 100, // ops / sec
|
||||
|
|
|
|||
|
|
@ -155,7 +155,7 @@ func TestConfigEntry_Apply_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -284,7 +284,7 @@ func TestConfigEntry_Get_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -497,7 +497,7 @@ func TestConfigEntry_List_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -582,7 +582,7 @@ func TestConfigEntry_ListAll_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -741,7 +741,7 @@ func TestConfigEntry_Delete_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1963,7 +1963,7 @@ func TestConfigEntry_ResolveServiceConfig_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
|
|||
|
|
@ -164,7 +164,7 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = TestDefaultMasterToken
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1109,7 +1109,7 @@ func TestConnectCASignValidation(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
|
|||
|
|
@ -197,7 +197,7 @@ func TestCoordinate_Update_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -373,7 +373,7 @@ func TestCoordinate_ListNodes_ACLFilter(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -565,7 +565,7 @@ func TestCoordinate_Node_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ func TestDiscoveryChainEndpoint_Get(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
|
|||
|
|
@ -117,7 +117,7 @@ func TestFederationState_Apply_Upsert_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -238,7 +238,7 @@ func TestFederationState_Get_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -410,7 +410,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -426,7 +426,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir2)
|
||||
defer s2.Shutdown()
|
||||
|
|
@ -686,7 +686,7 @@ func TestFederationState_Apply_Delete_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
|
|||
|
|
@ -984,7 +984,7 @@ func TestHealth_ServiceNodes_ConnectProxy_ACL(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1298,7 +1298,7 @@ func TestHealth_ServiceNodes_Ingress_ACL(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
|
|||
|
|
@ -863,7 +863,7 @@ func TestIntentionApply_aclDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1268,7 +1268,7 @@ func TestIntentionApply_aclDelete(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1349,7 +1349,7 @@ func TestIntentionApply_aclUpdate(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1418,7 +1418,7 @@ func TestIntentionApply_aclManagement(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1463,7 +1463,7 @@ func TestIntentionApply_aclUpdateChange(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1528,7 +1528,7 @@ func TestIntentionGet_acl(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1932,7 +1932,7 @@ func TestIntentionCheck_defaultACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1968,7 +1968,7 @@ func TestIntentionCheck_defaultACLAllow(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "allow"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "allow"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -2004,7 +2004,7 @@ func TestIntentionCheck_aclDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
|
|||
|
|
@ -563,8 +563,8 @@ func TestInternal_EventFire_Token(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDownPolicy = "deny"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDownPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir)
|
||||
defer srv.Shutdown()
|
||||
|
|
@ -962,7 +962,7 @@ func TestInternal_GatewayServiceDump_Terminating_ACL(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1305,7 +1305,7 @@ func TestInternal_GatewayServiceDump_Ingress_ACL(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1908,7 +1908,7 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = TestDefaultMasterToken
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -2045,7 +2045,7 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = TestDefaultMasterToken
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
|
|||
|
|
@ -85,7 +85,7 @@ func TestKVS_Apply_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -205,7 +205,7 @@ func TestKVS_Get_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -426,7 +426,7 @@ func TestKVSEndpoint_List_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -516,7 +516,7 @@ func TestKVSEndpoint_List_ACLEnableKeyListPolicy(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
c.ACLEnableKeyListPolicy = true
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
|
|
@ -719,7 +719,7 @@ func TestKVSEndpoint_ListKeys_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
|
|||
|
|
@ -205,7 +205,7 @@ func TestLeader_SecondaryCA_Initialize(t *testing.T) {
|
|||
c.Build = "1.6.0"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = masterToken
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
c.CAConfig.Config["PrivateKeyType"] = tc.keyType
|
||||
c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits
|
||||
c.CAConfig.Config["test_state"] = dc1State
|
||||
|
|
@ -223,7 +223,7 @@ func TestLeader_SecondaryCA_Initialize(t *testing.T) {
|
|||
c.PrimaryDatacenter = "primary"
|
||||
c.Build = "1.6.0"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
c.ACLTokenReplication = true
|
||||
c.CAConfig.Config["PrivateKeyType"] = tc.keyType
|
||||
c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits
|
||||
|
|
|
|||
|
|
@ -360,7 +360,7 @@ func TestLeader_FederationStateAntiEntropyPruning_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -374,7 +374,7 @@ func TestLeader_FederationStateAntiEntropyPruning_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
testrpc.WaitForLeader(t, s2.RPC, "dc2")
|
||||
defer os.RemoveAll(dir2)
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
c.Build = "1.6.0"
|
||||
c.OverrideInitialSerfTags = func(tags map[string]string) {
|
||||
tags["ft_si"] = "0"
|
||||
|
|
@ -64,7 +64,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
|
|||
c.Datacenter = "dc2"
|
||||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
c.ACLTokenReplication = false
|
||||
c.Build = "1.6.0"
|
||||
c.OverrideInitialSerfTags = func(tags map[string]string) {
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ func TestLeader_RegisterMember(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -109,7 +109,7 @@ func TestLeader_FailedMember(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -175,7 +175,7 @@ func TestLeader_LeftMember(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -227,7 +227,7 @@ func TestLeader_ReapMember(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -294,7 +294,7 @@ func TestLeader_CheckServersMeta(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "allow"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "allow"
|
||||
c.Bootstrap = true
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
|
|
@ -304,7 +304,7 @@ func TestLeader_CheckServersMeta(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "allow"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "allow"
|
||||
c.Bootstrap = false
|
||||
})
|
||||
defer os.RemoveAll(dir2)
|
||||
|
|
@ -314,7 +314,7 @@ func TestLeader_CheckServersMeta(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "allow"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "allow"
|
||||
c.Bootstrap = false
|
||||
})
|
||||
defer os.RemoveAll(dir3)
|
||||
|
|
@ -402,7 +402,7 @@ func TestLeader_ReapServer(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "allow"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "allow"
|
||||
c.Bootstrap = true
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
|
|
@ -412,7 +412,7 @@ func TestLeader_ReapServer(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "allow"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "allow"
|
||||
c.Bootstrap = false
|
||||
})
|
||||
defer os.RemoveAll(dir2)
|
||||
|
|
@ -422,7 +422,7 @@ func TestLeader_ReapServer(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "allow"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "allow"
|
||||
c.Bootstrap = false
|
||||
})
|
||||
defer os.RemoveAll(dir3)
|
||||
|
|
@ -483,7 +483,7 @@ func TestLeader_Reconcile_ReapMember(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -537,7 +537,7 @@ func TestLeader_Reconcile(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -892,7 +892,7 @@ func TestLeader_ReapTombstones(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
c.TombstoneTTL = 50 * time.Millisecond
|
||||
c.TombstoneTTLGranularity = 10 * time.Millisecond
|
||||
})
|
||||
|
|
|
|||
|
|
@ -55,7 +55,7 @@ func TestOperator_Autopilot_GetConfiguration_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
c.AutopilotConfig.CleanupDeadServers = false
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
|
|
@ -159,7 +159,7 @@ func TestOperator_Autopilot_SetConfiguration_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
c.AutopilotConfig.CleanupDeadServers = false
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
|
|
|
|||
|
|
@ -73,7 +73,7 @@ func TestOperator_RaftGetConfiguration_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -221,7 +221,7 @@ func TestOperator_RaftRemovePeerByAddress_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -350,7 +350,7 @@ func TestOperator_RaftRemovePeerByID_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
c.RaftConfig.ProtocolVersion = 3
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
|
|
|
|||
|
|
@ -201,7 +201,7 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -647,7 +647,7 @@ func TestPreparedQuery_ACLDeny_Catchall_Template(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -866,7 +866,7 @@ func TestPreparedQuery_Get(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1124,7 +1124,7 @@ func TestPreparedQuery_List(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1337,7 +1337,7 @@ func TestPreparedQuery_Explain(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1478,7 +1478,7 @@ func TestPreparedQuery_Execute(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -1490,7 +1490,7 @@ func TestPreparedQuery_Execute(t *testing.T) {
|
|||
c.Datacenter = "dc2"
|
||||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir2)
|
||||
defer s2.Shutdown()
|
||||
|
|
@ -2784,7 +2784,7 @@ func TestPreparedQuery_Wrapper(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -2794,7 +2794,7 @@ func TestPreparedQuery_Wrapper(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir2)
|
||||
defer s2.Shutdown()
|
||||
|
|
|
|||
|
|
@ -829,7 +829,7 @@ func TestRPC_LocalTokenStrippedOnForward(t *testing.T) {
|
|||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
c.ACLMasterToken = "root"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
|
|
@ -842,7 +842,7 @@ func TestRPC_LocalTokenStrippedOnForward(t *testing.T) {
|
|||
c.Datacenter = "dc2"
|
||||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
c.ACLTokenReplication = true
|
||||
c.ACLReplicationRate = 100
|
||||
c.ACLReplicationBurst = 100
|
||||
|
|
|
|||
|
|
@ -426,7 +426,7 @@ func NewServer(config *Config, flat Deps) (*Server, error) {
|
|||
s.aclConfig = newACLConfig(logger)
|
||||
s.useNewACLs = 0
|
||||
aclConfig := ACLResolverConfig{
|
||||
Config: config,
|
||||
Config: config.ACLResolverSettings,
|
||||
Delegate: s,
|
||||
CacheConfig: serverACLCacheConfig,
|
||||
AutoDisable: false,
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ func testServerACLConfig(cb func(*Config)) func(*Config) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = TestDefaultMasterToken
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
|
||||
if cb != nil {
|
||||
cb(c)
|
||||
|
|
@ -245,6 +245,12 @@ func testServerWithConfig(t *testing.T, cb func(*Config)) (string, *Server) {
|
|||
cb(config)
|
||||
}
|
||||
|
||||
// Apply config to copied fields because many tests only set the old
|
||||
//values.
|
||||
config.ACLResolverSettings.ACLsEnabled = config.ACLsEnabled
|
||||
config.ACLResolverSettings.NodeName = config.NodeName
|
||||
config.ACLResolverSettings.Datacenter = config.Datacenter
|
||||
|
||||
var err error
|
||||
srv, err = newServer(t, config)
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
@ -157,7 +157,7 @@ func TestSession_Apply_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -395,7 +395,7 @@ func TestSession_Get_List_NodeSessions_ACLFilter(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -754,7 +754,7 @@ func TestSession_Renew_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
|
|||
|
|
@ -272,7 +272,7 @@ func TestSnapshot_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
|
|||
|
|
@ -322,7 +322,7 @@ func TestTxn_Apply_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
@ -857,7 +857,7 @@ func TestTxn_Read_ACLDeny(t *testing.T) {
|
|||
c.PrimaryDatacenter = "dc1"
|
||||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
|
|
|||
|
|
@ -362,7 +362,7 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc
|
|||
return func(resp http.ResponseWriter, req *http.Request) {
|
||||
setHeaders(resp, s.agent.config.HTTPResponseHeaders)
|
||||
setTranslateAddr(resp, s.agent.config.TranslateWANAddrs)
|
||||
setACLDefaultPolicy(resp, s.agent.config.ACLDefaultPolicy)
|
||||
setACLDefaultPolicy(resp, s.agent.config.ACLResolverSettings.ACLDefaultPolicy)
|
||||
|
||||
// Obfuscate any tokens from appearing in the logs
|
||||
formVals, err := url.ParseQuery(req.URL.RawQuery)
|
||||
|
|
|
|||
|
|
@ -227,7 +227,7 @@ func basicUIEnabledConfig(opts ...cfgFunc) *config.RuntimeConfig {
|
|||
func withACLs() cfgFunc {
|
||||
return func(cfg *config.RuntimeConfig) {
|
||||
cfg.PrimaryDatacenter = "dc1"
|
||||
cfg.ACLDefaultPolicy = "deny"
|
||||
cfg.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||
cfg.ACLsEnabled = true
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue