0c76a4389f
This PR adds two features which will be useful for operators when ACLs are in use. 1. Tokens set in configuration files are now reloadable. 2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload) Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change. Some other secondary changes: * Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly. * Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. * Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents. * Docs updated to reflect the API additions and to show using the new endpoints. * Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
135 lines
3.5 KiB
Go
135 lines
3.5 KiB
Go
package agenttokens
|
|
|
|
import (
|
|
"flag"
|
|
"fmt"
|
|
"io"
|
|
|
|
"github.com/hashicorp/consul/command/flags"
|
|
"github.com/hashicorp/consul/command/helpers"
|
|
"github.com/mitchellh/cli"
|
|
)
|
|
|
|
func New(ui cli.Ui) *cmd {
|
|
c := &cmd{UI: ui}
|
|
c.init()
|
|
return c
|
|
}
|
|
|
|
type cmd struct {
|
|
UI cli.Ui
|
|
flags *flag.FlagSet
|
|
http *flags.HTTPFlags
|
|
help string
|
|
|
|
testStdin io.Reader
|
|
}
|
|
|
|
func (c *cmd) init() {
|
|
c.flags = flag.NewFlagSet("", flag.ContinueOnError)
|
|
c.http = &flags.HTTPFlags{}
|
|
flags.Merge(c.flags, c.http.ClientFlags())
|
|
flags.Merge(c.flags, c.http.ServerFlags())
|
|
c.help = flags.Usage(help, c.flags)
|
|
}
|
|
func (c *cmd) Run(args []string) int {
|
|
if err := c.flags.Parse(args); err != nil {
|
|
return 1
|
|
}
|
|
|
|
tokenType, token, err := c.dataFromArgs(c.flags.Args())
|
|
if err != nil {
|
|
c.UI.Error(fmt.Sprintf("Error! %s", err))
|
|
return 1
|
|
}
|
|
|
|
client, err := c.http.APIClient()
|
|
if err != nil {
|
|
c.UI.Error(fmt.Sprintf("Error connecting to Consul Agent: %s", err))
|
|
return 1
|
|
}
|
|
|
|
switch tokenType {
|
|
case "default":
|
|
_, err = client.Agent().UpdateDefaultACLToken(token, nil)
|
|
case "agent":
|
|
_, err = client.Agent().UpdateAgentACLToken(token, nil)
|
|
case "master":
|
|
_, err = client.Agent().UpdateAgentMasterACLToken(token, nil)
|
|
case "replication":
|
|
_, err = client.Agent().UpdateReplicationACLToken(token, nil)
|
|
default:
|
|
c.UI.Error(fmt.Sprintf("Unknown token type"))
|
|
return 1
|
|
}
|
|
|
|
if err != nil {
|
|
c.UI.Error(fmt.Sprintf("Failed to set ACL token %q: %v", tokenType, err))
|
|
return 1
|
|
}
|
|
|
|
c.UI.Info(fmt.Sprintf("ACL token %q set successfully", tokenType))
|
|
return 0
|
|
}
|
|
|
|
func (c *cmd) dataFromArgs(args []string) (string, string, error) {
|
|
switch len(args) {
|
|
case 0:
|
|
return "", "", fmt.Errorf("Missing TYPE and TOKEN arguments")
|
|
case 1:
|
|
switch args[0] {
|
|
case "default", "agent", "master", "replication":
|
|
return "", "", fmt.Errorf("Missing TOKEN argument")
|
|
default:
|
|
return "", "", fmt.Errorf("MISSING TYPE argument")
|
|
}
|
|
case 2:
|
|
data, err := helpers.LoadDataSource(args[1], c.testStdin)
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
|
|
return args[0], data, nil
|
|
default:
|
|
return "", "", fmt.Errorf("Too many arguments: expected 2 got %d", len(args))
|
|
}
|
|
}
|
|
|
|
func (c *cmd) Synopsis() string {
|
|
return synopsis
|
|
}
|
|
|
|
func (c *cmd) Help() string {
|
|
return flags.Usage(c.help, nil)
|
|
}
|
|
|
|
const synopsis = "Assign tokens for the Consul Agent's usage"
|
|
const help = `
|
|
Usage: consul acl set-agent-token [options] TYPE TOKEN
|
|
|
|
This command will set the corresponding token for the agent to use.
|
|
Note that the tokens uploaded this way are not persisted and if
|
|
the agent reloads then the tokens will need to be set again.
|
|
|
|
Token Types:
|
|
|
|
default The default token is the token that the agent will use for
|
|
both internal agent operations and operations initiated by
|
|
the HTTP and DNS interfaces when no specific token is provided.
|
|
If not set the agent will use the anonymous token.
|
|
|
|
agent The token that the agent will use for internal agent operations.
|
|
If not given then the default token is used for these operations.
|
|
|
|
master This sets the token that can be used to access the Agent APIs in
|
|
the event that the ACL datacenter cannot be reached.
|
|
|
|
replication This is the token that the agent will use for replication
|
|
operations. This token will need to be configured with read access
|
|
to whatever data is being replicated.
|
|
|
|
Example:
|
|
|
|
$ consul acl set-agent-token default c4d0f8df-3aba-4ab6-a7a0-35b760dc29a1
|
|
`
|