From 7d4aa1975fbf104143b5fd96287fb521c0dd7646 Mon Sep 17 00:00:00 2001 From: Armon Dadgar Date: Sun, 13 Aug 2017 14:11:06 -0700 Subject: [PATCH] agent: thread through ACL config to Server --- command/agent/agent.go | 12 ++++++++++++ command/agent/agent_test.go | 7 +++++++ nomad/config.go | 7 +++++++ 3 files changed, 26 insertions(+) diff --git a/command/agent/agent.go b/command/agent/agent.go index bc238443a..2ac31fcd8 100644 --- a/command/agent/agent.go +++ b/command/agent/agent.go @@ -106,6 +106,15 @@ func convertServerConfig(agentConfig *Config, logOutput io.Writer) (*nomad.Confi if agentConfig.Region != "" { conf.Region = agentConfig.Region } + + // Set the Authoritative Region if set, otherwise default to + // the same as the local region. + if agentConfig.Server.AuthoritativeRegion != "" { + conf.AuthoritativeRegion = agentConfig.Server.AuthoritativeRegion + } else if agentConfig.Region != "" { + conf.AuthoritativeRegion = agentConfig.Region + } + if agentConfig.Datacenter != "" { conf.Datacenter = agentConfig.Datacenter } @@ -134,6 +143,9 @@ func convertServerConfig(agentConfig *Config, logOutput io.Writer) (*nomad.Confi if len(agentConfig.Server.EnabledSchedulers) != 0 { conf.EnabledSchedulers = agentConfig.Server.EnabledSchedulers } + if agentConfig.ACL.Enabled { + conf.ACLEnabled = true + } // Set up the bind addresses rpcAddr, err := net.ResolveTCPAddr("tcp", agentConfig.normalizedAddrs.RPC) diff --git a/command/agent/agent_test.go b/command/agent/agent_test.go index 524bdef23..53607a601 100644 --- a/command/agent/agent_test.go +++ b/command/agent/agent_test.go @@ -57,6 +57,7 @@ func TestAgent_ServerConfig(t *testing.T) { conf.AdvertiseAddrs.Serf = "127.0.0.1:4000" conf.AdvertiseAddrs.RPC = "127.0.0.1:4001" conf.AdvertiseAddrs.HTTP = "10.10.11.1:4005" + conf.ACL.Enabled = true // Parses the advertise addrs correctly if err := conf.normalizeAddrs(); err != nil { @@ -74,6 +75,12 @@ func TestAgent_ServerConfig(t *testing.T) { if serfPort != 4000 { t.Fatalf("expected 4000, got: %d", serfPort) } + if out.AuthoritativeRegion != "global" { + t.Fatalf("bad: %#v", out.AuthoritativeRegion) + } + if !out.ACLEnabled { + t.Fatalf("ACL not enabled") + } // Assert addresses weren't changed if addr := conf.AdvertiseAddrs.RPC; addr != "127.0.0.1:4001" { diff --git a/nomad/config.go b/nomad/config.go index 29161ee57..801bcc114 100644 --- a/nomad/config.go +++ b/nomad/config.go @@ -101,6 +101,10 @@ type Config struct { // Region is the region this Nomad server belongs to. Region string + // AuthoritativeRegion is the region which is treated as the authoritative source + // for ACLs and Policies. This provides a single source of truth to resolve conflicts. + AuthoritativeRegion string + // Datacenter is the datacenter this Nomad server belongs to. Datacenter string @@ -224,6 +228,9 @@ type Config struct { // TLSConfig holds various TLS related configurations TLSConfig *config.TLSConfig + + // ACLEnabled controls if ACL enforcement and management is enabled. + ACLEnabled bool } // CheckVersion is used to check if the ProtocolVersion is valid