From 0784a31e8536c9e92260b5876e485f68f85b4bc1 Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Tue, 5 Oct 2021 12:07:52 -0400
Subject: [PATCH] acl: remove init check for legacy anon token
This token should always already be migrated from a previous version.
---
 agent/config/default.go | 5 -----
 agent/consul/leader.go | 43 +++++++++++++++--------------------------
 2 files changed, 16 insertions(+), 32 deletions(-)
diff --git a/agent/config/default.go b/agent/config/default.go
index b916b6a93e..bb8ad905c8 100644
--- a/agent/config/default.go
+++ b/agent/config/default.go
@@ -18,11 +18,6 @@ func DefaultSource() Source {
 serfLAN := cfg.SerfLANConfig.MemberlistConfig
 serfWAN := cfg.SerfWANConfig.MemberlistConfig
- // DEPRECATED (ACL-Legacy-Compat) - when legacy ACL support is removed these defaults
- // the acl_* config entries here should be transitioned to their counterparts in the
- // acl stanza for now we need to be able to detect the new entries not being set (not
- // just set to the defaults here) so that we can use the old entries. So the true
- // default still needs to reside in the original config values
 return FileSource{
 Name: "default",
 Format: "hcl",
diff --git a/agent/consul/leader.go b/agent/consul/leader.go
index 847db5c1a3..3c1633290b 100644
--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@@ -498,35 +498,24 @@ func (s *Server) initializeACLs(ctx context.Context) error {
 }
 // Ignoring expiration times to avoid an insertion collision.
 if token == nil {
- // DEPRECATED (ACL-Legacy-Compat) - Don't need to query for previous "anonymous" token
- // check for legacy token that needs an upgrade
- _, legacyToken, err := state.ACLTokenGetBySecret(nil, anonymousToken, nil)
+ token = &structs.ACLToken{
+ AccessorID: structs.ACLTokenAnonymousID,
+ SecretID: anonymousToken,
+ Description: "Anonymous Token",
+ CreateTime: time.Now(),
+ EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
+ }
+ token.SetHash(true)
+
+ req := structs.ACLTokenBatchSetRequest{
+ Tokens: structs.ACLTokens{token},
+ CAS: false,
+ }
+ _, err := s.raftApply(structs.ACLTokenSetRequestType, &req)
 if err != nil {
- return fmt.Errorf("failed to get anonymous token: %v", err)
- }
- // Ignoring expiration times to avoid an insertion collision.
-
- // the token upgrade routine will take care of upgrading the token if a legacy version exists
- if legacyToken == nil {
- token = &structs.ACLToken{
- AccessorID: structs.ACLTokenAnonymousID,
- SecretID: anonymousToken,
- Description: "Anonymous Token",
- CreateTime: time.Now(),
- EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
- }
- token.SetHash(true)
-
- req := structs.ACLTokenBatchSetRequest{
- Tokens: structs.ACLTokens{token},
- CAS: false,
- }
- _, err := s.raftApply(structs.ACLTokenSetRequestType, &req)
- if err != nil {
- return fmt.Errorf("failed to create anonymous token: %v", err)
- }
- s.logger.Info("Created ACL anonymous token from configuration")
+ return fmt.Errorf("failed to create anonymous token: %v", err)
 }
+ s.logger.Info("Created ACL anonymous token from configuration")
 }
 // launch the upgrade go routine to generate accessors for everything
 s.startACLUpgrade(ctx)
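Review bot: The create path under `if token == nil` now rests entirely on the commit message's assumption that a legacy anonymous token was already migrated by an earlier version, and nothing in the new code records or checks that precondition. The lookup that sets `token` is outside the hunk, so this is inferred: if a token whose SecretID is `anonymousToken` still exists without the `structs.ACLTokenAnonymousID` accessor, the request with `CAS: false` is now applied without the old guard, and how the state store treats a second token with the same secret is not visible here. Because the anonymous token is the identity applied to requests that present no token, I would state the precondition at the branch, for example `// Assumes any legacy anonymous token was migrated by a previous version; a leftover one is no longer detected here.` initializeACLs begins and ends outside the hunk.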