config: remove ACLResolver settings from RuntimeConfig
This commit is contained in:
parent
31e034215f
commit
17841248dd
@ -542,13 +542,13 @@ func (a *Agent) Start(ctx context.Context) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
var intentionDefaultAllow bool
|
var intentionDefaultAllow bool
|
||||||
switch a.config.ACLDefaultPolicy {
|
switch a.config.ACLResolverSettings.ACLDefaultPolicy {
|
||||||
case "allow":
|
case "allow":
|
||||||
intentionDefaultAllow = true
|
intentionDefaultAllow = true
|
||||||
case "deny":
|
case "deny":
|
||||||
intentionDefaultAllow = false
|
intentionDefaultAllow = false
|
||||||
default:
|
default:
|
||||||
return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLDefaultPolicy)
|
return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLResolverSettings.ACLDefaultPolicy)
|
||||||
}
|
}
|
||||||
|
|
||||||
go a.baseDeps.ViewStore.Run(&lib.StopChannelContext{StopCh: a.shutdownCh})
|
go a.baseDeps.ViewStore.Run(&lib.StopChannelContext{StopCh: a.shutdownCh})
|
||||||
@ -1023,6 +1023,7 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
|
|||||||
cfg.PrimaryDatacenter = runtimeCfg.PrimaryDatacenter
|
cfg.PrimaryDatacenter = runtimeCfg.PrimaryDatacenter
|
||||||
cfg.DataDir = runtimeCfg.DataDir
|
cfg.DataDir = runtimeCfg.DataDir
|
||||||
cfg.NodeName = runtimeCfg.NodeName
|
cfg.NodeName = runtimeCfg.NodeName
|
||||||
|
cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings
|
||||||
|
|
||||||
cfg.CoordinateUpdateBatchSize = runtimeCfg.ConsulCoordinateUpdateBatchSize
|
cfg.CoordinateUpdateBatchSize = runtimeCfg.ConsulCoordinateUpdateBatchSize
|
||||||
cfg.CoordinateUpdateMaxBatches = runtimeCfg.ConsulCoordinateUpdateMaxBatches
|
cfg.CoordinateUpdateMaxBatches = runtimeCfg.ConsulCoordinateUpdateMaxBatches
|
||||||
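Review bot: The new assignment `cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings` carries a second copy of ACLsEnabled, Datacenter and NodeName, while `cfg.ACLsEnabled = runtimeCfg.ACLsEnabled` in the next hunk (and presumably the Datacenter/NodeName assignments) still populate the top-level fields separately. Nothing in newConsulConfig guards the two copies against drifting apart, and if they did the ACL resolver and the rest of the server would disagree on whether ACLs are enforced. Since the builder mirrors these three fields, a comment stating the invariant would help the next reader: `// ACLResolverSettings.{ACLsEnabled,Datacenter,NodeName} are mirrored from the top-level RuntimeConfig fields by config.builder; keep them in sync.` A cheap alternative is to reassign those three here from the top-level values. newConsulConfig starts and ends outside this hunk.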
@ -1115,7 +1116,6 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
|
|||||||
if runtimeCfg.ACLMasterToken != "" {
|
if runtimeCfg.ACLMasterToken != "" {
|
||||||
cfg.ACLMasterToken = runtimeCfg.ACLMasterToken
|
cfg.ACLMasterToken = runtimeCfg.ACLMasterToken
|
||||||
}
|
}
|
||||||
// TODO: cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings
|
|
||||||
cfg.ACLTokenReplication = runtimeCfg.ACLTokenReplication
|
cfg.ACLTokenReplication = runtimeCfg.ACLTokenReplication
|
||||||
cfg.ACLsEnabled = runtimeCfg.ACLsEnabled
|
cfg.ACLsEnabled = runtimeCfg.ACLsEnabled
|
||||||
if runtimeCfg.ACLEnableKeyListPolicy {
|
if runtimeCfg.ACLEnableKeyListPolicy {
|
||||||
|
@ -830,7 +830,6 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
|
|||||||
dataDir := stringVal(c.DataDir)
|
dataDir := stringVal(c.DataDir)
|
||||||
rt = RuntimeConfig{
|
rt = RuntimeConfig{
|
||||||
// non-user configurable values
|
// non-user configurable values
|
||||||
ACLDisabledTTL: b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL),
|
|
||||||
AEInterval: b.durationVal("ae_interval", c.AEInterval),
|
AEInterval: b.durationVal("ae_interval", c.AEInterval),
|
||||||
CheckDeregisterIntervalMin: b.durationVal("check_deregister_interval_min", c.CheckDeregisterIntervalMin),
|
CheckDeregisterIntervalMin: b.durationVal("check_deregister_interval_min", c.CheckDeregisterIntervalMin),
|
||||||
CheckReapInterval: b.durationVal("check_reap_interval", c.CheckReapInterval),
|
CheckReapInterval: b.durationVal("check_reap_interval", c.CheckReapInterval),
|
||||||
@ -867,13 +866,21 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
|
|||||||
|
|
||||||
// ACL
|
// ACL
|
||||||
ACLsEnabled: aclsEnabled,
|
ACLsEnabled: aclsEnabled,
|
||||||
ACLDefaultPolicy: stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)),
|
ACLResolverSettings: consul.ACLResolverSettings{
|
||||||
|
ACLsEnabled: aclsEnabled,
|
||||||
|
Datacenter: datacenter,
|
||||||
|
NodeName: b.nodeName(c.NodeName),
|
||||||
|
ACLPolicyTTL: b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
|
||||||
|
ACLTokenTTL: b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)),
|
||||||
|
ACLRoleTTL: b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
|
||||||
|
ACLDisabledTTL: b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL),
|
||||||
ACLDownPolicy: stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)),
|
ACLDownPolicy: stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)),
|
||||||
|
ACLDefaultPolicy: stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)),
|
||||||
|
},
|
||||||
|
|
||||||
ACLEnableKeyListPolicy: boolValWithDefault(c.ACL.EnableKeyListPolicy, boolVal(c.ACLEnableKeyListPolicy)),
|
ACLEnableKeyListPolicy: boolValWithDefault(c.ACL.EnableKeyListPolicy, boolVal(c.ACLEnableKeyListPolicy)),
|
||||||
ACLMasterToken: stringValWithDefault(c.ACL.Tokens.Master, stringVal(c.ACLMasterToken)),
|
ACLMasterToken: stringValWithDefault(c.ACL.Tokens.Master, stringVal(c.ACLMasterToken)),
|
||||||
ACLTokenTTL: b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)),
|
|
||||||
ACLPolicyTTL: b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
|
|
||||||
ACLRoleTTL: b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
|
|
||||||
ACLTokenReplication: boolValWithDefault(c.ACL.TokenReplication, boolValWithDefault(c.EnableACLReplication, enableTokenReplication)),
|
ACLTokenReplication: boolValWithDefault(c.ACL.TokenReplication, boolValWithDefault(c.EnableACLReplication, enableTokenReplication)),
|
||||||
|
|
||||||
ACLTokens: token.Config{
|
ACLTokens: token.Config{
|
||||||
|
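Review bot: `NodeName: b.nodeName(c.NodeName)` inside the new ACLResolverSettings literal re-evaluates the helper that presumably also fills the top-level NodeName field, whereas Datacenter reuses the already-computed `datacenter` local and ACLsEnabled reuses `aclsEnabled`. If b.nodeName ever derives or normalises the name (a hostname fallback, for example) the two calls must agree, and a reader cannot tell that from the literal. Computing it once, `nodeName := b.nodeName(c.NodeName)` next to `dataDir`, and using `nodeName` in both places makes the mirroring explicit and consistent with the other two fields. build() starts and ends outside this hunk.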
@ -55,13 +55,6 @@ type RuntimeConfig struct {
|
|||||||
ConsulRaftLeaderLeaseTimeout time.Duration
|
ConsulRaftLeaderLeaseTimeout time.Duration
|
||||||
ConsulServerHealthInterval time.Duration
|
ConsulServerHealthInterval time.Duration
|
||||||
|
|
||||||
// ACLDisabledTTL is used by agents to determine how long they will
|
|
||||||
// wait to check again with the servers if they discover ACLs are not
|
|
||||||
// enabled. (not user configurable)
|
|
||||||
//
|
|
||||||
// hcl: acl.disabled_ttl = "duration"
|
|
||||||
ACLDisabledTTL time.Duration
|
|
||||||
|
|
||||||
// ACLsEnabled is used to determine whether ACLs should be enabled
|
// ACLsEnabled is used to determine whether ACLs should be enabled
|
||||||
//
|
//
|
||||||
// hcl: acl.enabled = boolean
|
// hcl: acl.enabled = boolean
|
||||||
@ -69,28 +62,7 @@ type RuntimeConfig struct {
|
|||||||
|
|
||||||
ACLTokens token.Config
|
ACLTokens token.Config
|
||||||
|
|
||||||
// ACLDefaultPolicy is used to control the ACL interaction when
|
ACLResolverSettings consul.ACLResolverSettings
|
||||||
// there is no defined policy. This can be "allow" which means
|
|
||||||
// ACLs are used to deny-list, or "deny" which means ACLs are
|
|
||||||
// allow-lists.
|
|
||||||
//
|
|
||||||
// hcl: acl.default_policy = ("allow"|"deny")
|
|
||||||
ACLDefaultPolicy string
|
|
||||||
|
|
||||||
// ACLDownPolicy is used to control the ACL interaction when we cannot
|
|
||||||
// reach the PrimaryDatacenter and the token is not in the cache.
|
|
||||||
// There are the following modes:
|
|
||||||
// * allow - Allow all requests
|
|
||||||
// * deny - Deny all requests
|
|
||||||
// * extend-cache - Ignore the cache expiration, and allow cached
|
|
||||||
// ACL's to be used to service requests. This
|
|
||||||
// is the default. If the ACL is not in the cache,
|
|
||||||
// this acts like deny.
|
|
||||||
// * async-cache - Same behavior as extend-cache, but perform ACL
|
|
||||||
// Lookups asynchronously when cache TTL is expired.
|
|
||||||
//
|
|
||||||
// hcl: acl.down_policy = ("allow"|"deny"|"extend-cache"|"async-cache")
|
|
||||||
ACLDownPolicy string
|
|
||||||
|
|
||||||
// ACLEnableKeyListPolicy is used to opt-in to the "list" policy added to
|
// ACLEnableKeyListPolicy is used to opt-in to the "list" policy added to
|
||||||
// KV ACLs in Consul 1.0.
|
// KV ACLs in Consul 1.0.
|
||||||
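Review bot: The new field `ACLResolverSettings consul.ACLResolverSettings` is the only ACL field in RuntimeConfig without a doc comment, and it replaces fields whose comments each recorded the `hcl:` key they were loaded from. A reader of RuntimeConfig now has to jump to the consul package to learn what the nested settings are and which of them are user configurable. A short comment such as `// ACLResolverSettings holds the ACL settings shared with the server-side ACL resolver; the builder mirrors ACLsEnabled, Datacenter and NodeName into it from the top-level fields. See consul.ACLResolverSettings.` would keep the struct self-describing. The RuntimeConfig declaration starts and ends outside this hunk.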
@ -114,24 +86,6 @@ type RuntimeConfig struct {
|
|||||||
// hcl: acl.token_replication = boolean
|
// hcl: acl.token_replication = boolean
|
||||||
ACLTokenReplication bool
|
ACLTokenReplication bool
|
||||||
|
|
||||||
// ACLTokenTTL is used to control the time-to-live of cached ACL tokens. This has
|
|
||||||
// a major impact on performance. By default, it is set to 30 seconds.
|
|
||||||
//
|
|
||||||
// hcl: acl.policy_ttl = "duration"
|
|
||||||
ACLTokenTTL time.Duration
|
|
||||||
|
|
||||||
// ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has
|
|
||||||
// a major impact on performance. By default, it is set to 30 seconds.
|
|
||||||
//
|
|
||||||
// hcl: acl.token_ttl = "duration"
|
|
||||||
ACLPolicyTTL time.Duration
|
|
||||||
|
|
||||||
// ACLRoleTTL is used to control the time-to-live of cached ACL roles. This has
|
|
||||||
// a major impact on performance. By default, it is set to 30 seconds.
|
|
||||||
//
|
|
||||||
// hcl: acl.role_ttl = "duration"
|
|
||||||
ACLRoleTTL time.Duration
|
|
||||||
|
|
||||||
// AutopilotCleanupDeadServers enables the automatic cleanup of dead servers when new ones
|
// AutopilotCleanupDeadServers enables the automatic cleanup of dead servers when new ones
|
||||||
// are added to the peer list. Defaults to true.
|
// are added to the peer list. Defaults to true.
|
||||||
//
|
//
|
||||||
|
@ -5146,6 +5146,10 @@ func (tc testCase) run(format string, dataDir string) func(t *testing.T) {
|
|||||||
// case does not need to set this field.
|
// case does not need to set this field.
|
||||||
require.Equal(t, actual.DataDir, actual.ACLTokens.DataDir)
|
require.Equal(t, actual.DataDir, actual.ACLTokens.DataDir)
|
||||||
expected.ACLTokens.DataDir = actual.ACLTokens.DataDir
|
expected.ACLTokens.DataDir = actual.ACLTokens.DataDir
|
||||||
|
// These fields are always the same
|
||||||
|
expected.ACLResolverSettings.Datacenter = expected.Datacenter
|
||||||
|
expected.ACLResolverSettings.ACLsEnabled = expected.ACLsEnabled
|
||||||
|
expected.ACLResolverSettings.NodeName = expected.NodeName
|
||||||
|
|
||||||
assertDeepEqual(t, expected, actual, cmpopts.EquateEmpty())
|
assertDeepEqual(t, expected, actual, cmpopts.EquateEmpty())
|
||||||
}
|
}
|
||||||
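Review bot: The three new `expected.ACLResolverSettings.X = expected.X` assignments overwrite the expectation, so a regression in which the builder stops mirroring Datacenter, ACLsEnabled or NodeName into ACLResolverSettings would go unnoticed by every table case. The ACLTokens.DataDir lines just above show the safer pattern: first check `actual` against itself, then copy into `expected`. Adding `require.Equal(t, actual.Datacenter, actual.ACLResolverSettings.Datacenter)`, `require.Equal(t, actual.ACLsEnabled, actual.ACLResolverSettings.ACLsEnabled)` and `require.Equal(t, actual.NodeName, actual.ACLResolverSettings.NodeName)` before the assignments restores that coverage. run() starts outside this hunk.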
@ -5187,7 +5191,6 @@ func TestLoad_FullConfig(t *testing.T) {
|
|||||||
defaultEntMeta := structs.DefaultEnterpriseMetaInDefaultPartition()
|
defaultEntMeta := structs.DefaultEnterpriseMetaInDefaultPartition()
|
||||||
expected := &RuntimeConfig{
|
expected := &RuntimeConfig{
|
||||||
// non-user configurable values
|
// non-user configurable values
|
||||||
ACLDisabledTTL: 120 * time.Second,
|
|
||||||
AEInterval: time.Minute,
|
AEInterval: time.Minute,
|
||||||
CheckDeregisterIntervalMin: time.Minute,
|
CheckDeregisterIntervalMin: time.Minute,
|
||||||
CheckReapInterval: 30 * time.Second,
|
CheckReapInterval: 30 * time.Second,
|
||||||
@ -5234,13 +5237,19 @@ func TestLoad_FullConfig(t *testing.T) {
|
|||||||
|
|
||||||
ACLsEnabled: true,
|
ACLsEnabled: true,
|
||||||
PrimaryDatacenter: "ejtmd43d",
|
PrimaryDatacenter: "ejtmd43d",
|
||||||
|
ACLResolverSettings: consul.ACLResolverSettings{
|
||||||
|
ACLsEnabled: true,
|
||||||
|
Datacenter: "rzo029wg",
|
||||||
|
NodeName: "otlLxGaI",
|
||||||
|
ACLDisabledTTL: 120 * time.Second,
|
||||||
ACLDefaultPolicy: "72c2e7a0",
|
ACLDefaultPolicy: "72c2e7a0",
|
||||||
ACLDownPolicy: "03eb2aee",
|
ACLDownPolicy: "03eb2aee",
|
||||||
ACLEnableKeyListPolicy: true,
|
|
||||||
ACLMasterToken: "8a19ac27",
|
|
||||||
ACLTokenTTL: 3321 * time.Second,
|
ACLTokenTTL: 3321 * time.Second,
|
||||||
ACLPolicyTTL: 1123 * time.Second,
|
ACLPolicyTTL: 1123 * time.Second,
|
||||||
ACLRoleTTL: 9876 * time.Second,
|
ACLRoleTTL: 9876 * time.Second,
|
||||||
|
},
|
||||||
|
ACLEnableKeyListPolicy: true,
|
||||||
|
ACLMasterToken: "8a19ac27",
|
||||||
ACLTokenReplication: true,
|
ACLTokenReplication: true,
|
||||||
AdvertiseAddrLAN: ipAddr("17.99.29.16"),
|
AdvertiseAddrLAN: ipAddr("17.99.29.16"),
|
||||||
AdvertiseAddrWAN: ipAddr("78.63.37.19"),
|
AdvertiseAddrWAN: ipAddr("78.63.37.19"),
|
||||||
|
@ -1,13 +1,18 @@
|
|||||||
{
|
{
|
||||||
|
"ACLEnableKeyListPolicy": false,
|
||||||
|
"ACLMasterToken": "hidden",
|
||||||
|
"ACLResolverSettings": {
|
||||||
"ACLDefaultPolicy": "",
|
"ACLDefaultPolicy": "",
|
||||||
"ACLDisabledTTL": "0s",
|
"ACLDisabledTTL": "0s",
|
||||||
"ACLDownPolicy": "",
|
"ACLDownPolicy": "",
|
||||||
"ACLEnableKeyListPolicy": false,
|
|
||||||
"ACLMasterToken": "hidden",
|
|
||||||
"ACLPolicyTTL": "0s",
|
"ACLPolicyTTL": "0s",
|
||||||
"ACLRoleTTL": "0s",
|
"ACLRoleTTL": "0s",
|
||||||
"ACLTokenReplication": false,
|
|
||||||
"ACLTokenTTL": "0s",
|
"ACLTokenTTL": "0s",
|
||||||
|
"ACLsEnabled": false,
|
||||||
|
"Datacenter": "",
|
||||||
|
"NodeName": ""
|
||||||
|
},
|
||||||
|
"ACLTokenReplication": false,
|
||||||
"ACLTokens": {
|
"ACLTokens": {
|
||||||
"ACLAgentMasterToken": "hidden",
|
"ACLAgentMasterToken": "hidden",
|
||||||
"ACLAgentToken": "hidden",
|
"ACLAgentToken": "hidden",
|
||||||
|
@ -217,11 +217,39 @@ type ACLResolverSettings struct {
|
|||||||
ACLsEnabled bool
|
ACLsEnabled bool
|
||||||
Datacenter string
|
Datacenter string
|
||||||
NodeName string
|
NodeName string
|
||||||
|
|
||||||
|
// ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has
|
||||||
|
// a major impact on performance. By default, it is set to 30 seconds.
|
||||||
ACLPolicyTTL time.Duration
|
ACLPolicyTTL time.Duration
|
||||||
|
// ACLTokenTTL is used to control the time-to-live of cached ACL tokens. This has
|
||||||
|
// a major impact on performance. By default, it is set to 30 seconds.
|
||||||
ACLTokenTTL time.Duration
|
ACLTokenTTL time.Duration
|
||||||
|
// ACLRoleTTL is used to control the time-to-live of cached ACL roles. This has
|
||||||
|
// a major impact on performance. By default, it is set to 30 seconds.
|
||||||
ACLRoleTTL time.Duration
|
ACLRoleTTL time.Duration
|
||||||
|
|
||||||
|
// ACLDisabledTTL is used by agents to determine how long they will
|
||||||
|
// wait to check again with the servers if they discover ACLs are not
|
||||||
|
// enabled. (not user configurable)
|
||||||
ACLDisabledTTL time.Duration
|
ACLDisabledTTL time.Duration
|
||||||
|
|
||||||
|
// ACLDownPolicy is used to control the ACL interaction when we cannot
|
||||||
|
// reach the PrimaryDatacenter and the token is not in the cache.
|
||||||
|
// There are the following modes:
|
||||||
|
// * allow - Allow all requests
|
||||||
|
// * deny - Deny all requests
|
||||||
|
// * extend-cache - Ignore the cache expiration, and allow cached
|
||||||
|
// ACL's to be used to service requests. This
|
||||||
|
// is the default. If the ACL is not in the cache,
|
||||||
|
// this acts like deny.
|
||||||
|
// * async-cache - Same behavior as extend-cache, but perform ACL
|
||||||
|
// Lookups asynchronously when cache TTL is expired.
|
||||||
ACLDownPolicy string
|
ACLDownPolicy string
|
||||||
|
|
||||||
|
// ACLDefaultPolicy is used to control the ACL interaction when
|
||||||
|
// there is no defined policy. This can be "allow" which means
|
||||||
|
// ACLs are used to deny-list, or "deny" which means ACLs are
|
||||||
|
// allow-lists.
|
||||||
ACLDefaultPolicy string
|
ACLDefaultPolicy string
|
||||||
}
|
}
|
||||||
|
|
||||||
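Review bot: The doc comments added to ACLResolverSettings drop the `// hcl: acl.<key> = ...` lines that the corresponding RuntimeConfig fields carried, so the mapping from configuration key to field is no longer documented anywhere; the RuntimeConfig hunks remove them and this hunk does not restore them. Because ACLDownPolicy and ACLDefaultPolicy decide what happens when a token cannot be resolved or no policy matches, operators reading this struct benefit from seeing the exact keys and accepted values, e.g. `// hcl: acl.down_policy = ("allow"|"deny"|"extend-cache"|"async-cache")` and `// hcl: acl.default_policy = ("allow"|"deny")`. While restoring them, note that the old comments had acl.policy_ttl and acl.token_ttl attached to the wrong TTL fields, so each key should be paired with the field the builder actually reads it into (acl.token_ttl with ACLTokenTTL, acl.policy_ttl with ACLPolicyTTL, acl.role_ttl with ACLRoleTTL, acl.disabled_ttl with ACLDisabledTTL). The ACLResolverSettings declaration starts outside this hunk.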
@ -251,7 +279,6 @@ type ACLResolverSettings struct {
|
|||||||
// upon.
|
// upon.
|
||||||
//
|
//
|
||||||
type ACLResolver struct {
|
type ACLResolver struct {
|
||||||
// TODO: store the ACLResolverConfig as a field instead of copying all the fields onto ACLResolver.
|
|
||||||
config ACLResolverSettings
|
config ACLResolverSettings
|
||||||
logger hclog.Logger
|
logger hclog.Logger
|
||||||
|
|
||||||
|
@ -362,7 +362,7 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc
|
|||||||
return func(resp http.ResponseWriter, req *http.Request) {
|
return func(resp http.ResponseWriter, req *http.Request) {
|
||||||
setHeaders(resp, s.agent.config.HTTPResponseHeaders)
|
setHeaders(resp, s.agent.config.HTTPResponseHeaders)
|
||||||
setTranslateAddr(resp, s.agent.config.TranslateWANAddrs)
|
setTranslateAddr(resp, s.agent.config.TranslateWANAddrs)
|
||||||
setACLDefaultPolicy(resp, s.agent.config.ACLDefaultPolicy)
|
setACLDefaultPolicy(resp, s.agent.config.ACLResolverSettings.ACLDefaultPolicy)
|
||||||
|
|
||||||
// Obfuscate any tokens from appearing in the logs
|
// Obfuscate any tokens from appearing in the logs
|
||||||
formVals, err := url.ParseQuery(req.URL.RawQuery)
|
formVals, err := url.ParseQuery(req.URL.RawQuery)
|
||||||
|
@ -227,7 +227,7 @@ func basicUIEnabledConfig(opts ...cfgFunc) *config.RuntimeConfig {
|
|||||||
func withACLs() cfgFunc {
|
func withACLs() cfgFunc {
|
||||||
return func(cfg *config.RuntimeConfig) {
|
return func(cfg *config.RuntimeConfig) {
|
||||||
cfg.PrimaryDatacenter = "dc1"
|
cfg.PrimaryDatacenter = "dc1"
|
||||||
cfg.ACLDefaultPolicy = "deny"
|
cfg.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
||||||
cfg.ACLsEnabled = true
|
cfg.ACLsEnabled = true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
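Review bot: withACLs now sets `cfg.ACLResolverSettings.ACLDefaultPolicy = "deny"` and `cfg.ACLsEnabled = true` but leaves `cfg.ACLResolverSettings.ACLsEnabled` at its zero value, so the two copies of the enabled flag that the builder keeps in sync are inconsistent in this fixture. Whether the code under test consults the nested flag is not visible here; if it does, the deny policy would never be applied and the test would pass for the wrong reason. Adding `cfg.ACLResolverSettings.ACLsEnabled = true` (and the Datacenter/NodeName mirrors if the handler reads them) keeps the fixture shaped like a RuntimeConfig the builder would produce.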