Require token replication to be enabled in secondary dcs when ACLs are enabled with AutoConfig (#8451)

AutoConfig will generate local tokens for clients and the ability to use local tokens is gated off of token replication being enabled and being configured with a replication token. Therefore we already have a hard requirement on having token replication enabled, this commit just makes sure to surface that to the operator instead of having to discern what the issue is from RPC errors.
This commit is contained in:
Matt Keeler 2020-08-07 10:20:27 -04:00 committed by hashicorp-ci
parent 98308542eb
commit 1c3c8c7804
2 changed files with 51 additions and 1 deletions

View File

@ -2054,7 +2054,6 @@ func (b *Builder) validateAutoConfig(rt RuntimeConfig) error {
return fmt.Errorf("auto_config.enabled is set without providing a list of addresses") return fmt.Errorf("auto_config.enabled is set without providing a list of addresses")
} }
// TODO (autoconf) should we validate the DNS and IP SANs? The IP SANs have already been parsed into IPs
return nil return nil
} }
@ -2064,6 +2063,15 @@ func (b *Builder) validateAutoConfigAuthorizer(rt RuntimeConfig) error {
if !authz.Enabled { if !authz.Enabled {
return nil return nil
} }
// When in a secondary datacenter with ACLs enabled, we require token replication to be enabled
// as that is what allows us to create the local tokens to distribute to the clients. Otherwise
// we would have to have a token with the ability to create ACL tokens in the primary and make
// RPCs in response to auto config requests.
if rt.ACLsEnabled && rt.PrimaryDatacenter != rt.Datacenter && !rt.ACLTokenReplication {
return fmt.Errorf("Enabling auto-config authorization (auto_config.authorization.enabled) in non primary datacenters with ACLs enabled (acl.enabled) requires also enabling ACL token replication (acl.enable_token_replication)")
}
// Auto Config Authorization is only supported on servers // Auto Config Authorization is only supported on servers
if !rt.ServerMode { if !rt.ServerMode {
return fmt.Errorf("auto_config.authorization.enabled cannot be set to true for client agents") return fmt.Errorf("auto_config.authorization.enabled cannot be set to true for client agents")

View File

@ -4082,6 +4082,48 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
err: `auto_config.authorization.static has invalid configuration: exactly one of 'JWTValidationPubKeys', 'JWKSURL', or 'OIDCDiscoveryURL' must be set for type "jwt"`, err: `auto_config.authorization.static has invalid configuration: exactly one of 'JWTValidationPubKeys', 'JWKSURL', or 'OIDCDiscoveryURL' must be set for type "jwt"`,
}, },
{
desc: "auto config authorizer require token replication in secondary",
args: []string{
`-data-dir=` + dataDir,
`-server`,
},
hcl: []string{`
primary_datacenter = "otherdc"
acl {
enabled = true
}
auto_config {
authorization {
enabled = true
static {
jwks_url = "https://fake.uri.local"
oidc_discovery_url = "https://fake.uri.local"
}
}
}
cert_file = "foo"
`},
json: []string{`
{
"primary_datacenter": "otherdc",
"acl": {
"enabled": true
},
"auto_config": {
"authorization": {
"enabled": true,
"static": {
"jwks_url": "https://fake.uri.local",
"oidc_discovery_url": "https://fake.uri.local"
}
}
},
"cert_file": "foo"
}`},
err: `Enabling auto-config authorization (auto_config.authorization.enabled) in non primary datacenters with ACLs enabled (acl.enabled) requires also enabling ACL token replication (acl.enable_token_replication)`,
},
{ {
desc: "auto config authorizer invalid claim assertion", desc: "auto config authorizer invalid claim assertion",
args: []string{ args: []string{