mirror of https://github.com/status-im/consul.git
Renames "prepared_query" ACL policy to "query".
This commit is contained in:
parent
87ceb2f3de
commit
483898abe5
|
@ -19,7 +19,7 @@ type Policy struct {
|
|||
Keys []*KeyPolicy `hcl:"key,expand"`
|
||||
Services []*ServicePolicy `hcl:"service,expand"`
|
||||
Events []*EventPolicy `hcl:"event,expand"`
|
||||
PreparedQueries []*PreparedQueryPolicy `hcl:"prepared_query,expand"`
|
||||
PreparedQueries []*PreparedQueryPolicy `hcl:"query,expand"`
|
||||
Keyring string `hcl:"keyring"`
|
||||
}
|
||||
|
||||
|
@ -116,7 +116,7 @@ func Parse(rules string) (*Policy, error) {
|
|||
// Validate the prepared query policies
|
||||
for _, pq := range p.PreparedQueries {
|
||||
if !isPolicyValid(pq.Policy) {
|
||||
return nil, fmt.Errorf("Invalid prepared_query policy: %#v", pq)
|
||||
return nil, fmt.Errorf("Invalid query policy: %#v", pq)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -35,13 +35,13 @@ event "foo" {
|
|||
event "bar" {
|
||||
policy = "deny"
|
||||
}
|
||||
prepared_query "" {
|
||||
query "" {
|
||||
policy = "read"
|
||||
}
|
||||
prepared_query "foo" {
|
||||
query "foo" {
|
||||
policy = "write"
|
||||
}
|
||||
prepared_query "bar" {
|
||||
query "bar" {
|
||||
policy = "deny"
|
||||
}
|
||||
keyring = "deny"
|
||||
|
@ -151,7 +151,7 @@ func TestACLPolicy_Parse_JSON(t *testing.T) {
|
|||
"policy": "deny"
|
||||
}
|
||||
},
|
||||
"prepared_query": {
|
||||
"query": {
|
||||
"": {
|
||||
"policy": "read"
|
||||
},
|
||||
|
@ -257,7 +257,7 @@ func TestACLPolicy_Bad_Policy(t *testing.T) {
|
|||
`key "" { policy = "nope" }`,
|
||||
`service "" { policy = "nope" }`,
|
||||
`event "" { policy = "nope" }`,
|
||||
`prepared_query "" { policy = "nope" }`,
|
||||
`query "" { policy = "nope" }`,
|
||||
`keyring = "nope"`,
|
||||
}
|
||||
for _, c := range cases {
|
||||
|
|
|
@ -194,7 +194,7 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) {
|
|||
var token string
|
||||
{
|
||||
var rules = `
|
||||
prepared_query "redis" {
|
||||
query "redis" {
|
||||
policy = "write"
|
||||
}
|
||||
`
|
||||
|
@ -585,7 +585,7 @@ func TestPreparedQuery_Get(t *testing.T) {
|
|||
var token string
|
||||
{
|
||||
var rules = `
|
||||
prepared_query "redis" {
|
||||
query "redis" {
|
||||
policy = "write"
|
||||
}
|
||||
`
|
||||
|
@ -762,7 +762,7 @@ func TestPreparedQuery_List(t *testing.T) {
|
|||
var token string
|
||||
{
|
||||
var rules = `
|
||||
prepared_query "redis" {
|
||||
query "redis" {
|
||||
policy = "write"
|
||||
}
|
||||
`
|
||||
|
|
|
@ -48,7 +48,7 @@ its ID if it is created successfully.
|
|||
By default, the datacenter of the agent is queried; however, the dc can be
|
||||
provided using the "?dc=" query parameter.
|
||||
|
||||
If ACLs are enabled, then the client will need to supply a token with `prepared_query`
|
||||
If ACLs are enabled, then the client will need to supply a token with `query`
|
||||
write privileges sufficient to match the service name being queried and the `Name`
|
||||
given to the query, if any. See also the note about the `Token` field below.
|
||||
|
||||
|
@ -166,7 +166,7 @@ provided using the "?dc=" query parameter. This endpoint supports blocking
|
|||
queries and all consistency modes.
|
||||
|
||||
If ACLs are enabled, then the client will only see prepared queries for which their
|
||||
token has `prepared_query` read privileges. A management token will be able to see all
|
||||
token has `query` read privileges. A management token will be able to see all
|
||||
prepared queries. Tokens will be displayed as `<hidden>` unless a management token is
|
||||
used.
|
||||
|
||||
|
@ -211,7 +211,7 @@ The `PUT` method allows an existing prepared query to be updated.
|
|||
By default, the datacenter of the agent is queried; however, the dc can be
|
||||
provided using the "?dc=" query parameter.
|
||||
|
||||
If ACLs are enabled, then the client will need to supply a token with `prepared_query`
|
||||
If ACLs are enabled, then the client will need to supply a token with `query`
|
||||
write privileges sufficient to match the service name being queried and the `Name`
|
||||
given to the query, if any.
|
||||
|
||||
|
@ -232,7 +232,7 @@ only with a single item present. If the query does not exist then a 404
|
|||
status code will be returned.
|
||||
|
||||
If ACLs are enabled, then the client will only see prepared queries for which their
|
||||
token has `prepared_query` read privileges. A management token will be able to see all
|
||||
token has `query` read privileges. A management token will be able to see all
|
||||
prepared queries. Tokens will be displayed as `<hidden>` unless a management token is
|
||||
used.
|
||||
|
||||
|
@ -243,7 +243,7 @@ The `DELETE` method is used to delete a prepared query.
|
|||
By default, the datacenter of the agent is queried; however, the dc can be
|
||||
provided using the "?dc=" query parameter.
|
||||
|
||||
If ACLs are enabled, then the client will need to supply a token with `prepared_query`
|
||||
If ACLs are enabled, then the client will need to supply a token with `query`
|
||||
write privileges sufficient to match the service name being queried and the `Name`
|
||||
given to the query, if any.
|
||||
|
||||
|
|
|
@ -150,7 +150,7 @@ access to each API token based on the events they should be able to fire.
|
|||
### Blacklist mode and Prepared Queries
|
||||
|
||||
After Consul 0.6.3, significant changes were made to ACLs for prepared queries,
|
||||
incuding a new `prepared_query` ACL policy. See [Prepared Query ACLs](#prepared_query_acls) below for more details.
|
||||
incuding a new `query` ACL policy. See [Prepared Query ACLs](#prepared_query_acls) below for more details.
|
||||
|
||||
### Blacklist mode and Keyring Operations
|
||||
|
||||
|
@ -261,7 +261,7 @@ event "destroy-" {
|
|||
}
|
||||
|
||||
# Default prepared queries to read-only.
|
||||
prepared_query "" {
|
||||
query "" {
|
||||
policy = "read"
|
||||
}
|
||||
|
||||
|
@ -300,7 +300,7 @@ This is equivalent to the following JSON input:
|
|||
"policy": "deny"
|
||||
}
|
||||
},
|
||||
"prepared_query": {
|
||||
"query": {
|
||||
"": {
|
||||
"policy": "read"
|
||||
}
|
||||
|
@ -375,7 +375,7 @@ These variations are covered here, with examples:
|
|||
process to use via DNS.
|
||||
|
||||
* Static queries with a `Name` defined are controlled by the
|
||||
[`prepared_query`](/docs/internals/acl.html#prepared_query_acls) ACL policy.
|
||||
[`query`](/docs/internals/acl.html#prepared_query_acls) ACL policy.
|
||||
Clients are required to have an ACL token with a prefix sufficient to cover
|
||||
the name they are trying to manage, with a longest prefix match providing a
|
||||
way to define more specific policies. Clients can list or read queries for
|
||||
|
@ -431,7 +431,7 @@ These differences are outlined in the table below:
|
|||
<tr>
|
||||
<td>Create static query with `Name`</td>
|
||||
<td>The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query.</td>
|
||||
<td>The client token's `prepared_query` ACL policy is used to determine if the client is allowed to register a query for the given `Name`. No `Token` is captured by default unless specifically supplied by the client when creating the query.</td>
|
||||
<td>The client token's `query` ACL policy is used to determine if the client is allowed to register a query for the given `Name`. No `Token` is captured by default unless specifically supplied by the client when creating the query.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Manage static query without `Name`</td>
|
||||
|
@ -441,12 +441,12 @@ These differences are outlined in the table below:
|
|||
<tr>
|
||||
<td>Manage static query with a `Name`</td>
|
||||
<td>The ACL token used to create the query, or a management token must be supplied in order to perform these operations.</td>
|
||||
<td>Similar to create, the client token's `prepared_query` ACL policy is used to determine if these operations are allowed.</td>
|
||||
<td>Similar to create, the client token's `query` ACL policy is used to determine if these operations are allowed.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>List queries</td>
|
||||
<td>A management token is required to list any queries.</td>
|
||||
<td>The client token's `prepared_query` ACL policy is used to determine which queries they can see. Only management tokens can see prepared queries without `Name`.</td>
|
||||
<td>The client token's `query` ACL policy is used to determine which queries they can see. Only management tokens can see prepared queries without `Name`.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Execute query</td>
|
||||
|
|
Loading…
Reference in New Issue