consul: ACL setting passthrough

2014-08-05 15:20:35 -07:00 · 2014-08-05 15:20:35 -07:00 · a8063457f8
parent 9cd9a6bcc4
commit a8063457f8
5 changed files with 75 additions and 2 deletions
--- a/command/agent/agent.go
+++ b/command/agent/agent.go
@ -181,6 +181,21 @@ func (a *Agent) consulConfig() *consul.Config {
 	if a.config.Protocol > 0 {
 		base.ProtocolVersion = uint8(a.config.Protocol)
 	}
+	if a.config.ACLToken != "" {
+		base.ACLToken = a.config.ACLToken
+	}
+	if a.config.ACLDatacenter != "" {
+		base.ACLDatacenter = a.config.ACLDatacenter
+	}
+	if a.config.ACLTTLRaw != "" {
+		base.ACLTTL = a.config.ACLTTL
+	}
+	if a.config.ACLDefaultPolicy != "" {
+		base.ACLDefaultPolicy = a.config.ACLDefaultPolicy
+	}
+	if a.config.ACLDownPolicy != "" {
+		base.ACLDownPolicy = a.config.ACLDownPolicy
+	}

 	// Format the build string
 	revision := a.config.Revision
--- a/command/agent/config_test.go
+++ b/command/agent/config_test.go
@ -359,7 +359,7 @@ func TestDecodeConfig(t *testing.T) {

 	// ACLs
 	input = `{"acl_token": "1234", "acl_datacenter": "dc2",
-	"acl_cache_interval": "60s", "acl_down_policy": "deny",
+	"acl_ttl": "60s", "acl_down_policy": "deny",
 	"acl_default_policy": "deny"}`
 	config, err = DecodeConfig(bytes.NewReader([]byte(input)))
 	if err != nil {
@ -372,7 +372,7 @@ func TestDecodeConfig(t *testing.T) {
 	if config.ACLDatacenter != "dc2" {
 		t.Fatalf("bad: %#v", config)
 	}
-	if config.ACLCacheInterval != 60*time.Second {
+	if config.ACLTTL != 60*time.Second {
 		t.Fatalf("bad: %#v", config)
 	}
 	if config.ACLDownPolicy != "deny" {
--- a/consul/client.go
+++ b/consul/client.go
@ -80,6 +80,11 @@ func NewClient(config *Config) (*Client, error) {
 		return nil, fmt.Errorf("Config must provide a DataDir")
 	}

+	// Sanity check the ACLs
+	if err := config.CheckACL(); err != nil {
+		return nil, err
+	}
+
 	// Ensure we have a log output
 	if config.LogOutput == nil {
 		config.LogOutput = os.Stderr
--- a/consul/config.go
+++ b/consul/config.go
@ -128,6 +128,33 @@ type Config struct {
 	// operators track which versions are actively deployed
 	Build string

+	// ACLToken is the default token to use when making a request.
+	// If not provided, the anonymous token is used. This enables
+	// backwards compatibility as well.
+	ACLToken string
+
+	// ACLDatacenter provides the authoritative datacenter for ACL
+	// tokens. If not provided, ACL verification is disabled.
+	ACLDatacenter string
+
+	// ACLTTL controls the time-to-live of cached ACL policies.
+	// It can be set to zero to disable caching, but this adds
+	// a substantial cost.
+	ACLTTL time.Duration
+
+	// ACLDefaultPolicy is used to control the ACL interaction when
+	// there is no defined policy. This can be "allow" which means
+	// ACLs are used to black-list, or "deny" which means ACLs are
+	// white-lists.
+	ACLDefaultPolicy string
+
+	// ACLDownPolicy controls the behavior of ACLs if the ACLDatacenter
+	// cannot be contacted. It can be either "deny" to deny all requests,
+	// or "extend-cache" which ignores the ACLCacheInterval and uses
+	// cached policies. If a policy is not in the cache, it acts like deny.
+	// "allow" can be used to allow all requests. This is not recommended.
+	ACLDownPolicy string
+
 	// ServerUp callback can be used to trigger a notification that
 	// a Consul server is now up and known about.
 	ServerUp func()
@ -145,6 +172,24 @@ func (c *Config) CheckVersion() error {
 	return nil
 }

+// CheckACL is used to sanity check the ACL configuration
+func (c *Config) CheckACL() error {
+	switch c.ACLDefaultPolicy {
+	case "allow":
+	case "deny":
+	default:
+		return fmt.Errorf("Unsupported default ACL policy: %s", c.ACLDefaultPolicy)
+	}
+	switch c.ACLDownPolicy {
+	case "allow":
+	case "deny":
+	case "extend-cache":
+	default:
+		return fmt.Errorf("Unsupported down ACL policy: %s", c.ACLDownPolicy)
+	}
+	return nil
+}
+
 // AppendCA opens and parses the CA file and adds the certificates to
 // the provided CertPool.
 func (c *Config) AppendCA(pool *x509.CertPool) error {
@ -324,6 +369,9 @@ func DefaultConfig() *Config {
 		SerfWANConfig:     serf.DefaultConfig(),
 		ReconcileInterval: 60 * time.Second,
 		ProtocolVersion:   ProtocolVersionMax,
+		ACLTTL:            30 * time.Second,
+		ACLDefaultPolicy:  "allow",
+		ACLDownPolicy:     "extend-cache",
 	}

 	// Increase our reap interval to 3 days instead of 24h.
--- a/consul/server.go
+++ b/consul/server.go
@ -140,6 +140,11 @@ func NewServer(config *Config) (*Server, error) {
 		return nil, fmt.Errorf("Config must provide a DataDir")
 	}

+	// Sanity check the ACLs
+	if err := config.CheckACL(); err != nil {
+		return nil, err
+	}
+
 	// Ensure we have a log output
 	if config.LogOutput == nil {
 		config.LogOutput = os.Stderr