Added async-cache with similar behaviour as extend-cache but asynchronously

agent/acl.go

@@ -104,6 +104,7 @@ func newACLManager(config *config.RuntimeConfig) (*aclManager, error) {
 	case "deny":
 		down = acl.DenyAll()
 	case "extend-cache":
+	case "async-cache":
 		// Leave the down policy as nil to signal this.
 	default:
 		return nil, fmt.Errorf("invalid ACL down policy %q", config.ACLDownPolicy)

agent/acl_test.go

@@ -274,8 +274,10 @@ func TestACL_Down_Allow(t *testing.T) {
 
 func TestACL_Down_Extend(t *testing.T) {
 	t.Parallel()
+	aclExtendPolicies := []string{"extend-cache", "async-cache"}
+	for _, aclDownPolicy := range aclExtendPolicies {
 		a := NewTestAgent(t.Name(), TestACLConfig()+`
-		acl_down_policy = "extend-cache"
+		acl_down_policy = "`+aclDownPolicy+`"
 		acl_enforce_version_8 = true
 	`)
 		defer a.Shutdown()
@@ -348,6 +350,7 @@ func TestACL_Down_Extend(t *testing.T) {
 		if acl.AgentWrite(a.config.NodeName) {
 			t.Fatalf("should deny")
 		}
+	}
 }
 
 func TestACL_Cache(t *testing.T) {

agent/config/runtime.go

@@ -94,8 +94,10 @@ type RuntimeConfig struct {
 	//                    ACL's to be used to service requests. This
 	//                    is the default. If the ACL is not in the cache,
 	//                    this acts like deny.
+	//   * async-cache - Same behaviour as extend-cache, but perform ACL
+	//                   Lookups asynchronously when cache TTL is expired.
 	//
-	// hcl: acl_down_policy = ("allow"|"deny"|"extend-cache")
+	// hcl: acl_down_policy = ("allow"|"deny"|"extend-cache"|"async-cache")
 	ACLDownPolicy string
 
 	// ACLEnforceVersion8 is used to gate a set of ACL policy features that

agent/consul/acl.go

@@ -146,10 +146,12 @@ func newACLCache(conf *Config, logger *log.Logger, rpc rpcFn, local acl.FaultFun
 	if err != nil {
 		return nil, fmt.Errorf("Failed to create ACL policy cache: %v", err)
 	}
+	cache.fetchMap = make(map[string][]chan (RemoteACLResult))
 
 	return cache, nil
 }
 
+// Result Type returned when fetching Remote ACLs asynchronously
 type RemoteACLResult struct {
 	result acl.ACL
 	err    error
@@ -179,8 +181,9 @@ func (c *aclCache) fireResult(id string, theACL acl.ACL, err error) {
 	channels := c.fetchMap[id]
 	delete(c.fetchMap, id)
 	c.fetchMutex.Unlock()
+	aclResult := RemoteACLResult{theACL, err}
 	for _, cx := range channels {
-		cx <- RemoteACLResult{theACL, err}
+		cx <- aclResult
 		close(cx)
 	}
 }
@@ -231,7 +234,7 @@ func (c *aclCache) loadACLInChan(id, authDC string, cached *aclCacheEntry) {
 	// local ACL fault function is registered to query replicated ACL data,
 	// and the user's policy allows it, we will try locally before we give
 	// up.
-	if c.local != nil && c.config.ACLDownPolicy == "extend-cache" {
+	if c.local != nil && (c.config.ACLDownPolicy == "extend-cache" || c.config.ACLDownPolicy == "async-cache") {
 		parent, rules, err := c.local(id)
 		if err != nil {
 			// We don't make an exception here for ACLs that aren't
@@ -274,6 +277,7 @@ ACL_DOWN:
 	case "allow":
 		c.fireResult(id, acl.AllowAll(), nil)
 		return
+	case "async-cache":
 	case "extend-cache":
 		if cached != nil {
 			c.fireResult(id, cached.ACL, nil)
@@ -289,11 +293,11 @@ ACL_DOWN:
 func (c *aclCache) lookupACLRemote(id, authDC string, cached *aclCacheEntry) RemoteACLResult {
 	// Attempt to refresh the policy from the ACL datacenter via an RPC.
 	myChan := make(chan RemoteACLResult)
-	mustWaitForResult := cached == nil || c.config.ACLDownPolicy != "extend-cache"
+	mustWaitForResult := cached == nil || c.config.ACLDownPolicy != "async-cache"
 	c.fetchMutex.Lock()
 	clients, ok := c.fetchMap[id]
-	if !ok {
-		clients = make([]chan RemoteACLResult, 16)
+	if !ok || clients == nil {
+		clients = make([]chan RemoteACLResult, 0)
 	}
 	if mustWaitForResult {
 		c.fetchMap[id] = append(clients, myChan)

agent/consul/acl_test.go

@@ -508,10 +508,13 @@ func TestACL_DownPolicy_Allow(t *testing.T) {
 
 func TestACL_DownPolicy_ExtendCache(t *testing.T) {
 	t.Parallel()
+	aclExtendPolicies := []string{"extend-cache", "async-cache"} //"async-cache"
+
+	for _, aclDownPolicy := range aclExtendPolicies {
 		dir1, s1 := testServerWithConfig(t, func(c *Config) {
 			c.ACLDatacenter = "dc1"
 			c.ACLTTL = 0
-		c.ACLDownPolicy = "extend-cache"
+			c.ACLDownPolicy = aclDownPolicy
 			c.ACLMasterToken = "root"
 		})
 		defer os.RemoveAll(dir1)
@@ -522,7 +525,7 @@ func TestACL_DownPolicy_ExtendCache(t *testing.T) {
 		dir2, s2 := testServerWithConfig(t, func(c *Config) {
 			c.ACLDatacenter = "dc1" // Enable ACLs!
 			c.ACLTTL = 0
-		c.ACLDownPolicy = "extend-cache"
+			c.ACLDownPolicy = aclDownPolicy
 			c.Bootstrap = false // Disable bootstrap
 		})
 		defer os.RemoveAll(dir2)
@@ -581,6 +584,7 @@ func TestACL_DownPolicy_ExtendCache(t *testing.T) {
 		if aclR2 != aclR {
 			t.Fatalf("bad acl: %#v", aclR)
 		}
+	}
 }
 
 func TestACL_Replication(t *testing.T) {

agent/consul/config.go

@@ -235,8 +235,9 @@ type Config struct {
 
 	// ACLDownPolicy controls the behavior of ACLs if the ACLDatacenter
 	// cannot be contacted. It can be either "deny" to deny all requests,
-	// or "extend-cache" which ignores the ACLCacheInterval and uses
-	// cached policies. If a policy is not in the cache, it acts like deny.
+	// "extend-cache" or "async-cache" which ignores the ACLCacheInterval and
+	// uses cached policies.
+	// If a policy is not in the cache, it acts like deny.
 	// "allow" can be used to allow all requests. This is not recommended.
 	ACLDownPolicy string
 
@@ -378,6 +379,7 @@ func (c *Config) CheckACL() error {
 	switch c.ACLDownPolicy {
 	case "allow":
 	case "deny":
+	case "async-cache":
 	case "extend-cache":
 	default:
 		return fmt.Errorf("Unsupported down ACL policy: %s", c.ACLDownPolicy)