Modifies server reconcile path to not use the server's token for internal operations.

This commit is contained in:
James Phillips 2017-03-23 13:34:30 -07:00
parent a094a58163
commit d428bc63c1
No known key found for this signature in database
GPG Key ID: 77183E682AC5FC11
4 changed files with 61 additions and 31 deletions

View File

@ -464,10 +464,9 @@ AFTER_CHECK:
Status: structs.HealthPassing, Status: structs.HealthPassing,
Output: SerfCheckAliveOutput, Output: SerfCheckAliveOutput,
}, },
WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
} }
var out struct{} _, err = s.raftApply(structs.RegisterRequestType, &req)
return s.endpoints.Catalog.Register(&req, &out) return err
} }
// handleFailedMember is used to mark the node's status // handleFailedMember is used to mark the node's status
@ -505,10 +504,9 @@ func (s *Server) handleFailedMember(member serf.Member) error {
Status: structs.HealthCritical, Status: structs.HealthCritical,
Output: SerfCheckFailedOutput, Output: SerfCheckFailedOutput,
}, },
WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
} }
var out struct{} _, err = s.raftApply(structs.RegisterRequestType, &req)
return s.endpoints.Catalog.Register(&req, &out) return err
} }
// handleLeftMember is used to handle members that gracefully // handleLeftMember is used to handle members that gracefully
@ -553,12 +551,11 @@ func (s *Server) handleDeregisterMember(reason string, member serf.Member) error
// Deregister the node // Deregister the node
s.logger.Printf("[INFO] consul: member '%s' %s, deregistering", member.Name, reason) s.logger.Printf("[INFO] consul: member '%s' %s, deregistering", member.Name, reason)
req := structs.DeregisterRequest{ req := structs.DeregisterRequest{
Datacenter: s.config.Datacenter, Datacenter: s.config.Datacenter,
Node: member.Name, Node: member.Name,
WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
} }
var out struct{} _, err = s.raftApply(structs.DeregisterRequestType, &req)
return s.endpoints.Catalog.Deregister(&req, &out) return err
} }
// joinConsulServer is used to try to join another consul server // joinConsulServer is used to try to join another consul server
@ -712,10 +709,9 @@ func (s *Server) removeConsulServer(m serf.Member, port int) error {
func (s *Server) reapTombstones(index uint64) { func (s *Server) reapTombstones(index uint64) {
defer metrics.MeasureSince([]string{"consul", "leader", "reapTombstones"}, time.Now()) defer metrics.MeasureSince([]string{"consul", "leader", "reapTombstones"}, time.Now())
req := structs.TombstoneRequest{ req := structs.TombstoneRequest{
Datacenter: s.config.Datacenter, Datacenter: s.config.Datacenter,
Op: structs.TombstoneReap, Op: structs.TombstoneReap,
ReapIndex: index, ReapIndex: index,
WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
} }
_, err := s.raftApply(structs.TombstoneRequestType, &req) _, err := s.raftApply(structs.TombstoneRequestType, &req)
if err != nil { if err != nil {

View File

@ -14,7 +14,12 @@ import (
) )
func TestLeader_RegisterMember(t *testing.T) { func TestLeader_RegisterMember(t *testing.T) {
dir1, s1 := testServer(t) dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
c.ACLEnforceVersion8 = true
})
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
defer s1.Shutdown() defer s1.Shutdown()
@ -81,7 +86,12 @@ func TestLeader_RegisterMember(t *testing.T) {
} }
func TestLeader_FailedMember(t *testing.T) { func TestLeader_FailedMember(t *testing.T) {
dir1, s1 := testServer(t) dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
c.ACLEnforceVersion8 = true
})
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
defer s1.Shutdown() defer s1.Shutdown()
@ -140,7 +150,12 @@ func TestLeader_FailedMember(t *testing.T) {
} }
func TestLeader_LeftMember(t *testing.T) { func TestLeader_LeftMember(t *testing.T) {
dir1, s1 := testServer(t) dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
c.ACLEnforceVersion8 = true
})
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
defer s1.Shutdown() defer s1.Shutdown()
@ -185,7 +200,12 @@ func TestLeader_LeftMember(t *testing.T) {
} }
func TestLeader_ReapMember(t *testing.T) { func TestLeader_ReapMember(t *testing.T) {
dir1, s1 := testServer(t) dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
c.ACLEnforceVersion8 = true
})
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
defer s1.Shutdown() defer s1.Shutdown()
@ -244,7 +264,12 @@ func TestLeader_ReapMember(t *testing.T) {
} }
func TestLeader_Reconcile_ReapMember(t *testing.T) { func TestLeader_Reconcile_ReapMember(t *testing.T) {
dir1, s1 := testServer(t) dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
c.ACLEnforceVersion8 = true
})
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
defer s1.Shutdown() defer s1.Shutdown()
@ -261,6 +286,9 @@ func TestLeader_Reconcile_ReapMember(t *testing.T) {
Name: SerfCheckName, Name: SerfCheckName,
Status: structs.HealthCritical, Status: structs.HealthCritical,
}, },
WriteRequest: structs.WriteRequest{
Token: "root",
},
} }
var out struct{} var out struct{}
if err := s1.RPC("Catalog.Register", &dead, &out); err != nil { if err := s1.RPC("Catalog.Register", &dead, &out); err != nil {
@ -284,7 +312,12 @@ func TestLeader_Reconcile_ReapMember(t *testing.T) {
} }
func TestLeader_Reconcile(t *testing.T) { func TestLeader_Reconcile(t *testing.T) {
dir1, s1 := testServer(t) dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
c.ACLEnforceVersion8 = true
})
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
defer s1.Shutdown() defer s1.Shutdown()
@ -562,6 +595,9 @@ func TestLeader_TombstoneGC_Reset(t *testing.T) {
func TestLeader_ReapTombstones(t *testing.T) { func TestLeader_ReapTombstones(t *testing.T) {
dir1, s1 := testServerWithConfig(t, func(c *Config) { dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
c.TombstoneTTL = 50 * time.Millisecond c.TombstoneTTL = 50 * time.Millisecond
c.TombstoneTTLGranularity = 10 * time.Millisecond c.TombstoneTTLGranularity = 10 * time.Millisecond
}) })
@ -579,6 +615,9 @@ func TestLeader_ReapTombstones(t *testing.T) {
Key: "test", Key: "test",
Value: []byte("test"), Value: []byte("test"),
}, },
WriteRequest: structs.WriteRequest{
Token: "root",
},
} }
var out bool var out bool
if err := msgpackrpc.CallWithCodec(codec, "KVS.Apply", &arg, &out); err != nil { if err := msgpackrpc.CallWithCodec(codec, "KVS.Apply", &arg, &out); err != nil {

View File

@ -454,9 +454,8 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
and servers to perform internal operations to the service catalog. If this isn't specified, then and servers to perform internal operations to the service catalog. If this isn't specified, then
the <a href="#acl_token">`acl_token`</a> will be used. This was added in Consul 0.7.2. the <a href="#acl_token">`acl_token`</a> will be used. This was added in Consul 0.7.2.
<br><br> <br><br>
For clients, this token must at least have write access to the node name it will register as. For This token must at least have write access to the node name it will register as in order to set any
servers, this must have write access to all nodes that are expected to join the cluster, as well of the node-level information in the catalog such as metadata, or the node's tagged addresses.
as write access to the "consul" service, which will be registered automatically on its behalf.
* <a name="acl_enforce_version_8"></a><a href="#acl_enforce_version_8">`acl_enforce_version_8`</a> - * <a name="acl_enforce_version_8"></a><a href="#acl_enforce_version_8">`acl_enforce_version_8`</a> -
Used for clients and servers to determine if enforcement should occur for new ACL policies being Used for clients and servers to determine if enforcement should occur for new ACL policies being

View File

@ -571,13 +571,9 @@ Two new configuration options are used once complete ACLs are enabled:
tokens during normal operation. tokens during normal operation.
* [`acl_agent_token`](/docs/agent/options.html#acl_agent_token) is used internally by * [`acl_agent_token`](/docs/agent/options.html#acl_agent_token) is used internally by
Consul agents to perform operations to the service catalog when registering themselves Consul agents to perform operations to the service catalog when registering themselves
or sending network coordinates to the servers. or sending network coordinates to the servers. This token must at least have `node` ACL
<br> policy `write` access to the node name it will register as in order to register any
<br> node-level information like metadata or tagged addresses.
For clients, this token must at least have `node` ACL policy `write` access to the node
name it will register as. For servers, this must have `node` ACL policy `write` access to
all nodes that are expected to join the cluster, as well as `service` ACL policy `write`
access to the `consul` service, which will be registered automatically on its behalf.
Since clients now resolve ACLs locally, the [`acl_down_policy`](/docs/agent/options.html#acl_down_policy) Since clients now resolve ACLs locally, the [`acl_down_policy`](/docs/agent/options.html#acl_down_policy)
now applies to Consul clients as well as Consul servers. This will determine what the now applies to Consul clients as well as Consul servers. This will determine what the