diff --git a/agent/auto-config/config_translate.go b/agent/auto-config/config_translate.go index ba8f940d1c..829bd6b1e6 100644 --- a/agent/auto-config/config_translate.go +++ b/agent/auto-config/config_translate.go @@ -3,13 +3,14 @@ package autoconf import ( "fmt" + "github.com/mitchellh/mapstructure" + "github.com/hashicorp/consul/agent/config" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/proto" "github.com/hashicorp/consul/proto/pbautoconf" "github.com/hashicorp/consul/proto/pbconfig" "github.com/hashicorp/consul/proto/pbconnect" - "github.com/mitchellh/mapstructure" ) // translateAgentConfig is meant to take in a proto/pbconfig.Config type @@ -48,7 +49,6 @@ func translateConfig(c *pbconfig.Config) config.Config { DownPolicy: stringPtrOrNil(a.DownPolicy), DefaultPolicy: stringPtrOrNil(a.DefaultPolicy), EnableKeyListPolicy: &a.EnableKeyListPolicy, - DisabledTTL: stringPtrOrNil(a.DisabledTTL), EnableTokenPersistence: &a.EnableTokenPersistence, } diff --git a/agent/auto-config/config_translate_test.go b/agent/auto-config/config_translate_test.go index fa6d8febf0..0bdbec0bc3 100644 --- a/agent/auto-config/config_translate_test.go +++ b/agent/auto-config/config_translate_test.go @@ -4,11 +4,12 @@ import ( "fmt" "testing" + "github.com/stretchr/testify/require" + "github.com/hashicorp/consul/agent/config" "github.com/hashicorp/consul/agent/structs" pbconfig "github.com/hashicorp/consul/proto/pbconfig" "github.com/hashicorp/consul/proto/pbconnect" - "github.com/stretchr/testify/require" ) func stringPointer(s string) *string { @@ -65,7 +66,6 @@ func TestTranslateConfig(t *testing.T) { DownPolicy: "deny", DefaultPolicy: "deny", EnableKeyListPolicy: true, - DisabledTTL: "4s", EnableTokenPersistence: true, MSPDisableBootstrap: false, Tokens: &pbconfig.ACLTokens{ @@ -127,7 +127,6 @@ func TestTranslateConfig(t *testing.T) { DownPolicy: stringPointer("deny"), DefaultPolicy: stringPointer("deny"), EnableKeyListPolicy: boolPointer(true), - DisabledTTL: stringPointer("4s"), EnableTokenPersistence: boolPointer(true), Tokens: config.Tokens{ Master: stringPointer("99e7e490-6baf-43fc-9010-78b6aa9a6813"), diff --git a/agent/config/builder.go b/agent/config/builder.go index ed695276e4..849c54b0dc 100644 --- a/agent/config/builder.go +++ b/agent/config/builder.go @@ -873,7 +873,6 @@ func (b *builder) build() (rt RuntimeConfig, err error) { ACLPolicyTTL: b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL), ACLTokenTTL: b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)), ACLRoleTTL: b.durationVal("acl.role_ttl", c.ACL.RoleTTL), - ACLDisabledTTL: b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL), ACLDownPolicy: stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)), ACLDefaultPolicy: stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)), }, diff --git a/agent/config/config.go b/agent/config/config.go index 8b4578b49a..60b7dbbf64 100644 --- a/agent/config/config.go +++ b/agent/config/config.go @@ -268,8 +268,6 @@ type Config struct { SnapshotAgent map[string]interface{} `mapstructure:"snapshot_agent"` // non-user configurable values - // DEPRECATED (ACL-Legacy-Compat) - moved into the "acl" stanza - ACLDisabledTTL *string `mapstructure:"acl_disabled_ttl"` AEInterval *string `mapstructure:"ae_interval"` CheckDeregisterIntervalMin *string `mapstructure:"check_deregister_interval_min"` CheckReapInterval *string `mapstructure:"check_reap_interval"` @@ -741,7 +739,6 @@ type ACL struct { DefaultPolicy *string `mapstructure:"default_policy"` EnableKeyListPolicy *bool `mapstructure:"enable_key_list_policy"` Tokens Tokens `mapstructure:"tokens"` - DisabledTTL *string `mapstructure:"disabled_ttl"` EnableTokenPersistence *bool `mapstructure:"enable_token_persistence"` // Enterprise Only diff --git a/agent/config/default.go b/agent/config/default.go index 17e769c4ac..f0ffdc14f3 100644 --- a/agent/config/default.go +++ b/agent/config/default.go @@ -184,9 +184,6 @@ func NonUserSource() Source { Name: "non-user", Format: "hcl", Data: ` - acl = { - disabled_ttl = "120s" - } check_deregister_interval_min = "1m" check_reap_interval = "30s" ae_interval = "1m" diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 35a39ef278..829b653d69 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -5241,7 +5241,6 @@ func TestLoad_FullConfig(t *testing.T) { ACLsEnabled: true, Datacenter: "rzo029wg", NodeName: "otlLxGaI", - ACLDisabledTTL: 120 * time.Second, ACLDefaultPolicy: "72c2e7a0", ACLDownPolicy: "03eb2aee", ACLTokenTTL: 3321 * time.Second, diff --git a/agent/config/testdata/TestRuntimeConfig_Sanitize.golden b/agent/config/testdata/TestRuntimeConfig_Sanitize.golden index c1383cb2b5..091287a978 100644 --- a/agent/config/testdata/TestRuntimeConfig_Sanitize.golden +++ b/agent/config/testdata/TestRuntimeConfig_Sanitize.golden @@ -3,7 +3,6 @@ "ACLMasterToken": "hidden", "ACLResolverSettings": { "ACLDefaultPolicy": "", - "ACLDisabledTTL": "0s", "ACLDownPolicy": "", "ACLPolicyTTL": "0s", "ACLRoleTTL": "0s", diff --git a/agent/consul/acl.go b/agent/consul/acl.go index f1d8cba755..e8b79340ca 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go @@ -212,6 +212,8 @@ type ACLResolverConfig struct { Tokens *token.Store } +const aclDisabledTTL = 30 * time.Second + // TODO: rename the fields to remove the ACL prefix type ACLResolverSettings struct { ACLsEnabled bool @@ -228,11 +230,6 @@ type ACLResolverSettings struct { // a major impact on performance. By default, it is set to 30 seconds. ACLRoleTTL time.Duration - // ACLDisabledTTL is used by agents to determine how long they will - // wait to check again with the servers if they discover ACLs are not - // enabled. (not user configurable) - ACLDisabledTTL time.Duration - // ACLDownPolicy is used to control the ACL interaction when we cannot // reach the PrimaryDatacenter and the token is not in the cache. // There are the following modes: @@ -1200,9 +1197,9 @@ func (r *ACLResolver) disableACLsWhenUpstreamDisabled(err error) error { return err } - r.logger.Debug("ACLs disabled on upstream servers, will retry", "retry_interval", r.config.ACLDisabledTTL) + r.logger.Debug("ACLs disabled on upstream servers, will retry", "retry_interval", aclDisabledTTL) r.disabledLock.Lock() - r.disabled = time.Now().Add(r.config.ACLDisabledTTL) + r.disabled = time.Now().Add(aclDisabledTTL) r.disabledLock.Unlock() return err diff --git a/agent/consul/auto_config_endpoint.go b/agent/consul/auto_config_endpoint.go index 82b59c8695..69bb573532 100644 --- a/agent/consul/auto_config_endpoint.go +++ b/agent/consul/auto_config_endpoint.go @@ -191,7 +191,6 @@ func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautocon PolicyTTL: ac.config.ACLResolverSettings.ACLPolicyTTL.String(), RoleTTL: ac.config.ACLResolverSettings.ACLRoleTTL.String(), TokenTTL: ac.config.ACLResolverSettings.ACLTokenTTL.String(), - DisabledTTL: ac.config.ACLResolverSettings.ACLDisabledTTL.String(), DownPolicy: ac.config.ACLResolverSettings.ACLDownPolicy, DefaultPolicy: ac.config.ACLResolverSettings.ACLDefaultPolicy, EnableKeyListPolicy: ac.config.ACLEnableKeyListPolicy, diff --git a/agent/consul/auto_config_endpoint_test.go b/agent/consul/auto_config_endpoint_test.go index 3aa45bf5ce..58b8c063ff 100644 --- a/agent/consul/auto_config_endpoint_test.go +++ b/agent/consul/auto_config_endpoint_test.go @@ -153,8 +153,6 @@ func TestAutoConfigInitialConfiguration(t *testing.T) { } c.AutoConfigAuthzAllowReuse = true - c.ACLResolverSettings.ACLDisabledTTL = 12 * time.Second - cafile := path.Join(c.DataDir, "cacert.pem") err := ioutil.WriteFile(cafile, []byte(cacert), 0600) require.NoError(t, err) @@ -265,7 +263,6 @@ func TestAutoConfigInitialConfiguration(t *testing.T) { PolicyTTL: "30s", TokenTTL: "30s", RoleTTL: "30s", - DisabledTTL: "12s", DownPolicy: "extend-cache", DefaultPolicy: "deny", Tokens: &pbconfig.ACLTokens{ @@ -725,7 +722,6 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) { ACLPolicyTTL: 7 * time.Second, ACLRoleTTL: 10 * time.Second, ACLTokenTTL: 12 * time.Second, - ACLDisabledTTL: 31 * time.Second, ACLDefaultPolicy: "allow", ACLDownPolicy: "deny", }, @@ -739,7 +735,6 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) { PolicyTTL: "7s", RoleTTL: "10s", TokenTTL: "12s", - DisabledTTL: "31s", DownPolicy: "deny", DefaultPolicy: "allow", EnableKeyListPolicy: true, @@ -759,7 +754,6 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) { ACLPolicyTTL: 7 * time.Second, ACLRoleTTL: 10 * time.Second, ACLTokenTTL: 12 * time.Second, - ACLDisabledTTL: 31 * time.Second, ACLDefaultPolicy: "allow", ACLDownPolicy: "deny", }, @@ -773,7 +767,6 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) { PolicyTTL: "7s", RoleTTL: "10s", TokenTTL: "12s", - DisabledTTL: "31s", DownPolicy: "deny", DefaultPolicy: "allow", EnableKeyListPolicy: true, diff --git a/agent/consul/config.go b/agent/consul/config.go index eebf48559f..195e8a4b47 100644 --- a/agent/consul/config.go +++ b/agent/consul/config.go @@ -450,7 +450,6 @@ func DefaultConfig() *Config { ACLPolicyTTL: 30 * time.Second, ACLTokenTTL: 30 * time.Second, ACLRoleTTL: 30 * time.Second, - ACLDisabledTTL: 30 * time.Second, ACLDownPolicy: "extend-cache", ACLDefaultPolicy: "allow", }, diff --git a/proto/pbconfig/config.pb.go b/proto/pbconfig/config.pb.go index deb8d9c394..ab53b58b48 100644 --- a/proto/pbconfig/config.pb.go +++ b/proto/pbconfig/config.pb.go @@ -323,20 +323,22 @@ func (m *TLS) GetPreferServerCipherSuites() bool { } type ACL struct { - Enabled bool `protobuf:"varint,1,opt,name=Enabled,proto3" json:"Enabled,omitempty"` - PolicyTTL string `protobuf:"bytes,2,opt,name=PolicyTTL,proto3" json:"PolicyTTL,omitempty"` - RoleTTL string `protobuf:"bytes,3,opt,name=RoleTTL,proto3" json:"RoleTTL,omitempty"` - TokenTTL string `protobuf:"bytes,4,opt,name=TokenTTL,proto3" json:"TokenTTL,omitempty"` - DownPolicy string `protobuf:"bytes,5,opt,name=DownPolicy,proto3" json:"DownPolicy,omitempty"` - DefaultPolicy string `protobuf:"bytes,6,opt,name=DefaultPolicy,proto3" json:"DefaultPolicy,omitempty"` - EnableKeyListPolicy bool `protobuf:"varint,7,opt,name=EnableKeyListPolicy,proto3" json:"EnableKeyListPolicy,omitempty"` - Tokens *ACLTokens `protobuf:"bytes,8,opt,name=Tokens,proto3" json:"Tokens,omitempty"` - DisabledTTL string `protobuf:"bytes,9,opt,name=DisabledTTL,proto3" json:"DisabledTTL,omitempty"` - EnableTokenPersistence bool `protobuf:"varint,10,opt,name=EnableTokenPersistence,proto3" json:"EnableTokenPersistence,omitempty"` - MSPDisableBootstrap bool `protobuf:"varint,11,opt,name=MSPDisableBootstrap,proto3" json:"MSPDisableBootstrap,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` + Enabled bool `protobuf:"varint,1,opt,name=Enabled,proto3" json:"Enabled,omitempty"` + PolicyTTL string `protobuf:"bytes,2,opt,name=PolicyTTL,proto3" json:"PolicyTTL,omitempty"` + RoleTTL string `protobuf:"bytes,3,opt,name=RoleTTL,proto3" json:"RoleTTL,omitempty"` + TokenTTL string `protobuf:"bytes,4,opt,name=TokenTTL,proto3" json:"TokenTTL,omitempty"` + DownPolicy string `protobuf:"bytes,5,opt,name=DownPolicy,proto3" json:"DownPolicy,omitempty"` + DefaultPolicy string `protobuf:"bytes,6,opt,name=DefaultPolicy,proto3" json:"DefaultPolicy,omitempty"` + EnableKeyListPolicy bool `protobuf:"varint,7,opt,name=EnableKeyListPolicy,proto3" json:"EnableKeyListPolicy,omitempty"` + Tokens *ACLTokens `protobuf:"bytes,8,opt,name=Tokens,proto3" json:"Tokens,omitempty"` + // DisabledTTL is deprecated. It is no longer populated and should be ignored + // by clients. + DisabledTTL string `protobuf:"bytes,9,opt,name=DisabledTTL,proto3" json:"DisabledTTL,omitempty"` + EnableTokenPersistence bool `protobuf:"varint,10,opt,name=EnableTokenPersistence,proto3" json:"EnableTokenPersistence,omitempty"` + MSPDisableBootstrap bool `protobuf:"varint,11,opt,name=MSPDisableBootstrap,proto3" json:"MSPDisableBootstrap,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` } func (m *ACL) Reset() { *m = ACL{} } diff --git a/proto/pbconfig/config.proto b/proto/pbconfig/config.proto index 6dcaabb02a..b56ed40884 100644 --- a/proto/pbconfig/config.proto +++ b/proto/pbconfig/config.proto @@ -43,6 +43,8 @@ message ACL { string DefaultPolicy = 6; bool EnableKeyListPolicy = 7; ACLTokens Tokens = 8; + // DisabledTTL is deprecated. It is no longer populated and should be ignored + // by clients. string DisabledTTL = 9; bool EnableTokenPersistence = 10; bool MSPDisableBootstrap = 11;