Update force-leave ACL requirement to operator:write (#7033)

agent/agent_endpoint.go

@@ -475,7 +475,7 @@ func (s *HTTPServer) AgentForceLeave(resp http.ResponseWriter, req *http.Request
 	if err != nil {
 		return nil, err
 	}
-	if rule != nil && rule.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
+	if rule != nil && rule.OperatorWrite(nil) != acl.Allow {
 		return nil, acl.ErrPermissionDenied
 	}
 

agent/agent_endpoint_test.go

@@ -1646,7 +1646,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
 
 	t.Run("agent master token", func(t *testing.T) {
 		req, _ := http.NewRequest("PUT", uri+"?token=towel", nil)
-		if _, err := a.srv.AgentForceLeave(nil, req); err != nil {
+		if _, err := a.srv.AgentForceLeave(nil, req); !acl.IsErrPermissionDenied(err) {
 			t.Fatalf("err: %v", err)
 		}
 	})
@@ -1658,6 +1658,19 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
 			t.Fatalf("err: %v", err)
 		}
 	})
+
+	t.Run("operator write token", func(t *testing.T) {
+		// Create an ACL with operator read permissions.
+		var rules = `
+                    operator = "write"
+                `
+		opToken := testCreateToken(t, a, rules)
+
+		req, _ := http.NewRequest("PUT", fmt.Sprintf(uri+"?token=%s", opToken), nil)
+		if _, err := a.srv.AgentForceLeave(nil, req); err != nil {
+			t.Fatalf("err: %v", err)
+		}
+	})
 }
 
 func TestAgent_ForceLeavePrune(t *testing.T) {

website/source/api/agent.html.md

@@ -506,7 +506,7 @@ The table below shows this endpoint's support for
 
 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required  |
 | ---------------- | ----------------- | ------------- | ------------- |
-| `NO`             | `none`            | `none`        | `agent:write` |
+| `NO`             | `none`            | `none`        | `operator:write` |
 
 ### Parameters