diff --git a/agent/consul/fsm/commands_oss.go b/agent/consul/fsm/commands_oss.go
index 3ab3fe8212..ea6c15fcc6 100644
--- a/agent/consul/fsm/commands_oss.go
+++ b/agent/consul/fsm/commands_oss.go
@@ -260,24 +260,7 @@ func (c *FSM) applyACLOperation(buf []byte, index uint64) interface{} {
 return err
 }
 return enabled
- case structs.ACLBootstrapNow:
- // This is a bootstrap request from a non-upgraded node
- if err := c.state.ACLBootstrap(index, 0, req.ACL.Convert(), true); err != nil {
- return err
- }
-
- // No need to check expiration times as those did not exist in legacy tokens.
- if _, token, err := c.state.ACLTokenGetBySecret(nil, req.ACL.ID, nil); err != nil {
- return err
- } else {
- acl, err := token.Convert()
- if err != nil {
- return err
- }
- return acl
- }
-
- case structs.ACLForceSet, structs.ACLSet:
+ case structs.ACLSet:
 if err := c.state.ACLTokenSet(index, req.ACL.Convert(), true); err != nil {
 return err
 }
diff --git a/agent/consul/fsm/commands_oss_test.go b/agent/consul/fsm/commands_oss_test.go
index 31f20bf4ec..f56ae3f242 100644
--- a/agent/consul/fsm/commands_oss_test.go
+++ b/agent/consul/fsm/commands_oss_test.go
@@ -923,29 +923,6 @@ func TestFSM_ACL_CRUD(t *testing.T) {
 if !canBootstrap {
 t.Fatalf("bad: shouldn't be able to bootstrap")
 }
-
- // Do a bootstrap.
- bootstrap := structs.ACLRequest{
- Datacenter: "dc1",
- Op: structs.ACLBootstrapNow,
- ACL: structs.ACL{
- ID: generateUUID(),
- Name: "Bootstrap Token",
- Type: structs.ACLTokenTypeManagement,
- },
- }
- buf, err = structs.Encode(structs.ACLRequestType, bootstrap)
- if err != nil {
- t.Fatalf("err: %v", err)
- }
- resp = fsm.Apply(makeLog(buf))
- respACL, ok := resp.(*structs.ACL)
- if !ok {
- t.Fatalf("resp: %v", resp)
- }
- bootstrap.ACL.CreateIndex = respACL.CreateIndex
- bootstrap.ACL.ModifyIndex = respACL.ModifyIndex
- require.Equal(t, &bootstrap.ACL, respACL)
 }
 func TestFSM_PreparedQuery_CRUD(t *testing.T) {
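Review bot: With the `structs.ACLBootstrapNow` case and the `structs.ACLForceSet` label gone from the switch in applyACLOperation, a replicated request carrying either op now reaches whatever the switch does for unmatched values, and that branch is outside this hunk. Such entries could still arrive from a server that has not been upgraded or from a raft log written before the upgrade, so it is worth confirming that the unmatched path returns the same error on every server rather than panicking or silently succeeding. Once confirmed, I would record the assumption above the remaining case, e.g. `// bootstrap-now and force-set are no longer applied; such entries are rejected by the default branch`, and replace the block removed from TestFSM_ACL_CRUD with a negative case asserting that applying `Op: "bootstrap-now"` yields an error response. The function body starts and ends outside the hunk.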
diff --git a/agent/structs/acl.go b/agent/structs/acl.go
index 3517aa1a19..67dbbb8711 100644
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
@@ -91,9 +91,11 @@ func ACLIDReserved(id string) bool {
 const (
 // ACLSet creates or updates a token.
+ // TODO(ACL-Legacy-Compat): remove
 ACLSet ACLOp = "set"
 // ACLDelete deletes a token.
+ // TODO(ACL-Legacy-Compat): remove
 ACLDelete ACLOp = "delete"
 )
diff --git a/agent/structs/acl_legacy.go b/agent/structs/acl_legacy.go
index 2572c203e4..63c34baa64 100644
--- a/agent/structs/acl_legacy.go
+++ b/agent/structs/acl_legacy.go
@@ -7,7 +7,6 @@
 package structs
 import (
- "errors"
 "fmt"
 "time"
@@ -18,21 +17,10 @@ const (
 // ACLBootstrapInit is used to perform a scan for existing tokens which
 // will decide whether bootstrapping is allowed for a cluster. This is
 // initiated by the leader when it steps up, if necessary.
+ // TODO(ACL-Legacy-Compat): remove
 ACLBootstrapInit ACLOp = "bootstrap-init"
-
- // ACLBootstrapNow is used to perform a one-time ACL bootstrap operation on
- // a cluster to get the first management token.
- ACLBootstrapNow ACLOp = "bootstrap-now"
-
- // ACLForceSet is deprecated, but left for backwards compatibility.
- ACLForceSet ACLOp = "force-set"
 )
-// ACLBootstrapNotInitializedErr is returned when a bootstrap is attempted but
-// we haven't yet initialized ACL bootstrap. It provides some guidance to
-// operators on how to proceed.
-var ACLBootstrapNotInitializedErr = errors.New("ACL bootstrap not initialized, need to force a leader election and ensure all Consul servers support this feature")
-
 const (
 // ACLTokenTypeClient tokens have rules applied
 ACLTokenTypeClient = "client"
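Review bot: The added `// TODO(ACL-Legacy-Compat): remove` lines in acl.go sit between each constant's doc comment and its declaration, so they become the last line of the documentation for ACLSet and ACLDelete, and they do not say what must be true before the removal can happen. `case structs.ACLSet:` in commands_oss.go still converts and stores a legacy ACL, so this marker is the only record that the path is meant to go away; naming the condition would make it actionable, for example `// TODO(ACL-Legacy-Compat): remove once legacy ACLRequest ops are no longer accepted` (adjust to the actual condition). Placing the marker in its own comment block above the doc comment, separated by a blank line, keeps it out of the rendered docs. The same applies to the markers added on ACLBootstrapInit and on (*ACL).Convert in acl_legacy.go.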
@@ -62,6 +50,7 @@ type ACLs []*ACL
 // equivalent. This will NOT fill in the other ACLToken fields or perform any other
 // upgrade (other than correcting an older HCL syntax that is no longer
 // supported).
+// TODO(ACL-Legacy-Compat): remove
 func (a *ACL) Convert() *ACLToken {
 // Ensure that we correct any old HCL in legacy tokens to prevent old
 // syntax from leaking elsewhere into the system.