Remove artificial ACLTokenMaxTTL limit for configuring acl token expiry (#17066)
* Remove artificial ACLTokenMaxTTL limit for configuring acl token expiry * Add changelog * Remove test on default MaxTokenTTL * Change to imperative tense for changelog entry
This commit is contained in:
parent
9fef1c7f17
commit
eded58b62a
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:improvement
|
||||||
|
command: Allow creating ACL Token TTL with greater than 24 hours with the -expires-ttl flag.
|
||||||
|
```
|
|
@ -3261,21 +3261,6 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
|
||||||
err := aclEp.AuthMethodSet(&req, &resp)
|
err := aclEp.AuthMethodSet(&req, &resp)
|
||||||
testutil.RequireErrorContains(t, err, "MaxTokenTTL 1ms cannot be less than")
|
testutil.RequireErrorContains(t, err, "MaxTokenTTL 1ms cannot be less than")
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("Create with MaxTokenTTL too big", func(t *testing.T) {
|
|
||||||
reqMethod := newAuthMethod("test")
|
|
||||||
reqMethod.MaxTokenTTL = 25 * time.Hour
|
|
||||||
|
|
||||||
req := structs.ACLAuthMethodSetRequest{
|
|
||||||
Datacenter: "dc1",
|
|
||||||
AuthMethod: reqMethod,
|
|
||||||
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
|
|
||||||
}
|
|
||||||
resp := structs.ACLAuthMethod{}
|
|
||||||
|
|
||||||
err := aclEp.AuthMethodSet(&req, &resp)
|
|
||||||
testutil.RequireErrorContains(t, err, "MaxTokenTTL 25h0m0s cannot be more than")
|
|
||||||
})
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestACLEndpoint_AuthMethodDelete(t *testing.T) {
|
func TestACLEndpoint_AuthMethodDelete(t *testing.T) {
|
||||||
|
|
|
@ -238,9 +238,9 @@ type Config struct {
|
||||||
AutoConfigAuthzAllowReuse bool
|
AutoConfigAuthzAllowReuse bool
|
||||||
|
|
||||||
// TombstoneTTL is used to control how long KV tombstones are retained.
|
// TombstoneTTL is used to control how long KV tombstones are retained.
|
||||||
// This provides a window of time where the X-Consul-Index is monotonic.
|
// This provides a window of time when the X-Consul-Index is monotonic.
|
||||||
// Outside this window, the index may not be monotonic. This is a result
|
// Outside this window, the index may not be monotonic. This is a result
|
||||||
// of a few trade offs:
|
// of a few trade-offs:
|
||||||
// 1) The index is defined by the data view and not globally. This is a
|
// 1) The index is defined by the data view and not globally. This is a
|
||||||
// performance optimization that prevents any write from incrementing the
|
// performance optimization that prevents any write from incrementing the
|
||||||
// index for all data views.
|
// index for all data views.
|
||||||
|
@ -248,10 +248,10 @@ type Config struct {
|
||||||
// is also monotonic. This prevents deletes from reducing the disk space
|
// is also monotonic. This prevents deletes from reducing the disk space
|
||||||
// used.
|
// used.
|
||||||
// In theory, neither of these are intrinsic limitations, however for the
|
// In theory, neither of these are intrinsic limitations, however for the
|
||||||
// purposes of building a practical system, they are reasonable trade offs.
|
// purposes of building a practical system, they are reasonable trade-offs.
|
||||||
//
|
//
|
||||||
// It is also possible to set this to an incredibly long time, thereby
|
// It is also possible to set this to an incredibly long time, thereby
|
||||||
// simulating infinite retention. This is not recommended however.
|
// simulating infinite retention. This is not recommended, however.
|
||||||
//
|
//
|
||||||
TombstoneTTL time.Duration
|
TombstoneTTL time.Duration
|
||||||
|
|
||||||
|
@ -524,11 +524,13 @@ func DefaultConfig() *Config {
|
||||||
TombstoneTTLGranularity: 30 * time.Second,
|
TombstoneTTLGranularity: 30 * time.Second,
|
||||||
SessionTTLMin: 10 * time.Second,
|
SessionTTLMin: 10 * time.Second,
|
||||||
ACLTokenMinExpirationTTL: 1 * time.Minute,
|
ACLTokenMinExpirationTTL: 1 * time.Minute,
|
||||||
ACLTokenMaxExpirationTTL: 24 * time.Hour,
|
// Duration is stored as an int64. Setting the default max
|
||||||
|
// to the max possible duration (approx 290 years).
|
||||||
|
ACLTokenMaxExpirationTTL: 1<<63 - 1,
|
||||||
|
|
||||||
// These are tuned to provide a total throughput of 128 updates
|
// These are tuned to provide a total throughput of 128 updates
|
||||||
// per second. If you update these, you should update the client-
|
// per second. If you update these, you should update the client-side
|
||||||
// side SyncCoordinateRateTarget parameter accordingly.
|
// SyncCoordinateRateTarget parameter accordingly.
|
||||||
CoordinateUpdatePeriod: 5 * time.Second,
|
CoordinateUpdatePeriod: 5 * time.Second,
|
||||||
CoordinateUpdateBatchSize: 128,
|
CoordinateUpdateBatchSize: 128,
|
||||||
CoordinateUpdateMaxBatches: 5,
|
CoordinateUpdateMaxBatches: 5,
|
||||||
|
@ -560,7 +562,7 @@ func DefaultConfig() *Config {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
// Stay under the 10 second aggregation interval of
|
// Stay under the 10-second aggregation interval of
|
||||||
// go-metrics. This ensures we always report the
|
// go-metrics. This ensures we always report the
|
||||||
// usage metrics in each cycle.
|
// usage metrics in each cycle.
|
||||||
MetricsReportingInterval: 9 * time.Second,
|
MetricsReportingInterval: 9 * time.Second,
|
||||||
|
|
|
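Review bot: The new default `ACLTokenMaxExpirationTTL: 1<<63 - 1` makes the upper bound unenforceable unless an operator overrides it, and the deleted `MaxTokenTTL 25h0m0s cannot be more than` test suggests the same limit gates auth-method `MaxTokenTTL`, so login-issued tokens can now be configured to outlive the external identity that minted them; that trade-off deserves a sentence next to the value, e.g. `// Effectively unbounded by default: deployments that want a ceiling on token and auth-method TTLs must set ACLTokenMaxExpirationTTL explicitly.` Writing it as `time.Duration(math.MaxInt64)` would state the intent more plainly than the bit-shift literal (this needs `math` imported in config.go if it is not already), and the `approx 290 years` figure is closer to 292 years for math.MaxInt64 nanoseconds. Both `DefaultConfig` and the `Config` struct extend beyond this section.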
@ -7,12 +7,14 @@ import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/mitchellh/cli"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
|
||||||
"github.com/hashicorp/consul/agent"
|
"github.com/hashicorp/consul/agent"
|
||||||
"github.com/hashicorp/consul/api"
|
"github.com/hashicorp/consul/api"
|
||||||
"github.com/hashicorp/consul/testrpc"
|
"github.com/hashicorp/consul/testrpc"
|
||||||
"github.com/mitchellh/cli"
|
|
||||||
"github.com/stretchr/testify/require"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestTokenCreateCommand_noTabs(t *testing.T) {
|
func TestTokenCreateCommand_noTabs(t *testing.T) {
|
||||||
|
@ -119,6 +121,34 @@ func TestTokenCreateCommand_Pretty(t *testing.T) {
|
||||||
require.Equal(t, "3d852bb8-5153-4388-a3ca-8ca78661889f", token.AccessorID)
|
require.Equal(t, "3d852bb8-5153-4388-a3ca-8ca78661889f", token.AccessorID)
|
||||||
require.Equal(t, "3a69a8d8-c4d4-485d-9b19-b5b61648ea0c", token.SecretID)
|
require.Equal(t, "3a69a8d8-c4d4-485d-9b19-b5b61648ea0c", token.SecretID)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
// create with an expires-ttl (<24h)
|
||||||
|
t.Run("expires-ttl_short", func(t *testing.T) {
|
||||||
|
token := run(t, []string{
|
||||||
|
"-http-addr=" + a.HTTPAddr(),
|
||||||
|
"-token=root",
|
||||||
|
"-policy-name=" + policy.Name,
|
||||||
|
"-description=test token",
|
||||||
|
"-expires-ttl=1h",
|
||||||
|
})
|
||||||
|
|
||||||
|
// check diff between creation and expires time since we
|
||||||
|
// always set the token.ExpirationTTL value to 0 at the moment
|
||||||
|
require.Equal(t, time.Hour, token.ExpirationTime.Sub(token.CreateTime))
|
||||||
|
})
|
||||||
|
|
||||||
|
// create with an expires-ttl long (>24h)
|
||||||
|
t.Run("expires-ttl_long", func(t *testing.T) {
|
||||||
|
token := run(t, []string{
|
||||||
|
"-http-addr=" + a.HTTPAddr(),
|
||||||
|
"-token=root",
|
||||||
|
"-policy-name=" + policy.Name,
|
||||||
|
"-description=test token",
|
||||||
|
"-expires-ttl=8760h",
|
||||||
|
})
|
||||||
|
|
||||||
|
require.Equal(t, 8760*time.Hour, token.ExpirationTime.Sub(token.CreateTime))
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTokenCreateCommand_JSON(t *testing.T) {
|
func TestTokenCreateCommand_JSON(t *testing.T) {
|
||||||
|
|
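Review bot: Both new subtests call `Sub` through `token.ExpirationTime` directly; if that is the pointer field the api package appears to declare, a server that stops populating it makes the test panic on a nil dereference instead of reporting a clean failure, so `require.NotNil(t, token.ExpirationTime)` before each `Sub` assertion is worth adding. The added cases also only show that TTLs past the old 24h cap are accepted; nothing here checks that a TTL above a configured `ACLTokenMaxExpirationTTL` is still rejected (and this commit removes the `MaxTokenTTL too big` server test), so a subtest that runs the command against an agent with a lowered ceiling and asserts the error would keep that enforcement path covered. `TestTokenCreateCommand_Pretty`, along with the `run` helper and agent `a` these subtests use, starts outside the hunk.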