Remove artificial ACLTokenMaxTTL limit for configuring acl token expiry (#17066)

* Remove artificial ACLTokenMaxTTL limit for configuring acl token expiry

* Add changelog

* Remove test on default MaxTokenTTL

* Change to imperative tense for changelog entry
John Landa 2023-04-28 10:57:30 -05:00 committed by GitHub
parent 9fef1c7f17
commit eded58b62a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 45 additions and 25 deletions

.changelog/17066.txt Normal file

@ -0,0 +1,3 @@
```release-note:improvement
command: Allow creating ACL Token TTL with greater than 24 hours with the -expires-ttl flag.
```


@ -3261,21 +3261,6 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
err := aclEp.AuthMethodSet(&req, &resp) err := aclEp.AuthMethodSet(&req, &resp)
testutil.RequireErrorContains(t, err, "MaxTokenTTL 1ms cannot be less than") testutil.RequireErrorContains(t, err, "MaxTokenTTL 1ms cannot be less than")
}) })
t.Run("Create with MaxTokenTTL too big", func(t *testing.T) {
reqMethod := newAuthMethod("test")
reqMethod.MaxTokenTTL = 25 * time.Hour
req := structs.ACLAuthMethodSetRequest{
Datacenter: "dc1",
AuthMethod: reqMethod,
WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
}
resp := structs.ACLAuthMethod{}
err := aclEp.AuthMethodSet(&req, &resp)
testutil.RequireErrorContains(t, err, "MaxTokenTTL 25h0m0s cannot be more than")
})
} }
func TestACLEndpoint_AuthMethodDelete(t *testing.T) { func TestACLEndpoint_AuthMethodDelete(t *testing.T) {


@ -238,9 +238,9 @@ type Config struct {
AutoConfigAuthzAllowReuse bool AutoConfigAuthzAllowReuse bool
// TombstoneTTL is used to control how long KV tombstones are retained. // TombstoneTTL is used to control how long KV tombstones are retained.
// This provides a window of time where the X-Consul-Index is monotonic. // This provides a window of time when the X-Consul-Index is monotonic.
// Outside this window, the index may not be monotonic. This is a result // Outside this window, the index may not be monotonic. This is a result
// of a few trade offs: // of a few trade-offs:
// 1) The index is defined by the data view and not globally. This is a // 1) The index is defined by the data view and not globally. This is a
// performance optimization that prevents any write from incrementing the // performance optimization that prevents any write from incrementing the
// index for all data views. // index for all data views.
@ -248,10 +248,10 @@ type Config struct {
// is also monotonic. This prevents deletes from reducing the disk space // is also monotonic. This prevents deletes from reducing the disk space
// used. // used.
// In theory, neither of these are intrinsic limitations, however for the // In theory, neither of these are intrinsic limitations, however for the
// purposes of building a practical system, they are reasonable trade offs. // purposes of building a practical system, they are reasonable trade-offs.
// //
// It is also possible to set this to an incredibly long time, thereby // It is also possible to set this to an incredibly long time, thereby
// simulating infinite retention. This is not recommended however. // simulating infinite retention. This is not recommended, however.
// //
TombstoneTTL time.Duration TombstoneTTL time.Duration
@ -524,11 +524,13 @@ func DefaultConfig() *Config {
TombstoneTTLGranularity: 30 * time.Second, TombstoneTTLGranularity: 30 * time.Second,
SessionTTLMin: 10 * time.Second, SessionTTLMin: 10 * time.Second,
ACLTokenMinExpirationTTL: 1 * time.Minute, ACLTokenMinExpirationTTL: 1 * time.Minute,
ACLTokenMaxExpirationTTL: 24 * time.Hour, // Duration is stored as an int64. Setting the default max
// to the max possible duration (approx 290 years).
ACLTokenMaxExpirationTTL: 1<<63 - 1,
// These are tuned to provide a total throughput of 128 updates // These are tuned to provide a total throughput of 128 updates
// per second. If you update these, you should update the client- // per second. If you update these, you should update the client-side
// side SyncCoordinateRateTarget parameter accordingly. // SyncCoordinateRateTarget parameter accordingly.
CoordinateUpdatePeriod: 5 * time.Second, CoordinateUpdatePeriod: 5 * time.Second,
CoordinateUpdateBatchSize: 128, CoordinateUpdateBatchSize: 128,
CoordinateUpdateMaxBatches: 5, CoordinateUpdateMaxBatches: 5,
@ -560,7 +562,7 @@ func DefaultConfig() *Config {
}, },
}, },
// Stay under the 10 second aggregation interval of // Stay under the 10-second aggregation interval of
// go-metrics. This ensures we always report the // go-metrics. This ensures we always report the
// usage metrics in each cycle. // usage metrics in each cycle.
MetricsReportingInterval: 9 * time.Second, MetricsReportingInterval: 9 * time.Second,
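Review bot: Setting the default `ACLTokenMaxExpirationTTL` to `1<<63 - 1` makes the server-side ceiling on token lifetime effectively unbounded out of the box, which is a security-relevant default change that the new comment describes only as a storage detail. A token minted with a long `-expires-ttl` now behaves like a non-expiring token for practical purposes, and any server-side "cannot be more than" validation that compares against this field (the deleted test in the sibling file exercised one such path) can presumably no longer fire unless an operator overrides the field. I would extend the comment to state the consequence rather than just the arithmetic: `// Effectively unbounded (~292 years). The former 24h ceiling is gone; deployments that need a hard cap on token lifetime must set this field explicitly.` For readability the literal could also be written as an explicit `time.Duration(...)` conversion so the type is visible at the declaration site. The enclosing `DefaultConfig` function starts and ends outside this hunk.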


@ -7,12 +7,14 @@ import (
"encoding/json" "encoding/json"
"strings" "strings"
"testing" "testing"
"time"
"github.com/mitchellh/cli"
"github.com/stretchr/testify/require"
"github.com/hashicorp/consul/agent" "github.com/hashicorp/consul/agent"
"github.com/hashicorp/consul/api" "github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/testrpc" "github.com/hashicorp/consul/testrpc"
"github.com/mitchellh/cli"
"github.com/stretchr/testify/require"
) )
func TestTokenCreateCommand_noTabs(t *testing.T) { func TestTokenCreateCommand_noTabs(t *testing.T) {
@ -119,6 +121,34 @@ func TestTokenCreateCommand_Pretty(t *testing.T) {
require.Equal(t, "3d852bb8-5153-4388-a3ca-8ca78661889f", token.AccessorID) require.Equal(t, "3d852bb8-5153-4388-a3ca-8ca78661889f", token.AccessorID)
require.Equal(t, "3a69a8d8-c4d4-485d-9b19-b5b61648ea0c", token.SecretID) require.Equal(t, "3a69a8d8-c4d4-485d-9b19-b5b61648ea0c", token.SecretID)
}) })
// create with an expires-ttl (<24h)
t.Run("expires-ttl_short", func(t *testing.T) {
token := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-token=root",
"-policy-name=" + policy.Name,
"-description=test token",
"-expires-ttl=1h",
})
// check diff between creation and expires time since we
// always set the token.ExpirationTTL value to 0 at the moment
require.Equal(t, time.Hour, token.ExpirationTime.Sub(token.CreateTime))
})
// create with an expires-ttl long (>24h)
t.Run("expires-ttl_long", func(t *testing.T) {
token := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-token=root",
"-policy-name=" + policy.Name,
"-description=test token",
"-expires-ttl=8760h",
})
require.Equal(t, 8760*time.Hour, token.ExpirationTime.Sub(token.CreateTime))
})
} }
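Review bot: The two new subtests only cover the accepting path; nothing here (or in the deleted server test) now checks that a TTL above a configured `ACLTokenMaxExpirationTTL` is still rejected, so the validation that used to be pinned by the "MaxTokenTTL too big" case is left without coverage once the default ceiling is raised. A negative subtest that starts the agent with a small max and asserts `-expires-ttl` beyond it fails would close that gap, though the agent setup is outside this hunk so I cannot say how cheap that is here. The explanatory comment in the short case is also hard to follow; I would replace it with `// ExpirationTTL is not echoed back in the response, so derive the TTL from ExpirationTime - CreateTime.` Both subtests assert the exact difference, which holds only if the server derives `ExpirationTime` from `CreateTime` rather than a second clock read; that appears to be the case but is not visible in this diff. The enclosing `TestTokenCreateCommand_Pretty` function starts outside the hunk.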
func TestTokenCreateCommand_JSON(t *testing.T) { func TestTokenCreateCommand_JSON(t *testing.T) {