local: default to the agent token instead of the user token

When de-registering in anti-entropy sync, when there is no service or
check token.

The agent token will fall back to the default (aka user) token if no agent
token is set, so the existing behaviour still works, but it will prefer
the agent token over the user token if both are set.

ref: https://www.consul.io/docs/agent/options#acl_tokens

The agent token seems more appropriate in this case, since this is an
"internal operation", not something initiated by the user.
Daniel Nephin 2021-02-01 17:40:21 -05:00
parent b73816fabb
commit f8d33b36fd
2 changed files with 5 additions and 2 deletions

.changelog/9683.txt Normal file

@ -0,0 +1,3 @@
```release-notes:improvement
client: when a client agent is attempting to dereigster a service, anddoes not have access to the ACL token used to register a service, attempt to use the agent token instead of the default user token. If no agent token is set, fall back to the default user token.
```
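Review bot: the release note text has two typos, "dereigster" (deregister) and "anddoes" (and does), and it mentions only services although this commit applies the same fallback change to checkToken. Suggest fixing the spelling and wording the entry as "deregister a service or check" so it matches the code.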


@ -215,7 +215,7 @@ func (l *State) serviceToken(id structs.ServiceID) string {
token = s.Token
}
if token == "" {
token = l.tokens.UserToken()
token = l.tokens.AgentToken()
}
return token
}
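Review bot: the `if token == ""` branch in serviceToken now changes the fallback for every caller of this function, while the commit message scopes the intent to de-registration during anti-entropy sync, and nothing in the branch records that. Suggest a short comment there noting that AgentToken() falls back to the default token when no agent token is set, so a reader does not assume the user-token fallback was dropped. No test file is among the 2 changed files; a test for the case where both an agent token and a user token are set would pin down the new preference.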
@ -428,7 +428,7 @@ func (l *State) checkToken(id structs.CheckID) string {
token = c.Token
}
if token == "" {
token = l.tokens.UserToken()
token = l.tokens.AgentToken()
}
return token
}
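Review bot: the `if token == ""` fallback in checkToken is now a line-for-line copy of the one in serviceToken, so the two can drift apart if the token preference changes again. Suggest moving the empty-token fallback into one small helper on State that both functions call, with the reason for preferring the agent token documented once there.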