Backport of [CC-5719] Add support for builtin global-read-only policy into release/1.15.x (#18344)

[CC-5719] Add support for builtin global-read-only policy (#18319) * [CC-5719] Add support for builtin global-read-only policy * Add changelog * Add read-only to docs * Fix some minor issues. * Change from ReplaceAll to Sprintf * Change IsValidPolicy name to return an error instead of bool * Fix PolicyList test * Fix other tests * Apply suggestions from code review * Fix state store test for policy list. * Fix naming issues * Update acl/validation.go * Update agent/consul/acl_endpoint.go --------- Co-authored-by: Jeremy Jacobson <jjacobson93@users.noreply.github.com> Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: Chris Thain <32781396+cthain@users.noreply.github.com>
1 year ago · 30a16232e9
parent 39ed6a77c5
commit 30a16232e9
18 changed files with 316 additions and 149 deletions
--- a/.changelog/18319.txt
+++ b/.changelog/18319.txt
@ -0,0 +1,6 @@
+```release-note:improvement
+acl: added builtin ACL policy that provides global read-only access (builtin/global-read-only)
+```
+```release-note:improvement
+acl: allow for a single slash character in policy names
+```
--- a/acl/acl.go
+++ b/acl/acl.go
@ -9,6 +9,8 @@ const (
 	AnonymousTokenID     = "00000000-0000-0000-0000-000000000002"
 	AnonymousTokenAlias  = "anonymous token"
 	AnonymousTokenSecret = "anonymous"
+
+	ReservedBuiltinPrefix = "builtin/"
 )

 // Config encapsulates all of the generic configuration parameters used for
--- a/acl/validation.go
+++ b/acl/validation.go
@ -1,16 +1,21 @@
 package acl

-import "regexp"
+import (
+	"fmt"
+	"regexp"
+	"strings"
+)

 const (
 	ServiceIdentityNameMaxLength = 256
 	NodeIdentityNameMaxLength    = 256
+	PolicyNameMaxLength          = 128
 )

 var (
 	validServiceIdentityName = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$`)
 	validNodeIdentityName    = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$`)
-	validPolicyName          = regexp.MustCompile(`^[A-Za-z0-9\-_]{1,128}$`)
+	validPolicyName          = regexp.MustCompile(`^[A-Za-z0-9\-_]+\/?[A-Za-z0-9\-_]*$`)
 	validRoleName            = regexp.MustCompile(`^[A-Za-z0-9\-_]{1,256}$`)
 	validAuthMethodName      = regexp.MustCompile(`^[A-Za-z0-9\-_]{1,128}$`)
 )
@ -37,10 +42,21 @@ func IsValidNodeIdentityName(name string) bool {
 	return validNodeIdentityName.MatchString(name)
 }

-// IsValidPolicyName returns true if the provided name can be used as an
-// ACLPolicy Name.
-func IsValidPolicyName(name string) bool {
-	return validPolicyName.MatchString(name)
+// ValidatePolicyName returns nil if the provided name can be used as an
+// ACLPolicy Name otherwise a useful error is returned.
+func ValidatePolicyName(name string) error {
+	if len(name) < 1 || len(name) > PolicyNameMaxLength {
+		return fmt.Errorf("Invalid Policy: invalid Name. Length must be greater than 0 and less than %d", PolicyNameMaxLength)
+	}
+
+	if strings.HasPrefix(name, "/") || strings.HasPrefix(name, ReservedBuiltinPrefix) {
+		return fmt.Errorf("Invalid Policy: invalid Name. Names cannot be prefixed with '/' or '%s'", ReservedBuiltinPrefix)
+	}
+
+	if !validPolicyName.MatchString(name) {
+		return fmt.Errorf("Invalid Policy: invalid Name. Only alphanumeric characters, a single '/', '-' and '_' are allowed")
+	}
+	return nil
 }

 // IsValidRoleName returns true if the provided name can be used as an
--- a/acl/validation_test.go
+++ b/acl/validation_test.go
@ -0,0 +1,78 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package acl
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func Test_ValidatePolicyName(t *testing.T) {
+	for _, tc := range []struct {
+		description string
+		name        string
+		valid       bool
+	}{
+		{
+			description: "valid policy",
+			name:        "this-is-valid",
+			valid:       true,
+		},
+		{
+			description: "empty policy",
+			name:        "",
+			valid:       false,
+		},
+		{
+			description: "with slash",
+			name:        "policy/with-slash",
+			valid:       true,
+		},
+		{
+			description: "leading slash",
+			name:        "/no-leading-slash",
+			valid:       false,
+		},
+		{
+			description: "too many slashes",
+			name:        "too/many/slashes",
+			valid:       false,
+		},
+		{
+			description: "no double-slash",
+			name:        "no//double-slash",
+			valid:       false,
+		},
+		{
+			description: "builtin prefix",
+			name:        "builtin/prefix-cannot-be-used",
+			valid:       false,
+		},
+		{
+			description: "long",
+			name:        "this-policy-name-is-very-very-long-but-it-is-okay-because-it-is-the-max-length-that-we-allow-here-in-a-policy-name-which-is-good",
+			valid:       true,
+		},
+		{
+			description: "too long",
+			name:        "this-is-a-policy-that-has-one-character-too-many-it-is-way-too-long-for-a-policy-we-do-not-want-a-policy-of-this-length-because-1",
+			valid:       false,
+		},
+		{
+			description: "invalid start character",
+			name:        "!foo",
+			valid:       false,
+		},
+		{
+			description: "invalid character",
+			name:        "this%is%bad",
+			valid:       false,
+		},
+	} {
+		t.Run(tc.description, func(t *testing.T) {
+			require.Equal(t, tc.valid, ValidatePolicyName(tc.name) == nil)
+		})
+	}
+}
--- a/agent/acl_endpoint_test.go
+++ b/agent/acl_endpoint_test.go
@ -435,8 +435,8 @@ func TestACL_HTTP(t *testing.T) {
 			policies, ok := raw.(structs.ACLPolicyListStubs)
 			require.True(t, ok)

-			// 2 we just created + global management
-			require.Len(t, policies, 3)
+			// 2 we just created + builtin policies
+			require.Len(t, policies, 2+len(structs.ACLBuiltinPolicies))

 			for policyID, expected := range policyMap {
 				found := false
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@ -866,8 +866,8 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol
 		return fmt.Errorf("Invalid Policy: no Name is set")
 	}

-	if !acl.IsValidPolicyName(policy.Name) {
-		return fmt.Errorf("Invalid Policy: invalid Name. Only alphanumeric characters, '-' and '_' are allowed")
+	if err := acl.ValidatePolicyName(policy.Name); err != nil {
+		return err
 	}

 	var idMatch *structs.ACLPolicy
@ -912,13 +912,13 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol
 			return fmt.Errorf("Invalid Policy: A policy with name %q already exists", policy.Name)
 		}

-		if policy.ID == structs.ACLPolicyGlobalManagementID {
+		if builtinPolicy, ok := structs.ACLBuiltinPolicies[policy.ID]; ok {
 			if policy.Datacenters != nil || len(policy.Datacenters) > 0 {
-				return fmt.Errorf("Changing the Datacenters of the builtin global-management policy is not permitted")
+				return fmt.Errorf("Changing the Datacenters of the %s policy is not permitted", builtinPolicy.Name)
 			}

 			if policy.Rules != idMatch.Rules {
-				return fmt.Errorf("Changing the Rules for the builtin global-management policy is not permitted")
+				return fmt.Errorf("Changing the Rules for the builtin %s policy is not permitted", builtinPolicy.Name)
 			}
 		}
 	}
@ -996,8 +996,8 @@ func (a *ACL) PolicyDelete(args *structs.ACLPolicyDeleteRequest, reply *string)
 		return fmt.Errorf("policy does not exist: %w", acl.ErrNotFound)
 	}

-	if policy.ID == structs.ACLPolicyGlobalManagementID {
-		return fmt.Errorf("Delete operation not permitted on the builtin global-management policy")
+	if builtinPolicy, ok := structs.ACLBuiltinPolicies[policy.ID]; ok {
+		return fmt.Errorf("Delete operation not permitted on the builtin %s policy", builtinPolicy.Name)
 	}

 	req := structs.ACLPolicyBatchDeleteRequest{
--- a/agent/consul/acl_endpoint_test.go
+++ b/agent/consul/acl_endpoint_test.go
@ -2180,7 +2180,7 @@ func TestACLEndpoint_PolicySet_CustomID(t *testing.T) {
 	require.Error(t, err)
 }

-func TestACLEndpoint_PolicySet_globalManagement(t *testing.T) {
+func TestACLEndpoint_PolicySet_builtins(t *testing.T) {
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")
 	}
@ -2192,47 +2192,50 @@ func TestACLEndpoint_PolicySet_globalManagement(t *testing.T) {

 	aclEp := ACL{srv: srv}

-	// Can't change the rules
-	{
-		req := structs.ACLPolicySetRequest{
-			Datacenter: "dc1",
-			Policy: structs.ACLPolicy{
-				ID:    structs.ACLPolicyGlobalManagementID,
-				Name:  "foobar", // This is required to get past validation
-				Rules: "service \"\" { policy = \"write\" }",
-			},
-			WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
-		}
-		resp := structs.ACLPolicy{}
+	for _, builtinPolicy := range structs.ACLBuiltinPolicies {
+		name := fmt.Sprintf("foobar-%s", builtinPolicy.Name) // This is required to get past validation

-		err := aclEp.PolicySet(&req, &resp)
-		require.EqualError(t, err, "Changing the Rules for the builtin global-management policy is not permitted")
-	}
+		// Can't change the rules
+		{
+			req := structs.ACLPolicySetRequest{
+				Datacenter: "dc1",
+				Policy: structs.ACLPolicy{
+					ID:    builtinPolicy.ID,
+					Name:  name,
+					Rules: "service \"\" { policy = \"write\" }",
+				},
+				WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
+			}
+			resp := structs.ACLPolicy{}

-	// Can rename it
-	{
-		req := structs.ACLPolicySetRequest{
-			Datacenter: "dc1",
-			Policy: structs.ACLPolicy{
-				ID:    structs.ACLPolicyGlobalManagementID,
-				Name:  "foobar",
-				Rules: structs.ACLPolicyGlobalManagement,
-			},
-			WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
+			err := aclEp.PolicySet(&req, &resp)
+			require.EqualError(t, err, fmt.Sprintf("Changing the Rules for the builtin %s policy is not permitted", builtinPolicy.Name))
 		}
-		resp := structs.ACLPolicy{}

-		err := aclEp.PolicySet(&req, &resp)
-		require.NoError(t, err)
+		// Can rename it
+		{
+			req := structs.ACLPolicySetRequest{
+				Datacenter: "dc1",
+				Policy: structs.ACLPolicy{
+					ID:    builtinPolicy.ID,
+					Name:  name,
+					Rules: builtinPolicy.Rules,
+				},
+				WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
+			}
+			resp := structs.ACLPolicy{}

-		// Get the policy again
-		policyResp, err := retrieveTestPolicy(codec, TestDefaultInitialManagementToken, "dc1", structs.ACLPolicyGlobalManagementID)
-		require.NoError(t, err)
-		policy := policyResp.Policy
+			err := aclEp.PolicySet(&req, &resp)
+			require.NoError(t, err)

-		require.Equal(t, policy.ID, structs.ACLPolicyGlobalManagementID)
-		require.Equal(t, policy.Name, "foobar")
+			// Get the policy again
+			policyResp, err := retrieveTestPolicy(codec, TestDefaultInitialManagementToken, "dc1", builtinPolicy.ID)
+			require.NoError(t, err)
+			policy := policyResp.Policy

+			require.Equal(t, policy.ID, builtinPolicy.ID)
+			require.Equal(t, policy.Name, name)
+		}
 	}
 }

@ -2268,7 +2271,7 @@ func TestACLEndpoint_PolicyDelete(t *testing.T) {
 	require.Nil(t, tokenResp.Policy)
 }

-func TestACLEndpoint_PolicyDelete_globalManagement(t *testing.T) {
+func TestACLEndpoint_PolicyDelete_builtins(t *testing.T) {
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")
 	}
@ -2279,16 +2282,17 @@ func TestACLEndpoint_PolicyDelete_globalManagement(t *testing.T) {
 	waitForLeaderEstablishment(t, srv)
 	aclEp := ACL{srv: srv}

-	req := structs.ACLPolicyDeleteRequest{
-		Datacenter:   "dc1",
-		PolicyID:     structs.ACLPolicyGlobalManagementID,
-		WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
-	}
-	var resp string
-
-	err := aclEp.PolicyDelete(&req, &resp)
+	for _, builtinPolicy := range structs.ACLBuiltinPolicies {
+		req := structs.ACLPolicyDeleteRequest{
+			Datacenter:   "dc1",
+			PolicyID:     builtinPolicy.ID,
+			WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken},
+		}
+		var resp string

-	require.EqualError(t, err, "Delete operation not permitted on the builtin global-management policy")
+		err := aclEp.PolicyDelete(&req, &resp)
+		require.EqualError(t, err, fmt.Sprintf("Delete operation not permitted on the builtin %s policy", builtinPolicy.Name))
+	}
 }

 func TestACLEndpoint_PolicyList(t *testing.T) {
@ -2321,6 +2325,7 @@ func TestACLEndpoint_PolicyList(t *testing.T) {

 	policies := []string{
 		structs.ACLPolicyGlobalManagementID,
+		structs.ACLPolicyGlobalReadOnlyID,
 		p1.ID,
 		p2.ID,
 	}
--- a/agent/consul/auth/token_writer.go
+++ b/agent/consul/auth/token_writer.go
@ -241,7 +241,7 @@ func (w *TokenWriter) Delete(secretID string, fromLogout bool) error {

 func validateTokenID(id string) error {
 	if structs.ACLIDReserved(id) {
-		return fmt.Errorf("UUIDs with the prefix %q are reserved", structs.ACLReservedPrefix)
+		return fmt.Errorf("UUIDs with the prefix %q are reserved", structs.ACLReservedIDPrefix)
 	}
 	if _, err := uuid.ParseUUID(id); err != nil {
 		return errors.New("not a valid UUID")
--- a/agent/consul/auth/token_writer_test.go
+++ b/agent/consul/auth/token_writer_test.go
@ -38,7 +38,7 @@ func TestTokenWriter_Create_Validation(t *testing.T) {
 			errorContains: "not a valid UUID",
 		},
 		"AccessorID is reserved": {
-			token:         structs.ACLToken{AccessorID: structs.ACLReservedPrefix + generateID(t)},
+			token:         structs.ACLToken{AccessorID: structs.ACLReservedIDPrefix + generateID(t)},
 			errorContains: "reserved",
 		},
 		"AccessorID already in use (as AccessorID)": {
@ -54,7 +54,7 @@ func TestTokenWriter_Create_Validation(t *testing.T) {
 			errorContains: "not a valid UUID",
 		},
 		"SecretID is reserved": {
-			token:         structs.ACLToken{SecretID: structs.ACLReservedPrefix + generateID(t)},
+			token:         structs.ACLToken{SecretID: structs.ACLReservedIDPrefix + generateID(t)},
 			errorContains: "reserved",
 		},
 		"SecretID already in use (as AccessorID)": {
--- a/agent/consul/fsm/snapshot_test.go
+++ b/agent/consul/fsm/snapshot_test.go
@ -84,7 +84,7 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
 		ID:          structs.ACLPolicyGlobalManagementID,
 		Name:        "global-management",
 		Description: "Builtin Policy that grants unlimited access",
-		Rules:       structs.ACLPolicyGlobalManagement,
+		Rules:       structs.ACLPolicyGlobalManagementRules,
 	}
 	policy.SetHash(true)
 	require.NoError(t, fsm.state.ACLPolicySet(1, policy))
--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@ -417,34 +417,11 @@ func (s *Server) initializeACLs(ctx context.Context) error {
 	if s.InPrimaryDatacenter() {
 		s.logger.Info("initializing acls")

-		// Create/Upgrade the builtin global-management policy
-		_, policy, err := s.fsm.State().ACLPolicyGetByID(nil, structs.ACLPolicyGlobalManagementID, structs.DefaultEnterpriseMetaInDefaultPartition())
-		if err != nil {
-			return fmt.Errorf("failed to get the builtin global-management policy")
-		}
-		if policy == nil || policy.Rules != structs.ACLPolicyGlobalManagement {
-			newPolicy := structs.ACLPolicy{
-				ID:             structs.ACLPolicyGlobalManagementID,
-				Name:           "global-management",
-				Description:    "Builtin Policy that grants unlimited access",
-				Rules:          structs.ACLPolicyGlobalManagement,
-				EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
-			}
-			if policy != nil {
-				newPolicy.Name = policy.Name
-				newPolicy.Description = policy.Description
-			}
-
-			newPolicy.SetHash(true)
-
-			req := structs.ACLPolicyBatchSetRequest{
-				Policies: structs.ACLPolicies{&newPolicy},
-			}
-			_, err := s.raftApply(structs.ACLPolicySetRequestType, &req)
-			if err != nil {
-				return fmt.Errorf("failed to create global-management policy: %v", err)
+		// Create/Upgrade the builtin policies
+		for _, policy := range structs.ACLBuiltinPolicies {
+			if err := s.writeBuiltinACLPolicy(policy); err != nil {
+				return err
 			}
-			s.logger.Info("Created ACL 'global-management' policy")
 		}

 		// Check for configured initial management token.
@ -489,6 +466,36 @@ func (s *Server) initializeACLs(ctx context.Context) error {
 	return nil
 }

+// writeBuiltinACLPolicy writes the given built-in policy to Raft if the policy
+// is not found or if the policy rules have been changed. The name and
+// description of a built-in policy are user-editable and must be preserved
+// during updates. This function must only be called in a primary datacenter.
+func (s *Server) writeBuiltinACLPolicy(newPolicy structs.ACLPolicy) error {
+	_, policy, err := s.fsm.State().ACLPolicyGetByID(nil, newPolicy.ID, structs.DefaultEnterpriseMetaInDefaultPartition())
+	if err != nil {
+		return fmt.Errorf("failed to get the builtin %s policy", newPolicy.Name)
+	}
+	if policy == nil || policy.Rules != newPolicy.Rules {
+		if policy != nil {
+			newPolicy.Name = policy.Name
+			newPolicy.Description = policy.Description
+		}
+
+		newPolicy.EnterpriseMeta = *structs.DefaultEnterpriseMetaInDefaultPartition()
+		newPolicy.SetHash(true)
+
+		req := structs.ACLPolicyBatchSetRequest{
+			Policies: structs.ACLPolicies{&newPolicy},
+		}
+		_, err := s.raftApply(structs.ACLPolicySetRequestType, &req)
+		if err != nil {
+			return fmt.Errorf("failed to create %s policy: %v", newPolicy.Name, err)
+		}
+		s.logger.Info(fmt.Sprintf("Created ACL '%s' policy", newPolicy.Name))
+	}
+	return nil
+}
+
 func (s *Server) initializeManagementToken(name, secretID string) error {
 	state := s.fsm.State()
 	if _, err := uuid.ParseUUID(secretID); err != nil {
--- a/agent/consul/leader_test.go
+++ b/agent/consul/leader_test.go
@ -1304,9 +1304,12 @@ func TestLeader_ACL_Initialization(t *testing.T) {
 			_, s1 := testServerWithConfig(t, conf)
 			testrpc.WaitForTestAgent(t, s1.RPC, "dc1")

-			_, policy, err := s1.fsm.State().ACLPolicyGetByID(nil, structs.ACLPolicyGlobalManagementID, nil)
-			require.NoError(t, err)
-			require.NotNil(t, policy)
+			// check that the builtin policies were created
+			for _, builtinPolicy := range structs.ACLBuiltinPolicies {
+				_, policy, err := s1.fsm.State().ACLPolicyGetByID(nil, builtinPolicy.ID, nil)
+				require.NoError(t, err)
+				require.NotNil(t, policy)
+			}

 			if tt.initialManagement != "" {
 				_, initialManagement, err := s1.fsm.State().ACLTokenGetBySecret(nil, tt.initialManagement, nil)
@ -1436,15 +1439,17 @@ func TestLeader_ACLUpgrade_IsStickyEvenIfSerfTagsRegress(t *testing.T) {
 	waitForLeaderEstablishment(t, s2)
 	waitForNewACLReplication(t, s2, structs.ACLReplicatePolicies, 1, 0, 0)

-	// Everybody has the management policy.
+	// Everybody has the builtin policies.
 	retry.Run(t, func(r *retry.R) {
-		_, policy1, err := s1.fsm.State().ACLPolicyGetByID(nil, structs.ACLPolicyGlobalManagementID, structs.DefaultEnterpriseMetaInDefaultPartition())
-		require.NoError(r, err)
-		require.NotNil(r, policy1)
+		for _, builtinPolicy := range structs.ACLBuiltinPolicies {
+			_, policy1, err := s1.fsm.State().ACLPolicyGetByID(nil, builtinPolicy.ID, structs.DefaultEnterpriseMetaInDefaultPartition())
+			require.NoError(r, err)
+			require.NotNil(r, policy1)

-		_, policy2, err := s2.fsm.State().ACLPolicyGetByID(nil, structs.ACLPolicyGlobalManagementID, structs.DefaultEnterpriseMetaInDefaultPartition())
-		require.NoError(r, err)
-		require.NotNil(r, policy2)
+			_, policy2, err := s2.fsm.State().ACLPolicyGetByID(nil, builtinPolicy.ID, structs.DefaultEnterpriseMetaInDefaultPartition())
+			require.NoError(r, err)
+			require.NotNil(r, policy2)
+		}
 	})

 	// Shutdown s1 and s2.
--- a/agent/consul/state/acl.go
+++ b/agent/consul/state/acl.go
@ -881,18 +881,18 @@ func aclPolicySetTxn(tx WriteTxn, idx uint64, policy *structs.ACLPolicy) error {
 	}

 	if existing != nil {
-		if policy.ID == structs.ACLPolicyGlobalManagementID {
+		if builtinPolicy, ok := structs.ACLBuiltinPolicies[policy.ID]; ok {
 			// Only the name and description are modifiable
-			// Here we specifically check that the rules on the global management policy
+			// Here we specifically check that the rules on the builtin policy
 			// are identical to the correct policy rules within the binary. This is opposed
 			// to checking against the current rules to allow us to update the rules during
 			// upgrades.
-			if policy.Rules != structs.ACLPolicyGlobalManagement {
-				return fmt.Errorf("Changing the Rules for the builtin global-management policy is not permitted")
+			if policy.Rules != builtinPolicy.Rules {
+				return fmt.Errorf("Changing the Rules for the builtin %s policy is not permitted", builtinPolicy.Name)
 			}

 			if policy.Datacenters != nil && len(policy.Datacenters) != 0 {
-				return fmt.Errorf("Changing the Datacenters of the builtin global-management policy is not permitted")
+				return fmt.Errorf("Changing the Datacenters of the builtin %s policy is not permitted", builtinPolicy.Name)
 			}
 		}
 	}
@ -1059,8 +1059,8 @@ func aclPolicyDeleteTxn(tx WriteTxn, idx uint64, value string, fn aclPolicyGetFn

 	policy := rawPolicy.(*structs.ACLPolicy)

-	if policy.ID == structs.ACLPolicyGlobalManagementID {
-		return fmt.Errorf("Deletion of the builtin global-management policy is not permitted")
+	if builtinPolicy, ok := structs.ACLBuiltinPolicies[policy.ID]; ok {
+		return fmt.Errorf("Deletion of the builtin %s policy is not permitted", builtinPolicy.Name)
 	}

 	return aclPolicyDeleteWithPolicy(tx, policy, idx)
--- a/agent/consul/state/acl_test.go
+++ b/agent/consul/state/acl_test.go
@ -27,16 +27,17 @@ const (
 )

 func setupGlobalManagement(t *testing.T, s *Store) {
-	policy := structs.ACLPolicy{
-		ID:          structs.ACLPolicyGlobalManagementID,
-		Name:        "global-management",
-		Description: "Builtin Policy that grants unlimited access",
-		Rules:       structs.ACLPolicyGlobalManagement,
-	}
+	policy := structs.ACLBuiltinPolicies[structs.ACLPolicyGlobalManagementID]
 	policy.SetHash(true)
 	require.NoError(t, s.ACLPolicySet(1, &policy))
 }

+func setupBuiltinGlobalReadOnly(t *testing.T, s *Store) {
+	policy := structs.ACLBuiltinPolicies[structs.ACLPolicyGlobalReadOnlyID]
+	policy.SetHash(true)
+	require.NoError(t, s.ACLPolicySet(2, &policy))
+}
+
 func setupAnonymous(t *testing.T, s *Store) {
 	token := structs.ACLToken{
 		AccessorID:  acl.AnonymousTokenID,
@ -50,6 +51,7 @@ func setupAnonymous(t *testing.T, s *Store) {
 func testACLStateStore(t *testing.T) *Store {
 	s := testStateStore(t)
 	setupGlobalManagement(t, s)
+	setupBuiltinGlobalReadOnly(t, s)
 	setupAnonymous(t, s)
 	return s
 }
@ -181,6 +183,7 @@ func TestStateStore_ACLBootstrap(t *testing.T) {

 	s := testStateStore(t)
 	setupGlobalManagement(t, s)
+	setupBuiltinGlobalReadOnly(t, s)

 	canBootstrap, index, err := s.CanBootstrapACLToken()
 	require.NoError(t, err)
@ -1427,7 +1430,7 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) {
 				ID:          structs.ACLPolicyGlobalManagementID,
 				Name:        "global-management",
 				Description: "Global Management",
-				Rules:       structs.ACLPolicyGlobalManagement,
+				Rules:       structs.ACLPolicyGlobalManagementRules,
 				Datacenters: []string{"dc1"},
 			}

@ -1441,7 +1444,7 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) {
 				ID:          structs.ACLPolicyGlobalManagementID,
 				Name:        "management",
 				Description: "Modified",
-				Rules:       structs.ACLPolicyGlobalManagement,
+				Rules:       structs.ACLPolicyGlobalManagementRules,
 			}

 			require.NoError(t, s.ACLPolicySet(3, &policy))
@ -1491,7 +1494,7 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) {
 		require.NotNil(t, rpolicy)
 		require.Equal(t, "global-management", rpolicy.Name)
 		require.Equal(t, "Builtin Policy that grants unlimited access", rpolicy.Description)
-		require.Equal(t, structs.ACLPolicyGlobalManagement, rpolicy.Rules)
+		require.Equal(t, structs.ACLPolicyGlobalManagementRules, rpolicy.Rules)
 		require.Len(t, rpolicy.Datacenters, 0)
 		require.Equal(t, uint64(1), rpolicy.CreateIndex)
 		require.Equal(t, uint64(1), rpolicy.ModifyIndex)
@ -1661,31 +1664,39 @@ func TestStateStore_ACLPolicy_List(t *testing.T) {

 	_, policies, err := s.ACLPolicyList(nil, nil)
 	require.NoError(t, err)
-	require.Len(t, policies, 3)
+	require.Len(t, policies, 4)
 	policies.Sort()
 	require.Equal(t, structs.ACLPolicyGlobalManagementID, policies[0].ID)
-	require.Equal(t, "global-management", policies[0].Name)
-	require.Equal(t, "Builtin Policy that grants unlimited access", policies[0].Description)
+	require.Equal(t, structs.ACLPolicyGlobalManagementName, policies[0].Name)
+	require.Equal(t, structs.ACLPolicyGlobalManagementDesc, policies[0].Description)
 	require.Empty(t, policies[0].Datacenters)
 	require.NotEqual(t, []byte{}, policies[0].Hash)
 	require.Equal(t, uint64(1), policies[0].CreateIndex)
 	require.Equal(t, uint64(1), policies[0].ModifyIndex)

-	require.Equal(t, "a2719052-40b3-4a4b-baeb-f3df1831a217", policies[1].ID)
-	require.Equal(t, "acl-write-dc3", policies[1].Name)
-	require.Equal(t, "Can manage ACLs in dc3", policies[1].Description)
-	require.ElementsMatch(t, []string{"dc3"}, policies[1].Datacenters)
-	require.Nil(t, policies[1].Hash)
+	require.Equal(t, structs.ACLPolicyGlobalReadOnlyID, policies[1].ID)
+	require.Equal(t, structs.ACLPolicyGlobalReadOnlyName, policies[1].Name)
+	require.Equal(t, structs.ACLPolicyGlobalReadOnlyDesc, policies[1].Description)
+	require.Empty(t, policies[1].Datacenters)
+	require.NotEqual(t, []byte{}, policies[1].Hash)
 	require.Equal(t, uint64(2), policies[1].CreateIndex)
 	require.Equal(t, uint64(2), policies[1].ModifyIndex)

-	require.Equal(t, "a4f68bd6-3af5-4f56-b764-3c6f20247879", policies[2].ID)
-	require.Equal(t, "service-read", policies[2].Name)
-	require.Equal(t, "", policies[2].Description)
-	require.Empty(t, policies[2].Datacenters)
+	require.Equal(t, "a2719052-40b3-4a4b-baeb-f3df1831a217", policies[2].ID)
+	require.Equal(t, "acl-write-dc3", policies[2].Name)
+	require.Equal(t, "Can manage ACLs in dc3", policies[2].Description)
+	require.ElementsMatch(t, []string{"dc3"}, policies[2].Datacenters)
 	require.Nil(t, policies[2].Hash)
 	require.Equal(t, uint64(2), policies[2].CreateIndex)
 	require.Equal(t, uint64(2), policies[2].ModifyIndex)
+
+	require.Equal(t, "a4f68bd6-3af5-4f56-b764-3c6f20247879", policies[3].ID)
+	require.Equal(t, "service-read", policies[3].Name)
+	require.Equal(t, "", policies[3].Description)
+	require.Empty(t, policies[3].Datacenters)
+	require.Nil(t, policies[3].Hash)
+	require.Equal(t, uint64(2), policies[3].CreateIndex)
+	require.Equal(t, uint64(2), policies[3].ModifyIndex)
 }

 func TestStateStore_ACLPolicy_Delete(t *testing.T) {
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
@ -42,41 +42,68 @@ const (

 	// This policy gives unlimited access to everything. Users
 	// may rename if desired but cannot delete or modify the rules.
-	ACLPolicyGlobalManagementID = "00000000-0000-0000-0000-000000000001"
-	ACLPolicyGlobalManagement   = `
-acl = "write"
+	ACLPolicyGlobalManagementID   = "00000000-0000-0000-0000-000000000001"
+	ACLPolicyGlobalManagementName = "global-management"
+	ACLPolicyGlobalManagementDesc = "Builtin Policy that grants unlimited access"
+
+	ACLPolicyGlobalReadOnlyID   = "00000000-0000-0000-0000-000000000002"
+	ACLPolicyGlobalReadOnlyName = "builtin/global-read-only"
+	ACLPolicyGlobalReadOnlyDesc = "Builtin Policy that grants unlimited read-only access to all components"
+
+	ACLReservedIDPrefix = "00000000-0000-0000-0000-0000000000"
+
+	aclPolicyGlobalRulesTemplate = `
+acl = "%[1]s"
 agent_prefix "" {
-	policy = "write"
+	policy = "%[1]s"
 }
 event_prefix "" {
-	policy = "write"
+	policy = "%[1]s"
 }
 key_prefix "" {
-	policy = "write"
+	policy = "%[1]s"
 }
-keyring = "write"
+keyring = "%[1]s"
 node_prefix "" {
-	policy = "write"
+	policy = "%[1]s"
 }
-operator = "write"
-mesh = "write"
-peering = "write"
+operator = "%[1]s"
+mesh = "%[1]s"
+peering = "%[1]s"
 query_prefix "" {
-	policy = "write"
+	policy = "%[1]s"
 }
 service_prefix "" {
-	policy = "write"
-	intentions = "write"
+	policy = "%[1]s"
+	intentions = "%[1]s"
 }
 session_prefix "" {
-	policy = "write"
-}` + EnterpriseACLPolicyGlobalManagement
+	policy = "%[1]s"
+}`
+)

-	ACLReservedPrefix = "00000000-0000-0000-0000-0000000000"
+var (
+	ACLPolicyGlobalReadOnlyRules   = fmt.Sprintf(aclPolicyGlobalRulesTemplate, "read") + EnterpriseACLPolicyGlobalReadOnly
+	ACLPolicyGlobalManagementRules = fmt.Sprintf(aclPolicyGlobalRulesTemplate, "write") + EnterpriseACLPolicyGlobalManagement
+
+	ACLBuiltinPolicies = map[string]ACLPolicy{
+		ACLPolicyGlobalManagementID: {
+			ID:          ACLPolicyGlobalManagementID,
+			Name:        ACLPolicyGlobalManagementName,
+			Description: ACLPolicyGlobalManagementDesc,
+			Rules:       ACLPolicyGlobalManagementRules,
+		},
+		ACLPolicyGlobalReadOnlyID: {
+			ID:          ACLPolicyGlobalReadOnlyID,
+			Name:        ACLPolicyGlobalReadOnlyName,
+			Description: ACLPolicyGlobalReadOnlyDesc,
+			Rules:       ACLPolicyGlobalReadOnlyRules,
+		},
+	}
 )

 func ACLIDReserved(id string) bool {
-	return strings.HasPrefix(id, ACLReservedPrefix)
+	return strings.HasPrefix(id, ACLReservedIDPrefix)
 }

 // ACLBootstrapNotAllowedErr is returned once we know that a bootstrap can no
--- a/agent/structs/acl_oss.go
+++ b/agent/structs/acl_oss.go
@ -11,6 +11,7 @@ import (

 const (
 	EnterpriseACLPolicyGlobalManagement = ""
+	EnterpriseACLPolicyGlobalReadOnly   = ""

 	// aclPolicyTemplateServiceIdentity is the template used for synthesizing
 	// policies for service identities.
--- a/api/acl_test.go
+++ b/api/acl_test.go
@ -187,7 +187,7 @@ func TestAPI_ACLPolicy_List(t *testing.T) {

 	policies, qm, err := acl.PolicyList(nil)
 	require.NoError(t, err)
-	require.Len(t, policies, 4)
+	require.Len(t, policies, 5)
 	require.NotEqual(t, 0, qm.LastIndex)
 	require.True(t, qm.KnownLeader)

@ -230,6 +230,11 @@ func TestAPI_ACLPolicy_List(t *testing.T) {
 	policy4, ok := policyMap["00000000-0000-0000-0000-000000000001"]
 	require.True(t, ok)
 	require.NotNil(t, policy4)
+
+	// make sure the 5th policy is the global read-only
+	policy5, ok := policyMap["00000000-0000-0000-0000-000000000002"]
+	require.True(t, ok)
+	require.NotNil(t, policy5)
 }

 func prepTokenPolicies(t *testing.T, acl *ACL) (policies []*ACLPolicy) {
--- a/website/content/docs/security/acl/acl-policies.mdx
+++ b/website/content/docs/security/acl/acl-policies.mdx
@ -391,7 +391,11 @@ New installations of Consul ship with the following built-in policies.

 ### Global Management

-The `global-management` policy grants unrestricted privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. You can rename the global management policy, but Consul will prevent you from modifying any other attributes, including the rule set and datacenter scope.
+The `global-management` policy grants unrestricted privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. You can rename the global management policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope.
+
+### Global Read-Only
+
+The `builtin/global-read-only` policy grants unrestricted _read-only_ privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000002`. You can rename the global read-only policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope.

 ### Namespace Management <EnterpriseAlert inline />