diff --git a/acl/policy.go b/acl/policy.go
index fca018a65e..a0e56da425 100644
--- a/acl/policy.go
+++ b/acl/policy.go
@@ -19,7 +19,7 @@ type Policy struct {
 Keys []*KeyPolicy `hcl:"key,expand"`
 Services []*ServicePolicy `hcl:"service,expand"`
 Events []*EventPolicy `hcl:"event,expand"`
- PreparedQueries []*PreparedQueryPolicy `hcl:"prepared_query,expand"`
+ PreparedQueries []*PreparedQueryPolicy `hcl:"query,expand"`
 Keyring string `hcl:"keyring"`
 }
@@ -116,7 +116,7 @@ func Parse(rules string) (*Policy, error) {
 // Validate the prepared query policies
 for _, pq := range p.PreparedQueries {
 if !isPolicyValid(pq.Policy) {
- return nil, fmt.Errorf("Invalid prepared_query policy: %#v", pq)
+ return nil, fmt.Errorf("Invalid query policy: %#v", pq)
 }
 }
diff --git a/acl/policy_test.go b/acl/policy_test.go
index ae4d76a160..c59a4e0146 100644
--- a/acl/policy_test.go
+++ b/acl/policy_test.go
@@ -35,13 +35,13 @@ event "foo" {
 event "bar" {
 policy = "deny"
 }
-prepared_query "" {
+query "" {
 policy = "read"
 }
-prepared_query "foo" {
+query "foo" {
 policy = "write"
 }
-prepared_query "bar" {
+query "bar" {
 policy = "deny"
 }
 keyring = "deny"
@@ -151,7 +151,7 @@ func TestACLPolicy_Parse_JSON(t *testing.T) {
 "policy": "deny"
 }
 },
- "prepared_query": {
+ "query": {
 "": {
 "policy": "read"
 },
@@ -257,7 +257,7 @@ func TestACLPolicy_Bad_Policy(t *testing.T) {
 `key "" { policy = "nope" }`,
 `service "" { policy = "nope" }`,
 `event "" { policy = "nope" }`,
- `prepared_query "" { policy = "nope" }`,
+ `query "" { policy = "nope" }`,
 `keyring = "nope"`,
 }
 for _, c := range cases {
diff --git a/consul/prepared_query_endpoint_test.go b/consul/prepared_query_endpoint_test.go
index 620b816ee3..16c37cb54f 100644
--- a/consul/prepared_query_endpoint_test.go
+++ b/consul/prepared_query_endpoint_test.go
@@ -194,7 +194,7 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) {
 var token string
 {
 var rules = `
- prepared_query "redis" {
+ query "redis" {
 policy = "write"
 }
 `
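Review bot: After the tag change on `PreparedQueries` in the `Policy` struct hunk of acl/policy.go, nothing visible in this diff rejects or warns about a rule set that still uses the old `prepared_query` key. If the HCL decoder skips keys that have no matching field (not visible here), such a rule would be dropped without an error and the token would fall back to the default policy; with a default-allow (blacklist) setup that turns an intended `deny` into an allow. The tests in acl/policy_test.go only cover the new spelling, so a case that feeds the old key to `Parse` and pins the expected outcome would make the behaviour explicit. At minimum the field deserves a comment such as `// PreparedQueries holds the "query" rules; the former "prepared_query" key is not decoded.` The struct and `Parse` both continue outside the hunks, so any handling that exists elsewhere is not visible from here.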
@@ -585,7 +585,7 @@ func TestPreparedQuery_Get(t *testing.T) { var token string { var rules = ` - prepared_query "redis" { + query "redis" { policy = "write" } ` @@ -762,7 +762,7 @@ func TestPreparedQuery_List(t *testing.T) { var token string { var rules = ` - prepared_query "redis" { + query "redis" { policy = "write" } ` diff --git a/website/source/docs/agent/http/query.html.markdown b/website/source/docs/agent/http/query.html.markdown index 12553180b3..3140e8f975 100644 --- a/website/source/docs/agent/http/query.html.markdown +++ b/website/source/docs/agent/http/query.html.markdown @@ -48,7 +48,7 @@ its ID if it is created successfully. By default, the datacenter of the agent is queried; however, the dc can be provided using the "?dc=" query parameter. -If ACLs are enabled, then the client will need to supply a token with `prepared_query` +If ACLs are enabled, then the client will need to supply a token with `query` write privileges sufficient to match the service name being queried and the `Name` given to the query, if any. See also the note about the `Token` field below. @@ -166,7 +166,7 @@ provided using the "?dc=" query parameter. This endpoint supports blocking queries and all consistency modes. If ACLs are enabled, then the client will only see prepared queries for which their -token has `prepared_query` read privileges. A management token will be able to see all +token has `query` read privileges. A management token will be able to see all prepared queries. Tokens will be displayed as `` unless a management token is used. 
@@ -211,7 +211,7 @@ The `PUT` method allows an existing prepared query to be updated. By default, the datacenter of the agent is queried; however, the dc can be provided using the "?dc=" query parameter. -If ACLs are enabled, then the client will need to supply a token with `prepared_query` +If ACLs are enabled, then the client will need to supply a token with `query` write privileges sufficient to match the service name being queried and the `Name` given to the query, if any. @@ -232,7 +232,7 @@ only with a single item present. If the query does not exist then a 404 status code will be returned. If ACLs are enabled, then the client will only see prepared queries for which their -token has `prepared_query` read privileges. A management token will be able to see all +token has `query` read privileges. A management token will be able to see all prepared queries. Tokens will be displayed as `` unless a management token is used. @@ -243,7 +243,7 @@ The `DELETE` method is used to delete a prepared query. By default, the datacenter of the agent is queried; however, the dc can be provided using the "?dc=" query parameter. -If ACLs are enabled, then the client will need to supply a token with `prepared_query` +If ACLs are enabled, then the client will need to supply a token with `query` write privileges sufficient to match the service name being queried and the `Name` given to the query, if any. diff --git a/website/source/docs/internals/acl.html.markdown b/website/source/docs/internals/acl.html.markdown index d216be304f..0bac349100 100644 --- a/website/source/docs/internals/acl.html.markdown +++ b/website/source/docs/internals/acl.html.markdown 
@@ -150,7 +150,7 @@ access to each API token based on the events they should be able to fire. ### Blacklist mode and Prepared Queries After Consul 0.6.3, significant changes were made to ACLs for prepared queries, -incuding a new `prepared_query` ACL policy. See [Prepared Query ACLs](#prepared_query_acls) below for more details. +incuding a new `query` ACL policy. See [Prepared Query ACLs](#prepared_query_acls) below for more details. ### Blacklist mode and Keyring Operations @@ -261,7 +261,7 @@ event "destroy-" { } # Default prepared queries to read-only. -prepared_query "" { +query "" { policy = "read" } @@ -300,7 +300,7 @@ This is equivalent to the following JSON input: "policy": "deny" } }, - "prepared_query": { + "query": { "": { "policy": "read" } @@ -375,7 +375,7 @@ These variations are covered here, with examples: process to use via DNS. * Static queries with a `Name` defined are controlled by the - [`prepared_query`](/docs/internals/acl.html#prepared_query_acls) ACL policy. + [`query`](/docs/internals/acl.html#prepared_query_acls) ACL policy. Clients are required to have an ACL token with a prefix sufficient to cover the name they are trying to manage, with a longest prefix match providing a way to define more specific policies. Clients can list or read queries for 
@@ -431,7 +431,7 @@ These differences are outlined in the table below: Create static query with `Name` The ACL Token used to create the prepared query is checked to make sure it can access the service being queried. This token is captured as the `Token` to use when executing the prepared query. - The client token's `prepared_query` ACL policy is used to determine if the client is allowed to register a query for the given `Name`. No `Token` is captured by default unless specifically supplied by the client when creating the query. + The client token's `query` ACL policy is used to determine if the client is allowed to register a query for the given `Name`. No `Token` is captured by default unless specifically supplied by the client when creating the query. Manage static query without `Name` @@ -441,12 +441,12 @@ These differences are outlined in the table below: Manage static query with a `Name` The ACL token used to create the query, or a management token must be supplied in order to perform these operations. - Similar to create, the client token's `prepared_query` ACL policy is used to determine if these operations are allowed. + Similar to create, the client token's `query` ACL policy is used to determine if these operations are allowed. List queries A management token is required to list any queries. - The client token's `prepared_query` ACL policy is used to determine which queries they can see. Only management tokens can see prepared queries without `Name`. + The client token's `query` ACL policy is used to determine which queries they can see. Only management tokens can see prepared queries without `Name`. Execute query