From 2a67c898f3990bbb096a30c7d240430778c269ff Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Tue, 5 Oct 2021 14:01:31 -0400 Subject: [PATCH 1/4] api-docs: remove duplicate acl-legacy page Redirect the url to the copy that is part of the left nav. --- website/content/api-docs/acl-legacy.mdx | 421 ------------------------ website/redirects.next.js | 5 + 2 files changed, 5 insertions(+), 421 deletions(-) delete mode 100644 website/content/api-docs/acl-legacy.mdx diff --git a/website/content/api-docs/acl-legacy.mdx b/website/content/api-docs/acl-legacy.mdx deleted file mode 100644 index 678b60ce32..0000000000 --- a/website/content/api-docs/acl-legacy.mdx +++ /dev/null 
@@ -1,421 +0,0 @@ ---- -layout: api -page_title: Legacy ACLs - HTTP API -description: >- - The /acl endpoints create, update, destroy, and query Legacy ACL tokens in - Consul. ---- - --> **Consul 1.4.0 deprecates the legacy ACL system completely.** It's _strongly_ -recommended you do not build anything using the legacy system and consider using -the new ACL [Token](/docs/api/acl-token) and [Policy](/docs/api/acl-policy) APIs instead. - -# ACL HTTP API - -These `/acl` endpoints create, update, destroy, and query ACL tokens in Consul. For more information about ACLs, please check the -[ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production). - -## Bootstrap ACLs - -This endpoint does a special one-time bootstrap of the ACL system, making the first -management token if the [`acl_master_token`](/docs/agent/options#acl_master_token) -is not specified in the Consul server configuration, and if the cluster has not been -bootstrapped previously. This is available in Consul 0.9.1 and later, and requires all -Consul servers to be upgraded in order to operate. - -This provides a mechanism to bootstrap ACLs without having any secrets present in Consul's -configuration files. - -| Method | Path | Produces | -| ------ | ---------------- | ------------------ | -| `PUT` | `/acl/bootstrap` | `application/json` | - -The table below shows this endpoint's support for -[blocking queries](/api/features/blocking), -[consistency modes](/api/features/consistency), -[agent caching](/api/features/caching), and -[required ACLs](/api#authentication). 
- -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | ------------ | -| `NO` | `none` | `none` | `none` | - -### Sample Request - -```shell-session -$ curl \ - --request PUT \ - http://127.0.0.1:8500/v1/acl/bootstrap -``` - -### Sample Response - -```json -{ - "ID": "adf4238a-882b-9ddc-4a9d-5b6758e4159e" -} -``` - -You can detect if something has interfered with the ACL bootstrapping process by -checking the response code. A 200 response means that the bootstrap was a success, and -a 403 means that the cluster has already been bootstrapped, at which point you should -consider the cluster in a potentially compromised state. - -The returned token will be a management token which can be used to further configure the -ACL system. Please check the -[ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production) for more details. - -## Create ACL Token - -This endpoint makes a new ACL token. - -| Method | Path | Produces | -| ------ | ------------- | ------------------ | -| `PUT` | `/acl/create` | `application/json` | - -The table below shows this endpoint's support for -[blocking queries](/api/features/blocking), -[consistency modes](/api/features/consistency), -[agent caching](/api/features/caching), and -[required ACLs](/api#authentication). - -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | ------------ | -| `NO` | `none` | `none` | `management` | - -### Parameters - -- `ID` `(string: "")` - Specifies the ID of the ACL. If not provided, a UUID is - generated. - -- `Name` `(string: "")` - Specifies a human-friendly name for the ACL token. - -- `Type` `(string: "client")` - Specifies the type of ACL token. Valid values - are: `client` and `management`. - -- `Rules` `(string: "")` - Specifies rules for this ACL token. 
The format of the - `Rules` property is documented in the [ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production). - -### Sample Payload - -```json -{ - "Name": "my-app-token", - "Type": "client", - "Rules": "" -} -``` - -### Sample Request - -```shell-session -$ curl \ - --request PUT \ - --data @payload.json \ - http://127.0.0.1:8500/v1/acl/create -``` - -### Sample Response - -```json -{ - "ID": "adf4238a-882b-9ddc-4a9d-5b6758e4159e" -} -``` - -## Update ACL Token - -This endpoint is used to modify the policy for a given ACL token. Instead of -generating a new token ID, the `ID` field must be provided. - -| Method | Path | Produces | -| ------ | ------------- | ------------------ | -| `PUT` | `/acl/update` | `application/json` | - -The table below shows this endpoint's support for -[blocking queries](/api/features/blocking), -[consistency modes](/api/features/consistency), -[agent caching](/api/features/caching), and -[required ACLs](/api#authentication). - -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | ------------ | -| `NO` | `none` | `none` | `management` | - -### Parameters - -The parameters are the same as the _create_ endpoint, except the `ID` field is -required. - -### Sample Payload - -```json -{ - "ID": "adf4238a-882b-9ddc-4a9d-5b6758e4159e", - "Name": "my-app-token-updated", - "Type": "client", - "Rules": "# New Rules" -} -``` - -### Sample Request - -```shell-session -$ curl \ - --request PUT \ - --data @payload.json \ - http://127.0.0.1:8500/v1/acl/update -``` - -### Sample Response - -```json -{ - "ID": "adf4238a-882b-9ddc-4a9d-5b6758e4159e" -} -``` - -## Delete ACL Token - -This endpoint deletes an ACL token with the given ID. 
- -| Method | Path | Produces | -| ------ | -------------------- | ------------------ | -| `PUT` | `/acl/destroy/:uuid` | `application/json` | - -Even though the return type is application/json, the value is either true or false, indicating whether the delete succeeded. - -The table below shows this endpoint's support for -[blocking queries](/api/features/blocking), -[consistency modes](/api/features/consistency), -[agent caching](/api/features/caching), and -[required ACLs](/api#authentication). - -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | ------------ | -| `NO` | `none` | `none` | `management` | - -### Parameters - -- `uuid` `(string: )` - Specifies the UUID of the ACL token to - destroy. This is required and is specified as part of the URL path. - -### Sample Request - -```shell-session -$ curl \ - --request PUT \ - http://127.0.0.1:8500/v1/acl/destroy/8f246b77-f3e1-ff88-5b48-8ec93abf3e05 -``` - -### Sample Response - -```text -true -``` - -## Read ACL Token - -This endpoint reads an ACL token with the given ID. - -| Method | Path | Produces | -| ------ | ----------------- | ------------------ | -| `GET` | `/acl/info/:uuid` | `application/json` | - -The table below shows this endpoint's support for -[blocking queries](/api/features/blocking), -[consistency modes](/api/features/consistency), -[agent caching](/api/features/caching), and -[required ACLs](/api#authentication). - -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | ------------ | -| `YES` | `all` | `none` | `none` | - -Note: No ACL is required because the ACL is specified in the URL path. - -### Parameters - -- `uuid` `(string: )` - Specifies the UUID of the ACL token to - read. This is required and is specified as part of the URL path. 
- -### Sample Request - -```shell-session -$ curl \ - http://127.0.0.1:8500/v1/acl/info/8f246b77-f3e1-ff88-5b48-8ec93abf3e05 -``` - -### Sample Response - -```json -[ - { - "CreateIndex": 3, - "ModifyIndex": 3, - "ID": "8f246b77-f3e1-ff88-5b48-8ec93abf3e05", - "Name": "Client Token", - "Type": "client", - "Rules": "..." - } -] -``` - -## Clone ACL Token - -This endpoint clones an ACL and returns a new token `ID`. This allows a token to -serve as a template for others, making it simple to generate new tokens without -complex rule management. - -| Method | Path | Produces | -| ------ | ------------------ | ------------------ | -| `PUT` | `/acl/clone/:uuid` | `application/json` | - -The table below shows this endpoint's support for -[blocking queries](/api/features/blocking), -[consistency modes](/api/features/consistency), -[agent caching](/api/features/caching), and -[required ACLs](/api#authentication). - -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | ------------ | -| `NO` | `none` | `none` | `management` | - -### Parameters - -- `uuid` `(string: )` - Specifies the UUID of the ACL token to - be cloned. This is required and is specified as part of the URL path. - -### Sample Request - -```shell-session -$ curl \ - --request PUT \ - http://127.0.0.1:8500/v1/acl/clone/8f246b77-f3e1-ff88-5b48-8ec93abf3e05 -``` - -### Sample Response - -```json -{ - "ID": "adf4238a-882b-9ddc-4a9d-5b6758e4159e" -} -``` - -## List ACLs - -This endpoint lists all the active ACL tokens. - -| Method | Path | Produces | -| ------ | ----------- | ------------------ | -| `GET` | `/acl/list` | `application/json` | - -The table below shows this endpoint's support for -[blocking queries](/api/features/blocking), -[consistency modes](/api/features/consistency), -[agent caching](/api/features/caching), and -[required ACLs](/api#authentication). 
- -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | ------------ | -| `YES` | `all` | `none` | `management` | - -### Sample Request - -```shell-session -$ curl \ - http://127.0.0.1:8500/v1/acl/list -``` - -### Sample Response - -```json -[ - { - "CreateIndex": 3, - "ModifyIndex": 3, - "ID": "8f246b77-f3e1-ff88-5b48-8ec93abf3e05", - "Name": "Client Token", - "Type": "client", - "Rules": "..." - } -] -``` - -## Check ACL Replication - -This endpoint returns the status of the ACL replication process in the -datacenter. This is intended to be used by operators, or by automation checking -the health of ACL replication. - -Please check the [ACL Replication tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-replication-multiple-datacenters) -for more details. - -| Method | Path | Produces | -| ------ | ------------------ | ------------------ | -| `GET` | `/acl/replication` | `application/json` | - -The table below shows this endpoint's support for -[blocking queries](/api/features/blocking), -[consistency modes](/api/features/consistency), -[agent caching](/api/features/caching), and -[required ACLs](/api#authentication). - -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | ------------ | -| `NO` | `consistent` | `none` | `none` | - -### Parameters - -- `dc` `(string: "")` - Specifies the datacenter to query. This will default to - the datacenter of the agent being queried. This is specified as part of the - URL as a query parameter. 
- -### Sample Request - -```shell-session -$ curl \ - http://127.0.0.1:8500/v1/acl/replication -``` - -### Sample Response - -```json -{ - "Enabled": true, - "Running": true, - "SourceDatacenter": "dc1", - "ReplicatedIndex": 1976, - "LastSuccess": "2016-08-05T06:28:58Z", - "LastError": "2016-08-05T06:28:28Z" -} -``` - -- `Enabled` reports whether ACL replication is enabled for the datacenter. - -- `Running` reports whether the ACL replication process is running. The process - may take approximately 60 seconds to begin running after a leader election - occurs. - -- `SourceDatacenter` is the authoritative ACL datacenter that ACLs are being - replicated from, and will match the - [`primary_datacenter`](/docs/agent/options#primary_datacenter) configuration. - -- `ReplicatedIndex` is the last index that was successfully replicated. You can - compare this to the `X-Consul-Index` header returned by the - [`/v1/acl/list`](#list-acls) endpoint to determine if the replication process - has gotten all available ACLs. Replication runs as a background process - approximately every 30 seconds, and that local updates are rate limited to 100 - updates/second, so so it may take several minutes to perform the initial sync - of a large set of ACLs. After the initial sync, replica lag should be on the - order of about 30 seconds. - -- `LastSuccess` is the UTC time of the last successful sync operation. Since ACL - replication is done with a blocking query, this may not update for up to 5 - minutes if there have been no ACL changes to replicate. A zero value of - "0001-01-01T00:00:00Z" will be present if no sync has been successful. - -- `LastError` is the UTC time of the last error encountered during a sync - operation. If this time is later than `LastSuccess`, you can assume the - replication process is not in a good state. A zero value of - "0001-01-01T00:00:00Z" will be present if no sync has resulted in an error. 
diff --git a/website/redirects.next.js b/website/redirects.next.js
index 1300162fbe..e3db27ff75 100644
--- a/website/redirects.next.js
+++ b/website/redirects.next.js
@@ -56,6 +56,11 @@ module.exports = [
 destination: '/docs/security/acl/acl-legacy',
 permanent: true,
 },
+ {
+ source: '/api-docs/acl-legacy',
+ destination: '/api-docs/acl/legacy',
+ permanent: true,
+ },
 {
 source: '/docs/guides/acl-migrate-tokens',
 destination: '/docs/security/acl/acl-migrate-tokens',
From 18b3ac33e8379ddedc648ce18e9a7ad6d8b71441 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Tue, 5 Oct 2021 18:18:13 -0400 Subject: [PATCH 2/4] acl: remove unused translate rules endpoint The CLI command does not use this endpoint, so we can remove it. It was missed in an earlier pass. --- agent/acl_endpoint.go | 32 -------------------------------- agent/acl_endpoint_test.go | 1 - agent/http_register.go | 4 ++-- 3 files changed, 2 insertions(+), 35 deletions(-)
diff --git a/agent/acl_endpoint.go b/agent/acl_endpoint.go
index d3d4e2a517..08ddfb4965 100644
--- a/agent/acl_endpoint.go
+++ b/agent/acl_endpoint.go
@@ -2,7 +2,6 @@ package agent
 import (
 "fmt"
- "io/ioutil"
 "net/http"
 "strings"
@@ -74,37 +73,6 @@ func (s *HTTPHandlers) ACLReplicationStatus(resp http.ResponseWriter, req *http.
 return out, nil
 }
-func (s *HTTPHandlers) ACLRulesTranslate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
- if s.checkACLDisabled(resp, req) {
- return nil, nil
- }
-
- var token string
- s.parseToken(req, &token)
- authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
- if err != nil {
- return nil, err
- }
- // Should this require lesser permissions? Really the only reason to require authorization at all is
- // to prevent external entities from DoS Consul with repeated rule translation requests
- if authz.ACLRead(nil) != acl.Allow {
- return nil, acl.ErrPermissionDenied
- }
-
- policyBytes, err := ioutil.ReadAll(req.Body)
- if err != nil {
- return nil, BadRequestError{Reason: fmt.Sprintf("Failed to read body: %v", err)}
- }
-
- translated, err := acl.TranslateLegacyRules(policyBytes)
- if err != nil {
- return nil, BadRequestError{Reason: err.Error()}
- }
-
- resp.Write(translated)
- return nil, nil
-}
-
 func (s *HTTPHandlers) ACLPolicyList(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
 if s.checkACLDisabled(resp, req) {
 return nil, nil
diff --git a/agent/acl_endpoint_test.go b/agent/acl_endpoint_test.go
index 0debb7da80..9c149c60ef 100644
--- a/agent/acl_endpoint_test.go
+++ b/agent/acl_endpoint_test.go
@@ -45,7 +45,6 @@ func TestACL_Disabled_Response(t *testing.T) {
 {"ACLBootstrap", a.srv.ACLBootstrap},
 {"ACLReplicationStatus", a.srv.ACLReplicationStatus},
 {"AgentToken", a.srv.AgentToken}, // See TestAgent_Token
- {"ACLRulesTranslate", a.srv.ACLRulesTranslate},
 {"ACLPolicyList", a.srv.ACLPolicyList},
 {"ACLPolicyCRUD", a.srv.ACLPolicyCRUD},
 {"ACLPolicyCreate", a.srv.ACLPolicyCreate},
diff --git a/agent/http_register.go b/agent/http_register.go
index 7a7e750820..2e3d98ade1 100644
--- a/agent/http_register.go
+++ b/agent/http_register.go
@@ -19,8 +19,6 @@ func init() {
 registerEndpoint("/v1/acl/auth-methods", []string{"GET"}, (*HTTPHandlers).ACLAuthMethodList)
 registerEndpoint("/v1/acl/auth-method", []string{"PUT"}, (*HTTPHandlers).ACLAuthMethodCreate)
 registerEndpoint("/v1/acl/auth-method/", []string{"GET", "PUT", "DELETE"}, (*HTTPHandlers).ACLAuthMethodCRUD)
- registerEndpoint("/v1/acl/rules/translate", []string{"POST"}, (*HTTPHandlers).ACLRulesTranslate)
- registerEndpoint("/v1/acl/rules/translate/", []string{"GET"}, (*HTTPHandlers).ACLLegacy)
 registerEndpoint("/v1/acl/tokens", []string{"GET"}, (*HTTPHandlers).ACLTokenList)
 registerEndpoint("/v1/acl/token", []string{"PUT"}, (*HTTPHandlers).ACLTokenCreate)
 registerEndpoint("/v1/acl/token/self", []string{"GET"}, (*HTTPHandlers).ACLTokenSelf)
@@ -126,4 +124,6 @@ func init() {
 registerEndpoint("/v1/acl/info/", []string{"GET"}, (*HTTPHandlers).ACLLegacy)
 registerEndpoint("/v1/acl/clone/", []string{"PUT"}, (*HTTPHandlers).ACLLegacy)
 registerEndpoint("/v1/acl/list", []string{"GET"}, (*HTTPHandlers).ACLLegacy)
+ registerEndpoint("/v1/acl/rules/translate", []string{"POST"}, (*HTTPHandlers).ACLLegacy)
+ registerEndpoint("/v1/acl/rules/translate/", []string{"GET"}, (*HTTPHandlers).ACLLegacy)
 }
From b4e3367e63fcff66f8516f3b026e8d9399f5dd0f Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Tue, 5 Oct 2021 14:28:51 -0400 Subject: [PATCH 3/4] docs: add notice that legacy ACLs have been removed. Add changelog Also remove a metric that is no longer emitted that was missed in a previous step. --- .changelog/11232.txt | 3 +++ agent/consul/acl.go | 4 ---- website/content/api-docs/acl/index.mdx | 10 +++++----- website/content/api-docs/acl/legacy.mdx | 8 ++++---- website/content/docs/agent/telemetry.mdx | 1 - website/content/docs/security/acl/acl-legacy.mdx | 5 +++-- 6 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/.changelog/11232.txt b/.changelog/11232.txt
new file mode 100644
index 0000000000..25386cf4af
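Review bot: In agent/http_register.go, the two `registerEndpoint` lines added at the end of `init()` (second hunk) hand `POST /v1/acl/rules/translate` to `ACLLegacy`, yet nothing in this series pins what a caller now receives: the `ACLRulesTranslate` row is dropped from `TestACL_Disabled_Response`, and patch 4/4 deletes `TestAPI_RulesTranslate_Raw` rather than rewriting it to expect the failure, although its message implies the deprecated client method stays. The removed handler resolved the token and required `ACLRead` before reading the request body, so it is worth confirming that `ACLLegacy`, whose body is not shown here, also returns without reading the body of an unauthenticated POST. I would add a test case that issues the POST and asserts the legacy-removed response, and put a comment above the two lines such as `// Translate endpoints went away with the legacy ACL system in 1.11.0; the routes stay registered so callers get the ACLLegacy response.` `init()` starts outside both hunks.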
--- /dev/null +++ b/.changelog/11232.txt @@ -0,0 +1,3 @@ +```release-note:breaking-change +acl: The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that nothing is still using the legacy ACL system. See the [Migrate Legacy ACL Tokens Learn Guide](https://learn.hashicorp.com/tutorials/consul/access-control-token-migration) for more information. +``` diff --git a/agent/consul/acl.go b/agent/consul/acl.go index a5c4010f12..46605e8946 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go @@ -30,10 +30,6 @@ var ACLCounters = []prometheus.CounterDefinition{ } var ACLSummaries = []prometheus.SummaryDefinition{ - { - Name: []string{"acl", "resolveTokenLegacy"}, - Help: "This measures the time it takes to resolve an ACL token using the legacy ACL system.", - }, { Name: []string{"acl", "ResolveToken"}, Help: "This measures the time it takes to resolve an ACL token.", diff --git a/website/content/api-docs/acl/index.mdx b/website/content/api-docs/acl/index.mdx index ecfac75e11..5596ec0c57 100644 --- a/website/content/api-docs/acl/index.mdx +++ b/website/content/api-docs/acl/index.mdx @@ -144,7 +144,7 @@ $ curl \ - `ReplicationType` - The type of replication that is currently in use. - - `legacy` - ACL replication is in legacy mode and is replicating legacy ACL tokens. + - `legacy` - (removed in Consul 1.11.0) ACL replication is in legacy mode and is replicating legacy ACL tokens. - `policies` - ACL replication is only replicating policies as token replication is disabled. 
@@ -181,8 +181,8 @@ $ curl \ ## Translate Rules --> **Deprecated** - This endpoint was introduced in Consul 1.4.0 for migration from the previous ACL system. It -will be removed in a future major Consul version when support for legacy ACLs is removed. +-> **Deprecated** - This endpoint was removed in Consul 1.11.0. +This endpoint was introduced in Consul 1.4.0 for migration from the previous ACL system. This endpoint translates the legacy rule syntax into the latest syntax. It is intended to be used by operators managing Consul's ACLs and performing legacy token to new policy @@ -226,8 +226,8 @@ agent_prefix "" { ## Translate a Legacy Token's Rules --> **Deprecated** - This endpoint was introduced in Consul 1.4.0 for migration from the previous ACL system.. It -will be removed in a future major Consul version when support for legacy ACLs is removed. +-> **Deprecated** - This endpoint was removed in Consul 1.11.0. +This endpoint was introduced in Consul 1.4.0 for migration from the previous ACL system. This endpoint translates the legacy rules embedded within a legacy ACL into the latest syntax. It is intended to be used by operators managing Consul's ACLs and performing diff --git a/website/content/api-docs/acl/legacy.mdx b/website/content/api-docs/acl/legacy.mdx index 72d7efb10d..27d54d38bc 100644 --- a/website/content/api-docs/acl/legacy.mdx +++ b/website/content/api-docs/acl/legacy.mdx 
@@ -2,17 +2,17 @@ layout: api page_title: Legacy ACLs - HTTP API description: >- - The /acl endpoints create, update, destroy, and query Legacy ACL tokens in + The legacy /acl endpoints to create, update, destroy, and query legacy ACL tokens in Consul. --- # ACL HTTP API --> **Consul 1.4.0 deprecates the legacy ACL system completely.** It's _strongly_ -recommended you do not build anything using the legacy system and consider using +-> **The legacy ACL system was deprecated in Consul 1.4.0 and removed in Consul 1.11.0.** It's _strongly_ +recommended you do not build anything using the legacy system and use the new ACL [Token](/api/acl/tokens) and [Policy](/api/acl/policies) APIs instead. -The `/acl` endpoints create, update, destroy, and query ACL tokens in Consul. +The legacy `/acl` endpoints to create, update, destroy, and query legacy ACL tokens in Consul. For more information about ACLs, please check the [ACL tutorial](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production). diff --git a/website/content/docs/agent/telemetry.mdx b/website/content/docs/agent/telemetry.mdx index 2902d43553..424e9f17a5 100644 --- a/website/content/docs/agent/telemetry.mdx +++ b/website/content/docs/agent/telemetry.mdx 
@@ -329,7 +329,6 @@ These metrics are used to monitor the health of the Consul servers. | Metric | Description | Unit | Type | | --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | ------- | -| `consul.acl.resolveTokenLegacy` | Measures the time it takes to resolve an ACL token using the legacy ACL system. | ms | timer | | `consul.acl.ResolveToken` | Measures the time it takes to resolve an ACL token. | ms | timer | | `consul.acl.ResolveTokenToIdentity` | Measures the time it takes to resolve an ACL token to an Identity. | ms | timer | | `consul.acl.token.cache_hit` | Increments if Consul is able to resolve a token's identity, or a legacy token, from the cache. | cache read op | counter | diff --git a/website/content/docs/security/acl/acl-legacy.mdx b/website/content/docs/security/acl/acl-legacy.mdx index d2e63c5334..b556ee2b00 100644 --- a/website/content/docs/security/acl/acl-legacy.mdx +++ b/website/content/docs/security/acl/acl-legacy.mdx 
@@ -13,8 +13,9 @@ description: >- -> **1.3.0 and earlier:** This document only applies in Consul versions 1.3.0 and before. If you are using version 1.4.0 or later please use the updated documentation [here](/docs/acl/acl-system). ~> **Alert: Deprecation Notice** -The ACL system described here was Consul's original ACL implementation. In Consul 1.4.0 -the ACL system was rewritten and the legacy system was deprecated. The new ACL system information can be found [here](/docs/acl/acl-system). For information on how to migrate to the new ACL System, please read the [Migrate Legacy ACL Tokens](https://learn.hashicorp.com/tutorials/consul/access-control-token-migration) tutorial. +The ACL system described here was Consul's original ACL implementation. +The legacy ACL system was deprecated in Consul 1.4.0 and removed in Consul 1.11.0. +The documentation for the new ACL system can be found [here](/docs/acl/acl-system). For information on how to migrate to the new ACL System, please read the [Migrate Legacy ACL Tokens](https://learn.hashicorp.com/tutorials/consul/access-control-token-migration) tutorial. The legacy documentation has two sections. From dc58a8c3398c65fa5b35aaa738e9deab4596eed2 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Tue, 5 Oct 2021 18:56:27 -0400 Subject: [PATCH 4/4] api: remove the test for TestAPI_RulesTranslate_Raw The API endpoint was removed in a previous commit, so we can no longer test this deprecated method. --- api/acl_test.go | 71 ------------------------------------------------- 1 file changed, 71 deletions(-) diff --git a/api/acl_test.go b/api/acl_test.go index d33f63c505..c4749f23ea 100644 --- a/api/acl_test.go +++ b/api/acl_test.go @@ -1,7 +1,6 @@ package api import ( - "strings" "testing" "time" 
@@ -629,73 +628,3 @@ SxTJANJHqf4BiFtVjN7LZXi3HUIRAsceEbd0TfW5be9SQ0tbDyyGYt/bXtBLGTIh
 }
 return
 }
-
-func TestAPI_RulesTranslate_Raw(t *testing.T) {
- t.Parallel()
- c, s := makeACLClient(t)
- defer s.Stop()
-
- acl := c.ACL()
-
- input := `#start of policy
-agent "" {
- policy = "read"
-}
-
-node "" {
- policy = "read"
-}
-
-service "" {
- policy = "read"
-}
-
-key "" {
- policy = "read"
-}
-
-session "" {
- policy = "read"
-}
-
-event "" {
- policy = "read"
-}
-
-query "" {
- policy = "read"
-}`
-
- expected := `#start of policy
-agent_prefix "" {
- policy = "read"
-}
-
-node_prefix "" {
- policy = "read"
-}
-
-service_prefix "" {
- policy = "read"
-}
-
-key_prefix "" {
- policy = "read"
-}
-
-session_prefix "" {
- policy = "read"
-}
-
-event_prefix "" {
- policy = "read"
-}
-
-query_prefix "" {
- policy = "read"
-}`
-
- rules, err := acl.RulesTranslate(strings.NewReader(input))
- require.NoError(t, err)
- require.Equal(t, expected, rules)
-}