diff --git a/command/agent/config.go b/command/agent/config.go
index 5c14ae3641..3da8f8ff84 100644
--- a/command/agent/config.go
+++ b/command/agent/config.go
@@ -203,10 +203,16 @@ type Config struct {
 // If this is not set, ACLs are not enabled. Off by default.
 ACLDatacenter string `mapstructure:"acl_datacenter"`
- // ACLCacheInterval is used to control how long ACLs are cached. This has
+ // ACLTTL is used to control the time-to-live of cached ACLs . This has
 // a major impact on performance. By default, it is set to 30 seconds.
- ACLCacheInterval time.Duration `mapstructure:"-"`
- ACLCacheIntervalRaw string `mapstructure:"acl_cache_interval"`
+ ACLTTL time.Duration `mapstructure:"-"`
+ ACLTTLRaw string `mapstructure:"acl_ttl"`
+
+ // ACLDefaultPolicy is used to control the ACL interaction when
+ // there is no defined policy. This can be "allow" which means
+ // ACLs are used to black-list, or "deny" which means ACLs are
+ // white-lists.
+ ACLDefaultPolicy string `mapstructure:"acl_default_policy"`
 // ACLDownPolicy is used to control the ACL interaction when we cannot
 // reach the ACLDatacenter and the token is not in the cache.
@@ -270,8 +276,9 @@ func DefaultConfig() *Config {
 Protocol: consul.ProtocolVersionMax,
 CheckUpdateInterval: 5 * time.Minute,
 AEInterval: time.Minute,
- ACLCacheInterval: 30 * time.Second,
+ ACLTTL: 30 * time.Second,
 ACLDownPolicy: "extend-cache",
+ ACLDefaultPolicy: "allow",
 }
 }
@@ -367,12 +374,12 @@ func DecodeConfig(r io.Reader) (*Config, error) {
 result.CheckUpdateInterval = dur
 }
- if raw := result.ACLCacheIntervalRaw; raw != "" {
+ if raw := result.ACLTTLRaw; raw != "" {
 dur, err := time.ParseDuration(raw)
 if err != nil {
- return nil, fmt.Errorf("ACLCacheInterval invalid: %v", err)
+ return nil, fmt.Errorf("ACL TTL invalid: %v", err)
 }
- result.ACLCacheInterval = dur
+ result.ACLTTL = dur
 }
 return &result, nil
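Review bot: The new ACLTTL doc comment in the Config struct hunk carries a stray space before the period (`cached ACLs . This has`), and the ACLDefaultPolicy comment never states the default, even though DefaultConfig in this same commit sets it to "allow", which is the permissive choice an operator should be able to see from the field documentation. Suggested lines: `// ACLTTL is used to control the time-to-live of cached ACLs. This has` and, closing the ACLDefaultPolicy comment, `// white-lists. Defaults to "allow" (see DefaultConfig).` The Config struct continues outside this hunk.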
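Review bot: ACLDefaultPolicy is decoded straight into the returned Config with no check that it is one of the two documented values, so a misspelled policy string is accepted here and whatever reads the field later decides what an unrecognised value means; DecodeConfig's body starts outside this hunk, but the natural place is beside the ACL TTL parsing shown: `if p := result.ACLDefaultPolicy; p != "" && p != "allow" && p != "deny" {` / `return nil, fmt.Errorf("ACL default policy invalid: %q", p)` / `}`. The same check would suit ACLDownPolicy, which predates this change. Separately, moving the mapstructure key from acl_cache_interval to acl_ttl means an existing config file that still sets acl_cache_interval no longer populates ACLTTLRaw; if the decoder ignores unknown keys (not visible here), such a config silently falls back to the 30 second default, so either keep the old key as an alias or reject it explicitly.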
@@ -623,13 +630,16 @@ func MergeConfig(a, b *Config) *Config {
 if b.ACLDatacenter != "" {
 result.ACLDatacenter = b.ACLDatacenter
 }
- if b.ACLCacheIntervalRaw != "" {
- result.ACLCacheInterval = b.ACLCacheInterval
- result.ACLCacheIntervalRaw = b.ACLCacheIntervalRaw
+ if b.ACLTTLRaw != "" {
+ result.ACLTTL = b.ACLTTL
+ result.ACLTTLRaw = b.ACLTTLRaw
 }
 if b.ACLDownPolicy != "" {
 result.ACLDownPolicy = b.ACLDownPolicy
 }
+ if b.ACLDefaultPolicy != "" {
+ result.ACLDefaultPolicy = b.ACLDefaultPolicy
+ }
 // Copy the start join addresses
 result.StartJoin = make([]string, 0, len(a.StartJoin)+len(b.StartJoin))
diff --git a/command/agent/config_test.go b/command/agent/config_test.go
index 17abee7e5b..c543e87005 100644
--- a/command/agent/config_test.go
+++ b/command/agent/config_test.go
@@ -359,7 +359,8 @@ func TestDecodeConfig(t *testing.T) {
 // ACLs
 input = `{"acl_token": "1234", "acl_datacenter": "dc2",
- "acl_cache_interval": "60s", "acl_down_policy": "deny"}`
+ "acl_cache_interval": "60s", "acl_down_policy": "deny",
+ "acl_default_policy": "deny"}`
 config, err = DecodeConfig(bytes.NewReader([]byte(input)))
 if err != nil {
 t.Fatalf("err: %s", err)
@@ -377,6 +378,9 @@ func TestDecodeConfig(t *testing.T) {
 if config.ACLDownPolicy != "deny" {
 t.Fatalf("bad: %#v", config)
 }
+ if config.ACLDefaultPolicy != "deny" {
+ t.Fatalf("bad: %#v", config)
+ }
 }
 func TestDecodeConfig_Service(t *testing.T) {
@@ -526,9 +530,10 @@ func TestMergeConfig(t *testing.T) {
 CheckUpdateIntervalRaw: "8m",
 ACLToken: "1234",
 ACLDatacenter: "dc2",
- ACLCacheInterval: 15 * time.Second,
- ACLCacheIntervalRaw: "15s",
+ ACLTTL: 15 * time.Second,
+ ACLTTLRaw: "15s",
 ACLDownPolicy: "deny",
+ ACLDefaultPolicy: "deny",
 }
 c := MergeConfig(a, b)
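Review bot: The test input in the first config_test.go hunk still sends `"acl_cache_interval": "60s"`, but this commit moves the mapstructure key to acl_ttl, so that key presumably no longer reaches ACLTTLRaw and the TTL parsing branch in DecodeConfig goes unexercised; nothing in the visible hunks asserts config.ACLTTL either. Change the input line to `"acl_ttl": "60s", "acl_down_policy": "deny",` and add `if config.ACLTTL != 60*time.Second { t.Fatalf("bad: %#v", config) }` beside the new ACLDefaultPolicy check, which would also have caught the rename being applied to the struct but not to the fixture. TestDecodeConfig starts and ends outside these hunks.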