diff --git a/command/agent/agent.go b/command/agent/agent.go index fdc5536783..289637adcc 100644 --- a/command/agent/agent.go +++ b/command/agent/agent.go @@ -184,6 +184,9 @@ func (a *Agent) consulConfig() *consul.Config { if a.config.ACLToken != "" { base.ACLToken = a.config.ACLToken } + if a.config.ACLMasterToken != "" { + base.ACLMasterToken = a.config.ACLMasterToken + } if a.config.ACLDatacenter != "" { base.ACLDatacenter = a.config.ACLDatacenter } diff --git a/command/agent/config.go b/command/agent/config.go index 3da8f8ff84..87584e1a2b 100644 --- a/command/agent/config.go +++ b/command/agent/config.go @@ -198,6 +198,11 @@ type Config struct { // token is not provided. If not configured the 'anonymous' token is used. ACLToken string `mapstructure:"acl_token" json:"-"` + // ACLMasterToken is used to bootstrap the ACL system. It should be specified + // on the servers in the ACLDatacenter. When the leader comes online, it ensures + // that the Master token is available. This provides the initial token. + ACLMasterToken string `mapstructure:"acl_master_token" json:"-"` + // ACLDatacenter is the central datacenter that holds authoritative // ACL records. This must be the same for the entire cluster. // If this is not set, ACLs are not enabled. Off by default. @@ -627,6 +632,9 @@ func MergeConfig(a, b *Config) *Config { if b.ACLToken != "" { result.ACLToken = b.ACLToken } + if b.ACLMasterToken != "" { + result.ACLMasterToken = b.ACLMasterToken + } if b.ACLDatacenter != "" { result.ACLDatacenter = b.ACLDatacenter } diff --git a/command/agent/config_test.go b/command/agent/config_test.go index 973964dcd5..9bc67c69c0 100644 --- a/command/agent/config_test.go +++ b/command/agent/config_test.go @@ -360,7 +360,7 @@ func TestDecodeConfig(t *testing.T) { // ACLs input = `{"acl_token": "1234", "acl_datacenter": "dc2", "acl_ttl": "60s", "acl_down_policy": "deny", - "acl_default_policy": "deny"}` + "acl_default_policy": "deny", "acl_master_token": "2345"}` config, err = DecodeConfig(bytes.NewReader([]byte(input))) if err != nil { t.Fatalf("err: %s", err) @@ -369,6 +369,9 @@ func TestDecodeConfig(t *testing.T) { if config.ACLToken != "1234" { t.Fatalf("bad: %#v", config) } + if config.ACLMasterToken != "2345" { + t.Fatalf("bad: %#v", config) + } if config.ACLDatacenter != "dc2" { t.Fatalf("bad: %#v", config) } @@ -529,6 +532,7 @@ func TestMergeConfig(t *testing.T) { CheckUpdateInterval: 8 * time.Minute, CheckUpdateIntervalRaw: "8m", ACLToken: "1234", + ACLMasterToken: "2345", ACLDatacenter: "dc2", ACLTTL: 15 * time.Second, ACLTTLRaw: "15s", diff --git a/consul/config.go b/consul/config.go index 92605b33ba..f49c8933a6 100644 --- a/consul/config.go +++ b/consul/config.go @@ -133,6 +133,11 @@ type Config struct { // backwards compatibility as well. ACLToken string + // ACLMasterToken is used to bootstrap the ACL system. It should be specified + // on the servers in the ACLDatacenter. When the leader comes online, it ensures + // that the Master token is available. This provides the initial token. + ACLMasterToken string + // ACLDatacenter provides the authoritative datacenter for ACL // tokens. If not provided, ACL verification is disabled. ACLDatacenter string