Modifies the server reconcile path so that it no longer uses the server's token for internal operations.
parent
a094a58163
commit
d428bc63c1
|
@ -464,10 +464,9 @@ AFTER_CHECK:
|
||||||
Status: structs.HealthPassing,
|
Status: structs.HealthPassing,
|
||||||
Output: SerfCheckAliveOutput,
|
Output: SerfCheckAliveOutput,
|
||||||
},
|
},
|
||||||
WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
|
|
||||||
}
|
}
|
||||||
var out struct{}
|
_, err = s.raftApply(structs.RegisterRequestType, &req)
|
||||||
return s.endpoints.Catalog.Register(&req, &out)
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// handleFailedMember is used to mark the node's status
|
// handleFailedMember is used to mark the node's status
|
||||||
|
@ -505,10 +504,9 @@ func (s *Server) handleFailedMember(member serf.Member) error {
|
||||||
Status: structs.HealthCritical,
|
Status: structs.HealthCritical,
|
||||||
Output: SerfCheckFailedOutput,
|
Output: SerfCheckFailedOutput,
|
||||||
},
|
},
|
||||||
WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
|
|
||||||
}
|
}
|
||||||
var out struct{}
|
_, err = s.raftApply(structs.RegisterRequestType, &req)
|
||||||
return s.endpoints.Catalog.Register(&req, &out)
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// handleLeftMember is used to handle members that gracefully
|
// handleLeftMember is used to handle members that gracefully
|
||||||
|
@ -555,10 +553,9 @@ func (s *Server) handleDeregisterMember(reason string, member serf.Member) error
|
||||||
req := structs.DeregisterRequest{
|
req := structs.DeregisterRequest{
|
||||||
Datacenter: s.config.Datacenter,
|
Datacenter: s.config.Datacenter,
|
||||||
Node: member.Name,
|
Node: member.Name,
|
||||||
WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
|
|
||||||
}
|
}
|
||||||
var out struct{}
|
_, err = s.raftApply(structs.DeregisterRequestType, &req)
|
||||||
return s.endpoints.Catalog.Deregister(&req, &out)
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// joinConsulServer is used to try to join another consul server
|
// joinConsulServer is used to try to join another consul server
|
||||||
|
@ -715,7 +712,6 @@ func (s *Server) reapTombstones(index uint64) {
|
||||||
Datacenter: s.config.Datacenter,
|
Datacenter: s.config.Datacenter,
|
||||||
Op: structs.TombstoneReap,
|
Op: structs.TombstoneReap,
|
||||||
ReapIndex: index,
|
ReapIndex: index,
|
||||||
WriteRequest: structs.WriteRequest{Token: s.config.GetTokenForAgent()},
|
|
||||||
}
|
}
|
||||||
_, err := s.raftApply(structs.TombstoneRequestType, &req)
|
_, err := s.raftApply(structs.TombstoneRequestType, &req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
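Review bot: Replacing `return s.endpoints.Catalog.Register(&req, &out)` with a direct `_, err = s.raftApply(structs.RegisterRequestType, &req)` in the first hunk skips everything the endpoint did before applying, not just the ACL check the dropped `GetTokenForAgent()` token was satisfying; whatever pre-apply validation Catalog.Register performs on the node and check fields no longer runs for requests built from serf member data (`Node: member.Name` is visible in the third hunk), and the same applies to the second hunk and to the Catalog.Deregister replacement in the third. The FSM response is also discarded with `_`; if the FSM reports a failure through the response value rather than the error, as the endpoint path presumably checked, that failure is now silent, so this is worth confirming against raftApply's contract. A short comment at each of the three call sites would keep the intent from being undone later, e.g. `// Applied directly to raft: this is the leader's own reconcile path, so the endpoint's ACL enforcement is intentionally bypassed and no agent token is needed.` The enclosing functions all start outside their hunks, where the `err` that the new `_, err =` assignments reuse must already be declared.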
@ -14,7 +14,12 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestLeader_RegisterMember(t *testing.T) {
|
func TestLeader_RegisterMember(t *testing.T) {
|
||||||
dir1, s1 := testServer(t)
|
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||||
|
c.ACLDatacenter = "dc1"
|
||||||
|
c.ACLMasterToken = "root"
|
||||||
|
c.ACLDefaultPolicy = "deny"
|
||||||
|
c.ACLEnforceVersion8 = true
|
||||||
|
})
|
||||||
defer os.RemoveAll(dir1)
|
defer os.RemoveAll(dir1)
|
||||||
defer s1.Shutdown()
|
defer s1.Shutdown()
|
||||||
|
|
||||||
|
@ -81,7 +86,12 @@ func TestLeader_RegisterMember(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestLeader_FailedMember(t *testing.T) {
|
func TestLeader_FailedMember(t *testing.T) {
|
||||||
dir1, s1 := testServer(t)
|
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||||
|
c.ACLDatacenter = "dc1"
|
||||||
|
c.ACLMasterToken = "root"
|
||||||
|
c.ACLDefaultPolicy = "deny"
|
||||||
|
c.ACLEnforceVersion8 = true
|
||||||
|
})
|
||||||
defer os.RemoveAll(dir1)
|
defer os.RemoveAll(dir1)
|
||||||
defer s1.Shutdown()
|
defer s1.Shutdown()
|
||||||
|
|
||||||
|
@ -140,7 +150,12 @@ func TestLeader_FailedMember(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestLeader_LeftMember(t *testing.T) {
|
func TestLeader_LeftMember(t *testing.T) {
|
||||||
dir1, s1 := testServer(t)
|
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||||
|
c.ACLDatacenter = "dc1"
|
||||||
|
c.ACLMasterToken = "root"
|
||||||
|
c.ACLDefaultPolicy = "deny"
|
||||||
|
c.ACLEnforceVersion8 = true
|
||||||
|
})
|
||||||
defer os.RemoveAll(dir1)
|
defer os.RemoveAll(dir1)
|
||||||
defer s1.Shutdown()
|
defer s1.Shutdown()
|
||||||
|
|
||||||
|
@ -185,7 +200,12 @@ func TestLeader_LeftMember(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestLeader_ReapMember(t *testing.T) {
|
func TestLeader_ReapMember(t *testing.T) {
|
||||||
dir1, s1 := testServer(t)
|
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||||
|
c.ACLDatacenter = "dc1"
|
||||||
|
c.ACLMasterToken = "root"
|
||||||
|
c.ACLDefaultPolicy = "deny"
|
||||||
|
c.ACLEnforceVersion8 = true
|
||||||
|
})
|
||||||
defer os.RemoveAll(dir1)
|
defer os.RemoveAll(dir1)
|
||||||
defer s1.Shutdown()
|
defer s1.Shutdown()
|
||||||
|
|
||||||
|
@ -244,7 +264,12 @@ func TestLeader_ReapMember(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestLeader_Reconcile_ReapMember(t *testing.T) {
|
func TestLeader_Reconcile_ReapMember(t *testing.T) {
|
||||||
dir1, s1 := testServer(t)
|
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||||
|
c.ACLDatacenter = "dc1"
|
||||||
|
c.ACLMasterToken = "root"
|
||||||
|
c.ACLDefaultPolicy = "deny"
|
||||||
|
c.ACLEnforceVersion8 = true
|
||||||
|
})
|
||||||
defer os.RemoveAll(dir1)
|
defer os.RemoveAll(dir1)
|
||||||
defer s1.Shutdown()
|
defer s1.Shutdown()
|
||||||
|
|
||||||
|
@ -261,6 +286,9 @@ func TestLeader_Reconcile_ReapMember(t *testing.T) {
|
||||||
Name: SerfCheckName,
|
Name: SerfCheckName,
|
||||||
Status: structs.HealthCritical,
|
Status: structs.HealthCritical,
|
||||||
},
|
},
|
||||||
|
WriteRequest: structs.WriteRequest{
|
||||||
|
Token: "root",
|
||||||
|
},
|
||||||
}
|
}
|
||||||
var out struct{}
|
var out struct{}
|
||||||
if err := s1.RPC("Catalog.Register", &dead, &out); err != nil {
|
if err := s1.RPC("Catalog.Register", &dead, &out); err != nil {
|
||||||
|
@ -284,7 +312,12 @@ func TestLeader_Reconcile_ReapMember(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestLeader_Reconcile(t *testing.T) {
|
func TestLeader_Reconcile(t *testing.T) {
|
||||||
dir1, s1 := testServer(t)
|
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||||
|
c.ACLDatacenter = "dc1"
|
||||||
|
c.ACLMasterToken = "root"
|
||||||
|
c.ACLDefaultPolicy = "deny"
|
||||||
|
c.ACLEnforceVersion8 = true
|
||||||
|
})
|
||||||
defer os.RemoveAll(dir1)
|
defer os.RemoveAll(dir1)
|
||||||
defer s1.Shutdown()
|
defer s1.Shutdown()
|
||||||
|
|
||||||
|
@ -562,6 +595,9 @@ func TestLeader_TombstoneGC_Reset(t *testing.T) {
|
||||||
|
|
||||||
func TestLeader_ReapTombstones(t *testing.T) {
|
func TestLeader_ReapTombstones(t *testing.T) {
|
||||||
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||||
|
c.ACLDatacenter = "dc1"
|
||||||
|
c.ACLMasterToken = "root"
|
||||||
|
c.ACLDefaultPolicy = "deny"
|
||||||
c.TombstoneTTL = 50 * time.Millisecond
|
c.TombstoneTTL = 50 * time.Millisecond
|
||||||
c.TombstoneTTLGranularity = 10 * time.Millisecond
|
c.TombstoneTTLGranularity = 10 * time.Millisecond
|
||||||
})
|
})
|
||||||
|
@ -579,6 +615,9 @@ func TestLeader_ReapTombstones(t *testing.T) {
|
||||||
Key: "test",
|
Key: "test",
|
||||||
Value: []byte("test"),
|
Value: []byte("test"),
|
||||||
},
|
},
|
||||||
|
WriteRequest: structs.WriteRequest{
|
||||||
|
Token: "root",
|
||||||
|
},
|
||||||
}
|
}
|
||||||
var out bool
|
var out bool
|
||||||
if err := msgpackrpc.CallWithCodec(codec, "KVS.Apply", &arg, &out); err != nil {
|
if err := msgpackrpc.CallWithCodec(codec, "KVS.Apply", &arg, &out); err != nil {
|
||||||
|
|
|
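Review bot: The same four-line ACL configuration closure is pasted into six tests (TestLeader_RegisterMember through TestLeader_Reconcile) and a three-line variant without `c.ACLEnforceVersion8 = true` into TestLeader_ReapTombstones; a small package-level helper wrapping `testServerWithConfig` would make the intent (reconcile must work under default-deny ACLs without an agent token) visible at each call site and keep the settings in one place. Whether TestLeader_ReapTombstones omits `ACLEnforceVersion8` deliberately is not visible here; a one-line comment on that test's config block would clarify it. The helper could look like the following, with each test then calling `dir1, s1 := testServerWithACLs(t)` in place of the repeated closure.
```go
// testServerWithACLs returns a test server with ACLs enabled in default-deny
// mode, so the leader reconcile paths are exercised under ACL enforcement.
func testServerWithACLs(t *testing.T) (string, *Server) {
	return testServerWithConfig(t, func(c *Config) {
		c.ACLDatacenter = "dc1"
		c.ACLMasterToken = "root"
		c.ACLDefaultPolicy = "deny"
		c.ACLEnforceVersion8 = true
	})
}
```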
@ -454,9 +454,8 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
|
||||||
and servers to perform internal operations to the service catalog. If this isn't specified, then
|
and servers to perform internal operations to the service catalog. If this isn't specified, then
|
||||||
the <a href="#acl_token">`acl_token`</a> will be used. This was added in Consul 0.7.2.
|
the <a href="#acl_token">`acl_token`</a> will be used. This was added in Consul 0.7.2.
|
||||||
<br><br>
|
<br><br>
|
||||||
For clients, this token must at least have write access to the node name it will register as. For
|
This token must at least have write access to the node name it will register as in order to set any
|
||||||
servers, this must have write access to all nodes that are expected to join the cluster, as well
|
of the node-level information in the catalog such as metadata, or the node's tagged addresses.
|
||||||
as write access to the "consul" service, which will be registered automatically on its behalf.
|
|
||||||
|
|
||||||
* <a name="acl_enforce_version_8"></a><a href="#acl_enforce_version_8">`acl_enforce_version_8`</a> -
|
* <a name="acl_enforce_version_8"></a><a href="#acl_enforce_version_8">`acl_enforce_version_8`</a> -
|
||||||
Used for clients and servers to determine if enforcement should occur for new ACL policies being
|
Used for clients and servers to determine if enforcement should occur for new ACL policies being
|
||||||
|
|
|
@ -571,13 +571,9 @@ Two new configuration options are used once complete ACLs are enabled:
|
||||||
tokens during normal operation.
|
tokens during normal operation.
|
||||||
* [`acl_agent_token`](/docs/agent/options.html#acl_agent_token) is used internally by
|
* [`acl_agent_token`](/docs/agent/options.html#acl_agent_token) is used internally by
|
||||||
Consul agents to perform operations to the service catalog when registering themselves
|
Consul agents to perform operations to the service catalog when registering themselves
|
||||||
or sending network coordinates to the servers.
|
or sending network coordinates to the servers. This token must at least have `node` ACL
|
||||||
<br>
|
policy `write` access to the node name it will register as in order to register any
|
||||||
<br>
|
node-level information like metadata or tagged addresses.
|
||||||
For clients, this token must at least have `node` ACL policy `write` access to the node
|
|
||||||
name it will register as. For servers, this must have `node` ACL policy `write` access to
|
|
||||||
all nodes that are expected to join the cluster, as well as `service` ACL policy `write`
|
|
||||||
access to the `consul` service, which will be registered automatically on its behalf.
|
|
||||||
|
|
||||||
Since clients now resolve ACLs locally, the [`acl_down_policy`](/docs/agent/options.html#acl_down_policy)
|
Since clients now resolve ACLs locally, the [`acl_down_policy`](/docs/agent/options.html#acl_down_policy)
|
||||||
now applies to Consul clients as well as Consul servers. This will determine what the
|
now applies to Consul clients as well as Consul servers. This will determine what the
|
||||||
|
|