mirror of https://github.com/hashicorp/consul
Update force-leave ACL requirement to operator:write (#7033)
parent
663cf1e9a8
commit
e635b24215
|
@ -475,7 +475,7 @@ func (s *HTTPServer) AgentForceLeave(resp http.ResponseWriter, req *http.Request
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if rule != nil && rule.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
||||
if rule != nil && rule.OperatorWrite(nil) != acl.Allow {
|
||||
return nil, acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
|
|
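Review bot: The new authorization check `rule.OperatorWrite(nil) != acl.Allow` in AgentForceLeave has no comment explaining why operator:write is required instead of agent:write on the local node, and a later reader could easily "fix" it back. I would add a line above it such as `// force-leave acts on another cluster member, so require operator:write rather than agent:write on this node`. The switch is also a behaviour change for callers: tokens that carry only agent:write (including the agent master token, per the updated test) now get `acl.ErrPermissionDenied`, so it deserves an upgrade note if one is not already part of the change. The `rule != nil` guard skips the check entirely when no rule is resolved, presumably the ACLs-disabled case; that is worth confirming against the resolver, whose call sits outside this hunk along with the rest of the function body.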
@ -1646,7 +1646,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
|
|||
|
||||
t.Run("agent master token", func(t *testing.T) {
|
||||
req, _ := http.NewRequest("PUT", uri+"?token=towel", nil)
|
||||
if _, err := a.srv.AgentForceLeave(nil, req); err != nil {
|
||||
if _, err := a.srv.AgentForceLeave(nil, req); !acl.IsErrPermissionDenied(err) {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
})
|
||||
|
@ -1658,6 +1658,19 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
|
|||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("operator write token", func(t *testing.T) {
|
||||
// Create an ACL with operator read permissions.
|
||||
var rules = `
|
||||
operator = "write"
|
||||
`
|
||||
opToken := testCreateToken(t, a, rules)
|
||||
|
||||
req, _ := http.NewRequest("PUT", fmt.Sprintf(uri+"?token=%s", opToken), nil)
|
||||
if _, err := a.srv.AgentForceLeave(nil, req); err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func TestAgent_ForceLeavePrune(t *testing.T) {
|
||||
|
|
|
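Review bot: The comment in the new "operator write token" subtest says `// Create an ACL with operator read permissions.` but the rules grant `operator = "write"`; it should read `// Create an ACL with operator write permissions.`. The test also never checks the boundary the commit is about: nothing asserts that a token with only `operator = "read"` is denied, so a regression that accepts any operator rule would still pass. I would add a sibling subtest for that case, shown below, next to the existing one. TestAgent_ForceLeave_ACLDeny starts outside these hunks, so `uri` and `a` are assumed to be in scope as they are for the existing subtests.

```go
// … unchanged: "operator write token" subtest …
	t.Run("operator read token", func(t *testing.T) {
		// operator:read must not be sufficient to force-leave a node.
		var rules = `
operator = "read"
`
		roToken := testCreateToken(t, a, rules)

		req, _ := http.NewRequest("PUT", fmt.Sprintf(uri+"?token=%s", roToken), nil)
		if _, err := a.srv.AgentForceLeave(nil, req); !acl.IsErrPermissionDenied(err) {
			t.Fatalf("err: %v", err)
		}
	})
```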
@ -506,7 +506,7 @@ The table below shows this endpoint's support for
|
|||
|
||||
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||
| ---------------- | ----------------- | ------------- | ------------- |
|
||||
| `NO` | `none` | `none` | `agent:write` |
|
||||
| `NO` | `none` | `none` | `operator:write` |
|
||||
|
||||
### Parameters
|
||||
|
||||
|
|