Update force-leave ACL requirement to operator:write (#7033)

pull/7074/head
Freddy 2020-01-14 15:40:34 -07:00 committed by GitHub
parent 663cf1e9a8
commit e635b24215
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 16 additions and 3 deletions


@ -475,7 +475,7 @@ func (s *HTTPServer) AgentForceLeave(resp http.ResponseWriter, req *http.Request
if err != nil {
return nil, err
}
if rule != nil && rule.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
if rule != nil && rule.OperatorWrite(nil) != acl.Allow {
return nil, acl.ErrPermissionDenied
}
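Review bot: The new `rule.OperatorWrite(nil)` check in AgentForceLeave has no comment explaining why the requirement moved off `agent:write` scoped to the local node name. Something like `// force-leave targets a node named in the request, not this agent, so require operator:write` would record the reasoning, assuming that is the intent. The change also narrows access for existing tokens: the test update in this commit shows the agent master token is now denied, so deployments that force-leave with agent:write tokens need new policies and an upgrade note. The guard is still skipped when `rule` is nil, and since the function starts and ends outside the hunk, it cannot be confirmed from here that a nil rule only occurs with ACLs disabled.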


@ -1646,7 +1646,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
t.Run("agent master token", func(t *testing.T) {
req, _ := http.NewRequest("PUT", uri+"?token=towel", nil)
if _, err := a.srv.AgentForceLeave(nil, req); err != nil {
if _, err := a.srv.AgentForceLeave(nil, req); !acl.IsErrPermissionDenied(err) {
t.Fatalf("err: %v", err)
}
})
@ -1658,6 +1658,19 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
t.Fatalf("err: %v", err)
}
})
t.Run("operator write token", func(t *testing.T) {
// Create an ACL with operator read permissions.
var rules = `
operator = "write"
`
opToken := testCreateToken(t, a, rules)
req, _ := http.NewRequest("PUT", fmt.Sprintf(uri+"?token=%s", opToken), nil)
if _, err := a.srv.AgentForceLeave(nil, req); err != nil {
t.Fatalf("err: %v", err)
}
})
}
func TestAgent_ForceLeavePrune(t *testing.T) {
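Review bot: The comment in the new "operator write token" subtest says `// Create an ACL with operator read permissions.` while the rules grant `operator = "write"`; it should read `// Create an ACL with operator write permissions.`. The visible cases also never show that a token holding only `operator = "read"` is rejected, which is the boundary the new check depends on. A negative subtest like the one below would pin it. TestAgent_ForceLeave_ACLDeny starts outside the hunk, so a read-only case may already exist out of view.

```go
// … unchanged: "operator write token" subtest …
t.Run("operator read token", func(t *testing.T) {
	// operator:read must not be sufficient for force-leave.
	var rules = `
	operator = "read"
	`
	roToken := testCreateToken(t, a, rules)
	req, _ := http.NewRequest("PUT", fmt.Sprintf(uri+"?token=%s", roToken), nil)
	if _, err := a.srv.AgentForceLeave(nil, req); !acl.IsErrPermissionDenied(err) {
		t.Fatalf("err: %v", err)
	}
})
```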


@ -506,7 +506,7 @@ The table below shows this endpoint's support for
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
| ---------------- | ----------------- | ------------- | ------------- |
| `NO` | `none` | `none` | `agent:write` |
| `NO` | `none` | `none` | `operator:write` |
### Parameters