ACL Token ID Initialization #5307
Is there anything about replication or snapshot restore that would be affected by this change as implemented?
This will not affect replication or snapshotting at all. The raft requests being applied do not have any new data. The only difference is whether the ids originated from the user or were generated in the RPC code.

This PR should probably wait until we figure out how to remove policy links for deleted policies. Otherwise we could create a policy, link some tokens to it, delete the original policy, and then recreate with the same id but different rules. The original assumption was that policy IDs were guaranteed to be unique and thus it isn't a problem if we left the links around. Allowing pre-generated IDs breaks that assumption.
Lifted from PR #5307 as it was an unrelated drive-by fix on that PR anyway. s/token/policy/
Just wanted to note that this will not be part of 1.5.0 per #5307 (comment). More work required unfortunately.
…ialization # Conflicts: # vendor/github.com/hashicorp/consul/api/acl.go
It wasn't going to make it in, then I had an idea about how to make it okay for now by simply not allowing policy IDs to be set.
🎉 this is great.
I had a couple of comments about adding warnings about picking good tokens that you can take or leave.
Should we also consider updating the ACL guide/reference docs somewhere to make a note this is now possible and can simplify bootstrapping?
Co-Authored-By: mkeeler <mkeeler@users.noreply.github.com>
…consul into feature/acl-id-initialization
…ialization # Conflicts: # agent/consul/acl_endpoint.go # agent/consul/acl_endpoint_test.go # agent/structs/acl.go # command/acl/token/create/token_create.go # command/acl/token/update/token_update.go
Can't wait for this PR as it'll allow us to encrypt the
Fixes #4977
This PR allows the ACL token accessor and secret IDs, and the ACL policy ID, to be set to a user-supplied UUID during their first creation. These IDs are still immutable once set, but this allows external configuration management systems to generate the UUIDs and populate Consul agent configurations without first having to spin up the Consul servers to create the tokens.
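As an added example (not code from this PR or the Consul project), here is a small Python helper for the workflow the description above describes and the "picking good tokens" concern raised in review: it pre-generates accessor and secret IDs from the OS CSPRNG, rejects predictable or non-canonical UUIDs, and builds the `PUT /v1/acl/token` body together with the `acl.tokens.agent` config fragment. The function names and the sample policy name are assumptions.

```python
import json
import secrets
import uuid

NIL_UUID = uuid.UUID(int=0)


def new_id() -> str:
    """Random version-4 UUID built from 16 CSPRNG bytes (122 bits of entropy)."""
    return str(uuid.UUID(bytes=secrets.token_bytes(16), version=4))


def is_acceptable_id(value: str) -> bool:
    """Accept only canonical, lowercase, random (v4) UUIDs.

    A secret ID is a bearer credential: a nil UUID, or a time- or name-based
    UUID (v1/v3/v5) that an outsider could reconstruct, must not be used.
    """
    try:
        parsed = uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return False
    if str(parsed) != value:
        return False  # braces, urn: prefix, missing hyphens or uppercase hex
    return parsed != NIL_UUID and parsed.version == 4


def token_create_body(accessor: str, secret: str, description: str, policies) -> dict:
    """Request body for PUT /v1/acl/token with caller-chosen IDs (assumed helper)."""
    if not (is_acceptable_id(accessor) and is_acceptable_id(secret)):
        raise ValueError("accessor and secret must be random v4 UUIDs")
    if accessor == secret:
        raise ValueError("accessor and secret must differ")
    return {
        "AccessorID": accessor,
        "SecretID": secret,
        "Description": description,
        "Policies": [{"Name": name} for name in policies],
    }


def agent_config(secret: str) -> dict:
    """Agent config fragment; only the secret (never the accessor) goes here."""
    return {"acl": {"tokens": {"agent": secret}}}


if __name__ == "__main__":
    accessor, secret = new_id(), new_id()
    print(json.dumps(token_create_body(accessor, secret, "agent token", ["agent-read"]), indent=2))
    print(json.dumps(agent_config(secret), indent=2))
```

The accessor may be shared freely in change tickets and token listings, while the secret should be written only to the agent config and treated like any other credential.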