ACL Token Persistence and Reloading

[mkeeler]

This PR adds two features which will be useful for operators when ACLs are in use.

1. Tokens set in configuration files are now reloadable.
2. If acl.enable_token_persistence is set to true in the configuration, tokens set via the v1/agent/token endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload)

Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change.

Some other secondary changes:

• Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly.
• Allowed better paths in the v1/agent/token/ API. Instead of paths like: v1/agent/token/acl_replication_token the path can now be just v1/agent/token/replication. The old paths remain to be valid.
• Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication.
• Docs updated to reflect the API additions and to show using the new endpoints.
• Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs. I kind of went back and forth on this one. We may want to let it continue using the deprecated ones so that it will work with 1.4.0 - 1.4.2. However people could always just used the older CLI which is probably what they will be using if they haven't upgraded things to 1.4.3 yet? If anyone has concerns about this I would be open to flipping it back to the deprecated APIs.

[rboyer]

Why not hard-fail if the file is unreadable or corrupt? It seems like an unlikely event that should warrant extraordinary operational attention.

[mkeeler]

I guess it could be a hard fail. I modeled this off of other load* functions which did similarly.

[mkeeler]

Should a corrupt file prevent the agent from starting at all? Thats what would happen with a hard fail.

[mkeeler]

Should corrupt persisted services prevent the agent from starting up?. I think the answer is no and we should instead just log the warning.

[rboyer]

If we go for worst case scenario, the agent isn't going to be terribly useful on restart if the sole store of tokens is that file, it's corrupt, and the operator is has a full belt-and-suspenders ACL setup configured.

Sure the agent will start, but it won't have any acl tokens with which to operate. If you had a fleet of hundreds of agents how can you tell the difference between an operational one and one that starts up but has no valid tokens?

But then I guess this is nearly indistinguishable from an agent having all of its acl tokens be rotated into the bit bucket already today.

[mkeeler]

Yes, but with the agent up you can remedy the situation by PUTing new tokens to the API. Which is better than needing to, remote in, blow away/fix the corrupt file and restart (maybe still need to repost up tokens depending on the corruption).

[rboyer]

Well if you were being secure about it, the API would only be bound to loopback anyway, so remoting in is still required.

[mkeeler]

I disagree that the only secure way to enable the API is bound to loopback. If using HTTPs + ACLs I would allow it on the LAN.

Additionally, even if not able to directly connect to the API I would say that doing a consul acl set-agent-token ... is much easier/reliable then having to hand edit files (which is still always a viable alternative).

[kyhavlov]

This looks great, Matt. Just one comment/question but otherwise 👍

[kyhavlov]

The persistedTokens struct could be used here as well