ACL Node Identities #7970
Merged
ACL Node Identities #7970
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mkeeler
force-pushed
the
feature/acl-node-identity
branch
6 times, most recently
from
243348f to
dfe90f3
Compare
mkeeler
force-pushed
the
feature/acl-node-identity
branch
2 times, most recently
from
ce40ebb to
1ad948a
Compare
A Node Identity is very similar to a service identity. Its main targeted use is to allow creating tokens for use by Consul agents that will grant the necessary permissions for all the typical agent operations (node registration, coordinate updates, anti-entropy). Half of this commit is for golden file based tests of the acl token and role cli output. Another big updates was to refactor many of the tests in agent/consul/acl_endpoint_test.go to use the same style of tests and the same helpers. Besides being less boiler plate in the tests it also uses a common way of starting a test server with ACLs that should operate without any warnings regarding deprecated non-uuid master tokens etc.
mkeeler
force-pushed
the
feature/acl-node-identity
branch
from
1ad948a to
937deb7
Compare
hashicorp-ci
pushed a commit
that referenced
this pull request
Jun 16, 2020
A Node Identity is very similar to a service identity. Its main targeted use is to allow creating tokens for use by Consul agents that will grant the necessary permissions for all the typical agent operations (node registration, coordinate updates, anti-entropy). Half of this commit is for golden file based tests of the acl token and role cli output. Another big updates was to refactor many of the tests in agent/consul/acl_endpoint_test.go to use the same style of tests and the same helpers. Besides being less boiler plate in the tests it also uses a common way of starting a test server with ACLs that should operate without any warnings regarding deprecated non-uuid master tokens etc.
blake
added a commit
that referenced
this pull request
Sep 12, 2020
Document `-node-identity` option which was added in #7970 for `acl token <create|update>` and `acl role <create|update>` commands.
blake
added a commit
that referenced
this pull request
Sep 15, 2020
Document `-node-identity` option which was added in #7970 for `acl token <create|update>` and `acl role <create|update>` commands.
hashicorp-ci
pushed a commit
that referenced
this pull request
Sep 15, 2020
Document `-node-identity` option which was added in #7970 for `acl token <create|update>` and `acl role <create|update>` commands.
hashicorp-ci
pushed a commit
that referenced
this pull request
Sep 15, 2020
Document `-node-identity` option which was added in #7970 for `acl token <create|update>` and `acl role <create|update>` commands.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A Node Identity is very similar to a service identity. Its main targeted use is to allow creating tokens for use by Consul agents that will grant the necessary permissions for all the typical agent operations (node registration, coordinate updates, anti-entropy).
Half of the changes in this PR are for golden file based tests of the acl token and role cli output. Another big updates was to refactor many of the tests in agent/consul/acl_endpoint_test.go to use the same style of tests and the same helpers. Besides being less boiler plate in the tests it also uses a common way of starting a test server with ACLs that should operate without any warnings regarding deprecated non-uuid master tokens etc.
There is also a second commit in this PR to address some arm build issues where Gos builtin linker was having trouble linking Consul when CGO is enabled. We might be able to get rid of CGO now that a bug causing a crash on ARM was fixed in go 1.14. For the time being though, setting
-linkmode=externalwill cause Go to use the systems linker which is more robust and can handle our binary perfectly well.