diff --git a/acl/acl.go b/acl/acl.go
index 12100966a..a42698e83 100644
--- a/acl/acl.go
+++ b/acl/acl.go
@@ -1,9 +1,22 @@
 package acl
 import (
+ "fmt"
+
 iradix "github.com/hashicorp/go-immutable-radix"
 )
+// ManagementACL is a singleton used for management tokens
+var ManagementACL *ACL
+
+func init() {
+ var err error
+ ManagementACL, err = NewACL(true, nil)
+ if err != nil {
+ panic(fmt.Errorf("failed to setup management ACL: %v", err))
+ }
+}
+
 // capabilitySet is a type wrapper to help managing a set of capabilities
 type capabilitySet map[string]struct{}
diff --git a/nomad/acl.go b/nomad/acl.go
index 2d6f009ae..259180d96 100644
--- a/nomad/acl.go
+++ b/nomad/acl.go
@@ -3,7 +3,6 @@ package nomad
 import (
 "crypto/sha1"
 "encoding/binary"
- "errors"
 "fmt"
 "time"
@@ -14,23 +13,6 @@ import (
 "github.com/hashicorp/nomad/nomad/structs"
 )
-var (
- // tokenNotFound indicates the Token was not found
- tokenNotFound = errors.New("ACL token not found")
- // managementACL is used for all management tokens
- managementACL *acl.ACL
-)
-func init() {
- // managementACL has management flag enabled
- var err error
- managementACL, err = acl.NewACL(true, nil)
- if err != nil {
- panic(fmt.Errorf("failed to setup management ACL: %v", err))
- }
-}
-
 // resolveToken is used to translate an ACL Token Secret ID into
 // an ACL object, nil if ACLs are disabled, or an error.
 func (s *Server) resolveToken(secretID string) (*acl.ACL, error) {
@@ -60,12 +42,12 @@ func resolveTokenFromSnapshotCache(snap *state.StateSnapshot, cache *lru.TwoQueu
 return nil, err
 }
 if token == nil {
- return nil, tokenNotFound
+ return nil, structs.TokenNotFound
 }
 // Check if this is a management token
 if token.Type == structs.ACLManagementToken {
- return managementACL, nil
+ return acl.ManagementACL, nil
 }
 // Get all associated policies
diff --git a/nomad/acl_test.go b/nomad/acl_test.go
index dab23094c..50a739106 100644
--- a/nomad/acl_test.go
+++ b/nomad/acl_test.go
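Review bot: `ManagementACL` on the added `var ManagementACL *ACL` line is an exported, reassignable package variable whose pointee is handed straight to callers (the last nomad/acl.go hunk returns it from `resolveTokenFromSnapshotCache`), so any code that reassigns it or mutates the *ACL behind it silently changes the authorization outcome for every management token at once. Whether *ACL carries mutable state is not visible here; if it does, the shared instance deserves a comment that makes the contract explicit, e.g. `// ManagementACL is a singleton used for management tokens. It is shared by every` / `// caller and must never be reassigned or mutated after init.` Keeping the variable unexported behind an accessor would also prevent accidental reassignment from other packages, but that widens the change beyond this commit.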
@@ -38,7 +38,7 @@ func TestResolveACLToken(t *testing.T) {
 // Attempt resolution of unknown token. Should fail.
 randID := structs.GenerateUUID()
 aclObj, err := resolveTokenFromSnapshotCache(snap, cache, randID)
- assert.Equal(t, tokenNotFound, err)
+ assert.Equal(t, structs.TokenNotFound, err)
 assert.Nil(t, aclObj)
 // Attempt resolution of management token. Should get singleton.
@@ -46,7 +46,7 @@ func TestResolveACLToken(t *testing.T) {
 assert.Nil(t, err)
 assert.NotNil(t, aclObj)
 assert.Equal(t, true, aclObj.IsManagement())
- if aclObj != managementACL {
+ if aclObj != acl.ManagementACL {
 t.Fatalf("expected singleton")
 }
diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go
index 42c399376..9fac8fcfa 100644
--- a/nomad/structs/structs.go
+++ b/nomad/structs/structs.go
@@ -5421,6 +5421,9 @@ type ACLPolicyUpsertRequest struct {
 WriteRequest
 }
+// TokenNotFound indicates the Token was not found
+var TokenNotFound = errors.New("ACL token not found")
+
 // ACLToken represents a client token which is used to Authenticate
 type ACLToken struct {
 AccessorID string // Public Accessor ID (UUID)
@@ -5434,6 +5437,18 @@ type ACLToken struct {
 ModifyIndex uint64
 }
+var (
+ // AnonymousACLToken is used no SecretID is provided, and the
+ // request is made anonymously.
+ AnonymousACLToken = &ACLToken{
+ AccessorID: "anonymous",
+ Name: "Anonymous Token",
+ Type: ACLClientToken,
+ Policies: []string{"anonymous"},
+ Global: false,
+ }
+)
+
 type ACLTokenListStub struct {
 AccessorID string
 Name string
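Review bot: The sentinel on the added `var TokenNotFound = errors.New("ACL token not found")` line departs from the Go convention that exported error variables carry an `Err` prefix (`ErrTokenNotFound`), which is what lets readers and linters recognise it as an error at call sites such as the `structs.TokenNotFound` comparison in nomad/acl.go. Renaming is cheap while the only users are the two call sites in this diff. The doc comment could also state that callers compare against it by identity, e.g. `// ErrTokenNotFound is returned when a token lookup by SecretID finds nothing; callers compare against it directly.` The `errors` import this line relies on is outside the hunk and is presumably already present in structs.go, since the diff does not add it.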
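Review bot: `AnonymousACLToken` is an exported pointer to one shared `ACLToken` whose `Policies` slice is shared as well, so any caller that writes to the token it receives (setting a field or appending to `Policies`) changes the policy set applied to every later anonymous request; the doc comment should say it is read-only, and it also has a typo (`is used no SecretID` is missing `when`). Suggested comment: `// AnonymousACLToken is used when no SecretID is provided, and the` / `// request is made anonymously. It is shared across requests and must` / `// be treated as read-only; callers that need a mutable token should copy it.` Whether any existing code path mutates the token is not visible in this hunk.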