diff --git a/api/api.go b/api/api.go index e6a1c9321..50b97954b 100644 --- a/api/api.go +++ b/api/api.go @@ -45,8 +45,8 @@ type QueryOptions struct { // Set HTTP parameters on the query. Params map[string]string - // SecretID is the secret ID of an ACL token - SecretID string + // AuthToken is the secret ID of an ACL token + AuthToken string } // WriteOptions are used to parameterize a write @@ -58,8 +58,8 @@ type WriteOptions struct { // Namespace is the target namespace for the write. Namespace string - // SecretID is the secret ID of an ACL token - SecretID string + // AuthToken is the secret ID of an ACL token + AuthToken string } // QueryMeta is used to return meta data about a query @@ -411,8 +411,8 @@ func (r *request) setQueryOptions(q *QueryOptions) { if q.Namespace != "" { r.params.Set("namespace", q.Namespace) } - if q.SecretID != "" { - r.token = q.SecretID + if q.AuthToken != "" { + r.token = q.AuthToken } if q.AllowStale { r.params.Set("stale", "") @@ -448,8 +448,8 @@ func (r *request) setWriteOptions(q *WriteOptions) { if q.Namespace != "" { r.params.Set("namespace", q.Namespace) } - if q.SecretID != "" { - r.token = q.SecretID + if q.AuthToken != "" { + r.token = q.AuthToken } } diff --git a/api/api_test.go b/api/api_test.go index a3e3c821a..79c86a2d4 100644 --- a/api/api_test.go +++ b/api/api_test.go @@ -173,7 +173,7 @@ func TestSetQueryOptions(t *testing.T) { AllowStale: true, WaitIndex: 1000, WaitTime: 100 * time.Second, - SecretID: "foobar", + AuthToken: "foobar", } r.setQueryOptions(q) @@ -206,7 +206,7 @@ func TestSetWriteOptions(t *testing.T) { q := &WriteOptions{ Region: "foo", Namespace: "bar", - SecretID: "foobar", + AuthToken: "foobar", } r.setWriteOptions(q) @@ -230,7 +230,7 @@ func TestRequestToHTTP(t *testing.T) { q := &QueryOptions{ Region: "foo", Namespace: "bar", - SecretID: "foobar", + AuthToken: "foobar", } r.setQueryOptions(q) req, err := r.toHTTP() diff --git a/client/acl.go b/client/acl.go index 87ca8badd..eb45115cf 100644 --- a/client/acl.go +++ b/client/acl.go @@ -190,7 +190,7 @@ func (c *Client) resolvePolicies(secretID string, policies []string) ([]*structs Names: fetch, QueryOptions: structs.QueryOptions{ Region: c.Region(), - SecretID: secretID, + AuthToken: secretID, AllowStale: true, }, } diff --git a/client/alloc_watcher.go b/client/alloc_watcher.go index 4fb819978..17c0f7f26 100644 --- a/client/alloc_watcher.go +++ b/client/alloc_watcher.go @@ -428,7 +428,7 @@ func (p *remotePrevAlloc) migrateAllocDir(ctx context.Context, nodeAddr string) } url := fmt.Sprintf("/v1/client/allocation/%v/snapshot", p.prevAllocID) - qo := &nomadapi.QueryOptions{SecretID: p.migrateToken} + qo := &nomadapi.QueryOptions{AuthToken: p.migrateToken} resp, err := apiClient.Raw().Response(url, qo) if err != nil { prevAllocDir.Destroy() diff --git a/command/agent/acl_endpoint_test.go b/command/agent/acl_endpoint_test.go index 103ff6685..4ae3a8429 100644 --- a/command/agent/acl_endpoint_test.go +++ b/command/agent/acl_endpoint_test.go @@ -19,8 +19,8 @@ func TestHTTP_ACLPolicyList(t *testing.T) { args := structs.ACLPolicyUpsertRequest{ Policies: []*structs.ACLPolicy{p1, p2, p3}, WriteRequest: structs.WriteRequest{ - Region: "global", - SecretID: s.RootToken.SecretID, + Region: "global", + AuthToken: s.RootToken.SecretID, }, } var resp structs.GenericResponse @@ -68,8 +68,8 @@ func TestHTTP_ACLPolicyQuery(t *testing.T) { args := structs.ACLPolicyUpsertRequest{ Policies: []*structs.ACLPolicy{p1}, WriteRequest: structs.WriteRequest{ - Region: "global", - SecretID: s.RootToken.SecretID, + Region: "global", + AuthToken: s.RootToken.SecretID, }, } var resp structs.GenericResponse @@ -152,8 +152,8 @@ func TestHTTP_ACLPolicyDelete(t *testing.T) { args := structs.ACLPolicyUpsertRequest{ Policies: []*structs.ACLPolicy{p1}, WriteRequest: structs.WriteRequest{ - Region: "global", - SecretID: s.RootToken.SecretID, + Region: "global", + AuthToken: s.RootToken.SecretID, }, } var resp structs.GenericResponse @@ -231,8 +231,8 @@ func TestHTTP_ACLTokenList(t *testing.T) { args := structs.ACLTokenUpsertRequest{ Tokens: []*structs.ACLToken{p1, p2, p3}, WriteRequest: structs.WriteRequest{ - Region: "global", - SecretID: s.RootToken.SecretID, + Region: "global", + AuthToken: s.RootToken.SecretID, }, } var resp structs.ACLTokenUpsertResponse @@ -281,8 +281,8 @@ func TestHTTP_ACLTokenQuery(t *testing.T) { args := structs.ACLTokenUpsertRequest{ Tokens: []*structs.ACLToken{p1}, WriteRequest: structs.WriteRequest{ - Region: "global", - SecretID: s.RootToken.SecretID, + Region: "global", + AuthToken: s.RootToken.SecretID, }, } var resp structs.ACLTokenUpsertResponse @@ -364,8 +364,8 @@ func TestHTTP_ACLTokenDelete(t *testing.T) { args := structs.ACLTokenUpsertRequest{ Tokens: []*structs.ACLToken{p1}, WriteRequest: structs.WriteRequest{ - Region: "global", - SecretID: s.RootToken.SecretID, + Region: "global", + AuthToken: s.RootToken.SecretID, }, } var resp structs.ACLTokenUpsertResponse diff --git a/command/agent/http.go b/command/agent/http.go index 79641f0ba..7ccec71b6 100644 --- a/command/agent/http.go +++ b/command/agent/http.go @@ -447,7 +447,7 @@ func (s *HTTPServer) parseToken(req *http.Request, token *string) { // parse is a convenience method for endpoints that need to parse multiple flags func (s *HTTPServer) parse(resp http.ResponseWriter, req *http.Request, r *string, b *structs.QueryOptions) bool { s.parseRegion(req, r) - s.parseToken(req, &b.SecretID) + s.parseToken(req, &b.AuthToken) parseConsistency(req, b) parsePrefix(req, b) parseNamespace(req, &b.Namespace) @@ -458,6 +458,6 @@ func (s *HTTPServer) parse(resp http.ResponseWriter, req *http.Request, r *strin // write request. func (s *HTTPServer) parseWriteRequest(req *http.Request, w *structs.WriteRequest) { parseNamespace(req, &w.Namespace) - s.parseToken(req, &w.SecretID) + s.parseToken(req, &w.AuthToken) s.parseRegion(req, &w.Region) } diff --git a/command/agent/job_endpoint.go b/command/agent/job_endpoint.go index 2dc8a5811..83b29fc4c 100644 --- a/command/agent/job_endpoint.go +++ b/command/agent/job_endpoint.go @@ -358,8 +358,8 @@ func (s *HTTPServer) jobUpdate(resp http.ResponseWriter, req *http.Request, JobModifyIndex: args.JobModifyIndex, PolicyOverride: args.PolicyOverride, WriteRequest: structs.WriteRequest{ - Region: args.WriteRequest.Region, - SecretID: args.WriteRequest.SecretID, + Region: args.WriteRequest.Region, + AuthToken: args.WriteRequest.SecretID, }, } s.parseWriteRequest(req, ®Req.WriteRequest) diff --git a/nomad/acl_endpoint.go b/nomad/acl_endpoint.go index 374a37b7c..135e77ad7 100644 --- a/nomad/acl_endpoint.go +++ b/nomad/acl_endpoint.go @@ -44,7 +44,7 @@ func (a *ACL) UpsertPolicies(args *structs.ACLPolicyUpsertRequest, reply *struct defer metrics.MeasureSince([]string{"nomad", "acl", "upsert_policies"}, time.Now()) // Check management level permissions - if acl, err := a.srv.ResolveToken(args.SecretID); err != nil { + if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil { return err } else if acl == nil || !acl.IsManagement() { return structs.ErrPermissionDenied @@ -88,7 +88,7 @@ func (a *ACL) DeletePolicies(args *structs.ACLPolicyDeleteRequest, reply *struct defer metrics.MeasureSince([]string{"nomad", "acl", "delete_policies"}, time.Now()) // Check management level permissions - if acl, err := a.srv.ResolveToken(args.SecretID); err != nil { + if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil { return err } else if acl == nil || !acl.IsManagement() { return structs.ErrPermissionDenied @@ -121,7 +121,7 @@ func (a *ACL) ListPolicies(args *structs.ACLPolicyListRequest, reply *structs.AC defer metrics.MeasureSince([]string{"nomad", "acl", "list_policies"}, time.Now()) // Check management level permissions - if acl, err := a.srv.ResolveToken(args.SecretID); err != nil { + if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil { return err } else if acl == nil || !acl.IsManagement() { return structs.ErrPermissionDenied @@ -183,7 +183,7 @@ func (a *ACL) GetPolicy(args *structs.ACLPolicySpecificRequest, reply *structs.S defer metrics.MeasureSince([]string{"nomad", "acl", "get_policy"}, time.Now()) // Check management level permissions - if acl, err := a.srv.ResolveToken(args.SecretID); err != nil { + if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil { return err } else if acl == nil || !acl.IsManagement() { return structs.ErrPermissionDenied @@ -229,14 +229,14 @@ func (a *ACL) GetPolicies(args *structs.ACLPolicySetRequest, reply *structs.ACLP var token *structs.ACLToken var err error - if args.SecretID == "" { + if args.AuthToken == "" { // No need to look up the anonymous token token = structs.AnonymousACLToken } else { // For client typed tokens, allow them to query any policies associated with that token. // This is used by clients which are resolving the policies to enforce. Any associated // policies need to be fetched so that the client can determine what to allow. - token, err = a.srv.State().ACLTokenBySecretID(nil, args.SecretID) + token, err = a.srv.State().ACLTokenBySecretID(nil, args.AuthToken) if err != nil { return err } @@ -420,7 +420,7 @@ func (a *ACL) UpsertTokens(args *structs.ACLTokenUpsertRequest, reply *structs.A defer metrics.MeasureSince([]string{"nomad", "acl", "upsert_tokens"}, time.Now()) // Check management level permissions - if acl, err := a.srv.ResolveToken(args.SecretID); err != nil { + if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil { return err } else if acl == nil || !acl.IsManagement() { return structs.ErrPermissionDenied @@ -507,7 +507,7 @@ func (a *ACL) DeleteTokens(args *structs.ACLTokenDeleteRequest, reply *structs.G defer metrics.MeasureSince([]string{"nomad", "acl", "delete_tokens"}, time.Now()) // Check management level permissions - if acl, err := a.srv.ResolveToken(args.SecretID); err != nil { + if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil { return err } else if acl == nil || !acl.IsManagement() { return structs.ErrPermissionDenied @@ -574,7 +574,7 @@ func (a *ACL) ListTokens(args *structs.ACLTokenListRequest, reply *structs.ACLTo defer metrics.MeasureSince([]string{"nomad", "acl", "list_tokens"}, time.Now()) // Check management level permissions - if acl, err := a.srv.ResolveToken(args.SecretID); err != nil { + if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil { return err } else if acl == nil || !acl.IsManagement() { return structs.ErrPermissionDenied @@ -631,7 +631,7 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin } defer metrics.MeasureSince([]string{"nomad", "acl", "get_token"}, time.Now()) - acl, err := a.srv.ResolveToken(args.SecretID) + acl, err := a.srv.ResolveToken(args.AuthToken) if err != nil { return err } @@ -661,7 +661,7 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin // Check management level permissions or that the secret ID matches the // accessor ID - } else if !acl.IsManagement() && out.SecretID != args.SecretID { + } else if !acl.IsManagement() && out.SecretID != args.AuthToken { return structs.ErrPermissionDenied } @@ -693,7 +693,7 @@ func (a *ACL) GetTokens(args *structs.ACLTokenSetRequest, reply *structs.ACLToke defer metrics.MeasureSince([]string{"nomad", "acl", "get_tokens"}, time.Now()) // Check management level permissions - if acl, err := a.srv.ResolveToken(args.SecretID); err != nil { + if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil { return err } else if acl == nil || !acl.IsManagement() { return structs.ErrPermissionDenied diff --git a/nomad/acl_endpoint_test.go b/nomad/acl_endpoint_test.go index d694777f9..e9e7e9286 100644 --- a/nomad/acl_endpoint_test.go +++ b/nomad/acl_endpoint_test.go @@ -32,8 +32,8 @@ func TestACLEndpoint_GetPolicy(t *testing.T) { get := &structs.ACLPolicySpecificRequest{ Name: policy.Name, QueryOptions: structs.QueryOptions{ - Region: "global", - SecretID: root.SecretID, + Region: "global", + AuthToken: root.SecretID, }, } var resp structs.SingleACLPolicyResponse @@ -86,7 +86,7 @@ func TestACLEndpoint_GetPolicy_Blocking(t *testing.T) { QueryOptions: structs.QueryOptions{ Region: "global", MinQueryIndex: 150, - SecretID: root.SecretID, + AuthToken: root.SecretID, }, } var resp structs.SingleACLPolicyResponse @@ -147,8 +147,8 @@ func TestACLEndpoint_GetPolicies(t *testing.T) { get := &structs.ACLPolicySetRequest{ Names: []string{policy.Name, policy2.Name}, QueryOptions: structs.QueryOptions{ - Region: "global", - SecretID: root.SecretID, + Region: "global", + AuthToken: root.SecretID, }, } var resp structs.ACLPolicySetResponse @@ -190,8 +190,8 @@ func TestACLEndpoint_GetPolicies_TokenSubset(t *testing.T) { get := &structs.ACLPolicySetRequest{ Names: []string{policy.Name}, QueryOptions: structs.QueryOptions{ - Region: "global", - SecretID: token.SecretID, + Region: "global", + AuthToken: token.SecretID, }, } var resp structs.ACLPolicySetResponse @@ -244,7 +244,7 @@ func TestACLEndpoint_GetPolicies_Blocking(t *testing.T) { QueryOptions: structs.QueryOptions{ Region: "global", MinQueryIndex: 150, - SecretID: root.SecretID, + AuthToken: root.SecretID, }, } var resp structs.ACLPolicySetResponse @@ -307,8 +307,8 @@ func TestACLEndpoint_ListPolicies(t *testing.T) { // Lookup the policies get := &structs.ACLPolicyListRequest{ QueryOptions: structs.QueryOptions{ - Region: "global", - SecretID: root.SecretID, + Region: "global", + AuthToken: root.SecretID, }, } var resp structs.ACLPolicyListResponse @@ -321,9 +321,9 @@ func TestACLEndpoint_ListPolicies(t *testing.T) { // Lookup the policies by prefix get = &structs.ACLPolicyListRequest{ QueryOptions: structs.QueryOptions{ - Region: "global", - Prefix: "aaaabb", - SecretID: root.SecretID, + Region: "global", + Prefix: "aaaabb", + AuthToken: root.SecretID, }, } var resp2 structs.ACLPolicyListResponse @@ -356,7 +356,7 @@ func TestACLEndpoint_ListPolicies_Blocking(t *testing.T) { QueryOptions: structs.QueryOptions{ Region: "global", MinQueryIndex: 1, - SecretID: root.SecretID, + AuthToken: root.SecretID, }, } start := time.Now() @@ -409,8 +409,8 @@ func TestACLEndpoint_DeletePolicies(t *testing.T) { req := &structs.ACLPolicyDeleteRequest{ Names: []string{p1.Name}, WriteRequest: structs.WriteRequest{ - Region: "global", - SecretID: root.SecretID, + Region: "global", + AuthToken: root.SecretID, }, } var resp structs.GenericResponse @@ -434,8 +434,8 @@ func TestACLEndpoint_UpsertPolicies(t *testing.T) { req := &structs.ACLPolicyUpsertRequest{ Policies: []*structs.ACLPolicy{p1}, WriteRequest: structs.WriteRequest{ - Region: "global", - SecretID: root.SecretID, + Region: "global", + AuthToken: root.SecretID, }, } var resp structs.GenericResponse @@ -465,8 +465,8 @@ func TestACLEndpoint_UpsertPolicies_Invalid(t *testing.T) { req := &structs.ACLPolicyUpsertRequest{ Policies: []*structs.ACLPolicy{p1}, WriteRequest: structs.WriteRequest{ - Region: "global", - SecretID: root.SecretID, + Region: "global", + AuthToken: root.SecretID, }, } var resp structs.GenericResponse @@ -492,8 +492,8 @@ func TestACLEndpoint_GetToken(t *testing.T) { get := &structs.ACLTokenSpecificRequest{ AccessorID: token.AccessorID, QueryOptions: structs.QueryOptions{ - Region: "global", - SecretID: root.SecretID, + Region: "global", + AuthToken: root.SecretID, }, } var resp structs.SingleACLTokenResponse @@ -513,7 +513,7 @@ func TestACLEndpoint_GetToken(t *testing.T) { // Lookup the token by accessor id using the tokens secret ID get.AccessorID = token.AccessorID - get.SecretID = token.SecretID + get.AuthToken = token.SecretID var resp2 structs.SingleACLTokenResponse if err := msgpackrpc.CallWithCodec(codec, "ACL.GetToken", get, &resp2); err != nil { t.Fatalf("err: %v", err) @@ -556,7 +556,7 @@ func TestACLEndpoint_GetToken_Blocking(t *testing.T) { QueryOptions: structs.QueryOptions{ Region: "global", MinQueryIndex: 150, - SecretID: root.SecretID, + AuthToken: root.SecretID, }, } var resp structs.SingleACLTokenResponse @@ -617,8 +617,8 @@ func TestACLEndpoint_GetTokens(t *testing.T) { get := &structs.ACLTokenSetRequest{ AccessorIDS: []string{token.AccessorID, token2.AccessorID}, QueryOptions: structs.QueryOptions{ - Region: "global", - SecretID: root.SecretID, + Region: "global", + AuthToken: root.SecretID, }, } var resp structs.ACLTokenSetResponse @@ -673,7 +673,7 @@ func TestACLEndpoint_GetTokens_Blocking(t *testing.T) { QueryOptions: structs.QueryOptions{ Region: "global", MinQueryIndex: 150, - SecretID: root.SecretID, + AuthToken: root.SecretID, }, } var resp structs.ACLTokenSetResponse @@ -737,8 +737,8 @@ func TestACLEndpoint_ListTokens(t *testing.T) { // Lookup the tokens get := &structs.ACLTokenListRequest{ QueryOptions: structs.QueryOptions{ - Region: "global", - SecretID: root.SecretID, + Region: "global", + AuthToken: root.SecretID, }, } var resp structs.ACLTokenListResponse @@ -751,9 +751,9 @@ func TestACLEndpoint_ListTokens(t *testing.T) { // Lookup the tokens by prefix get = &structs.ACLTokenListRequest{ QueryOptions: structs.QueryOptions{ - Region: "global", - Prefix: "aaaabb", - SecretID: root.SecretID, + Region: "global", + Prefix: "aaaabb", + AuthToken: root.SecretID, }, } var resp2 structs.ACLTokenListResponse @@ -767,8 +767,8 @@ func TestACLEndpoint_ListTokens(t *testing.T) { get = &structs.ACLTokenListRequest{ GlobalOnly: true, QueryOptions: structs.QueryOptions{ - Region: "global", - SecretID: root.SecretID, + Region: "global", + AuthToken: root.SecretID, }, } var resp3 structs.ACLTokenListResponse @@ -801,7 +801,7 @@ func TestACLEndpoint_ListTokens_Blocking(t *testing.T) { QueryOptions: structs.QueryOptions{ Region: "global", MinQueryIndex: 2, - SecretID: root.SecretID, + AuthToken: root.SecretID, }, } start := time.Now() @@ -854,8 +854,8 @@ func TestACLEndpoint_DeleteTokens(t *testing.T) { req := &structs.ACLTokenDeleteRequest{ AccessorIDs: []string{p1.AccessorID}, WriteRequest: structs.WriteRequest{ - Region: "global", - SecretID: root.SecretID, + Region: "global", + AuthToken: root.SecretID, }, } var resp structs.GenericResponse @@ -979,8 +979,8 @@ func TestACLEndpoint_UpsertTokens(t *testing.T) { req := &structs.ACLTokenUpsertRequest{ Tokens: []*structs.ACLToken{p1}, WriteRequest: structs.WriteRequest{ - Region: "global", - SecretID: root.SecretID, + Region: "global", + AuthToken: root.SecretID, }, } var resp structs.ACLTokenUpsertResponse @@ -1035,8 +1035,8 @@ func TestACLEndpoint_UpsertTokens_Invalid(t *testing.T) { req := &structs.ACLTokenUpsertRequest{ Tokens: []*structs.ACLToken{p1}, WriteRequest: structs.WriteRequest{ - Region: "global", - SecretID: root.SecretID, + Region: "global", + AuthToken: root.SecretID, }, } var resp structs.GenericResponse diff --git a/nomad/alloc_endpoint.go b/nomad/alloc_endpoint.go index a431380b6..f53764a79 100644 --- a/nomad/alloc_endpoint.go +++ b/nomad/alloc_endpoint.go @@ -23,7 +23,7 @@ func (a *Alloc) List(args *structs.AllocListRequest, reply *structs.AllocListRes defer metrics.MeasureSince([]string{"nomad", "alloc", "list"}, time.Now()) // Check namespace read-job permissions - if aclObj, err := a.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := a.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -80,7 +80,7 @@ func (a *Alloc) GetAlloc(args *structs.AllocSpecificRequest, defer metrics.MeasureSince([]string{"nomad", "alloc", "get_alloc"}, time.Now()) // Check namespace read-job permissions - if aclObj, err := a.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := a.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied diff --git a/nomad/alloc_endpoint_test.go b/nomad/alloc_endpoint_test.go index 0a941286d..d1a9cb370 100644 --- a/nomad/alloc_endpoint_test.go +++ b/nomad/alloc_endpoint_test.go @@ -117,19 +117,19 @@ func TestAllocEndpoint_List_ACL(t *testing.T) { assert.NotNil(msgpackrpc.CallWithCodec(codec, "Alloc.List", get, &resp), "RPC") // Try with a valid token - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID assert.Nil(msgpackrpc.CallWithCodec(codec, "Alloc.List", get, &resp), "RPC") assert.EqualValues(resp.Index, 1000, "resp.Index") assert.Equal(stubAllocs, resp.Allocations, "Returned alloc list not equal") // Try with a invalid token - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID err := msgpackrpc.CallWithCodec(codec, "Alloc.List", get, &resp) assert.NotNil(err, "RPC") assert.Equal(err.Error(), structs.ErrPermissionDenied.Error()) // Try with a root token - get.SecretID = root.SecretID + get.AuthToken = root.SecretID assert.Nil(msgpackrpc.CallWithCodec(codec, "Alloc.List", get, &resp), "RPC") assert.EqualValues(resp.Index, 1000, "resp.Index") assert.Equal(stubAllocs, resp.Allocations, "Returned alloc list not equal") @@ -276,19 +276,19 @@ func TestAllocEndpoint_GetAlloc_ACL(t *testing.T) { assert.NotNil(msgpackrpc.CallWithCodec(codec, "Alloc.GetAlloc", get, &resp), "RPC") // Try with a valid token - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID assert.Nil(msgpackrpc.CallWithCodec(codec, "Alloc.GetAlloc", get, &resp), "RPC") assert.EqualValues(resp.Index, 1000, "resp.Index") assert.Equal(alloc, resp.Alloc, "Returned alloc not equal") // Try with a invalid token - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID err := msgpackrpc.CallWithCodec(codec, "Alloc.GetAlloc", get, &resp) assert.NotNil(err, "RPC") assert.Equal(err.Error(), structs.ErrPermissionDenied.Error()) // Try with a root token - get.SecretID = root.SecretID + get.AuthToken = root.SecretID var resp2 structs.SingleAllocResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Alloc.GetAlloc", get, &resp2), "RPC") assert.EqualValues(resp2.Index, 1000, "resp.Index") diff --git a/nomad/deployment_endpoint.go b/nomad/deployment_endpoint.go index 941de35c2..23489be55 100644 --- a/nomad/deployment_endpoint.go +++ b/nomad/deployment_endpoint.go @@ -25,7 +25,7 @@ func (d *Deployment) GetDeployment(args *structs.DeploymentSpecificRequest, defer metrics.MeasureSince([]string{"nomad", "deployment", "get_deployment"}, time.Now()) // Check namespace read-job permissions - if aclObj, err := d.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := d.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -75,7 +75,7 @@ func (d *Deployment) Fail(args *structs.DeploymentFailRequest, reply *structs.De defer metrics.MeasureSince([]string{"nomad", "deployment", "fail"}, time.Now()) // Check namespace submit-job permissions - if aclObj, err := d.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := d.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) { return structs.ErrPermissionDenied @@ -117,7 +117,7 @@ func (d *Deployment) Pause(args *structs.DeploymentPauseRequest, reply *structs. defer metrics.MeasureSince([]string{"nomad", "deployment", "pause"}, time.Now()) // Check namespace submit-job permissions - if aclObj, err := d.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := d.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) { return structs.ErrPermissionDenied @@ -163,7 +163,7 @@ func (d *Deployment) Promote(args *structs.DeploymentPromoteRequest, reply *stru defer metrics.MeasureSince([]string{"nomad", "deployment", "promote"}, time.Now()) // Check namespace submit-job permissions - if aclObj, err := d.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := d.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) { return structs.ErrPermissionDenied @@ -206,7 +206,7 @@ func (d *Deployment) SetAllocHealth(args *structs.DeploymentAllocHealthRequest, defer metrics.MeasureSince([]string{"nomad", "deployment", "set_alloc_health"}, time.Now()) // Check namespace submit-job permissions - if aclObj, err := d.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := d.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) { return structs.ErrPermissionDenied @@ -252,7 +252,7 @@ func (d *Deployment) List(args *structs.DeploymentListRequest, reply *structs.De defer metrics.MeasureSince([]string{"nomad", "deployment", "list"}, time.Now()) // Check namespace read-job permissions - if aclObj, err := d.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := d.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -308,7 +308,7 @@ func (d *Deployment) Allocations(args *structs.DeploymentSpecificRequest, reply defer metrics.MeasureSince([]string{"nomad", "deployment", "allocations"}, time.Now()) // Check namespace read-job permissions - if aclObj, err := d.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := d.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied diff --git a/nomad/deployment_endpoint_test.go b/nomad/deployment_endpoint_test.go index aba18810d..ffa507588 100644 --- a/nomad/deployment_endpoint_test.go +++ b/nomad/deployment_endpoint_test.go @@ -80,19 +80,19 @@ func TestDeploymentEndpoint_GetDeployment_ACL(t *testing.T) { assert.NotNil(msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp), "RPC") // Try with a good token - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp), "RPC") assert.EqualValues(resp.Index, 1000, "resp.Index") assert.Equal(d, resp.Deployment, "Returned deployment not equal") // Try with a bad token - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID err := msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp) assert.NotNil(err, "RPC") assert.Equal(err.Error(), structs.ErrPermissionDenied.Error()) // Try with a root token - get.SecretID = root.SecretID + get.AuthToken = root.SecretID assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp), "RPC") assert.EqualValues(resp.Index, 1000, "resp.Index") assert.Equal(d, resp.Deployment, "Returned deployment not equal") @@ -237,7 +237,7 @@ func TestDeploymentEndpoint_Fail_ACL(t *testing.T) { // Try with an invalid token { - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID var resp structs.DeploymentUpdateResponse err := msgpackrpc.CallWithCodec(codec, "Deployment.Fail", req, &resp) assert.NotNil(err) @@ -246,7 +246,7 @@ func TestDeploymentEndpoint_Fail_ACL(t *testing.T) { // Try with a valid token { - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID var resp structs.DeploymentUpdateResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.Fail", req, &resp), "RPC") assert.NotEqual(resp.Index, uint64(0), "bad response index") @@ -430,7 +430,7 @@ func TestDeploymentEndpoint_Pause_ACL(t *testing.T) { // Try with an invalid token { - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID var resp structs.DeploymentUpdateResponse err := msgpackrpc.CallWithCodec(codec, "Deployment.Pause", req, &resp) assert.NotNil(err) @@ -439,7 +439,7 @@ func TestDeploymentEndpoint_Pause_ACL(t *testing.T) { // Fetch the response with a valid token { - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID var resp structs.DeploymentUpdateResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.Pause", req, &resp), "RPC") assert.NotEqual(resp.Index, uint64(0), "bad response index") @@ -573,7 +573,7 @@ func TestDeploymentEndpoint_Promote_ACL(t *testing.T) { // Try with an invalid token { - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID var resp structs.DeploymentUpdateResponse err := msgpackrpc.CallWithCodec(codec, "Deployment.Promote", req, &resp) assert.NotNil(err) @@ -582,7 +582,7 @@ func TestDeploymentEndpoint_Promote_ACL(t *testing.T) { // Fetch the response with a valid token { - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID var resp structs.DeploymentUpdateResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.Promote", req, &resp), "RPC") assert.NotEqual(resp.Index, uint64(0), "bad response index") @@ -725,7 +725,7 @@ func TestDeploymentEndpoint_SetAllocHealth_ACL(t *testing.T) { // Try with an invalid token { - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID var resp structs.DeploymentUpdateResponse err := msgpackrpc.CallWithCodec(codec, "Deployment.SetAllocHealth", req, &resp) assert.NotNil(err) @@ -734,7 +734,7 @@ func TestDeploymentEndpoint_SetAllocHealth_ACL(t *testing.T) { // Fetch the response with a valid token { - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID var resp structs.DeploymentUpdateResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.SetAllocHealth", req, &resp), "RPC") assert.NotZero(resp.Index, "bad response index") @@ -943,7 +943,7 @@ func TestDeploymentEndpoint_List_ACL(t *testing.T) { // Try with an invalid token { - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID var resp structs.DeploymentUpdateResponse err := msgpackrpc.CallWithCodec(codec, "Deployment.List", get, &resp) assert.NotNil(err) @@ -952,7 +952,7 @@ func TestDeploymentEndpoint_List_ACL(t *testing.T) { // Lookup the deployments with a root token { - get.SecretID = root.SecretID + get.AuthToken = root.SecretID var resp structs.DeploymentListResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.List", get, &resp), "RPC") assert.EqualValues(resp.Index, 1000, "Wrong Index") @@ -962,7 +962,7 @@ func TestDeploymentEndpoint_List_ACL(t *testing.T) { // Lookup the deployments with a valid token { - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID var resp structs.DeploymentListResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.List", get, &resp), "RPC") assert.EqualValues(resp.Index, 1000, "Wrong Index") @@ -1111,7 +1111,7 @@ func TestDeploymentEndpoint_Allocations_ACL(t *testing.T) { // Try with an invalid token { - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID var resp structs.DeploymentUpdateResponse err := msgpackrpc.CallWithCodec(codec, "Deployment.Allocations", get, &resp) assert.NotNil(err) @@ -1120,7 +1120,7 @@ func TestDeploymentEndpoint_Allocations_ACL(t *testing.T) { // Lookup the allocations with a valid token { - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID var resp structs.AllocListResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.Allocations", get, &resp), "RPC") assert.EqualValues(1001, resp.Index, "Wrong Index") @@ -1130,7 +1130,7 @@ func TestDeploymentEndpoint_Allocations_ACL(t *testing.T) { // Lookup the allocations with a root token { - get.SecretID = root.SecretID + get.AuthToken = root.SecretID var resp structs.AllocListResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.Allocations", get, &resp), "RPC") assert.EqualValues(1001, resp.Index, "Wrong Index") diff --git a/nomad/eval_endpoint.go b/nomad/eval_endpoint.go index c021bbdf3..bcbdfb7ce 100644 --- a/nomad/eval_endpoint.go +++ b/nomad/eval_endpoint.go @@ -32,7 +32,7 @@ func (e *Eval) GetEval(args *structs.EvalSpecificRequest, defer metrics.MeasureSince([]string{"nomad", "eval", "get_eval"}, time.Now()) // Check for read-job permissions - if aclObj, err := e.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := e.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -326,7 +326,7 @@ func (e *Eval) List(args *structs.EvalListRequest, defer metrics.MeasureSince([]string{"nomad", "eval", "list"}, time.Now()) // Check for read-job permissions - if aclObj, err := e.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := e.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -383,7 +383,7 @@ func (e *Eval) Allocations(args *structs.EvalSpecificRequest, defer metrics.MeasureSince([]string{"nomad", "eval", "allocations"}, time.Now()) // Check for read-job permissions - if aclObj, err := e.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := e.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied diff --git a/nomad/eval_endpoint_test.go b/nomad/eval_endpoint_test.go index 7ed5bf75c..f46f4e1d9 100644 --- a/nomad/eval_endpoint_test.go +++ b/nomad/eval_endpoint_test.go @@ -93,7 +93,7 @@ func TestEvalEndpoint_GetEval_ACL(t *testing.T) { // Try with an invalid token and expect permission denied { - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID var resp structs.SingleEvalResponse err := msgpackrpc.CallWithCodec(codec, "Eval.GetEval", get, &resp) assert.NotNil(err) @@ -102,7 +102,7 @@ func TestEvalEndpoint_GetEval_ACL(t *testing.T) { // Lookup the eval using a valid token { - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID var resp structs.SingleEvalResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Eval.GetEval", get, &resp)) assert.Equal(uint64(1000), resp.Index, "Bad index: %d %d", resp.Index, 1000) @@ -111,7 +111,7 @@ func TestEvalEndpoint_GetEval_ACL(t *testing.T) { // Lookup the eval using a root token { - get.SecretID = root.SecretID + get.AuthToken = root.SecretID var resp structs.SingleEvalResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Eval.GetEval", get, &resp)) assert.Equal(uint64(1000), resp.Index, "Bad index: %d %d", resp.Index, 1000) @@ -633,7 +633,7 @@ func TestEvalEndpoint_List_ACL(t *testing.T) { // Try with an invalid token and expect permission denied { - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID var resp structs.EvalListResponse err := msgpackrpc.CallWithCodec(codec, "Eval.List", get, &resp) assert.NotNil(err) @@ -642,7 +642,7 @@ func TestEvalEndpoint_List_ACL(t *testing.T) { // List evals with a valid token { - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID var resp structs.EvalListResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Eval.List", get, &resp)) assert.Equal(uint64(1000), resp.Index, "Bad index: %d %d", resp.Index, 1000) @@ -651,7 +651,7 @@ func TestEvalEndpoint_List_ACL(t *testing.T) { // List evals with a root token { - get.SecretID = root.SecretID + get.AuthToken = root.SecretID var resp structs.EvalListResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Eval.List", get, &resp)) assert.Equal(uint64(1000), resp.Index, "Bad index: %d %d", resp.Index, 1000) @@ -801,7 +801,7 @@ func TestEvalEndpoint_Allocations_ACL(t *testing.T) { // Try with an invalid token and expect permission denied { - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID var resp structs.EvalAllocationsResponse err := msgpackrpc.CallWithCodec(codec, "Eval.Allocations", get, &resp) assert.NotNil(err) @@ -810,7 +810,7 @@ func TestEvalEndpoint_Allocations_ACL(t *testing.T) { // Lookup the eval with a valid token { - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID var resp structs.EvalAllocationsResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Eval.Allocations", get, &resp)) assert.Equal(uint64(1000), resp.Index, "Bad index: %d %d", resp.Index, 1000) @@ -819,7 +819,7 @@ func TestEvalEndpoint_Allocations_ACL(t *testing.T) { // Lookup the eval with a root token { - get.SecretID = root.SecretID + get.AuthToken = root.SecretID var resp structs.EvalAllocationsResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Eval.Allocations", get, &resp)) assert.Equal(uint64(1000), resp.Index, "Bad index: %d %d", resp.Index, 1000) diff --git a/nomad/job_endpoint.go b/nomad/job_endpoint.go index a89f4472b..b57003b68 100644 --- a/nomad/job_endpoint.go +++ b/nomad/job_endpoint.go @@ -74,7 +74,7 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis reply.Warnings = structs.MergeMultierrorWarnings(warnings, canonicalizeWarnings) // Check job submission permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil { if !aclObj.AllowNsOp(structs.DefaultNamespace, acl.NamespaceCapabilitySubmitJob) { @@ -313,7 +313,7 @@ func (j *Job) Summary(args *structs.JobSummaryRequest, defer metrics.MeasureSince([]string{"nomad", "job_summary", "get_job_summary"}, time.Now()) // Check for read-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -355,7 +355,7 @@ func (j *Job) Validate(args *structs.JobValidateRequest, reply *structs.JobValid defer metrics.MeasureSince([]string{"nomad", "job", "validate"}, time.Now()) // Check for read-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -395,7 +395,7 @@ func (j *Job) Revert(args *structs.JobRevertRequest, reply *structs.JobRegisterR defer metrics.MeasureSince([]string{"nomad", "job", "revert"}, time.Now()) // Check for submit-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) { return structs.ErrPermissionDenied @@ -460,7 +460,7 @@ func (j *Job) Stable(args *structs.JobStabilityRequest, reply *structs.JobStabil defer metrics.MeasureSince([]string{"nomad", "job", "stable"}, time.Now()) // Check for read-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) { return structs.ErrPermissionDenied @@ -506,7 +506,7 @@ func (j *Job) Evaluate(args *structs.JobEvaluateRequest, reply *structs.JobRegis defer metrics.MeasureSince([]string{"nomad", "job", "evaluate"}, time.Now()) // Check for read-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -576,7 +576,7 @@ func (j *Job) Deregister(args *structs.JobDeregisterRequest, reply *structs.JobD defer metrics.MeasureSince([]string{"nomad", "job", "deregister"}, time.Now()) // Check for submit-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) { return structs.ErrPermissionDenied @@ -655,7 +655,7 @@ func (j *Job) GetJob(args *structs.JobSpecificRequest, defer metrics.MeasureSince([]string{"nomad", "job", "get_job"}, time.Now()) // Check for read-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -701,7 +701,7 @@ func (j *Job) GetJobVersions(args *structs.JobVersionsRequest, defer metrics.MeasureSince([]string{"nomad", "job", "get_job_versions"}, time.Now()) // Check for read-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -759,7 +759,7 @@ func (j *Job) List(args *structs.JobListRequest, defer metrics.MeasureSince([]string{"nomad", "job", "list"}, time.Now()) // Check for list-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityListJobs) { return structs.ErrPermissionDenied @@ -820,7 +820,7 @@ func (j *Job) Allocations(args *structs.JobSpecificRequest, defer metrics.MeasureSince([]string{"nomad", "job", "allocations"}, time.Now()) // Check for read-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -869,7 +869,7 @@ func (j *Job) Evaluations(args *structs.JobSpecificRequest, defer metrics.MeasureSince([]string{"nomad", "job", "evaluations"}, time.Now()) // Check for read-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -911,7 +911,7 @@ func (j *Job) Deployments(args *structs.JobSpecificRequest, defer metrics.MeasureSince([]string{"nomad", "job", "deployments"}, time.Now()) // Check for read-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -953,7 +953,7 @@ func (j *Job) LatestDeployment(args *structs.JobSpecificRequest, defer metrics.MeasureSince([]string{"nomad", "job", "latest_deployment"}, time.Now()) // Check for read-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { return structs.ErrPermissionDenied @@ -1020,7 +1020,7 @@ func (j *Job) Plan(args *structs.JobPlanRequest, reply *structs.JobPlanResponse) reply.Warnings = structs.MergeMultierrorWarnings(warnings, canonicalizeWarnings) // Check job submission permissions, which we assume is the same for plan - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil { if !aclObj.AllowNsOp(structs.DefaultNamespace, acl.NamespaceCapabilitySubmitJob) { @@ -1238,7 +1238,7 @@ func (j *Job) Dispatch(args *structs.JobDispatchRequest, reply *structs.JobDispa defer metrics.MeasureSince([]string{"nomad", "job", "dispatch"}, time.Now()) // Check for submit-job permissions - if aclObj, err := j.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityDispatchJob) { return structs.ErrPermissionDenied diff --git a/nomad/job_endpoint_test.go b/nomad/job_endpoint_test.go index ec153242b..c9357594e 100644 --- a/nomad/job_endpoint_test.go +++ b/nomad/job_endpoint_test.go @@ -121,7 +121,7 @@ func TestJobEndpoint_Register_ACL(t *testing.T) { } // Try with a token - req.SecretID = root.SecretID + req.AuthToken = root.SecretID if err := msgpackrpc.CallWithCodec(codec, "Job.Register", req, &resp); err != nil { t.Fatalf("err: %v", err) } @@ -1067,14 +1067,14 @@ func TestJobEndpoint_Revert_ACL(t *testing.T) { invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - revertReq.SecretID = invalidToken.SecretID + revertReq.AuthToken = invalidToken.SecretID var invalidResp structs.JobRegisterResponse err = msgpackrpc.CallWithCodec(codec, "Job.Revert", revertReq, &invalidResp) assert.NotNil(err) assert.Contains(err.Error(), "Permission denied") // Fetch the response with a valid management token - revertReq.SecretID = root.SecretID + revertReq.AuthToken = root.SecretID var validResp structs.JobRegisterResponse err = msgpackrpc.CallWithCodec(codec, "Job.Revert", revertReq, &validResp) assert.Nil(err) @@ -1083,7 +1083,7 @@ func TestJobEndpoint_Revert_ACL(t *testing.T) { validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) - revertReq.SecretID = validToken.SecretID + revertReq.AuthToken = validToken.SecretID var validResp2 structs.JobRegisterResponse err = msgpackrpc.CallWithCodec(codec, "Job.Revert", revertReq, &validResp2) assert.Nil(err) @@ -1190,14 +1190,14 @@ func TestJobEndpoint_Stable_ACL(t *testing.T) { invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) - stableReq.SecretID = invalidToken.SecretID + stableReq.AuthToken = invalidToken.SecretID var invalidStableResp structs.JobStabilityResponse err = msgpackrpc.CallWithCodec(codec, "Job.Stable", stableReq, &invalidStableResp) assert.NotNil(err) assert.Contains("Permission denied", err.Error()) // Attempt to fetch with a management token - stableReq.SecretID = root.SecretID + stableReq.AuthToken = root.SecretID var validStableResp structs.JobStabilityResponse err = msgpackrpc.CallWithCodec(codec, "Job.Stable", stableReq, &validStableResp) assert.Nil(err) @@ -1206,7 +1206,7 @@ func TestJobEndpoint_Stable_ACL(t *testing.T) { validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) - stableReq.SecretID = validToken.SecretID + stableReq.AuthToken = validToken.SecretID var validStableResp2 structs.JobStabilityResponse err = msgpackrpc.CallWithCodec(codec, "Job.Stable", stableReq, &validStableResp2) assert.Nil(err) @@ -1334,14 +1334,14 @@ func TestJobEndpoint_Evaluate_ACL(t *testing.T) { invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) - reEval.SecretID = invalidToken.SecretID + reEval.AuthToken = invalidToken.SecretID var invalidResp structs.JobRegisterResponse err = msgpackrpc.CallWithCodec(codec, "Job.Evaluate", reEval, &invalidResp) assert.NotNil(err) assert.Contains(err.Error(), "Permission denied") // Fetch the response with a valid management token - reEval.SecretID = root.SecretID + reEval.AuthToken = root.SecretID var validResp structs.JobRegisterResponse err = msgpackrpc.CallWithCodec(codec, "Job.Evaluate", reEval, &validResp) assert.Nil(err) @@ -1350,7 +1350,7 @@ func TestJobEndpoint_Evaluate_ACL(t *testing.T) { validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - reEval.SecretID = validToken.SecretID + reEval.AuthToken = validToken.SecretID var validResp2 structs.JobRegisterResponse err = msgpackrpc.CallWithCodec(codec, "Job.Evaluate", reEval, &validResp2) assert.Nil(err) @@ -1638,7 +1638,7 @@ func TestJobEndpoint_Deregister_ACL(t *testing.T) { // Expect failure for request with an invalid token invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID var invalidResp structs.JobDeregisterResponse err = msgpackrpc.CallWithCodec(codec, "Job.Deregister", req, &invalidResp) @@ -1646,7 +1646,7 @@ func TestJobEndpoint_Deregister_ACL(t *testing.T) { assert.Contains(err.Error(), "Permission denied") // Expect success with a valid management token - req.SecretID = root.SecretID + req.AuthToken = root.SecretID var validResp structs.JobDeregisterResponse err = msgpackrpc.CallWithCodec(codec, "Job.Deregister", req, &validResp) @@ -1656,7 +1656,7 @@ func TestJobEndpoint_Deregister_ACL(t *testing.T) { // Expect success with a valid token validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID var validResp2 structs.JobDeregisterResponse err = msgpackrpc.CallWithCodec(codec, "Job.Deregister", req, &validResp2) @@ -1973,14 +1973,14 @@ func TestJobEndpoint_GetJob_ACL(t *testing.T) { invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID var invalidResp structs.SingleJobResponse err = msgpackrpc.CallWithCodec(codec, "Job.GetJob", get, &invalidResp) assert.NotNil(err) assert.Contains(err.Error(), "Permission denied") // Looking up the job with a management token should succeed - get.SecretID = root.SecretID + get.AuthToken = root.SecretID var validResp structs.SingleJobResponse err = msgpackrpc.CallWithCodec(codec, "Job.GetJob", get, &validResp) assert.Nil(err) @@ -1990,7 +1990,7 @@ func TestJobEndpoint_GetJob_ACL(t *testing.T) { validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID var validResp2 structs.SingleJobResponse err = msgpackrpc.CallWithCodec(codec, "Job.GetJob", get, &validResp2) assert.Nil(err) @@ -2184,14 +2184,14 @@ func TestJobEndpoint_GetJobVersions_ACL(t *testing.T) { invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID var invalidResp structs.JobVersionsResponse err = msgpackrpc.CallWithCodec(codec, "Job.GetJobVersions", get, &invalidResp) assert.NotNil(err) assert.Contains(err.Error(), "Permission denied") // Expect success for request with a valid management token - get.SecretID = root.SecretID + get.AuthToken = root.SecretID var validResp structs.JobVersionsResponse err = msgpackrpc.CallWithCodec(codec, "Job.GetJobVersions", get, &validResp) assert.Nil(err) @@ -2200,7 +2200,7 @@ func TestJobEndpoint_GetJobVersions_ACL(t *testing.T) { validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID var validResp2 structs.JobVersionsResponse err = msgpackrpc.CallWithCodec(codec, "Job.GetJobVersions", get, &validResp2) assert.Nil(err) @@ -2474,7 +2474,7 @@ func TestJobEndpoint_Summary_ACL(t *testing.T) { Namespace: job.Namespace, }, } - reg.SecretID = root.SecretID + reg.AuthToken = root.SecretID var err error @@ -2512,7 +2512,7 @@ func TestJobEndpoint_Summary_ACL(t *testing.T) { } // Expect success when using a management token - req.SecretID = root.SecretID + req.AuthToken = root.SecretID var mgmtResp structs.JobSummaryResponse err = msgpackrpc.CallWithCodec(codec, "Job.Summary", req, &mgmtResp) assert.Nil(err) @@ -2525,7 +2525,7 @@ func TestJobEndpoint_Summary_ACL(t *testing.T) { invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID var invalidResp structs.JobSummaryResponse err = msgpackrpc.CallWithCodec(codec, "Job.Summary", req, &invalidResp) assert.NotNil(err) @@ -2534,7 +2534,7 @@ func TestJobEndpoint_Summary_ACL(t *testing.T) { validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID var authResp structs.JobSummaryResponse err = msgpackrpc.CallWithCodec(codec, "Job.Summary", req, &authResp) assert.Nil(err) @@ -2728,7 +2728,7 @@ func TestJobEndpoint_ListJobs_WithACL(t *testing.T) { // Expect success for request with a management token var mgmtResp structs.JobListResponse - req.SecretID = root.SecretID + req.AuthToken = root.SecretID err = msgpackrpc.CallWithCodec(codec, "Job.List", req, &mgmtResp) assert.Nil(err) assert.Equal(1, len(mgmtResp.Jobs)) @@ -2738,7 +2738,7 @@ func TestJobEndpoint_ListJobs_WithACL(t *testing.T) { invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID var invalidResp structs.JobListResponse err = msgpackrpc.CallWithCodec(codec, "Job.List", req, &invalidResp) assert.NotNil(err) @@ -2747,7 +2747,7 @@ func TestJobEndpoint_ListJobs_WithACL(t *testing.T) { validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) var validResp structs.JobListResponse - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID err = msgpackrpc.CallWithCodec(codec, "Job.List", req, &validResp) assert.Nil(err) @@ -2901,14 +2901,14 @@ func TestJobEndpoint_Allocations_ACL(t *testing.T) { invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID var invalidResp structs.JobAllocationsResponse err = msgpackrpc.CallWithCodec(codec, "Job.Allocations", get, &invalidResp) assert.NotNil(err) assert.Contains(err.Error(), "Permission denied") // Attempt to fetch the response with valid management token should succeed - get.SecretID = root.SecretID + get.AuthToken = root.SecretID var validResp structs.JobAllocationsResponse err = msgpackrpc.CallWithCodec(codec, "Job.Allocations", get, &validResp) assert.Nil(err) @@ -2917,7 +2917,7 @@ func TestJobEndpoint_Allocations_ACL(t *testing.T) { validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID var validResp2 structs.JobAllocationsResponse err = msgpackrpc.CallWithCodec(codec, "Job.Allocations", get, &validResp2) assert.Nil(err) @@ -3058,14 +3058,14 @@ func TestJobEndpoint_Evaluations_ACL(t *testing.T) { invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID var invalidResp structs.JobEvaluationsResponse err = msgpackrpc.CallWithCodec(codec, "Job.Evaluations", get, &invalidResp) assert.NotNil(err) assert.Contains(err.Error(), "Permission denied") // Attempt to fetch with valid management token should succeed - get.SecretID = root.SecretID + get.AuthToken = root.SecretID var validResp structs.JobEvaluationsResponse err = msgpackrpc.CallWithCodec(codec, "Job.Evaluations", get, &validResp) assert.Nil(err) @@ -3075,7 +3075,7 @@ func TestJobEndpoint_Evaluations_ACL(t *testing.T) { validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID var validResp2 structs.JobEvaluationsResponse err = msgpackrpc.CallWithCodec(codec, "Job.Evaluations", get, &validResp2) assert.Nil(err) @@ -3208,14 +3208,14 @@ func TestJobEndpoint_Deployments_ACL(t *testing.T) { invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID var invalidResp structs.DeploymentListResponse err = msgpackrpc.CallWithCodec(codec, "Job.Deployments", get, &invalidResp) assert.NotNil(err) assert.Contains(err.Error(), "Permission denied") // Lookup with valid management token should succeed - get.SecretID = root.SecretID + get.AuthToken = root.SecretID var validResp structs.DeploymentListResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Job.Deployments", get, &validResp), "RPC") assert.EqualValues(1002, validResp.Index, "response index") @@ -3225,7 +3225,7 @@ func TestJobEndpoint_Deployments_ACL(t *testing.T) { validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID var validResp2 structs.DeploymentListResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Job.Deployments", get, &validResp2), "RPC") assert.EqualValues(1002, validResp2.Index, "response index") @@ -3355,14 +3355,14 @@ func TestJobEndpoint_LatestDeployment_ACL(t *testing.T) { invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) - get.SecretID = invalidToken.SecretID + get.AuthToken = invalidToken.SecretID var invalidResp structs.SingleDeploymentResponse err = msgpackrpc.CallWithCodec(codec, "Job.LatestDeployment", get, &invalidResp) assert.NotNil(err) assert.Contains(err.Error(), "Permission denied") // Fetching latest deployment with a valid management token should succeed - get.SecretID = root.SecretID + get.AuthToken = root.SecretID var validResp structs.SingleDeploymentResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Job.LatestDeployment", get, &validResp), "RPC") assert.EqualValues(1002, validResp.Index, "response index") @@ -3373,7 +3373,7 @@ func TestJobEndpoint_LatestDeployment_ACL(t *testing.T) { validToken := mock.CreatePolicyAndToken(t, state, 1004, "test-valid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - get.SecretID = validToken.SecretID + get.AuthToken = validToken.SecretID var validResp2 structs.SingleDeploymentResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Job.LatestDeployment", get, &validResp2), "RPC") assert.EqualValues(1002, validResp2.Index, "response index") @@ -3454,7 +3454,7 @@ func TestJobEndpoint_Plan_ACL(t *testing.T) { } // Try with a token - planReq.SecretID = root.SecretID + planReq.AuthToken = root.SecretID if err := msgpackrpc.CallWithCodec(codec, "Job.Plan", planReq, &planResp); err != nil { t.Fatalf("err: %v", err) } @@ -3808,7 +3808,7 @@ func TestJobEndpoint_ValidateJobUpdate_ACL(t *testing.T) { assert.NotNil(err) // Update with a valid token - req.SecretID = root.SecretID + req.AuthToken = root.SecretID var validResp structs.JobValidateResponse err = msgpackrpc.CallWithCodec(codec, "Job.Validate", req, &validResp) assert.Nil(err) @@ -3854,7 +3854,7 @@ func TestJobEndpoint_Dispatch_ACL(t *testing.T) { // Attempt to fetch the response with an invalid token should fail invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID var invalidResp structs.JobDispatchResponse err = msgpackrpc.CallWithCodec(codec, "Job.Dispatch", req, &invalidResp) @@ -3862,7 +3862,7 @@ func TestJobEndpoint_Dispatch_ACL(t *testing.T) { assert.Contains(err.Error(), "Permission denied") // Dispatch with a valid management token should succeed - req.SecretID = root.SecretID + req.AuthToken = root.SecretID var validResp structs.JobDispatchResponse err = msgpackrpc.CallWithCodec(codec, "Job.Dispatch", req, &validResp) @@ -3874,7 +3874,7 @@ func TestJobEndpoint_Dispatch_ACL(t *testing.T) { // Dispatch with a valid token should succeed validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityDispatchJob})) - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID var validResp2 structs.JobDispatchResponse err = msgpackrpc.CallWithCodec(codec, "Job.Dispatch", req, &validResp2) diff --git a/nomad/leader.go b/nomad/leader.go index 97712dd00..70cd16363 100644 --- a/nomad/leader.go +++ b/nomad/leader.go @@ -721,7 +721,7 @@ START: // Fetch the list of policies var resp structs.ACLPolicyListResponse - req.SecretID = s.ReplicationToken() + req.AuthToken = s.ReplicationToken() err := s.forwardRegion(s.config.AuthoritativeRegion, "ACL.ListPolicies", &req, &resp) if err != nil { @@ -751,7 +751,7 @@ START: Names: update, QueryOptions: structs.QueryOptions{ Region: s.config.AuthoritativeRegion, - SecretID: s.ReplicationToken(), + AuthToken: s.ReplicationToken(), AllowStale: true, MinQueryIndex: resp.Index - 1, }, @@ -863,7 +863,7 @@ START: // Fetch the list of tokens var resp structs.ACLTokenListResponse - req.SecretID = s.ReplicationToken() + req.AuthToken = s.ReplicationToken() err := s.forwardRegion(s.config.AuthoritativeRegion, "ACL.ListTokens", &req, &resp) if err != nil { @@ -893,7 +893,7 @@ START: AccessorIDS: update, QueryOptions: structs.QueryOptions{ Region: s.config.AuthoritativeRegion, - SecretID: s.ReplicationToken(), + AuthToken: s.ReplicationToken(), AllowStale: true, MinQueryIndex: resp.Index - 1, }, diff --git a/nomad/node_endpoint.go b/nomad/node_endpoint.go index 3d6b6d04c..8ee0c49e3 100644 --- a/nomad/node_endpoint.go +++ b/nomad/node_endpoint.go @@ -390,7 +390,7 @@ func (n *Node) UpdateDrain(args *structs.NodeUpdateDrainRequest, defer metrics.MeasureSince([]string{"nomad", "client", "update_drain"}, time.Now()) // Check node write permissions - if aclObj, err := n.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := n.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNodeWrite() { return structs.ErrPermissionDenied @@ -452,7 +452,7 @@ func (n *Node) Evaluate(args *structs.NodeEvaluateRequest, reply *structs.NodeUp defer metrics.MeasureSince([]string{"nomad", "client", "evaluate"}, time.Now()) // Check node write permissions - if aclObj, err := n.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := n.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNodeWrite() { return structs.ErrPermissionDenied @@ -859,7 +859,7 @@ func (n *Node) List(args *structs.NodeListRequest, defer metrics.MeasureSince([]string{"nomad", "client", "list"}, time.Now()) // Check node read permissions - if aclObj, err := n.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := n.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNodeRead() { return structs.ErrPermissionDenied diff --git a/nomad/node_endpoint_test.go b/nomad/node_endpoint_test.go index 709242711..abbc1b2b3 100644 --- a/nomad/node_endpoint_test.go +++ b/nomad/node_endpoint_test.go @@ -691,14 +691,14 @@ func TestClientEndpoint_UpdateDrain_ACL(t *testing.T) { } // Try with a valid token - dereg.SecretID = validToken.SecretID + dereg.AuthToken = validToken.SecretID { var resp structs.NodeDrainUpdateResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Node.UpdateDrain", dereg, &resp), "RPC") } // Try with a invalid token - dereg.SecretID = invalidToken.SecretID + dereg.AuthToken = invalidToken.SecretID { var resp structs.NodeDrainUpdateResponse err := msgpackrpc.CallWithCodec(codec, "Node.UpdateDrain", dereg, &resp) @@ -707,7 +707,7 @@ func TestClientEndpoint_UpdateDrain_ACL(t *testing.T) { } // Try with a root token - dereg.SecretID = root.SecretID + dereg.AuthToken = root.SecretID { var resp structs.NodeDrainUpdateResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Node.UpdateDrain", dereg, &resp), "RPC") @@ -1932,14 +1932,14 @@ func TestClientEndpoint_Evaluate_ACL(t *testing.T) { } // Try with a valid token - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID { var resp structs.NodeUpdateResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Node.Evaluate", req, &resp), "RPC") } // Try with a invalid token - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID { var resp structs.NodeUpdateResponse err := msgpackrpc.CallWithCodec(codec, "Node.Evaluate", req, &resp) @@ -1948,7 +1948,7 @@ func TestClientEndpoint_Evaluate_ACL(t *testing.T) { } // Try with a root token - req.SecretID = root.SecretID + req.AuthToken = root.SecretID { var resp structs.NodeUpdateResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Node.Evaluate", req, &resp), "RPC") @@ -2045,7 +2045,7 @@ func TestClientEndpoint_ListNodes_ACL(t *testing.T) { } // Try with a valid token - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID { var resp structs.NodeListResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Node.List", req, &resp), "RPC") @@ -2053,7 +2053,7 @@ func TestClientEndpoint_ListNodes_ACL(t *testing.T) { } // Try with a invalid token - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID { var resp structs.NodeListResponse err := msgpackrpc.CallWithCodec(codec, "Node.List", req, &resp) @@ -2062,7 +2062,7 @@ func TestClientEndpoint_ListNodes_ACL(t *testing.T) { } // Try with a root token - req.SecretID = root.SecretID + req.AuthToken = root.SecretID { var resp structs.NodeListResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Node.List", req, &resp), "RPC") diff --git a/nomad/operator_endpoint.go b/nomad/operator_endpoint.go index a45339c07..69bc81294 100644 --- a/nomad/operator_endpoint.go +++ b/nomad/operator_endpoint.go @@ -21,7 +21,7 @@ func (op *Operator) RaftGetConfiguration(args *structs.GenericRequest, reply *st } // Check management permissions - if aclObj, err := op.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := op.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.IsManagement() { return structs.ErrPermissionDenied @@ -77,7 +77,7 @@ func (op *Operator) RaftRemovePeerByAddress(args *structs.RaftPeerByAddressReque } // Check management permissions - if aclObj, err := op.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := op.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.IsManagement() { return structs.ErrPermissionDenied diff --git a/nomad/operator_endpoint_test.go b/nomad/operator_endpoint_test.go index a72c75f90..303a2ef58 100644 --- a/nomad/operator_endpoint_test.go +++ b/nomad/operator_endpoint_test.go @@ -85,7 +85,7 @@ func TestOperator_RaftGetConfiguration_ACL(t *testing.T) { // Try with an invalid token and expect permission denied { - arg.SecretID = invalidToken.SecretID + arg.AuthToken = invalidToken.SecretID var reply structs.RaftConfigurationResponse err := msgpackrpc.CallWithCodec(codec, "Operator.RaftGetConfiguration", &arg, &reply) assert.NotNil(err) @@ -94,7 +94,7 @@ func TestOperator_RaftGetConfiguration_ACL(t *testing.T) { // Use management token { - arg.SecretID = root.SecretID + arg.AuthToken = root.SecretID var reply structs.RaftConfigurationResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Operator.RaftGetConfiguration", &arg, &reply)) @@ -209,7 +209,7 @@ func TestOperator_RaftRemovePeerByAddress_ACL(t *testing.T) { // Try with an invalid token and expect permission denied { - arg.SecretID = invalidToken.SecretID + arg.AuthToken = invalidToken.SecretID err := msgpackrpc.CallWithCodec(codec, "Operator.RaftRemovePeerByAddress", &arg, &reply) assert.NotNil(err) assert.Equal(err.Error(), structs.ErrPermissionDenied.Error()) @@ -217,7 +217,7 @@ func TestOperator_RaftRemovePeerByAddress_ACL(t *testing.T) { // Try with a management token { - arg.SecretID = root.SecretID + arg.AuthToken = root.SecretID err := msgpackrpc.CallWithCodec(codec, "Operator.RaftRemovePeerByAddress", &arg, &reply) assert.Nil(err) } diff --git a/nomad/periodic_endpoint.go b/nomad/periodic_endpoint.go index a28331f4e..2cf355b6e 100644 --- a/nomad/periodic_endpoint.go +++ b/nomad/periodic_endpoint.go @@ -23,7 +23,7 @@ func (p *Periodic) Force(args *structs.PeriodicForceRequest, reply *structs.Peri defer metrics.MeasureSince([]string{"nomad", "periodic", "force"}, time.Now()) // Check for write-job permissions - if aclObj, err := p.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := p.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) { return structs.ErrPermissionDenied diff --git a/nomad/periodic_endpoint_test.go b/nomad/periodic_endpoint_test.go index 1a085cb6a..7547de5ac 100644 --- a/nomad/periodic_endpoint_test.go +++ b/nomad/periodic_endpoint_test.go @@ -100,7 +100,7 @@ func TestPeriodicEndpoint_Force_ACL(t *testing.T) { // Try with an invalid token and expect permission denied { invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "invalid", mock.NodePolicy(acl.PolicyWrite)) - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID var resp structs.PeriodicForceResponse err := msgpackrpc.CallWithCodec(codec, "Periodic.Force", req, &resp) assert.NotNil(err) @@ -111,7 +111,7 @@ func TestPeriodicEndpoint_Force_ACL(t *testing.T) { { policy := mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}) token := mock.CreatePolicyAndToken(t, state, 1005, "valid", policy) - req.SecretID = token.SecretID + req.AuthToken = token.SecretID var resp structs.PeriodicForceResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Periodic.Force", req, &resp)) assert.NotEqual(0, resp.Index) @@ -126,7 +126,7 @@ func TestPeriodicEndpoint_Force_ACL(t *testing.T) { // Fetch the response with management token { - req.SecretID = root.SecretID + req.AuthToken = root.SecretID var resp structs.PeriodicForceResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Periodic.Force", req, &resp)) assert.NotEqual(0, resp.Index) diff --git a/nomad/search_endpoint.go b/nomad/search_endpoint.go index 14aa98cb9..daeead918 100644 --- a/nomad/search_endpoint.go +++ b/nomad/search_endpoint.go @@ -113,7 +113,7 @@ func roundUUIDDownIfOdd(prefix string, context structs.Context) string { // PrefixSearch is used to list matches for a given prefix, and returns // matching jobs, evaluations, allocations, and/or nodes. func (s *Search) PrefixSearch(args *structs.SearchRequest, reply *structs.SearchResponse) error { - aclObj, err := s.srv.ResolveToken(args.SecretID) + aclObj, err := s.srv.ResolveToken(args.AuthToken) if err != nil { return err } diff --git a/nomad/search_endpoint_test.go b/nomad/search_endpoint_test.go index 6f55bba10..7cd6fe6b2 100644 --- a/nomad/search_endpoint_test.go +++ b/nomad/search_endpoint_test.go @@ -98,7 +98,7 @@ func TestSearch_PrefixSearch_ACL(t *testing.T) { { invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID var resp structs.SearchResponse err := msgpackrpc.CallWithCodec(codec, "Search.PrefixSearch", req, &resp) assert.NotNil(err) @@ -108,7 +108,7 @@ func TestSearch_PrefixSearch_ACL(t *testing.T) { // Try with a node:read token and expect failure due to Jobs being the context { validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-invalid2", mock.NodePolicy(acl.PolicyRead)) - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID var resp structs.SearchResponse err := msgpackrpc.CallWithCodec(codec, "Search.PrefixSearch", req, &resp) assert.NotNil(err) @@ -119,7 +119,7 @@ func TestSearch_PrefixSearch_ACL(t *testing.T) { { validToken := mock.CreatePolicyAndToken(t, state, 1007, "test-valid", mock.NodePolicy(acl.PolicyRead)) req.Context = structs.All - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID var resp structs.SearchResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Search.PrefixSearch", req, &resp)) assert.Equal(uint64(1001), resp.Index) @@ -133,7 +133,7 @@ func TestSearch_PrefixSearch_ACL(t *testing.T) { { validToken := mock.CreatePolicyAndToken(t, state, 1009, "test-valid2", mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID var resp structs.SearchResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Search.PrefixSearch", req, &resp)) assert.Len(resp.Matches[structs.Jobs], 1) @@ -152,7 +152,7 @@ func TestSearch_PrefixSearch_ACL(t *testing.T) { mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}), mock.NodePolicy(acl.PolicyRead), }, "\n")) - req.SecretID = validToken.SecretID + req.AuthToken = validToken.SecretID var resp structs.SearchResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Search.PrefixSearch", req, &resp)) assert.Len(resp.Matches[structs.Jobs], 1) @@ -163,7 +163,7 @@ func TestSearch_PrefixSearch_ACL(t *testing.T) { // Try with a management token { - req.SecretID = root.SecretID + req.AuthToken = root.SecretID var resp structs.SearchResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Search.PrefixSearch", req, &resp)) assert.Equal(uint64(1001), resp.Index) diff --git a/nomad/status_endpoint.go b/nomad/status_endpoint.go index 42e7fb477..cbe2af325 100644 --- a/nomad/status_endpoint.go +++ b/nomad/status_endpoint.go @@ -73,7 +73,7 @@ func (s *Status) Peers(args *structs.GenericRequest, reply *[]string) error { // aware of func (s *Status) Members(args *structs.GenericRequest, reply *structs.ServerMembersResponse) error { // Check node read permissions - if aclObj, err := s.srv.ResolveToken(args.SecretID); err != nil { + if aclObj, err := s.srv.ResolveToken(args.AuthToken); err != nil { return err } else if aclObj != nil && !aclObj.AllowNodeRead() { return structs.ErrPermissionDenied diff --git a/nomad/status_endpoint_test.go b/nomad/status_endpoint_test.go index da42d0835..ab48ab7f0 100644 --- a/nomad/status_endpoint_test.go +++ b/nomad/status_endpoint_test.go @@ -146,7 +146,7 @@ func TestStatusMembers_ACL(t *testing.T) { // Try with an invalid token and expect failure { - arg.SecretID = invalidToken.SecretID + arg.AuthToken = invalidToken.SecretID var out structs.ServerMembersResponse err := msgpackrpc.CallWithCodec(codec, "Status.Members", arg, &out) assert.NotNil(err) @@ -155,7 +155,7 @@ func TestStatusMembers_ACL(t *testing.T) { // Try with a valid token { - arg.SecretID = validToken.SecretID + arg.AuthToken = validToken.SecretID var out structs.ServerMembersResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Status.Members", arg, &out)) assert.Len(out.Members, 1) @@ -163,7 +163,7 @@ func TestStatusMembers_ACL(t *testing.T) { // Try with a management token { - arg.SecretID = root.SecretID + arg.AuthToken = root.SecretID var out structs.ServerMembersResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "Status.Members", arg, &out)) assert.Len(out.Members, 1) diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go index 1c0b6dc71..2baa5dfb7 100644 --- a/nomad/structs/structs.go +++ b/nomad/structs/structs.go @@ -166,8 +166,8 @@ type QueryOptions struct { // If set, used as prefix for resource list searches Prefix string - // SecretID is secret portion of the ACL token used for the request - SecretID string + // AuthToken is secret portion of the ACL token used for the request + AuthToken string } func (q QueryOptions) RequestRegion() string { @@ -197,8 +197,8 @@ type WriteRequest struct { // Namespace is the target namespace for the write. Namespace string - // SecretID is secret portion of the ACL token used for the request - SecretID string + // AuthToken is secret portion of the ACL token used for the request + AuthToken string } func (w WriteRequest) RequestRegion() string { diff --git a/nomad/system_endpoint.go b/nomad/system_endpoint.go index 6a314385e..0c290db31 100644 --- a/nomad/system_endpoint.go +++ b/nomad/system_endpoint.go @@ -19,7 +19,7 @@ func (s *System) GarbageCollect(args *structs.GenericRequest, reply *structs.Gen } // Check management level permissions - if acl, err := s.srv.ResolveToken(args.SecretID); err != nil { + if acl, err := s.srv.ResolveToken(args.AuthToken); err != nil { return err } else if acl != nil && !acl.IsManagement() { return structs.ErrPermissionDenied @@ -43,7 +43,7 @@ func (s *System) ReconcileJobSummaries(args *structs.GenericRequest, reply *stru } // Check management level permissions - if acl, err := s.srv.ResolveToken(args.SecretID); err != nil { + if acl, err := s.srv.ResolveToken(args.AuthToken); err != nil { return err } else if acl != nil && !acl.IsManagement() { return structs.ErrPermissionDenied diff --git a/nomad/system_endpoint_test.go b/nomad/system_endpoint_test.go index 46d08ae12..09f4e7dbd 100644 --- a/nomad/system_endpoint_test.go +++ b/nomad/system_endpoint_test.go @@ -93,7 +93,7 @@ func TestSystemEndpoint_GarbageCollect_ACL(t *testing.T) { // Try with an invalid token and expect failure { - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID var resp structs.GenericResponse err := msgpackrpc.CallWithCodec(codec, "System.GarbageCollect", req, &resp) assert.NotNil(err) @@ -102,7 +102,7 @@ func TestSystemEndpoint_GarbageCollect_ACL(t *testing.T) { // Try with a management token { - req.SecretID = root.SecretID + req.AuthToken = root.SecretID var resp structs.GenericResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "System.GarbageCollect", req, &resp)) } @@ -199,7 +199,7 @@ func TestSystemEndpoint_ReconcileJobSummaries_ACL(t *testing.T) { // Try with an invalid token and expect failure { - req.SecretID = invalidToken.SecretID + req.AuthToken = invalidToken.SecretID var resp structs.GenericResponse err := msgpackrpc.CallWithCodec(codec, "System.ReconcileJobSummaries", req, &resp) assert.NotNil(err) @@ -208,7 +208,7 @@ func TestSystemEndpoint_ReconcileJobSummaries_ACL(t *testing.T) { // Try with a management token { - req.SecretID = root.SecretID + req.AuthToken = root.SecretID var resp structs.GenericResponse assert.Nil(msgpackrpc.CallWithCodec(codec, "System.ReconcileJobSummaries", req, &resp)) }