Replication token needs acl write on all ns's

If namespaces are enabled, the replication token will need to be able to replicate all tokens and policies from all namespaces. Without this functionality, users won't be able to use namespaced tokens/policies/roles in secondary datacenters (since they won't be replicated).
hashicorp · Oct 27, 2020 · b25cb0c · b25cb0c
1 parent 1b515f4
commit b25cb0c
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/subcommand/server-acl-init/rules.go b/subcommand/server-acl-init/rules.go
@@ -222,7 +222,6 @@ func (c *Command) aclReplicationRules() (string, error) {
 	// datacenters during federation since in order to start ACL replication,
 	// we need a token with both replication and agent permissions.
 	aclReplicationRulesTpl := `
-acl = "write"
 operator = "write"
 agent_prefix "" {
   policy = "read"
@@ -233,6 +232,7 @@ node_prefix "" {
 {{- if .EnableNamespaces }}
 namespace_prefix "" {
 {{- end }}
+  acl = "write"
   service_prefix "" {
     policy = "read"
     intentions = "read"

diff --git a/subcommand/server-acl-init/rules_test.go b/subcommand/server-acl-init/rules_test.go
@@ -537,14 +537,14 @@ func TestReplicationTokenRules(t *testing.T) {
 		{
 			"Namespaces are disabled",
 			false,
-			`acl = "write"
-operator = "write"
+			`operator = "write"
 agent_prefix "" {
   policy = "read"
 }
 node_prefix "" {
   policy = "write"
 }
+  acl = "write"
   service_prefix "" {
     policy = "read"
     intentions = "read"
@@ -553,15 +553,15 @@ node_prefix "" {
 		{
 			"Namespaces are enabled",
 			true,
-			`acl = "write"
-operator = "write"
+			`operator = "write"
 agent_prefix "" {
   policy = "read"
 }
 node_prefix "" {
   policy = "write"
 }
 namespace_prefix "" {
+  acl = "write"
   service_prefix "" {
     policy = "read"
     intentions = "read"