acl: bootstrap master token from config file

[skarrok]

Fixes #7777
Add support for acl master_token like in Consul

[hashicorp-cla]

All committers have signed the CLA.

[schmichael]

Thanks for the excellent PR @skarrok! From a code perspective it looks right on.

However, while we know our existing management token bootstrapping method makes automating cluster setup difficult, we're unsure about hardcoding a management token like Consul allows. A one-time (or limited-time) use token might ease bootstrapping while greatly diminish the attack surface of a master token ended in a config file.

I'm going to mark this as 🤔 for now. I don't want to close it outright as we may decide the risk is worth it since the bootstrapping is such a pain.

[schmichael]

Would it be useful to allow the AccessorID to be specified in the HCL as well? Consul doesn't for their master_token, but they do allow it for subsequent tokens created via their API in order to ease automation.

[skarrok]

Thank you for your review!

Yes, current process is not ideal. We even choose to not use acl in nomad in favor of fully automated idempotent bootstrapping.

I'm sure strong arguments for and against have been made already when this feature landed in consul, so I'm gonna wait for decision.

[apollo13]

@schmichael Hi, I have been thinking about your comment and about what would be an easier approach for automation without hard-coding the token in the config file. I only suggested that in #7777 because consul already does it and I like consistency.

What do you think about altering the /acl/bootstrap endpoint (or maybe even introduce a new one) to allow the enduser to submit a token pair to it (AccessorID & SecretID) which will be used as the initial management token? This way you can safely store the token pair in a system suitable for your automation (for example an ansible vault) but you would not leak it onto the machines.

[tgross]

@schmichael what do you think of closing this PR in lieu of the work that @lhaig is doing in #12520? I think that's closer to the suggestion you and @apollo13 had here.

[schmichael]

Sounds good to me Tim and @apollo13 gave a 👍 ! Closing this in favor of #12520.

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.