hashicorp · jmurret · Sep 5, 2024 · Aug 8, 2024 · Aug 8, 2024 · Sep 4, 2024
diff --git a/.changelog/21592.txt b/.changelog/21592.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+server: remove v2 tenancy, catalog, and mesh experiments
+```
diff --git a/Makefile b/Makefile
@@ -294,7 +294,6 @@ lint-container-test-deps: ## Check that the test-container module only imports a
 	@cd test/integration/consul-container && \
 		$(CURDIR)/build-support/scripts/check-allowed-imports.sh \
 			github.com/hashicorp/consul \
-			"internal/catalog/catalogtest" \
 			"internal/resource/resourcetest"
 
 ##@ Testing

@@ -59,31 +59,6 @@ func (m *MockAuthorizer) EventWrite(segment string, ctx *AuthorizerContext) Enfo
 	return ret.Get(0).(EnforcementDecision)
 }
 
-// IdentityRead checks for permission to read a given workload identity.
-func (m *MockAuthorizer) IdentityRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
-	ret := m.Called(segment, ctx)
-	return ret.Get(0).(EnforcementDecision)
-}
-
-// IdentityReadAll checks for permission to read all workload identities.
-func (m *MockAuthorizer) IdentityReadAll(ctx *AuthorizerContext) EnforcementDecision {
-	ret := m.Called(ctx)
-	return ret.Get(0).(EnforcementDecision)
-}
-
-// IdentityWrite checks for permission to create or update a given
-// workload identity.
-func (m *MockAuthorizer) IdentityWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
-	ret := m.Called(segment, ctx)
-	return ret.Get(0).(EnforcementDecision)
-}
-
-// IdentityWriteAny checks for write permission on any workload identity.
-func (m *MockAuthorizer) IdentityWriteAny(ctx *AuthorizerContext) EnforcementDecision {
-	ret := m.Called(ctx)
-	return ret.Get(0).(EnforcementDecision)
-}
-
 // IntentionDefaultAllow determines the default authorized behavior
 // when no intentions match a Connect request.
 func (m *MockAuthorizer) IntentionDefaultAllow(ctx *AuthorizerContext) EnforcementDecision {

@@ -40,22 +40,6 @@ func checkAllowEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx
 	require.Equal(t, Allow, authz.EventWrite(prefix, entCtx))
 }
 
-func checkAllowIdentityRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
-	require.Equal(t, Allow, authz.IdentityRead(prefix, entCtx))
-}
-
-func checkAllowIdentityReadAll(t *testing.T, authz Authorizer, _ string, entCtx *AuthorizerContext) {
-	require.Equal(t, Allow, authz.IdentityReadAll(entCtx))
-}
-
-func checkAllowIdentityWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
-	require.Equal(t, Allow, authz.IdentityWrite(prefix, entCtx))
-}
-
-func checkAllowIdentityWriteAny(t *testing.T, authz Authorizer, _ string, entCtx *AuthorizerContext) {
-	require.Equal(t, Allow, authz.IdentityWriteAny(entCtx))
-}
-
 func checkAllowIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
 	require.Equal(t, Allow, authz.IntentionDefaultAllow(entCtx))
 }
@@ -196,22 +180,6 @@ func checkDenyEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *
 	require.Equal(t, Deny, authz.EventWrite(prefix, entCtx))
 }
 
-func checkDenyIdentityRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
-	require.Equal(t, Deny, authz.IdentityRead(prefix, entCtx))
-}
-
-func checkDenyIdentityReadAll(t *testing.T, authz Authorizer, _ string, entCtx *AuthorizerContext) {
-	require.Equal(t, Deny, authz.IdentityReadAll(entCtx))
-}
-
-func checkDenyIdentityWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
-	require.Equal(t, Deny, authz.IdentityWrite(prefix, entCtx))
-}
-
-func checkDenyIdentityWriteAny(t *testing.T, authz Authorizer, _ string, entCtx *AuthorizerContext) {
-	require.Equal(t, Deny, authz.IdentityWriteAny(entCtx))
-}
-
 func checkDenyIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
 	require.Equal(t, Deny, authz.IntentionDefaultAllow(entCtx))
 }
@@ -360,22 +328,6 @@ func checkDefaultEventWrite(t *testing.T, authz Authorizer, prefix string, entCt
 	require.Equal(t, Default, authz.EventWrite(prefix, entCtx))
 }
 
-func checkDefaultIdentityRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
-	require.Equal(t, Default, authz.IdentityRead(prefix, entCtx))
-}
-
-func checkDefaultIdentityReadAll(t *testing.T, authz Authorizer, _ string, entCtx *AuthorizerContext) {
-	require.Equal(t, Default, authz.IdentityReadAll(entCtx))
-}
-
-func checkDefaultIdentityWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
-	require.Equal(t, Default, authz.IdentityWrite(prefix, entCtx))
-}
-
-func checkDefaultIdentityWriteAny(t *testing.T, authz Authorizer, _ string, entCtx *AuthorizerContext) {
-	require.Equal(t, Default, authz.IdentityWriteAny(entCtx))
-}
-
 func checkDefaultIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
 	require.Equal(t, Default, authz.IntentionDefaultAllow(entCtx))
 }
@@ -516,10 +468,6 @@ func TestACL(t *testing.T) {
 				{name: "DenyIntentionDefaultAllow", check: checkDenyIntentionDefaultAllow},
 				{name: "DenyIntentionRead", check: checkDenyIntentionRead},
 				{name: "DenyIntentionWrite", check: checkDenyIntentionWrite},
-				{name: "DenyIdentityRead", check: checkDenyIdentityRead},
-				{name: "DenyIdentityReadAll", check: checkDenyIdentityReadAll},
-				{name: "DenyIdentityWrite", check: checkDenyIdentityWrite},
-				{name: "DenyIdentityWriteAny", check: checkDenyIdentityWriteAny},
 				{name: "DenyKeyRead", check: checkDenyKeyRead},
 				{name: "DenyKeyringRead", check: checkDenyKeyringRead},
 				{name: "DenyKeyringWrite", check: checkDenyKeyringWrite},
@@ -554,10 +502,6 @@ func TestACL(t *testing.T) {
 				{name: "AllowAgentWrite", check: checkAllowAgentWrite},
 				{name: "AllowEventRead", check: checkAllowEventRead},
 				{name: "AllowEventWrite", check: checkAllowEventWrite},
-				{name: "AllowIdentityRead", check: checkAllowIdentityRead},
-				{name: "AllowIdentityReadAll", check: checkAllowIdentityReadAll},
-				{name: "AllowIdentityWrite", check: checkAllowIdentityWrite},
-				{name: "AllowIdentityWriteAny", check: checkAllowIdentityWriteAny},
 				{name: "AllowIntentionDefaultAllow", check: checkAllowIntentionDefaultAllow},
 				{name: "AllowIntentionRead", check: checkAllowIntentionRead},
 				{name: "AllowIntentionWrite", check: checkAllowIntentionWrite},
@@ -597,10 +541,6 @@ func TestACL(t *testing.T) {
 				{name: "AllowAgentWrite", check: checkAllowAgentWrite},
 				{name: "AllowEventRead", check: checkAllowEventRead},
 				{name: "AllowEventWrite", check: checkAllowEventWrite},
-				{name: "AllowIdentityRead", check: checkAllowIdentityRead},
-				{name: "AllowIdentityReadAll", check: checkAllowIdentityReadAll},
-				{name: "AllowIdentityWrite", check: checkAllowIdentityWrite},
-				{name: "AllowIdentityWriteAny", check: checkAllowIdentityWriteAny},
 				{name: "AllowIntentionDefaultAllow", check: checkAllowIntentionDefaultAllow},
 				{name: "AllowIntentionRead", check: checkAllowIntentionRead},
 				{name: "AllowIntentionWrite", check: checkAllowIntentionWrite},
@@ -1000,134 +940,6 @@ func TestACL(t *testing.T) {
 				{name: "ChildOverrideWriteAllowed", prefix: "override", check: checkAllowAgentWrite},
 			},
 		},
-		{
-			name:          "IdentityDefaultAllowPolicyDeny",
-			defaultPolicy: AllowAll(),
-			policyStack: []*Policy{
-				{
-					PolicyRules: PolicyRules{
-						Identities: []*IdentityRule{
-							{
-								Name:   "foo",
-								Policy: PolicyDeny,
-							},
-						},
-						IdentityPrefixes: []*IdentityRule{
-							{
-								Name:   "prefix",
-								Policy: PolicyDeny,
-							},
-						},
-					},
-				},
-			},
-			checks: []aclCheck{
-				{name: "IdentityFooReadDenied", prefix: "foo", check: checkDenyIdentityRead},
-				{name: "IdentityFooWriteDenied", prefix: "foo", check: checkDenyIdentityWrite},
-				{name: "IdentityPrefixReadDenied", prefix: "prefix", check: checkDenyIdentityRead},
-				{name: "IdentityPrefixWriteDenied", prefix: "prefix", check: checkDenyIdentityWrite},
-				{name: "IdentityBarReadAllowed", prefix: "fail", check: checkAllowIdentityRead},
-				{name: "IdentityBarWriteAllowed", prefix: "fail", check: checkAllowIdentityWrite},
-			},
-		},
-		{
-			name:          "IdentityDefaultDenyPolicyAllow",
-			defaultPolicy: DenyAll(),
-			policyStack: []*Policy{
-				{
-					PolicyRules: PolicyRules{
-						Identities: []*IdentityRule{
-							{
-								Name:   "foo",
-								Policy: PolicyWrite,
-							},
-						},
-						IdentityPrefixes: []*IdentityRule{
-							{
-								Name:   "prefix",
-								Policy: PolicyRead,
-							},
-						},
-					},
-				},
-			},
-			checks: []aclCheck{
-				{name: "IdentityFooReadAllowed", prefix: "foo", check: checkAllowIdentityRead},
-				{name: "IdentityFooWriteAllowed", prefix: "foo", check: checkAllowIdentityWrite},
-				{name: "IdentityPrefixReadAllowed", prefix: "prefix", check: checkAllowIdentityRead},
-				{name: "IdentityPrefixWriteDenied", prefix: "prefix", check: checkDenyIdentityWrite},
-				{name: "IdentityBarReadDenied", prefix: "fail", check: checkDenyIdentityRead},
-				{name: "IdentityBarWriteDenied", prefix: "fail", check: checkDenyIdentityWrite},
-			},
-		},
-		{
-			name:          "IdentityDefaultDenyPolicyComplex",
-			defaultPolicy: DenyAll(),
-			policyStack: []*Policy{
-				{
-					PolicyRules: PolicyRules{
-						Identities: []*IdentityRule{
-							{
-								Name:   "football",
-								Policy: PolicyRead,
-							},
-							{
-								Name:       "prefix-forbidden",
-								Policy:     PolicyDeny,
-								Intentions: PolicyDeny,
-							},
-						},
-						IdentityPrefixes: []*IdentityRule{
-							{
-								Name:       "foo",
-								Policy:     PolicyWrite,
-								Intentions: PolicyWrite,
-							},
-							{
-								Name:       "prefix",
-								Policy:     PolicyRead,
-								Intentions: PolicyWrite,
-							},
-						},
-					},
-				},
-				{
-					PolicyRules: PolicyRules{
-						Identities: []*IdentityRule{
-							{
-								Name:       "foozball",
-								Policy:     PolicyWrite,
-								Intentions: PolicyRead,
-							},
-						},
-					},
-				},
-			},
-			checks: []aclCheck{
-				{name: "IdentityReadAllowed", prefix: "foo", check: checkAllowIdentityRead},
-				{name: "IdentityWriteAllowed", prefix: "foo", check: checkAllowIdentityWrite},
-				{name: "TrafficPermissionsReadAllowed", prefix: "foo", check: checkAllowTrafficPermissionsRead},
-				{name: "TrafficPermissionsWriteAllowed", prefix: "foo", check: checkAllowTrafficPermissionsWrite},
-				{name: "IdentityReadAllowed", prefix: "football", check: checkAllowIdentityRead},
-				{name: "IdentityWriteDenied", prefix: "football", check: checkDenyIdentityWrite},
-				{name: "TrafficPermissionsReadAllowed", prefix: "football", check: checkAllowTrafficPermissionsRead},
-				// This might be surprising but omitting intention rule gives at most intention:read
-				// if we have identity:write perms. This matches services as well.
-				{name: "TrafficPermissionsWriteDenied", prefix: "football", check: checkDenyTrafficPermissionsWrite},
-				{name: "IdentityReadAllowed", prefix: "prefix", check: checkAllowIdentityRead},
-				{name: "IdentityWriteDenied", prefix: "prefix", check: checkDenyIdentityWrite},
-				{name: "TrafficPermissionsReadAllowed", prefix: "prefix", check: checkAllowTrafficPermissionsRead},
-				{name: "TrafficPermissionsWriteDenied", prefix: "prefix", check: checkAllowTrafficPermissionsWrite},
-				{name: "IdentityReadDenied", prefix: "prefix-forbidden", check: checkDenyIdentityRead},
-				{name: "IdentityWriteDenied", prefix: "prefix-forbidden", check: checkDenyIdentityWrite},
-				{name: "TrafficPermissionsReadDenied", prefix: "prefix-forbidden", check: checkDenyTrafficPermissionsRead},
-				{name: "TrafficPermissionsWriteDenied", prefix: "prefix-forbidden", check: checkDenyTrafficPermissionsWrite},
-				{name: "IdentityReadAllowed", prefix: "foozball", check: checkAllowIdentityRead},
-				{name: "IdentityWriteAllowed", prefix: "foozball", check: checkAllowIdentityWrite},
-				{name: "TrafficPermissionsReadAllowed", prefix: "foozball", check: checkAllowTrafficPermissionsRead},
-				{name: "TrafficPermissionsWriteDenied", prefix: "foozball", check: checkDenyTrafficPermissionsWrite},
-			},
-		},
 		{
 			name:          "KeyringDefaultAllowPolicyDeny",
 			defaultPolicy: AllowAll(),

@@ -43,7 +43,6 @@ const (
 	ResourceACL       Resource = "acl"
 	ResourceAgent     Resource = "agent"
 	ResourceEvent     Resource = "event"
-	ResourceIdentity  Resource = "identity"
 	ResourceIntention Resource = "intention"
 	ResourceKey       Resource = "key"
 	ResourceKeyring   Resource = "keyring"
@@ -78,19 +77,6 @@ type Authorizer interface {
 	// EventWrite determines if a specific event may be fired.
 	EventWrite(string, *AuthorizerContext) EnforcementDecision
 
-	// IdentityRead checks for permission to read a given workload identity.
-	IdentityRead(string, *AuthorizerContext) EnforcementDecision
-
-	// IdentityReadAll checks for permission to read all workload identities.
-	IdentityReadAll(*AuthorizerContext) EnforcementDecision
-
-	// IdentityWrite checks for permission to create or update a given
-	// workload identity.
-	IdentityWrite(string, *AuthorizerContext) EnforcementDecision
-
-	// IdentityWriteAny checks for write permission on any workload identity.
-	IdentityWriteAny(*AuthorizerContext) EnforcementDecision
-
 	// IntentionDefaultAllow determines the default authorized behavior
 	// when no intentions match a Connect request.
 	//
@@ -267,40 +253,6 @@ func (a AllowAuthorizer) EventWriteAllowed(name string, ctx *AuthorizerContext)
 	return nil
 }
 
-// IdentityReadAllowed checks for permission to read a given workload identity,
-func (a AllowAuthorizer) IdentityReadAllowed(name string, ctx *AuthorizerContext) error {
-	if a.Authorizer.IdentityRead(name, ctx) != Allow {
-		return PermissionDeniedByACL(a, ctx, ResourceIdentity, AccessRead, name)
-	}
-	return nil
-}
-
-// IdentityReadAllAllowed checks for permission to read all workload identities.
-func (a AllowAuthorizer) IdentityReadAllAllowed(ctx *AuthorizerContext) error {
-	if a.Authorizer.IdentityReadAll(ctx) != Allow {
-		// This is only used to gate certain UI functions right now (e.g metrics)
-		return PermissionDeniedByACL(a, ctx, ResourceIdentity, AccessRead, "all identities") // read
-	}
-	return nil
-}
-
-// IdentityWriteAllowed checks for permission to create or update a given
-// workload identity.
-func (a AllowAuthorizer) IdentityWriteAllowed(name string, ctx *AuthorizerContext) error {
-	if a.Authorizer.IdentityWrite(name, ctx) != Allow {
-		return PermissionDeniedByACL(a, ctx, ResourceIdentity, AccessWrite, name)
-	}
-	return nil
-}
-
-// IdentityWriteAnyAllowed checks for write permission on any workload identity
-func (a AllowAuthorizer) IdentityWriteAnyAllowed(ctx *AuthorizerContext) error {
-	if a.Authorizer.IdentityWriteAny(ctx) != Allow {
-		return PermissionDeniedByACL(a, ctx, ResourceIdentity, AccessWrite, "any identity")
-	}
-	return nil
-}
-
 // IntentionReadAllowed determines if a specific intention can be read.
 func (a AllowAuthorizer) IntentionReadAllowed(name string, ctx *AuthorizerContext) error {
 	if a.Authorizer.IntentionRead(name, ctx) != Allow {
@@ -579,13 +531,6 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx
 		case "write":
 			return authz.EventWrite(segment, ctx), nil
 		}
-	case ResourceIdentity:
-		switch lowerAccess {
-		case "read":
-			return authz.IdentityRead(segment, ctx), nil
-		case "write":
-			return authz.IdentityWrite(segment, ctx), nil
-		}
 	case ResourceIntention:
 		switch lowerAccess {
 		case "read":

@@ -188,34 +188,6 @@ func TestACL_Enforce(t *testing.T) {
 			ret:      Deny,
 			err:      "Invalid access level",
 		},
-		{
-			method:   "IdentityRead",
-			resource: ResourceIdentity,
-			segment:  "foo",
-			access:   "read",
-			ret:      Deny,
-		},
-		{
-			method:   "IdentityRead",
-			resource: ResourceIdentity,
-			segment:  "foo",
-			access:   "read",
-			ret:      Allow,
-		},
-		{
-			method:   "IdentityWrite",
-			resource: ResourceIdentity,
-			segment:  "foo",
-			access:   "write",
-			ret:      Deny,
-		},
-		{
-			method:   "IdentityWrite",
-			resource: ResourceIdentity,
-			segment:  "foo",
-			access:   "write",
-			ret:      Allow,
-		},
 		{
 			method:   "IntentionRead",
 			resource: ResourceIntention,