ACLs and Consul server which acts as an anonymous node


Antoine Lang-Cavelier

Dec 13, 2015, 10:40:59 PM
to Consul
Hi people!

NB: I'm working in a test environment, which explains the topology used: I want to register a service on a Consul server with the ACL policy enabled and without using the anonymous token.

In the config file loaded by my first and only Consul server, I try to register a service: MyService-Foo. Everything worked when I didn't use ACLs.

However, since I added ACL support to my cluster (with, I think, proper ACL rules), the registration of MyService-Foo is blocked even though the checks are done locally.
I expect my consul-server to follow the rules put in the Master token, but that's not the case. Nevertheless, when I change the anonymous token policy for service to "write", everything works as expected and the service is finally registered. I also tried to add, in addition to the master token declaration, another acl_token to the consul-server, but as it is the server, it seems it can't have an acl_token in its config at the same time as serving an acl_master_token (that seems logical to me, but then the consul-server acts as a node without a token and gets its permissions from the anonymous token).


# Log
    2015/12/13 18:52:14 [DEBUG] agent: Check 'service:MyService-Foo' is passing
    2015/12/13 18:52:24 [DEBUG] agent: check 'service:MyService-Foo' script '/usr/bin/pgrep -x 'myservicedaemon'' output: 1423
    2015/12/13 18:52:24 [DEBUG] agent: Check 'service:MyService-Foo' is passing
    2015/12/13 18:52:34 [DEBUG] agent: check 'service:MyService-Foo' script '/usr/bin/pgrep -x 'myservicedaemon'' output: 1423
    2015/12/13 18:52:34 [DEBUG] agent: Check 'service:MyService-Foo' is passing
    2015/12/13 18:52:39 [DEBUG] agent: Service 'consul' in sync
    2015/12/13 18:52:39 [WARN] consul.catalog: Register of service 'MyService-Foo' on 'ip-10-18-230-89.example.com' denied due to ACLs
    2015/12/13 18:52:39 [WARN] agent: Service 'MyService-Foo' registration blocked by ACLs
    


# The configuration runs as follows:
exec /home/consul/bin/consul agent -server -config-file=/home/consul/bin/config.json
exec /home/consul/acl/consul-acl.sh


    
# Here is my config file for my consul-server:

{
    "bootstrap": true,
    "server": true,
    "datacenter": "d1",
    "data_dir": "/home/consul/data/",
    "ui_dir": "/home/consul/ui",
    "log_level": "debug",
    "addresses": {
        "http": "10.18.230.89"
    },
    "service": {
        "name": "MyService-Foo",
        "port": 6060,
        "tags": [
            "master"
        ],
        "check": {
            "notes": "Retrieve the service pid if it's running",
            "script": "/usr/bin/pgrep -x 'myservicedaemon'",
            "interval": "10s"
        }
    },
    "acl_datacenter": "d1",
    "acl_master_token": "'"$master_token"'",
    "acl_default_policy": "deny",
    "acl_down_policy": "deny",
    "encrypt": "'"$encrypt_key"'"
}


# After launching the Consul startup script, I launch a script with some ACL rules:

# master token
'{
    "ID": "'"$master_token"'",
    "Name": "Master token",
    "Type": "management",
    "Rules": "{\"service\": {\"\": {\"policy\": \"write\"}},\"event\": {\"\": {\"policy\": \"write\"}},\"keyring\": \"write\"}"
}'

# anonymous token
'{
    "ID": "anonymous",
    "Name": "Anonymous Token",
    "Type": "client",
    "Rules": "{\"service\": {\"\": {\"policy\": \"read\"}},\"event\": {\"\": {\"policy\": \"read\"}},\"keyring\": \"read\"}"
}'



Armon Dadgar

Dec 15, 2015, 5:18:42 PM
to consu...@googlegroups.com, Antoine Lang-Cavelier
Antoine,

I’m not sure if I perfectly follow, however the “acl_master_token” is not used by the servers for
registering services. It is used to bootstrap the ACL system, e.g. when you start the ACL system
in a “deny” mode there is no way to do anything. The “acl_master_token” breaks the chicken-and-egg
and gives you the initial root password if you will.

The “acl_token” however is used to register services, both on clients and servers, no specialized
behavior. In your configuration, that is not specified, so the anonymous token is used instead.

Given that you are using the “deny” mode, you can either create a token with the proper permissions
and provide that as the “acl_token”, or allow the anonymous token to register the service as you’ve
done.

Hope that helps!

Best Regards,
Armon Dadgar
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/consul/issues
IRC: #consul on Freenode
---
You received this message because you are subscribed to the Google Groups "Consul" group.
To unsubscribe from this group and stop receiving emails from it, send an email to consul-tool...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/consul-tool/d980ea27-38e9-4fe4-9cdd-d079aa990f25%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
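The distinction Armon draws above (acl_master_token only bootstraps the ACL system; the agent registers services with acl_token, or with the anonymous token when acl_token is unset), as an added example that is not part of the original thread and is not Consul's own code. It is a small Python model of the Consul 0.6 behaviour: the agent picks the token it will present, the servers match the service name against the token's prefix-keyed rules (longest matching prefix wins, the empty prefix matches everything, acl_default_policy applies when nothing matches), and a "management" token bypasses the rules entirely, which is why the Rules attached to the master token in the thread change nothing. The token IDs "<master-token>" and "svc-registrar", the token store and the two agent configs are constructed for the example.

```python
"""Added example (not Consul's code): a minimal model of how a Consul 0.6
agent picks the token it presents for a service registration and how the
servers then evaluate that token's ACL rules.

Assumptions, labelled here and in the comments below:
  * token IDs such as "<master-token>" and "svc-registrar" are placeholders;
  * prefix-based rule matching (longest matching prefix wins, empty prefix
    matches everything) follows the documented Consul 0.6 semantics;
  * tokens of type "management" bypass rule evaluation entirely.
"""
import json


class Token:
    """An ACL token as stored by the servers: ID, type and JSON rules."""

    def __init__(self, token_id, token_type, rules_json):
        self.id = token_id
        self.type = token_type          # "client" or "management"
        rules = json.loads(rules_json) if rules_json else {}
        self.services = rules.get("service", {})


def service_policy(token, service_name, default_policy):
    """Policy ("read"/"write"/"deny") the token grants on service_name."""
    if token.type == "management":
        return "write"                  # management tokens ignore their Rules
    best = None
    for prefix in token.services:
        if service_name.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix               # longest matching prefix wins
    if best is None:
        return default_policy           # acl_default_policy applies
    return token.services[best]["policy"]


def resolve_agent_token(agent_config, tokens):
    """The agent presents acl_token if set, otherwise the anonymous token.
    acl_master_token is deliberately not consulted: it only bootstraps ACLs."""
    return tokens[agent_config.get("acl_token", "anonymous")]


def can_register(agent_config, tokens, service_name):
    """Would the servers accept a catalog registration of service_name?"""
    token = resolve_agent_token(agent_config, tokens)
    policy = service_policy(token, service_name,
                            agent_config.get("acl_default_policy", "allow"))
    return policy == "write"


# Constructed token store mirroring the ACL script in the thread.
TOKENS = {
    "<master-token>": Token("<master-token>", "management",
                            '{"service": {"": {"policy": "write"}}}'),
    "anonymous": Token("anonymous", "client",
                       '{"service": {"": {"policy": "read"}}}'),
    # Least-privilege token for the agent: may only write MyService-* entries.
    "svc-registrar": Token("svc-registrar", "client",
                           '{"service": {"MyService-": {"policy": "write"}}}'),
}

# The server config as posted: acl_master_token present, acl_token absent.
CONFIG_AS_POSTED = {
    "acl_master_token": "<master-token>",
    "acl_default_policy": "deny",
}

# The fix from the thread: give the agent its own acl_token.
CONFIG_WITH_TOKEN = dict(CONFIG_AS_POSTED, acl_token="svc-registrar")


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("with acl_token", CONFIG_WITH_TOKEN)):
        tok = resolve_agent_token(cfg, TOKENS)
        verdict = "allowed" if can_register(cfg, TOKENS, "MyService-Foo") else "denied by ACLs"
        print(f"{label:15} token={tok.id:15} register MyService-Foo -> {verdict}")
```

Of the two fixes Armon offers, the dedicated acl_token is the one to prefer: widening the anonymous token to service "write" lets any caller that reaches the HTTP API without a token register or deregister services, whereas a client token scoped to the "MyService-" prefix, as modelled here, can register MyService-Foo but nothing else.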

Antoine Lang-Cavelier

Dec 16, 2015, 6:54:59 PM
to Consul, langcaveli...@gmail.com
Thank you Armon, I added an "acl_token" to my server config and everything is fine now. I must have made a mistake the first time I tried it.
