/v1/agent/check/register Permission denied 0.8.1

[Induja Vijayaraghavan]

Hello,

Recently switched over to Consul 0.8.1 from 0.7.4.

Vault is at 0.7.1

Consul Log in the vault_master:

2017-05-12

11:41:05.715

May 12 11:41:05 vault_master1 consul: 2017/05/12 11:41:05 [ERR] http: Request PUT /v1/agent/check/pass/vault:redacted:8200:vault-sealed-check?note=Vault+Unsealed, error: Unknown check "vault:redacted:8200:vault-sealed-check" from=127.0.0.1:53338

2017-05-12

11:41:05.215

May 12 11:41:05 vault_master1 consul[25193]: http: Request PUT /v1/agent/check/pass/vault:redacted:8200:vault-sealed-check?note=Vault+Unsealed, error: Unknown check "vault:redacted:8200:vault-sealed-check" from=127.0.0.1:53338

2017-05-12

11:41:05.215

May 12 11:41:04 vault_master1 consul: 2017/05/12 11:41:04 [ERR] http: Request PUT /v1/agent/check/register, error: Permission denied from=127.0.0.1:53338

2017-05-12

11:41:04.994

May 12 11:41:04 vault_master1 consul[25193]: http: Request PUT /v1/agent/check/register, error: Permission denied from=127.0.0.1:53338

2017-05-12

11:41:04.994

May 12 11:41:04 vault_master1 consul[25193]: agent: Synced service 'vault:redacted:8200'

I have added the following ACLs in the consul master:

{

   "Name": "agent-node-write-consul",

   "Type": "client",

   "Rules": "{

     \"agent\": {

       \"\": {

          \"policy\": \"write\"

        }

      },

      \"node\": {

        \"\": {

          \"policy\": \"write\"

        }

      }

   }"

}

{

  "Name": "service-write",

  "Type": "client",

  "Rules": "{

    \"service\": {

      \"\": {

         \"policy\": \"write\"

       }

     }

  }"

}

{

  "Name": "vault-write-consul",

  "Type": "client",

  "Rules": "{

    \"key\": {

      \"vault/\": {

         \"policy\": \"write\"

       }

     },

     \"service\": {

       \"vault\": {

         \"policy\": \"write\"

       }

     }

  }"

}

{

   "Name": "session-write-consul",

   "Type": "client",

   "Rules": "{

     \"session\": {

       \"\": {

          \"policy\": \"write\"

        }

      }

   }"

}

Server Config:

       config_hash => {

          'data_dir'           => '/var/lib/consul',

          'ui_dir'             => '/usr/share/consul-ui',

          'datacenter'         => 'ho',

          'log_level'          => 'INFO',

          'enable_syslog'      => true,

          'server'             => true,

          'bootstrap_expect'   => $bootstrap_expect,

          'acl_datacenter'     => 'ho',

          'acl_master_token'   => $consul_encrypt_key,

          'acl_agent_token'    => $consul_encrypt_key,

          'acl_default_policy' => 'deny',

          'encrypt'            => $consul_encrypt_key,

          'client_addr'        => '0.0.0.0',

          'bind_addr'          => $bind_addr_node,

          'start_join'         => $masters,

}

Client config:

config_hash => {

        'data_dir'        => '/opt/consul',

        'datacenter'      => 'ho',

        'acl_datacenter'  => 'ho',

        'acl_agent_token' => $consul_encrypt_key,

        'acl_token'       => $consul_encrypt_key,

        'log_level'       => 'INFO',

        'enable_syslog'   => true,

        'encrypt'         => $consul_encrypt_key,

        'node_name'       => $::hostname,

        'client_addr'     => '127.0.0.1',

        'bind_addr'       => $bind_addr_node,

        'retry_join'      => $masters,

      }

I am reading the ACL documentation over and again and can't seem to find my issue.

Thanks in advance.

[Induja Vijayaraghavan]

I see this when i do a consul status:

vault_master1:/data #sudo service consul status

Redirecting to /bin/systemctl status  consul.service

● consul.service - Consul Agent

   Loaded: loaded (/usr/lib/systemd/system/consul.service; enabled; vendor preset: disabled)

   Active: active (running) since Fri 2017-05-12 15:21:29 CDT; 11min ago

  Process: 28842 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)

 Main PID: 28863 (consul)

   CGroup: /system.slice/consul.service

           └─28863 /usr/local/bin/consul agent -config-dir /etc/consul

May 12 15:32:38 vault_master1 consul[28863]: 2017/05/12 15:32:38 [WARN] agent: Check 'service:vault' is now warning

May 12 15:32:38 vault_master1 consul[28863]: agent: Check 'service:vault' is now warning

May 12 15:32:48 vault_master1 consul[28863]: agent: Check 'service:vault' is now warning

May 12 15:32:48 vault_master1 consul[28863]: 2017/05/12 15:32:48 [WARN] agent: Check 'service:vault' is now warning

May 12 15:32:58 vault_master1 consul[28863]: 2017/05/12 15:32:58 [WARN] agent: Check 'service:vault' is now warning

May 12 15:32:58 vault_master1 consul[28863]: agent: Check 'service:vault' is now warning

May 12 15:32:59 vault_master1 consul[28863]: http: Request GET /v1/agent/self, error: Permission denied from=127.0.0.1:58090

May 12 15:32:59 vault_master1 consul[28863]: 2017/05/12 15:32:59 [ERR] http: Request GET /v1/agent/self, error: Permission denied from=127.0.0.1:58090

[James Phillips]

Hi,

/v1/agent/self requires agent "read" permissions -
https://www.consul.io/docs/guides/acl.html#agent-rules. If you add
that to the token Vault is using, it should be allowed to read from
that endpoint.

-- James

> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/consul/issues
> IRC: #consul on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Consul" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to consul-tool...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/consul-tool/f8fffca2-ec7d-4a0a-abac-12dc774635d9%40googlegroups.com.
>
> For more options, visit https://groups.google.com/d/optout.