Re: [consul] service acl token not working

James Phillips

Dec 19, 2016, 10:30:53 PM
to consu...@googlegroups.com
Hi Tim,

Sorry for the late reply on this one - the field should be called
"token". I suspect that your issue might have been related to the
policy associated with that token. Were you able to figure this one
out?

-- James

On Wed, Nov 30, 2016 at 5:23 AM, Tim Sales <andys...@comcast.net> wrote:
> I can't seem to get any token used inside of a service definition to work and
> the service is actually still using anonymous. I know it is using anonymous
> because I can modify the anonymous acl and impact the service permissions
> live. So can anyone tell me why the below would not work and is behaving
> this way?
>
> The below will only work if anonymous has write to service and will not use
> the token in the service. If anonymous does not have service write I get:
>
> Agent: Check 'service:test-service' registration blocked by ACLs
>
>
>
> What is going on and why is this not working? In the consul docs, I see
> this:
>
>> Services may also contain a token field to provide an ACL token
>
>
> So I tried to use the key "token" as well and when I looked at other
> examples it appeared that "acl_token" was correct?? (the acl_default_policy
> is deny)
>
>
> service ( I am just trying to test exposing the unsealed vault instances via
> DNS api. This service is running on a consul server which also has a local
> vault instance..)
>
> {
>   "service": {
>     "acl_token": "45096584-3751-d07b-6698-23ca17003713",
>     "tags": [
>       "vault-dns-check"
>     ],
>     "port": 8200,
>     "name": "test-service",
>     "id": "test-service",
>     "enableTagOverride": false,
>     "checks": [
>       {
>         "tls_skip_verify": true,
>         "timeout": "5s",
>         "service_id": "test-service",
>         "notes": "This will is a test service",
>         "interval": "30s",
>         "id": "test-service",
>         "http": "https://testnode.test:8200/v1/sys/seal-status"
>       }
>     ]
>   }
> }
>
>
>
> ACL for the token used above
>
> {
>   "service": {
>     "": {
>       "policy": "write"
>     }
>   }
> }
>
>
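
Added example, not part of the original thread and not Consul's own code: a small pre-deployment check for the naming point made in the reply above, flagging any token-like key in a service definition that is not spelled "token". The sample document, its placeholder token value, and the helper names service_blocks and lint_service_tokens are constructed for illustration; the "services" list form is included as an assumption about how multiple services are defined in one file.

```python
import json

# Constructed sample: a trimmed service block shaped like the one in the
# thread, with a placeholder token value.
SAMPLE = """
{
  "service": {
    "acl_token": "00000000-0000-0000-0000-000000000000",
    "name": "test-service",
    "id": "test-service",
    "port": 8200
  }
}
"""

TOKEN_FIELD = "token"  # field name given in the reply above


def service_blocks(doc):
    """Yield each service block from a 'service' or 'services' definition."""
    if isinstance(doc.get("service"), dict):
        yield doc["service"]
    for svc in doc.get("services") or []:
        if isinstance(svc, dict):
            yield svc


def lint_service_tokens(text):
    """Return a list of (service_name, message) findings for one JSON file."""
    findings = []
    for svc in service_blocks(json.loads(text)):
        name = svc.get("name") or svc.get("id") or "<unnamed>"
        # Keys that look like a token field but are not spelled "token".
        lookalikes = sorted(
            k for k in svc if "token" in k.lower() and k != TOKEN_FIELD
        )
        for key in lookalikes:
            findings.append(
                (name, f'"{key}" is not the service token field; use "{TOKEN_FIELD}"')
            )
        if not svc.get(TOKEN_FIELD):
            findings.append((name, f'no "{TOKEN_FIELD}" field set on this service'))
    return findings


if __name__ == "__main__":
    for name, msg in lint_service_tokens(SAMPLE):
        print(f"{name}: {msg}")
```

A clean result only confirms the field name; the policy attached to the token still has to grant write on the service being registered.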