From 1004d0ec0e2980a139540a2c64316210ce07b560 Mon Sep 17 00:00:00 2001
From: James Phillips
Date: Sun, 16 Jul 2017 20:08:26 -0700
Subject: [PATCH] Adds node read privileges to the acl_agent_master_token. (#3277)

Fixes #3113.
---
 agent/acl.go | 6 ++++++
 agent/acl_test.go | 6 ++++++
 website/source/docs/agent/options.html.md | 8 ++++----
 website/source/docs/guides/acl.html.md | 20 +++++++++++++++++---
 4 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/agent/acl.go b/agent/acl.go
index b84f40ffca..2e30848a43 100644
--- a/agent/acl.go
+++ b/agent/acl.go
@@ -104,6 +104,12 @@ func newACLManager(config *Config) (*aclManager, error) {
 Policy: acl.PolicyWrite,
 },
 },
+ Nodes: []*acl.NodePolicy{
+ &acl.NodePolicy{
+ Name: "",
+ Policy: acl.PolicyRead,
+ },
+ },
 }
 acl, err := acl.New(acl.DenyAll(), policy)
 if err != nil {
diff --git a/agent/acl_test.go b/agent/acl_test.go
index bcee072d77..44980abcf4 100644
--- a/agent/acl_test.go
+++ b/agent/acl_test.go
@@ -166,6 +166,12 @@ func TestACL_Special_IDs(t *testing.T) {
 if !acl.AgentWrite(cfg.NodeName) {
 t.Fatalf("should be able to write agent")
 }
+ if !acl.NodeRead("hello") {
+ t.Fatalf("should be able to read any node")
+ }
+ if acl.NodeWrite("hello") {
+ t.Fatalf("should not be able to write any node")
+ }
 }

 func TestACL_Down_Deny(t *testing.T) {
diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md
index 75c597afe6..be8a6fbf0b 100644
--- a/website/source/docs/agent/options.html.md
+++ b/website/source/docs/agent/options.html.md
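Review bot: The new `Nodes` entry in newACLManager grants read on every node rather than only the local one, because `Name: ""` is an empty prefix, and nothing in the code says this breadth is intended. The documentation changed in the same commit describes this token as managed locally on the agent and usable when the servers cannot validate tokens, so it is a static break-glass credential and every rule added here widens what a leaked copy can read. I would put a comment above the entry, for example `// Empty name matches all nodes; read-only by design, keep in sync with the ACL guide.` The start of the policy literal, including how the agent rule is scoped, lies above the hunk and is not visible here.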
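Review bot: The added assertions in TestACL_Special_IDs probe only the arbitrary name "hello", so the case most likely to regress is not pinned: the local node, where this token already holds agent write. Adding `if acl.NodeWrite(cfg.NodeName) { t.Fatalf("should not be able to write own node") }` next to the existing `AgentWrite(cfg.NodeName)` check would keep agent write from ever silently implying node write. The function starts above the hunk, so earlier assertions may already cover part of this.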
@@ -453,10 +453,10 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass * `acl_agent_master_token` - Used to access agent endpoints that require agent read - or write privileges even if Consul servers aren't present to validate any tokens. This should only - be used by operators during outages, regular ACL tokens should normally be used by applications. - This was added in Consul 0.7.2 and is only used when `acl_enforce_version_8` - is set to true. + or write privileges, or node read privileges, even if Consul servers aren't present to validate + any tokens. This should only be used by operators during outages, regular ACL tokens should normally + be used by applications. This was added in Consul 0.7.2 and is only used when + `acl_enforce_version_8` is set to true. * `acl_agent_token` - Used for clients and servers to perform internal operations to the service catalog. If this isn't specified, then diff --git a/website/source/docs/guides/acl.html.md b/website/source/docs/guides/acl.html.md index 8ef73c5c9c..a8a9296d1c 100644 --- a/website/source/docs/guides/acl.html.md +++ b/website/source/docs/guides/acl.html.md 
@@ -133,6 +133,20 @@ system, or accessing Consul in special situations:
 | [`acl_master_token`](/docs/agent/options.html#acl_master_token) | `REQUIRED` | `N/A` | Special token used to bootstrap the ACL system, see details below |
 | [`acl_token`](/docs/agent/options.html#acl_token) | `OPTIONAL` | `OPTIONAL` | Default token to use for client requests where no token is supplied; this is often configured with read-only access to services to enable DNS service discovery on agents |

+Since it is designed to be used when the Consul servers are not available, the
+`acl_agent_master_token` is managed locally on the agent and does not need to have a
+policy defined on the Consul servers via the ACL API. Once set, it implicitly has the
+following policy associated with it (the `node` policy was added in Consul 0.9.0):
+
+```text
+agent "" {
+ policy = "write"
+}
+node "" {
+ policy = "read"
+}
+```
+
 #### Bootstrapping ACLs

 Bootstrapping ACLs on a new cluster requires a few steps, outlined in the example in this
@@ -933,9 +947,9 @@ Two new configuration options are used once version 8 ACLs are enabled: * [`acl_agent_master_token`](/docs/agent/options.html#acl_agent_master_token) is used as a special access token that has `agent` ACL policy `write` privileges on each agent where - it is configured. This token should only be used by operators during outages when Consul - servers aren't available to resolve ACL tokens. Applications should use regular ACL - tokens during normal operation. + it is configured, as well as `node` ACL policy `read` privileges for all nodes. This token + should only be used by operators during outages when Consul servers aren't available to + resolve ACL tokens. Applications should use regular ACL tokens during normal operation. * [`acl_agent_token`](/docs/agent/options.html#acl_agent_token) is used internally by Consul agents to perform operations to the service catalog when registering themselves or sending network coordinates to the servers. This token must at least have `node` ACL