From c046d1a4d870639227baff629ff304a1b72deede Mon Sep 17 00:00:00 2001
From: "Chris S. Kim"
Date: Mon, 5 Dec 2022 11:26:10 -0500
Subject: [PATCH] Add warn log when all ACL policies are filtered out (#15632)
---
 agent/consul/acl.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/agent/consul/acl.go b/agent/consul/acl.go
index e063d96cac..e0d244b5d6 100644
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@@ -632,6 +632,10 @@ func (r *ACLResolver) resolvePoliciesForIdentity(identity structs.ACLIdentity) (
 policies = append(policies, syntheticPolicies...)
 filtered := r.filterPoliciesByScope(policies)
+ if len(policies) > 0 && len(filtered) == 0 {
+ r.logger.Warn("ACL token used lacks permissions in this datacenter: its associated ACL policies, service identities, and/or node identities are scoped to other datacenters", "accessor_id", identity.ID(), "datacenter", r.config.Datacenter)
+ }
+
 return filtered, nil
 }
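Review bot: The new `r.logger.Warn(...)` call fires on every pass through `resolvePoliciesForIdentity` that ends with an empty `filtered` slice, and nothing in the hunk throttles it. If this path is not served from a resolver cache (not visible here, since the function body starts outside the hunk), a client that keeps presenting a token scoped to other datacenters would produce one warn line per resolution and could crowd out other ACL events. It is worth confirming the call sits behind the cache, or rate-limiting the message per accessor. Please also confirm that `identity.ID()` returns the token's accessor identifier and never the secret, since the value is written to the log under `"accessor_id"`. A short comment above the check would help the next reader, for example `// Every policy was dropped by datacenter scoping: the token resolves but grants nothing here.`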