Merge pull request #2844 from hashicorp/agent-acl-default

Disables agent-level enforcement on Consul agents unless acl_datacenter is set.
This commit is contained in:
James Phillips 2017-03-29 13:01:35 -07:00 committed by GitHub
commit e4eb5960fe
3 changed files with 25 additions and 13 deletions

View File

@ -170,7 +170,7 @@ func (m *aclManager) lookupACL(agent *Agent, id string) (acl.ACL, error) {
// At this point we might have a stale cached ACL, or none at all, so // At this point we might have a stale cached ACL, or none at all, so
// try to contact the servers. // try to contact the servers.
args := structs.ACLPolicyRequest{ args := structs.ACLPolicyRequest{
Datacenter: agent.config.Datacenter, Datacenter: agent.config.ACLDatacenter,
ACL: id, ACL: id,
} }
if cached != nil { if cached != nil {
@ -242,6 +242,12 @@ func (a *Agent) resolveToken(id string) (acl.ACL, error) {
return nil, nil return nil, nil
} }
// Bail if there's no ACL datacenter configured. This means that agent
// enforcement isn't on.
if a.config.ACLDatacenter == "" {
return nil, nil
}
// Bail if the ACL manager is disabled. This happens if it gets feedback // Bail if the ACL manager is disabled. This happens if it gets feedback
// from the servers that ACLs are disabled. // from the servers that ACLs are disabled.
if a.acls.isDisabled() { if a.acls.isDisabled() {

View File

@ -422,13 +422,12 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
#### Configuration Key Reference #### Configuration Key Reference
* <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - Only * <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - This designates
used by servers. This designates the datacenter which the datacenter which is authoritative for ACL information. It must be provided to enable ACLs.
is authoritative for ACL information. It must be provided to enable ACLs. All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all
All servers and datacenters must agree on the ACL datacenter. Setting it on you need for cluster-level enforcement, but for the APIs to forward properly from the clients,
the servers is all you need for enforcement, but for the APIs to forward properly it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement
from the clients, it must be set on them too. Future changes may move of ACLs. Please see the [ACL internals guide](/docs/internals/acl.html) for more details.
enforcement to the edges, so it's best to just set `acl_datacenter` on all nodes.
* <a name="acl_default_policy"></a><a href="#acl_default_policy">`acl_default_policy`</a> - Either * <a name="acl_default_policy"></a><a href="#acl_default_policy">`acl_default_policy`</a> - Either
"allow" or "deny"; defaults to "allow". The default policy controls the behavior of a token when "allow" or "deny"; defaults to "allow". The default policy controls the behavior of a token when

View File

@ -579,11 +579,18 @@ Since clients now resolve ACLs locally, the [`acl_down_policy`](/docs/agent/opti
now applies to Consul clients as well as Consul servers. This will determine what the now applies to Consul clients as well as Consul servers. This will determine what the
client will do in the event that the servers are down. client will do in the event that the servers are down.
Consul clients *do not* need to have the [`acl_master_token`](/docs/agent/options.html#acl_agent_master_token) Consul clients must have [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) configured
or the [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) configured. They will in order to enable agent-level ACL features. If this is set, the agents will contact the Consul
contact the Consul servers to determine if ACLs are enabled. If they detect that ACLs are servers to determine if ACLs are enabled at the cluster level. If they detect that ACLs are not
not enabled, they will check at most every 2 minutes to see if they have become enabled, and enabled, they will check at most every 2 minutes to see if they have become enabled, and will
will start enforcing ACLs automatically. start enforcing ACLs automatically. If an agent has an `acl_datacenter` defined, operators will
need to use the [`acl_agent_master_token`](/docs/agent/options.html#acl_agent_master_token) to
perform agent-level operations if the Consul servers aren't present (such as for a manual join
to the cluster), unless the [`acl_down_policy`](/docs/agent/options.html#acl_down_policy) on the
agent is set to "allow".
Non-server agents do not need to have the [`acl_master_token`](/docs/agent/options.html#acl_agent_master_token)
configured; it is not used by agents in any way.
#### New ACL Policies #### New ACL Policies