From 00b0633bda36db4e19062fe89f84c9093b81927f Mon Sep 17 00:00:00 2001
From: Blake Covarrubias
Date: Mon, 9 Aug 2021 09:00:33 -0700
Subject: [PATCH] cli: Test API access using /status/leader in consul watch (#10795)

Replace call to /agent/self with /status/leader to verify agent reachability before initializing a watch. This endpoint is not guarded by ACLs, and as such can be queried by any API client regardless of their permissions.

Fixes #9353
---
 .changelog/10795.txt | 4 ++++
 command/watch/watch.go | 10 ++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 .changelog/10795.txt

diff --git a/.changelog/10795.txt b/.changelog/10795.txt
new file mode 100644
index 000000000..361500836
--- /dev/null
+++ b/.changelog/10795.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+cli: Fix a bug which prevented initializing a watch when using a namespaced
+token.
+```
diff --git a/command/watch/watch.go b/command/watch/watch.go
index 915463330..f4e9211c9 100644
--- a/command/watch/watch.go
+++ b/command/watch/watch.go
@@ -158,13 +158,19 @@ func (c *cmd) Run(args []string) int {
 return 1
 }
 
- // Create and test the HTTP client
+ // Create and test that the API is accessible before starting a blocking
+ // loop for the watch.
+ //
+ // Consul does not have a /ping endpoint, so the /status/leader endpoint
+ // will be used as a substitute since it does not require an ACL token to
+ // query, and will always return a response to the client, unless there is a
+ // network communication error.
 client, err := c.http.APIClient()
 if err != nil {
 c.UI.Error(fmt.Sprintf("Error connecting to Consul agent: %s", err))
 return 1
 }
- _, err = client.Agent().NodeName()
+ _, err = client.Status().Leader()
 if err != nil {
 c.UI.Error(fmt.Sprintf("Error querying Consul agent: %s", err))
 return 1
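Review bot: The new pre-flight call `client.Status().Leader()` in the watch.go hunk proves only that the API is reachable; since the added comment itself says the endpoint needs no ACL token, a missing, expired or under-privileged token now passes this check and is reported only once the watch itself runs. I would say so in the comment, e.g. `// This verifies reachability only; token and ACL errors surface later from the watch itself.`, so the probe is not mistaken for an authentication check. The wording "will always return a response to the client, unless there is a network communication error" also reads stronger than the hunk can show: presumably an agent that cannot reach any server still returns an error here, and the discarded leader value may be empty when no leader is elected, so the sentence is worth hedging. `Run` begins and continues outside this hunk, so how a later ACL failure is reported to the user is not visible here.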