cli: Test API access using /status/leader in consul watch (#10795)

Replace call to /agent/self with /status/leader to verify agent
reachability before initializing a watch. This endpoint is not guarded
by ACLs, and as such can be queried by any API client regardless of
their permissions.

Fixes #9353
This commit is contained in:
Blake Covarrubias 2021-08-09 09:00:33 -07:00 committed by GitHub
parent 87fb26fd65
commit 00b0633bda
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 2 deletions

4
.changelog/10795.txt Normal file
View File

@ -0,0 +1,4 @@
```release-note:bug
cli: Fix a bug which prevented initializing a watch when using a namespaced
token.
```

View File

@ -158,13 +158,19 @@ func (c *cmd) Run(args []string) int {
return 1 return 1
} }
// Create and test the HTTP client // Create and test that the API is accessible before starting a blocking
// loop for the watch.
//
// Consul does not have a /ping endpoint, so the /status/leader endpoint
// will be used as a substitute since it does not require an ACL token to
// query, and will always return a response to the client, unless there is a
// network communication error.
client, err := c.http.APIClient() client, err := c.http.APIClient()
if err != nil { if err != nil {
c.UI.Error(fmt.Sprintf("Error connecting to Consul agent: %s", err)) c.UI.Error(fmt.Sprintf("Error connecting to Consul agent: %s", err))
return 1 return 1
} }
_, err = client.Agent().NodeName() _, err = client.Status().Leader()
if err != nil { if err != nil {
c.UI.Error(fmt.Sprintf("Error querying Consul agent: %s", err)) c.UI.Error(fmt.Sprintf("Error querying Consul agent: %s", err))
return 1 return 1