luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

Merge pull request #2844 from hashicorp/agent-acl-default 

Disables agent-level enforcement on Consul agents unless acl_datacenter is set.
This commit is contained in:
James Phillips 2017-03-29 13:01:35 -07:00 committed by GitHub
parent 75b8ff44e3 4259ecd8bc
commit dd8a14df3e
3 changed files with 25 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
command/agent/acl.go
View File

@ -170,7 +170,7 @@ func (m *aclManager) lookupACL(agent *Agent, id string) (acl.ACL, error) {
// At this point we might have a stale cached ACL, or none at all, so
// try to contact the servers.
args := structs.ACLPolicyRequest{
Datacenter: agent.config.Datacenter,
Datacenter: agent.config.ACLDatacenter,
ACL: id,
}
if cached != nil {
@ -242,6 +242,12 @@ func (a *Agent) resolveToken(id string) (acl.ACL, error) {
return nil, nil
}
// Bail if there's no ACL datacenter configured. This means that agent
// enforcement isn't on.
if a.config.ACLDatacenter == "" {
return nil, nil
}
// Bail if the ACL manager is disabled. This happens if it gets feedback
// from the servers that ACLs are disabled.
if a.acls.isDisabled() {

13
website/source/docs/agent/options.html.markdown
View File

@ -422,13 +422,12 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
#### Configuration Key Reference
* <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - Only
used by servers. This designates the datacenter which
is authoritative for ACL information. It must be provided to enable ACLs.
All servers and datacenters must agree on the ACL datacenter. Setting it on
the servers is all you need for enforcement, but for the APIs to forward properly
from the clients, it must be set on them too. Future changes may move
enforcement to the edges, so it's best to just set `acl_datacenter` on all nodes.
* <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - This designates
the datacenter which is authoritative for ACL information. It must be provided to enable ACLs.
All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all
you need for cluster-level enforcement, but for the APIs to forward properly from the clients,
it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement
of ACLs. Please see the [ACL internals guide](/docs/internals/acl.html) for more details.
* <a name="acl_default_policy"></a><a href="#acl_default_policy">`acl_default_policy`</a> - Either
"allow" or "deny"; defaults to "allow". The default policy controls the behavior of a token when

17
website/source/docs/internals/acl.html.markdown
View File

@ -579,11 +579,18 @@ Since clients now resolve ACLs locally, the [`acl_down_policy`](/docs/agent/opti
now applies to Consul clients as well as Consul servers. This will determine what the
client will do in the event that the servers are down.
Consul clients *do not* need to have the [`acl_master_token`](/docs/agent/options.html#acl_agent_master_token)
or the [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) configured. They will
contact the Consul servers to determine if ACLs are enabled. If they detect that ACLs are
not enabled, they will check at most every 2 minutes to see if they have become enabled, and
will start enforcing ACLs automatically.
Consul clients must have [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) configured
in order to enable agent-level ACL features. If this is set, the agents will contact the Consul
servers to determine if ACLs are enabled at the cluster level. If they detect that ACLs are not
enabled, they will check at most every 2 minutes to see if they have become enabled, and will
start enforcing ACLs automatically. If an agent has an `acl_datacenter` defined, operators will
need to use the [`acl_agent_master_token`](/docs/agent/options.html#acl_agent_master_token) to
perform agent-level operations if the Consul servers aren't present (such as for a manual join
to the cluster), unless the [`acl_down_policy`](/docs/agent/options.html#acl_down_policy) on the
agent is set to "allow".
Non-server agents do not need to have the [`acl_master_token`](/docs/agent/options.html#acl_agent_master_token)
configured; it is not used by agents in any way.
#### New ACL Policies