I use the docker image gliderlabs/docker-consul to set up a single Consul server and have a consul.json config like below:
```json
{
  "datacenter": "redbook1",
  "acl_master_token": "redbook",
  "acl_datacenter": "redbook1",
  "acl_default_policy": "deny",
  "data_dir": "/data",
  "ui_dir": "/ui",
  "client_addr": "0.0.0.0",
  "ports": {
    "dns": 53
  },
  "recursor": "8.8.8.8",
  "disable_update_check": true
}
```
So most things work as expected (i.e. cannot register a service without a token, cannot update key/value without proper rules), except:
Is it possible to deny those requests from ACL? Thanks!
As per the ACL System documentation, ACLs are currently only supported for the K/V store and Services.
So no, at this time, it's not possible to do what you want. I believe the Hashicorp guys have stated it's on the roadmap for the future but it's not available right now.
For deregister specifically, you could try using a proxy to deny access to the URI/method needed to deregister nodes but it would still show up in the UI and return a 403 if someone clicked on it.
Service discovery ACLs were added in https://github.com/hashicorp/consul/pull/1024 and are part of the upcoming Consul 0.6. Deregister isn't currently covered so I'll mark this as an enhancement.
Thanks!
How come the UI on the demo (http://nyc3.demo.consul.io/ui/#/nyc3/nodes/nyc3-server-1) not have the "Deregister" button? Is it because it's running an older version of Consul/UI before #364 was implemented?
Hi Calvin - yes, we are in the process of updating it. The demo has some extra branding for Digital Ocean so we need to update a fork with those changes and the latest UI code.
Is there anyone working on this issue? 0.6 is out and it still doesn't control the deregister request. We need this before production deployment; I will make a fix for our deployments and pull it here.
Hi @zeldal this didn't make it into 0.6.1 but we will try to get it into the next release.
We are going to add some protections with different tools to avoid this for now. I will be eager to upgrade to a newer version when this is fixed.
Best regards.
Hi, any plans to release this shortly? Unfortunately, given the nature of SSL certs, it's going to be wide open in my company and I would like to lock this down.
+1 on the need to deny node de-registration from the UI
+1, same for me; I need to disable "deregister" in the UI for the anonymous ACL.
Version 0.6.4. ACL can't control the "deregister" button in the UI?
+1. Giving people an ACL to manage their configuration values on a KV tree also allows them to deregister nodes. If these nodes drive consul-template it could cause havoc in an environment. Deregister could, in the short term, be limited to only the master token (but this should not affect consul agent behavior).
+1 for this feature. Deregister is a very powerful option to have wide open.
For now I'm working around it by commenting out the HTML code for the UI to hide the button, but this is ugly.
This is needed!
It appears that the demo Consul instance at demo.consul.io is returning a 403 whenever you attempt to deregister a node. How does that work at the moment if this is still an open issue?
@jwbennet that setup is behind a proxy.
I see, thank you for the information. Is there any documentation on endpoints which should be disabled behind the proxy like that until proper ACLs are in place? I'm assuming at least "/v1/catalog/deregister" to handle this for the UI and probably "/v1/agent/force-leave/
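The proxy workaround suggested earlier in the thread and asked about in the comment above, as an added example that is not part of the original thread and not Consul's own code. It assumes a Consul agent on 127.0.0.1:8500 that clients (including the web UI) can only reach through this proxy on port 8501, and it blocks the two endpoints named in the thread, `/v1/catalog/deregister` and `/v1/agent/force-leave/...`; both the addresses and the deny list are assumptions for illustration, not an exhaustive audit of the Consul HTTP API.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// deniedPaths lists the HTTP API endpoints this example refuses to forward.
// These are the endpoints named in the thread for removing nodes; the list is
// an assumption for illustration, not a complete audit of the Consul API.
var deniedPaths = []string{
	"/v1/catalog/deregister",
	"/v1/agent/force-leave",
}

// denied reports whether a request path should be blocked before it reaches
// Consul. The path is cleaned first so that "//v1/catalog/deregister" or
// "/v1/kv/../catalog/deregister" cannot slip past a plain prefix check. Every
// method is refused, not only PUT, so the rule does not depend on which
// methods a given agent version accepts on these endpoints.
func denied(p string) bool {
	clean := path.Clean("/" + p)
	for _, d := range deniedPaths {
		if clean == d || strings.HasPrefix(clean, d+"/") {
			return true
		}
	}
	return false
}

// NewGuard wraps an upstream handler (here a reverse proxy to the agent) and
// answers 403 for denied paths. The cleaned path is what gets forwarded, so
// the guard and Consul agree on what was requested.
func NewGuard(upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if denied(r.URL.Path) {
			http.Error(w, "node deregistration is blocked at the proxy", http.StatusForbidden)
			return
		}
		r.URL.Path = path.Clean("/" + r.URL.Path)
		r.URL.RawPath = ""
		upstream.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed addresses: the agent listens on loopback only, and clients
	// (including the web UI) reach it through this proxy on :8501.
	target, err := url.Parse("http://127.0.0.1:8500")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8501", NewGuard(httputil.NewSingleHostReverseProxy(target))))
}
```

This only helps if the proxy is the sole route to the agent: with `"client_addr": "0.0.0.0"` as in the config at the top of the thread, anyone who can reach port 8500 directly bypasses it, so bind the agent to 127.0.0.1 or firewall the port. As noted earlier in the thread, the UI still renders the Deregister button; clicking it just returns the 403.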
Did this change make it into 0.7.0?
@claudio-viola it didn't make it into 0.7.0 - it's high on the list for a follow-on release.
thanks for letting us know @slackpad !
Support for this was added in 0.7.2 on an opt-in basis and will be opt-out in 0.8 - https://www.consul.io/docs/internals/acl.html#version_8_acls.