Consul: Restrictions on access to the /v1/catalog/register for anonymous requests do not work

Created on 4 Jun 2020  ·  2 Comments  ·  Source: hashicorp/consul

Overview of the Issue

Consul has ACLs enabled with `default_policy: deny`, and the anonymous token has no policies or roles. Yet anonymous requests sent without any token are still allowed to register/deregister services:

# curl --request PUT --data @payload.json http://127.0.0.1:8500/v1/catalog/register
true
$ curl --request PUT --data @deregister.json http://node-name1:8500/v1/catalog/deregister
true






agent:
    check_monitors = 0
    check_ttls = 0
    checks = 3
    services = 3
build:
    prerelease =
    revision = 9ea1a204
    version = 1.7.2
consul:
    acl = enabled
    bootstrap = false
    known_datacenters = 1
    leader = true
    leader_addr = [external ipv6 addr]:8300
    server = true
raft:
    applied_index = 756211
    commit_index = 756211
    fsm_pending = 0
    last_contact = 0
    last_log_index = 756211
    last_log_term = 124
    last_snapshot_index = 753784
    last_snapshot_term = 124
    latest_configuration = [{Suffrage:Voter ID:3ffc821e-2326-14b6-3ce0-11d1077aac42 Address:[external ipv6 addr]:8300} {Suffrage:Voter ID:076a6ef0-7969-d5a7-1543-6fdfef0af26a Address:[external ipv6 addr]:8300} {Suffrage:Voter ID:201767b2-d0f0-6fc0-1d4b-524eefdf9d98 Address:[external ipv6 addr]:8300}]
    latest_configuration_index = 0
    num_peers = 2
    protocol_version = 3
    protocol_version_max = 3
    protocol_version_min = 0
    snapshot_version_max = 1
    snapshot_version_min = 0
    state = Leader
    term = 124
runtime:
    arch = amd64
    cpu_count = 4
    goroutines = 134
    max_procs = 4
    os = linux
    version = go1.13.7
serf_lan:
    coordinate_resets = 0
    encrypted = true
    event_queue = 0
    event_time = 35
    failed = 0
    health_score = 0
    intent_queue = 0
    left = 0
    member_time = 140
    members = 5
    query_queue = 0
    query_time = 1
serf_wan:
    coordinate_resets = 0
    encrypted = true
    event_queue = 0
    event_time = 1
    failed = 0
    health_score = 0
    intent_queue = 0
    left = 0
    member_time = 39
    members = 3
    query_queue = 0
    query_time = 1






{
 "acl": {
  "enabled": true,
  "default_policy": "deny",
  "tokens": {
   "default": "xxx",
   "replication": "yyy",
   "master": "zzz"
  }
 },
 "primary_datacenter": "dev1",
 "bind_addr": "ipv6addr",
 "bootstrap": false,
 "client_addr": "::",
 "data_dir": "/opt/consul",
 "datacenter": "dev1",
 "disable_anonymous_signature": true,
 "disable_host_node_id": true,
 "disable_remote_exec": true,
 "disable_update_check": true,
 "encrypt": "aaa==",
 "log_level": "TRACE",
 "node_name": "node-name1",
 "enable_local_script_checks": true,
 "enable_debug": true,
 "performance": {
  "raft_multiplier": 1
 },
 "raft_protocol": 3,
 "reconnect_timeout": "8h",
 "server": true,
 "start_join": [
  "node-name1",
  "node-name2",
  "node-name3"
 ],
 "ui": true
}

Operating system and Environment details

Xenial



@TheSpbra1n It looks like you configured the default token (`acl.tokens.default`) in the agent configuration. That token acts as an agent-specific anonymous token: it is attached to every request that arrives without a token, so it is what authorized your request. My guess is that you intended to set the agent token instead, so that the agent can register its own node in the catalog.

Thanks!
