NOTE - An updated and more complete example can be found here.
Here's acl.json:
{
"acl_datacenter": "dc1",
"acl_master_token": "root",
"acl_default_policy": "deny"
}
Start the server. Note that we get the expected ACL errors since the server can't register itself with the catalog yet:
$ ./consul agent -server -data-dir=/tmp/consul-node-1 -bootstrap -config-file=acl.json
==> WARNING: Bootstrap mode enabled! Do not enable unless necessary
==> Starting Consul agent...
==> Consul agent running!
Version: 'v0.8.1'
Node ID: '774af59f-23d8-9255-a00c-066067a5db52'
Node name: 'workpad.local'
Datacenter: 'dc1'
Server: true (bootstrap: true)
Client Addr: 127.0.0.1 (HTTP: 8500, HTTPS: -1, DNS: 8600)
Cluster Addr: 10.183.189.160 (LAN: 8301, WAN: 8302)
Gossip encrypt: false, RPC-TLS: false, TLS-Incoming: false
Atlas: <disabled>
==> Log data will now stream in as it occurs:
2017/05/05 08:19:28 [INFO] raft: Initial configuration (index=1): [{Suffrage:Voter ID:10.183.189.160:8300 Address:10.183.189.160:8300}]
2017/05/05 08:19:28 [INFO] raft: Node at 10.183.189.160:8300 [Follower] entering Follower state (Leader: "")
2017/05/05 08:19:28 [INFO] serf: EventMemberJoin: workpad.local 10.183.189.160
2017/05/05 08:19:28 [INFO] consul: Adding LAN server workpad.local (Addr: tcp/10.183.189.160:8300) (DC: dc1)
2017/05/05 08:19:28 [INFO] serf: EventMemberJoin: workpad.local.dc1 10.183.189.160
2017/05/05 08:19:28 [INFO] consul: Handled member-join event for server "workpad.local.dc1" in area "wan"
2017/05/05 08:19:34 [WARN] raft: Heartbeat timeout from "" reached, starting election
2017/05/05 08:19:34 [INFO] raft: Node at 10.183.189.160:8300 [Candidate] entering Candidate state in term 2
2017/05/05 08:19:34 [INFO] raft: Election won. Tally: 1
2017/05/05 08:19:34 [INFO] raft: Node at 10.183.189.160:8300 [Leader] entering Leader state
2017/05/05 08:19:34 [INFO] consul: cluster leadership acquired
2017/05/05 08:19:34 [INFO] consul: New leader elected: workpad.local
2017/05/05 08:19:34 [INFO] consul: member 'workpad.local' joined, marking health alive
2017/05/05 08:19:35 [WARN] agent: Service 'consul' registration blocked by ACLs
2017/05/05 08:19:35 [WARN] agent: Node info update blocked by ACLs
2017/05/05 08:19:58 [ERR] agent: coordinate update error: Permission denied
...
$ curl \
--request PUT \
--data \
'{
"Name": "Server Token",
"Type": "client",
"Rules": "node \"workpad.local\" { policy = \"write\" } service \"consul\" { policy = \"write\" }"
}' http://127.0.0.1:8500/v1/acl/create?token=root
{"ID":"fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1"}
Update acl.json with the token from the previous step:
{
"acl_datacenter": "dc1",
"acl_master_token": "root",
"acl_agent_token": "fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1",
"acl_default_policy": "deny"
}
Stop and start the Consul server. Note that now it can register itself and the consul service with no ACL errors:
$ ./consul agent -server -data-dir=/tmp/consul-node-1 -bootstrap -config-file=acl.json
==> WARNING: Bootstrap mode enabled! Do not enable unless necessary
==> Starting Consul agent...
==> Consul agent running!
Version: 'v0.8.1'
Node ID: '774af59f-23d8-9255-a00c-066067a5db52'
Node name: 'workpad.local'
Datacenter: 'dc1'
Server: true (bootstrap: true)
Client Addr: 127.0.0.1 (HTTP: 8500, HTTPS: -1, DNS: 8600)
Cluster Addr: 10.183.189.160 (LAN: 8301, WAN: 8302)
Gossip encrypt: false, RPC-TLS: false, TLS-Incoming: false
Atlas: <disabled>
==> Log data will now stream in as it occurs:
2017/05/05 08:25:18 [INFO] raft: Initial configuration (index=1): [{Suffrage:Voter ID:10.183.189.160:8300 Address:10.183.189.160:8300}]
2017/05/05 08:25:18 [INFO] raft: Node at 10.183.189.160:8300 [Follower] entering Follower state (Leader: "")
2017/05/05 08:25:18 [INFO] serf: EventMemberJoin: workpad.local 10.183.189.160
2017/05/05 08:25:18 [WARN] serf: Failed to re-join any previously known node
2017/05/05 08:25:18 [INFO] consul: Adding LAN server workpad.local (Addr: tcp/10.183.189.160:8300) (DC: dc1)
2017/05/05 08:25:18 [INFO] serf: EventMemberJoin: workpad.local.dc1 10.183.189.160
2017/05/05 08:25:18 [WARN] serf: Failed to re-join any previously known node
2017/05/05 08:25:18 [INFO] consul: Handled member-join event for server "workpad.local.dc1" in area "wan"
2017/05/05 08:25:25 [ERR] agent: failed to sync remote state: No cluster leader
2017/05/05 08:25:26 [WARN] raft: Heartbeat timeout from "" reached, starting election
2017/05/05 08:25:26 [INFO] raft: Node at 10.183.189.160:8300 [Candidate] entering Candidate state in term 3
2017/05/05 08:25:26 [INFO] raft: Election won. Tally: 1
2017/05/05 08:25:26 [INFO] raft: Node at 10.183.189.160:8300 [Leader] entering Leader state
2017/05/05 08:25:26 [INFO] consul: cluster leadership acquired
2017/05/05 08:25:26 [INFO] consul: New leader elected: workpad.local
2017/05/05 08:25:28 [INFO] agent: Synced service 'consul'
...
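As an added example (not from this thread and not Consul's own code), a small Python helper that builds the agent-token rules and the /v1/acl/create body used above, merges the returned token into acl.json, and lints the result; the node name, token id and finding strings are constructed sample values mirroring the thread.

```python
import json

# Constructed sample values mirroring the thread; not read from a live Consul.
NODE_NAME = "workpad.local"
SAMPLE_TOKEN_ID = "fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1"
BASE_CONFIG = {"acl_datacenter": "dc1", "acl_master_token": "root",
               "acl_default_policy": "deny"}


def agent_token_rules(node_name, services=("consul",)):
    """HCL rules for an agent token: write on the node itself and on each
    service it registers, nothing else (the default policy stays deny)."""
    rules = ['node "%s" { policy = "write" }' % node_name]
    rules += ['service "%s" { policy = "write" }' % svc for svc in services]
    return " ".join(rules)


def acl_create_body(node_name, services=("consul",), name="Server Token"):
    """JSON body for PUT /v1/acl/create; json.dumps does the quote escaping
    that the curl command in the thread does by hand."""
    return json.dumps({"Name": name, "Type": "client",
                       "Rules": agent_token_rules(node_name, services)})


def with_agent_token(config, token_id):
    """Return a new acl.json dict with acl_agent_token set (input untouched)."""
    updated = dict(config)
    updated["acl_agent_token"] = token_id
    return updated


def check_acl_config(config):
    """Lint an acl.json dict; returns a list of findings (empty means ok)."""
    findings = []
    if config.get("acl_default_policy") != "deny":
        findings.append("acl_default_policy is not deny")
    if not config.get("acl_agent_token"):
        findings.append("acl_agent_token unset: registration blocked by ACLs")
    if config.get("acl_master_token") in (None, "", "root"):
        findings.append("acl_master_token is a placeholder value")
    return findings


if __name__ == "__main__":
    print(acl_create_body(NODE_NAME))
    print(check_acl_config(BASE_CONFIG))
    updated = with_agent_token(BASE_CONFIG, SAMPLE_TOKEN_ID)
    print(json.dumps(updated, indent=2), check_acl_config(updated))
```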
Hi @slackpad
I still use this “solution” for my servers (not clients).
But I still don't understand why a server needs the acl_agent_token. The server already uses the most privileged ACL token possible. Why does it need this token to call itself, or why is there no internal mapping of acl_agent_token=acl_master_token when the node is a server?