Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve server-acl-init: Avoid forcibly creating the anonymous token policy when it already exists #2732

Closed
inisitijitty opened this issue Aug 4, 2023 · 3 comments · Fixed by #2790
Closed

Improve server-acl-init: Avoid forcibly creating the anonymous token policy when it already exists #2732

inisitijitty opened this issue Aug 4, 2023 · 3 comments · Fixed by #2790
Labels
type/enhancement New feature or request

Comments

@inisitijitty
Copy link

inisitijitty commented Aug 4, 2023
edited
Loading

Is your feature request related to a problem? Please describe.

I am using Consul with admin partitions, each with its own Helm deployment. In my setup, I've observed that the server-acl-init subcommand forcefully wants to create the anonymous token policy in the default admin partition, even if it already exists. This behavior requires me to grant the bootstrap token acl = "write" permissions, which is not ideal for the security model I am aiming for.

Feature Description

I propose a change where the server-acl-init subcommand first checks if the anonymous token policy already exists before creating it. If the policy is already present, then no action is taken. This would reduce the scope of the bootstrap token permissions, enhancing the overall security and reducing the possibility of privilege escalation.

Here are the relevant code sections:

  • Current server-acl-init behavior: Link
  • Desired behavior from partition-init: Link

Use Case(s)

This feature is particularly useful in scenarios where you are running Consul on Kubernetes in a multi-tenant environment with admin partitions. Each partition requires its own Helm deployment and managing ACL policies becomes crucial to maintaining secure boundaries between different partitions.

Contributions

I would be happy to contribute to this feature, but I may need some guidance on how to get started as this is my first time contributing to Consul.
@inisitijitty inisitijitty added the type/enhancement New feature or request label Aug 4, 2023
@david-yu
Copy link
Contributor

david-yu commented Aug 7, 2023

Thanks for filing, this has also been raised internally as a feature request for triaging and prioritization since this is coming from a Consul Enterprise customer.

@david-yu david-yu linked a pull request Aug 18, 2023 that will close this issue
added check if anonymous token policy exists #2790
Merged
2 tasks
@aahel
Copy link
Contributor

aahel commented Aug 28, 2023
edited
Loading

Is your feature request related to a problem? Please describe.

I am using Consul with admin partitions, each with its own Helm deployment. In my setup, I've observed that the server-acl-init subcommand forcefully wants to create the anonymous token policy in the default admin partition, even if it already exists. This behavior requires me to grant the bootstrap token acl = "write" permissions, which is not ideal for the security model I am aiming for.

Feature Description

I propose a change where the server-acl-init subcommand first checks if the anonymous token policy already exists before creating it. If the policy is already present, then no action is taken. This would reduce the scope of the bootstrap token permissions, enhancing the overall security and reducing the possibility of privilege escalation.

Here are the relevant code sections:

  • Current server-acl-init behavior: Link
  • Desired behavior from partition-init: Link

Use Case(s)

This feature is particularly useful in scenarios where you are running Consul on Kubernetes in a multi-tenant environment with admin partitions. Each partition requires its own Helm deployment and managing ACL policies becomes crucial to maintaining secure boundaries between different partitions.

Contributions

I would be happy to contribute to this feature, but I may need some guidance on how to get started as this is my first time contributing to Consul.

@inisitijitty do you want to use the acl:read for the partition token ? the partition token requires acl:write privilage to create other policies like the cross-namespace-policy.

@inisitijitty
Copy link
Author

@inisitijitty do you want to use the acl:read for the partition token ? the partition token requires acl:write privilage to create other policies like the cross-namespace-policy.

The cross-namespace-policy is established within the admin partition targeted by my deployment. Therefore, I can grant the acl:write permission directly to the partition.

partition "my-partition" {
  acl = "write"
  ...skipped...
}

To offer a bit more background, I'm giving my users a bootstrap token and I intend to associate it with the following policies:

acl = "read"
operator = "read"
agent_prefix "" {
  policy = "read"
}

partition "my-partition" {
  acl = "write"
  mesh = "write"
  peering = "write"
  namespace_prefix "" {
    policy = "write"
  }
  service_prefix "" {
    policy = "write"
  }
}

This setup doesn't work as intended. As highlighted earlier, the server-acl-init subcommand forcefully wants to create the anonymous token policy within the default admin partition. This happens regardless of whether the policy already exists, compelling me to modify the initial policy to:

acl = "write"
operator = "read"
agent_prefix "" {
  policy = "read"
}

And this doesn't fit the security model I have in mind.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

added check if anonymous token policy exists hashicorp/consul-k8s
3 participants
@david-yu @inisitijitty @aahel