Configure anonymous token policy for connect #230
Merged
Commits on Mar 19, 2020
-
Configure anonymous token policy for connect
When running Consul Connect, cross-dc calls require that the anonymous token has read permissions on all services. This change updates the server-acl-init command to give the anonymous token those permissions if connect is enabled. Since we already set those permissions in the case of dns being enabled, the change was to also set those permissions in the case of connect being enabled. To detect connect being enabled, we used the presence of the -create-inject-auth-method flag since that's set when connect is enabled. The policy was renamed from dns-policy to anonymous-token-policy since it applies for more than just dns now. In existing installations, a new policy with that name will be created and attached to the anonymous token that will duplicate the old dns-policy but will have no detrimental effects.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.