Merge pull request #2844 from hashicorp/agent-acl-default
Disables agent-level enforcement on Consul agents unless acl_datacenter is set.
slackpad authored Mar 29, 2017
2 parents 33ab068 + 11ee9a9 commit e4eb596
Showing 3 changed files with 25 additions and 13 deletions.
8 changes: 7 additions & 1 deletion command/agent/acl.go
Expand Up @@ -170,7 +170,7 @@ func (m *aclManager) lookupACL(agent *Agent, id string) (acl.ACL, error) {
// At this point we might have a stale cached ACL, or none at all, so
// try to contact the servers.
args := structs.ACLPolicyRequest{
Datacenter: agent.config.Datacenter,
Datacenter: agent.config.ACLDatacenter,
ACL: id,
}
if cached != nil {
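Review bot: `lookupACL` now fills `Datacenter` from `agent.config.ACLDatacenter` but does not itself check that the value is non-empty; the only guard visible in this commit is the one added to `resolveToken`. If `lookupACL` is reachable by any other path, it would send an `ACLPolicyRequest` with an empty datacenter. Consider either an early return here or a comment on the function stating that callers must have checked `ACLDatacenter` first, plus a short comment at the `Datacenter:` field saying why the policy request goes to the ACL datacenter rather than the agent's own.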
Expand Down Expand Up @@ -242,6 +242,12 @@ func (a *Agent) resolveToken(id string) (acl.ACL, error) {
return nil, nil
}

// Bail if there's no ACL datacenter configured. This means that agent
// enforcement isn't on.
if a.config.ACLDatacenter == "" {
return nil, nil
}

// Bail if the ACL manager is disabled. This happens if it gets feedback
// from the servers that ACLs are disabled.
if a.acls.isDisabled() {
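Review bot: The new `a.config.ACLDatacenter == ""` check in `resolveToken` returns `nil, nil`, the same result as the bail-out just above it, so the agent skips enforcement silently and a caller cannot tell "not configured" apart from the other cases. Because a client that simply lacks `acl_datacenter` now enforces nothing at the agent level, a single log line at startup (not per call) stating that agent-level ACL enforcement is off would make that misconfiguration visible to operators. None of the 3 changed files is a test, so this branch is also uncovered; a test asserting that `resolveToken` returns a nil ACL and nil error when `ACLDatacenter` is empty would pin the behavior down.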
13 changes: 6 additions & 7 deletions website/source/docs/agent/options.html.markdown
Expand Up @@ -422,13 +422,12 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass

#### Configuration Key Reference

* <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - Only
used by servers. This designates the datacenter which
is authoritative for ACL information. It must be provided to enable ACLs.
All servers and datacenters must agree on the ACL datacenter. Setting it on
the servers is all you need for enforcement, but for the APIs to forward properly
from the clients, it must be set on them too. Future changes may move
enforcement to the edges, so it's best to just set `acl_datacenter` on all nodes.
* <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - This designates
the datacenter which is authoritative for ACL information. It must be provided to enable ACLs.
All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all
you need for cluster-level enforcement, but for the APIs to forward properly from the clients,
it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement
of ACLs. Please see the [ACL internals guide](/docs/internals/acl.html) for more details.

* <a name="acl_default_policy"></a><a href="#acl_default_policy">`acl_default_policy`</a> - Either
"allow" or "deny"; defaults to "allow". The default policy controls the behavior of a token when
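Review bot: The rewritten `acl_datacenter` entry says the setting "also enables agent-level enforcement" in Consul 0.8 and later, but it never states the converse, and it drops the old advice to set `acl_datacenter` on all nodes. An operator who upgrades with the key set only on servers ends up with no agent-level enforcement on clients, which is easy to miss from this wording. Suggest one explicit sentence that agents without `acl_datacenter` do not enforce ACLs locally, and keeping the recommendation to set it on every node.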
17 changes: 12 additions & 5 deletions website/source/docs/internals/acl.html.markdown
Expand Up @@ -579,11 +579,18 @@ Since clients now resolve ACLs locally, the [`acl_down_policy`](/docs/agent/opti
now applies to Consul clients as well as Consul servers. This will determine what the
client will do in the event that the servers are down.

Consul clients *do not* need to have the [`acl_master_token`](/docs/agent/options.html#acl_agent_master_token)
or the [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) configured. They will
contact the Consul servers to determine if ACLs are enabled. If they detect that ACLs are
not enabled, they will check at most every 2 minutes to see if they have become enabled, and
will start enforcing ACLs automatically.
Consul clients must have [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) configured
in order to enable agent-level ACL features. If this is set, the agents will contact the Consul
servers to determine if ACLs are enabled at the cluster level. If they detect that ACLs are not
enabled, they will check at most every 2 minutes to see if they have become enabled, and will
start enforcing ACLs automatically. If an agent has an `acl_datacenter` defined, operators will
need to use the [`acl_agent_master_token`](/docs/agent/options.html#acl_agent_master_token) to
perform agent-level operations if the Consul servers aren't present (such as for a manual join
to the cluster), unless the [`acl_down_policy`](/docs/agent/options.html#acl_down_policy) on the
agent is set to "allow".

Non-server agents do not need to have the [`acl_master_token`](/docs/agent/options.html#acl_agent_master_token)
configured; it is not used by agents in any way.

#### New ACL Policies
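Review bot: In the added "Non-server agents" paragraph the link text is `acl_master_token` but the target is `/docs/agent/options.html#acl_agent_master_token`, the same anchor the paragraph above uses for `acl_agent_master_token`. The mismatch is carried over from the removed paragraph; since the sentence says this token is not used by agents, sending readers to the agent master token entry is misleading. The anchor should presumably be `#acl_master_token`, following the name-equals-key pattern seen for `#acl_datacenter`.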

