ACL support on agent force-leave endpoint #16805

Closed
andrake81 opened this issue Mar 29, 2023 · 4 comments
Labels
theme/acls ACL and token generation theme/api Relating to the HTTP API interface type/bug Feature does not function as expected

Comments

@andrake81

Overview of the Issue

Can this PR be kindly reviewed? #15987

Reproduction Steps

Steps to reproduce this issue:

  1. Create a cluster with ACL, integrated with Vault
  2. agent/force-leave endpoint is ACL protected but passing a token will not help as it's not being utilized
  3. View error:
```
< content-length: 113
< vary: Accept-Encoding
< x-consul-default-acl-policy: deny
<
* Connection #0 to host consul.server.net left intact
Permission denied: token with AccessorID 'dacd6887-313d-cb3f-1820-0994797e4375' lacks permission 'operator:write'
```

@jkirschner-hashicorp
Contributor

Making sure I understand: the execution of the operation is ACL protected, but the token you provide in the HTTP request isn't actually passed along to the authorizer for that operation?

@jkirschner-hashicorp jkirschner-hashicorp added theme/api Relating to the HTTP API interface theme/acls ACL and token generation type/bug Feature does not function as expected labels Apr 5, 2023
@andreikom
Contributor

Exactly @jkirschner-hashicorp

@pglass

pglass commented Apr 18, 2023

Hi, for informational purposes if others come across this issue: The api.Client supports setting a token used for all requests, so something like the following will work as a potential alternative in the meantime.

```go
cfg := api.DefaultConfig()
cfg.Token = "<token>"

client, _ := api.NewClient(cfg)
err := client.Agent().ForceLeave("node1")
```

@pglass

pglass commented May 5, 2023

#15987 has merged so closing this issue.

The next release of the api package includes the ForceLeaveOptions method that accepts query parameters where the token can be specified:

```go
cfg := api.DefaultConfig()
client, _ := api.NewClient(cfg)
err := client.Agent().ForceLeaveOptions("node1", api.ForceLeaveOpts{}, &api.QueryOptions{
	Token: "<token>",
})
```

@pglass pglass closed this as completed May 5, 2023
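
A self-contained check of the behaviour discussed in this issue, added here as an example (it is not code from the Consul project or from the commenters): a mock agent built with `net/http/httptest` rejects `PUT /v1/agent/force-leave/<node>` unless the `X-Consul-Token` header carries the expected token, so the same call can be compared with and without the token on the wire. The mock server, its 403 response, the helper names and the token value are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// constructedToken is a made-up value for this example, not a real Consul token.
const constructedToken = "example-operator-write-token"

// newMockAgent stands in for an ACL-enabled agent with default policy deny:
// force-leave succeeds only when X-Consul-Token carries the expected token.
func newMockAgent() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/agent/force-leave/", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		if r.Header.Get("X-Consul-Token") != constructedToken {
			http.Error(w, "Permission denied", http.StatusForbidden) // mock response
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	return httptest.NewServer(mux)
}

// forceLeave issues the request. An empty token models a client call path
// that never attaches the caller's token to the request.
func forceLeave(baseURL, node, token string) (int, error) {
	req, err := http.NewRequest(http.MethodPut, baseURL+"/v1/agent/force-leave/"+node, nil)
	if err != nil {
		return 0, err
	}
	if token != "" {
		req.Header.Set("X-Consul-Token", token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := newMockAgent()
	defer srv.Close()
	without, _ := forceLeave(srv.URL, "node1", "")
	with, _ := forceLeave(srv.URL, "node1", constructedToken)
	fmt.Println("without token:", without, "with token:", with) // without token: 403 with token: 200
}
```

The same pattern works as a regression test for any wrapper around the endpoint: point it at the mock and assert that the token header actually arrives.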