why? service deny policy in ACL rule of anonymous ineffective #2816

Closed

Closed

why? service deny policy in ACL rule of anonymous ineffective#2816

Milestone

server and client both are 0.7.5

service "" {
  policy="deny"
}

curl http://host:8500/v1/catalog/services?token=anonymous
anonymous user still view all services info, isn't not safety?

Contributor

Hi - we'd need more details about your configuration to figure out what's going on.

Author

I have read source code find

func (f *aclFilter) allowService(service string) bool {
	if service == "" || service == ConsulServiceID {
		return true
	}
	return f.acl.ServiceRead(service)
}

a magic code service == ConsulServiceID.What is the intention of this code?

Contributor

The Consul servers do the registration for that server on behalf of the cluster, so it was excluded from ACLs. That exception should be removed when enforceVersion8 is set, though, so I'll remove it.

added this to the 0.8.0 milestone

on Mar 23, 2017

added a commit that references this issue

on Mar 25, 2017

Gets rid of the Consul service exception under version 8.

mentioned this

on Mar 25, 2017

Switches version 8 ACLs to opt-out, and fixes a few issues. #2829

closed this as completedin #2829

on Mar 25, 2017

to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

Labels

No labels

No labels

Type

No type

Projects

No projects

Milestone

0.8.0
Closed Apr 5, 2017, 100% complete

Relationships

None yet

Development

Code with Copilot Agent Mode

Switches version 8 ACLs to opt-out, and fixes a few issues.hashicorp/consul

Participants