Connect Managed Proxy + ACL with default deny policy doesn't work #4441

Closed
mkeeler opened this issue Jul 25, 2018 · 0 comments
Labels
theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies type/bug Feature does not function as expected

mkeeler commented Jul 25, 2018

Overview of the Issue

When Consul starts a managed proxy it passes it a ProxyToken in the environment. This isn't a normal ACL token. It is an agent-local token tied to the proxy. The root cause of managed proxies not working with ACLs with a default deny policy is that many RPC endpoints aren't resolving proxy tokens but are just resolving regular tokens.

One in particular is the Health.ServiceNodes RPC endpoint. When querying /v1/health/connect/:service (as the managed proxy does) it attempts to look up the proxy token as a regular token and fails.

Reproduction Steps

Steps to reproduce this issue, eg:

  1. Create cluster with ACLs enabled
  2. Run a connect managed proxy

Log Fragments

2018/07/23 17:11:10 [ERR] consul: "Health.ServiceNodes" RPC failed to server 192.168.44.12:58300: rpc error making call: ACL not found
2018/07/23 17:11:10 [ERR] http: Request GET /v1/health/connect/redis?connect=true&passing=1&stale=, error: rpc error making call: ACL not found from=127.0.0.1:50886
@mkeeler mkeeler added the type/bug Feature does not function as expected label Jul 26, 2018
@mkeeler mkeeler added this to the 1.2.2 milestone Jul 26, 2018
@banks banks added the theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies label Jul 27, 2018
mkeeler added a commit that referenced this issue Jul 30, 2018
Fixes: #4441

This fixes the issue with Connect Managed Proxies + ACLs being broken.

The underlying problem was that the token parsed for most http endpoints was sent untouched to the servers via the RPC request. These changes make it so that at the HTTP endpoint when parsing the token we additionally attempt to convert potential proxy tokens into regular tokens before sending to the RPC endpoint. Proxy tokens are only valid on the agent with the managed proxy so the resolution has to happen before it gets forwarded anywhere.
mkeeler added a commit that referenced this issue Jul 30, 2018
Update for fixing #4441
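
The token handling described in the issue and the fixing commit, as an added Go sketch that is not Consul's code: an agent resolves its own proxy token to a regular token before the RPC reaches a default-deny server. All type, function and token names here are hypothetical, and the proxy-to-regular token map is an assumed layout with constructed values.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrACLNotFound mirrors the error text in the issue's log fragments.
var ErrACLNotFound = errors.New("ACL not found")

// Server models default-deny ACLs: only regular tokens it knows are allowed.
type Server struct{ acls map[string]bool }

// ServiceNodes stands in for an RPC endpoint such as Health.ServiceNodes.
func (s *Server) ServiceNodes(token, service string) ([]string, error) {
	if !s.acls[token] {
		return nil, ErrACLNotFound
	}
	return []string{service + "-node-1"}, nil
}

// Agent maps its own proxy tokens to a regular token (assumed layout).
type Agent struct {
	proxyTokens map[string]string
	server      *Server
}

// HealthConnect models the HTTP handler. resolve=false forwards the token
// untouched; resolve=true converts a local proxy token before the RPC.
func (a *Agent) HealthConnect(token, service string, resolve bool) ([]string, error) {
	if regular, ok := a.proxyTokens[token]; resolve && ok {
		token = regular
	}
	return a.server.ServiceNodes(token, service)
}

// NewDemo returns two agents on one server; only owner holds the proxy token.
func NewDemo() (owner, other *Agent) {
	srv := &Server{acls: map[string]bool{"regular-redis-token": true}}
	owner = &Agent{map[string]string{"proxy-token-1": "regular-redis-token"}, srv}
	return owner, &Agent{map[string]string{}, srv}
}

func main() {
	owner, _ := NewDemo()
	_, err := owner.HealthConnect("proxy-token-1", "redis", false)
	fmt.Println("forwarded untouched:", err)
	nodes, _ := owner.HealthConnect("proxy-token-1", "redis", true)
	fmt.Println("resolved on agent:", nodes)
}
```

The second agent returned by NewDemo does not hold the proxy token, so the same token presented there is still rejected even with resolution enabled.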