Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Why is ACL ID read-only? #192

Closed
rytutis opened this issue Oct 9, 2015 · 12 comments
Closed

Why is ACL ID read-only? #192

rytutis opened this issue Oct 9, 2015 · 12 comments

Comments

@rytutis
Copy link

rytutis commented Oct 9, 2015

Hi,

https://github.com/solarkennedy/puppet-consul/blob/master/lib/puppet/type/consul_acl.rb#L40

Consul allows setting the ID when creating a token, wonder why is it read only in puppet-consul?

@solarkennedy
Copy link
Contributor

It may have been read-only at the time that it was made. @mdelagrange or @michaeltchapman do you guys know? I haven't worked with acls much.

@mdelagrange
Copy link
Contributor

I don't know if there is a good puppet reason to make it read-only, but @rytutis is correct that it can be set in the API.

@aj-jester
Copy link

Right, this feature wasn't added until consul 0.5.1. We can make it read-write and hopefully folks are on one of the latest releases.

https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#051-may-13-2015
hashicorp/consul#909

@michaeltchapman
Copy link
Contributor

There's nothing special about the attribute's treatment in the provider afaict so changing it to read-write shouldn't be an issue.

@reppard
Copy link

reppard commented Oct 14, 2015

I've been bang my head on my keyboard for a little while now. Is there a way to configured the Anonymous Token's policy via this module? Simply trying to disable write perms for annoymous.

    consul_acl { 'anonymous':                                                                                                                                                               
      ensure        => 'present',                                                                                                                                                           
      name          => 'Anonymous Token',                                                                                                                                                   
      acl_api_token => 'sUp3rS3cr3t',                                                                                                                                                           
      rules         => {                                                                                                                                                                    
        'key'       => {                                                                                                                                                                    
          ''        => {'policy'    => 'read'}                                                                                                                                              
        },                                                                                                                                                                                  
        'key' => {                                                                                                                                                                          
          '_rexec' => {'policy' => 'write'}                                                                                                                                                 
        },                                                                                                                                                                                  
      },                                                                                                                                                                                    
      type => 'client',                                                                                                                                                                     
    } 

I keep getting Connection Refused like consul isn't up yet when consul_acl makes the api call.

EDIT:
Also seeing this:

Could not evaluate: Cannot retrieve ACLs: invalid return code 500 uri: /v1/acl/list?token=sUp3rS3cr3t

@mdelagrange
Copy link
Contributor

@reppard it should work. I configure the Anonymous Token in much the same way without issue. Maybe it's a problem with your ACL token?

@reppard
Copy link

reppard commented Oct 14, 2015

@mdelagrange Thanks for the input. I've confirmed it to be timing with this terrible hack job

  exec { 'wait_a_damn_minute' :                                                                                                                                                               
    command => "echo 'Waiting...' && sleep 30",                                                                                                                                               
    path  => "/usr/bin:/bin",                                                                                                                                                                 
  }                                                                                                                                                                                           

  consul_acl { 'anonymous':                                                                                                                                                                   
    ensure        => 'present',                                                                                                                                                               
    name          => 'Anonymous Token',                                                                                                                                                       
    acl_api_token => 'S3Cr3tStuFFs',                                                                                                                                                               
    rules => {                                                                                                                                                                                
      'key' => {                                                                                                                                                                              
        "" => {'policy'    => 'read'},                                                                                                                                                        
        '_rexec' => {'policy' => 'write'},                                                                                                                                                    
      }                                                                                                                                                                                       
    },                                                                                                                                                                                        
    type    => 'client',                                                                                                                                                                      
    require => Exec['wait_a_damn_minute'],                                                                                                                                                    
  }  

Should I create another issue you think? Seems like a poll and wait could be added for this api call.

@mdelagrange
Copy link
Contributor

Yeah I'd recommend that. I've also experienced acl timeouts when I make a puppet change that leads to a consul restart. My guess is that Consul returns from startup before the API is available, but it could also be an issue in the puppet-consul logic somewhere.

@aj-jester
Copy link

@reppard Feel free to open a separate issue and I can take a look.

I think the general consensus here is to make this write as well, have some time this week I can look into this. If anyone else wants to work on this feel free.

@reppard
Copy link

reppard commented Oct 14, 2015

@aj-jester Thanks man! I created another issue. I want to use consul as a secret storage backend for vault. seems silly to have an anon policy that can read and write to everything for this use case. If I have time I may look into a possible solution and submit a PR if I get one going. Thanks for the great work.

@solarkennedy
Copy link
Contributor

@mdelagrange good to close?

@mdelagrange
Copy link
Contributor

yeah i think that will do it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants