Ajeet Khan

Reputation: 9190

ACL not getting enabled in consul

I have set up Consul on a single instance. The web UI is running perfectly, but the ACLs are not enabled. Previously I did not have any config file, but now I have created a config.json file in /etc/consul.d/bootstrap/ with the following content:

{
    "bootstrap": true,
    "server": true,
    "datacenter": "dc1",
    "acl_datacenter": "dc1",
    "data_dir": "/var/consul",
    "encrypt": "consul keygen output",
    "ca_file": "/etc/consul.d/ssl/ca.cert",
    "cert_file": "/etc/consul.d/ssl/consul.cert",
    "key_file": "/etc/consul.d/ssl/consul.key",
    "verify_incoming": true,
    "verify_outgoing": true,
    "log_level": "INFO",
    "enable_syslog": true
}

Then I ran the following command:

consul agent -server -bootstrap -data-dir /tmp/consul -ui-dir /home/ubuntu/dist/ -client=X.X.X.X

where X.X.X.X is the private IP of my instance.

But the ACLs are not getting enabled.

/etc/consul.d/server/config.json

{
    "bootstrap": false,
    "server": false,
    "log_level": "DEBUG",
    "enable_syslog": true,
    "datacenter": "dc1",
    "data_dir": "/var/consul",
    "ui_dir": "/home/ubuntu/dist",
    "acl_datacenter": "dc1",
    "encrypt": "SECRET"
}

/etc/consul.d/server/config.json

{
    "bootstrap": false,
    "server": true,
    "log_level": "DEBUG",
    "enable_syslog": true,
    "datacenter": "dc1",
    "data_dir": "/var/consul",
    "acl_datacenter": "dc1",
    "acl_default_policy": "allow",
    "encrypt": "SECRET"
}

Working config file

{
    "bootstrap": true,
    "server": true,
    "log_level": "DEBUG",
    "enable_syslog": true,
    "datacenter": "dc1",
    "addresses" : {
      "http": "X.X.X.X"
    },
    "bind_addr": "X.X.X.X",
    "node_name": "X.X.X.X",
    "data_dir": "/tmp/consul",
    "ui_dir": "~/dist",
    "acl_datacenter": "dc1",
    "acl_master_token": "secret",
    "encrypt": "secret"
}

Now run the following command:

consul agent -config-dir ~/server -ui-dir ~/dist -bootstrap true -client=X.X.X.X

Upvotes: 9

Views: 5143

Answers (1)

cskksc

Reputation: 68

You are missing the master token in your configuration. If you add this,

"acl_master_token": "secret", and use the same token in your UI, you should be able to use the ACL.

Note: If you are using a single-node instance, do not set the acl_token property to the same value as your master token. This would mean anyone with access to the UI would have access to the master token, essentially bypassing all your ACL rules. This property should be set only on server nodes.

After getting it running well, I created a screencast to demonstrate how to set up Consul on a single server. Here is the link

Upvotes: 4
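The checks discussed in this thread can be run over a config file before the agent starts. The script below is an added example, not part of the original question or answer and not Consul's own tooling. It assumes the legacy ACL keys used on this page, where acl_default_policy defaults to allow when unset; the sample configs and finding codes are constructed.

```python
import json

# Constructed sample configs using the legacy ACL keys that appear on this page.
SAMPLES = {
    "no_master": '{"server": true, "acl_datacenter": "dc1"}',
    "token_reuse": '{"server": true, "acl_datacenter": "dc1", '
                   '"acl_master_token": "PLACEHOLDER", "acl_token": "PLACEHOLDER", '
                   '"acl_default_policy": "deny"}',
    "hardened": '{"server": true, "acl_datacenter": "dc1", '
                '"acl_master_token": "PLACEHOLDER", "acl_default_policy": "deny"}',
    "bad_json": '{"acl_datacenter": "dc1" "encrypt": "PLACEHOLDER"}',
}


def audit_acl_config(text):
    """Return finding codes for one legacy-style Consul agent config (JSON text)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return ["invalid-json"]            # e.g. a missing comma between keys
    if not isinstance(cfg, dict):
        return ["invalid-json"]            # a config file must be a JSON object
    if not cfg.get("acl_datacenter"):
        return ["acl-disabled"]            # ACLs stay off without acl_datacenter
    findings = []
    master = cfg.get("acl_master_token")
    if cfg.get("server") and not master:
        findings.append("no-master-token")      # the gap the answer points out
    if master and cfg.get("acl_token") == master:
        findings.append("acl-token-is-master")  # UI users inherit the master token
    if cfg.get("acl_default_policy", "allow") == "allow":
        findings.append("default-allow")        # requests without a matching rule pass
    return findings


def audit_all(samples):
    """Audit every named config and return {name: findings}."""
    return {name: audit_acl_config(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```
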
