Able to deregister node via UI with acl_default_policy = deny on Consul 0.6.3

[ashald]

I'm setting up a Consul cluster from 3 node for evaluation purposes using version 0.6.3.

Here is my configuration:

{
    "acl_datacenter": "main-dc",
    "acl_default_policy": "deny",
    "acl_master_token": "secret-of-consul",

    "bootstrap_expect": 3,
    "bind_addr": "192.168.1.10",

    "client_addr": "192.168.1.10",

    "encrypt": "value-removed",

    "datacenter": "main-dc",
    "data_dir": "/var/data/consul",
    "domain": "internal.",

    "log_level": "trace",

    "rejoin_after_leave": true,
    "retry_join": ["192.168.1.11", "192.168.1.12"]

    "server": true,

    "ui": true,
    "ui_dir": "/opt/consul/current/var/data/web-ui",
}

The only different thing is obviously bind_addr and client_addr.
I'm using ui_dir because of issue #1071.

Now if I open private window in my browser and go to UI I can deregister any node.
It's a bug or a feature? :) I'd like to disallow de-registering of node by anonymous.

[slackpad]

Hi @ashald thanks for opening an issue. This is indeed a "feature" in the current versions of Consul and we've got an open issue to add an ACL to protect this - #1383.

[ashald]

Thanks for quick reply!