why? service deny policy in ACL rule of anonymous ineffective #2816

bomee · 2017-03-23T01:46:47Z

server and client both are 0.7.5

service "" {
  policy="deny"
}

curl http://host:8500/v1/catalog/services?token=anonymous
anonymous user still view all services info, isn't not safety?

The text was updated successfully, but these errors were encountered:

slackpad · 2017-03-23T02:29:16Z

Hi - we'd need more details about your configuration to figure out what's going on.

bomee · 2017-03-23T05:06:14Z

I have read source code find

func (f *aclFilter) allowService(service string) bool {
	if service == "" || service == ConsulServiceID {
		return true
	}
	return f.acl.ServiceRead(service)
}

a magic code service == ConsulServiceID.What is the intention of this code?

slackpad · 2017-03-23T16:08:04Z

The Consul servers do the registration for that server on behalf of the cluster, so it was excluded from ACLs. That exception should be removed when enforceVersion8 is set, though, so I'll remove it.

Fixes #2816.

slackpad added this to the 0.8.0 milestone Mar 23, 2017

slackpad added a commit that referenced this issue Mar 25, 2017

Gets rid of the Consul service exception under version 8.

5480270

Fixes #2816.

slackpad mentioned this issue Mar 25, 2017

Switches version 8 ACLs to opt-out, and fixes a few issues. #2829

Merged

slackpad closed this as completed in #2829 Mar 25, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

why? service deny policy in ACL rule of anonymous ineffective #2816

why? service deny policy in ACL rule of anonymous ineffective #2816

bomee commented Mar 23, 2017

slackpad commented Mar 23, 2017

bomee commented Mar 23, 2017

slackpad commented Mar 23, 2017

why? service deny policy in ACL rule of anonymous ineffective #2816

why? service deny policy in ACL rule of anonymous ineffective #2816

Comments

bomee commented Mar 23, 2017

slackpad commented Mar 23, 2017

bomee commented Mar 23, 2017

slackpad commented Mar 23, 2017