Overview of the Issue
While securing my consul cluster I suddenly found that anonymous client agents (which don't have ACLs enabled) could join a consul cluster with ACLs enabled. In my case, anonymous agents could stably join the cluster only at the "serf" level but fortunately couldn't publish any service.
I hope I made something wrong in my configuration, but lots of checks and RTFMs show that this is a security bug. It's very strange that anyone could join the cluster despite ACLs being enabled in it.
Reproduction Steps
Bootstrap the cluster (I have only one server in it).
Server log (partial):
consul | 2020-05-18T23:53:56.990+0300 [WARN] agent: Coordinate update blocked by ACLs: accessorID=
consul | 2020-05-18T23:54:06.252+0300 [DEBUG] agent.server.autopilot: Failed to remove dead servers: error="denied, because removing the majority of servers 1/1 is not safe"
consul | 2020-05-18T23:54:08.135+0300 [DEBUG] agent.server.router.manager: Rebalanced servers, new active server: number_of_servers=1 active_server="demo-dir.dc1 (Addr: tcp/192.168.0.254:8300) (DC: dc1)"
consul | 2020-05-18T23:54:14.074+0300 [DEBUG] agent.server.memberlist.lan: memberlist: Stream connection from=192.168.0.2:55562
consul | 2020-05-18T23:54:14.076+0300 [INFO] agent.server.serf.lan: serf: EventMemberJoin: demo-ref-en 192.168.0.2
consul | 2020-05-18T23:54:14.076+0300 [INFO] agent.server: member joined, marking health alive: member=demo-ref-en
consul | 2020-05-18T23:54:14.270+0300 [INFO] agent.server.serf.lan: serf: EventMemberUpdate: demo-ref-en
consul | 2020-05-18T23:54:14.270+0300 [DEBUG] agent.server.serf.lan: serf: messageJoinType: demo-ref-en
consul | 2020-05-18T23:54:14.460+0300 [DEBUG] agent.acl: dropping check from result due to ACLs: check=serfHealth
consul | 2020-05-18T23:54:14.469+0300 [DEBUG] agent.server.serf.lan: serf: messageJoinType: demo-ref-en
consul | 2020-05-18T23:54:14.669+0300 [DEBUG] agent.server.serf.lan: serf: messageJoinType: demo-ref-en
consul | 2020-05-18T23:54:14.869+0300 [DEBUG] agent.server.serf.lan: serf: messageJoinType: demo-ref-en
consul | 2020-05-18T23:54:15.623+0300 [DEBUG] agent.server: Skipping self join check for node since the cluster is too small: node=demo-dir
consul | 2020-05-18T23:54:16.252+0300 [DEBUG] agent.server.autopilot: Failed to remove dead servers: error="denied, because removing the majority of servers 1/1 is not safe"
consul | 2020-05-18T23:54:16.334+0300 [DEBUG] agent.server.memberlist.lan: memberlist: Initiating push/pull sync with: demo-ref-en 192.168.0.2:8301
consul | 2020-05-18T23:54:25.863+0300 [WARN] agent: Coordinate update blocked by ACLs: accessorID=
consul | 2020-05-18T23:54:26.252+0300 [DEBUG] agent.server.autopilot: Failed to remove dead servers: error="denied, because removing the majority of servers 1/1 is not safe"
consul | 2020-05-18T23:54:36.252+0300 [DEBUG] agent.server.autopilot: Failed to remove dead servers: error="denied, because removing the majority of servers 1/1 is not safe"
consul | 2020-05-18T23:54:46.252+0300 [DEBUG] agent.server.autopilot: Failed to remove dead servers: error="denied, because removing the majority of servers 1/1 is not safe"
consul | 2020-05-18T23:54:46.341+0300 [DEBUG] agent.server.memberlist.lan: memberlist: Initiating push/pull sync with: demo-ref-en 192.168.0.2:8301
consul | 2020-05-18T23:54:46.602+0300 [WARN] agent: Coordinate update blocked by ACLs: accessorID=
consul | 2020-05-18T23:54:56.252+0300 [DEBUG] agent.server.autopilot: Failed to remove dead servers: error="denied, because removing the majority of servers 1/1 is not safe"
consul | 2020-05-18T23:55:04.950+0300 [WARN] agent: Coordinate update blocked by ACLs: accessorID=
consul | 2020-05-18T23:55:06.252+0300 [DEBUG] agent.server.autopilot: Failed to remove dead servers: error="denied, because removing the majority of servers 1/1 is not safe"
consul | 2020-05-18T23:55:06.361+0300 [DEBUG] agent.server.memberlist.lan: memberlist: Stream connection from=192.168.0.2:55564
Cluster nodes (on server agent):
# consul catalog nodes
Node ID Address DC
demo-dir 6508cb69 192.168.0.254 dc1
demo-ref-en 47925609 192.168.0.2 dc1
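The report's log lines carry two separate signals worth monitoring: a LAN serf `EventMemberJoin` from a node that is not in your inventory, and `Coordinate update blocked by ACLs: accessorID=` warnings, which the Consul agent emits about its own coordinate-update RPC when the token it uses lacks `node:write`. The caveat a defender should keep in mind is that membership at the gossip layer is gated by the gossip encryption key, not by ACLs; ACLs only gate RPC and HTTP operations such as service registration, which is why the anonymous agent above could join serf but not publish a service. The following script is an added example (not part of the original issue and not Consul's own tooling) that parses the agent log format shown above and reports both signals. The sample log is constructed from lines in the report, and the expected node inventory `{"demo-dir"}` is an assumption for the sake of the example.

```python
"""Audit Consul agent log lines for unexpected LAN serf joins and ACL-blocked coordinate updates.

Added example; it is not code from the original issue or from the Consul project.
"""
import re
from collections import Counter

# Constructed sample: lines copied in shape from the issue's server log.
SAMPLE_LOG = """\
consul | 2020-05-18T23:53:56.990+0300 [WARN] agent: Coordinate update blocked by ACLs: accessorID=
consul | 2020-05-18T23:54:14.074+0300 [DEBUG] agent.server.memberlist.lan: memberlist: Stream connection from=192.168.0.2:55562
consul | 2020-05-18T23:54:14.076+0300 [INFO] agent.server.serf.lan: serf: EventMemberJoin: demo-ref-en 192.168.0.2
consul | 2020-05-18T23:54:14.076+0300 [INFO] agent.server: member joined, marking health alive: member=demo-ref-en
consul | 2020-05-18T23:54:14.460+0300 [DEBUG] agent.acl: dropping check from result due to ACLs: check=serfHealth
consul | 2020-05-18T23:54:25.863+0300 [WARN] agent: Coordinate update blocked by ACLs: accessorID=
"""

# Generic agent log line: optional "container | " prefix, timestamp, [LEVEL], logger name, message.
LINE_RE = re.compile(
    r"^(?:\S+ \| )?(?P<ts>\S+) \[(?P<level>[A-Z]+)\] (?P<logger>\S+): (?P<msg>.*)$"
)
# The two message kinds this audit cares about.
JOIN_RE = re.compile(r"^serf: EventMemberJoin: (?P<node>\S+) (?P<addr>\S+)$")
BLOCKED_RE = re.compile(r"^Coordinate update blocked by ACLs: accessorID=(?P<accessor>\S*)$")


def parse_line(line):
    """Split one agent log line into its fields, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text, expected_nodes):
    """Return (unexpected_joins, blocked_updates).

    unexpected_joins: (timestamp, node, address) for every LAN serf join by a node that is
      not in the expected inventory. Gossip membership is protected by the gossip encryption
      key rather than by ACLs, so this is the signal that an agent outside the inventory
      reached the serf layer.
    blocked_updates: Counter of accessorID values seen in "Coordinate update blocked by ACLs"
      warnings. An empty accessorID is reported as "<no-token>"; the agent writing the log
      emits this warning about its own coordinate update, so it points at that agent's
      token configuration, not at the joining node.
    """
    unexpected, blocked = [], Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["logger"] == "agent.server.serf.lan":
            j = JOIN_RE.match(rec["msg"])
            if j and j["node"] not in expected_nodes:
                unexpected.append((rec["ts"], j["node"], j["addr"]))
        elif rec["logger"] == "agent":
            b = BLOCKED_RE.match(rec["msg"])
            if b:
                blocked[b["accessor"] or "<no-token>"] += 1
    return unexpected, blocked


if __name__ == "__main__":
    # Assumed inventory: only the server itself is expected in the LAN pool.
    joins, blocked = audit(SAMPLE_LOG, expected_nodes={"demo-dir"})
    for ts, node, addr in joins:
        print(f"{ts} unexpected LAN serf join: {node} ({addr})")
    for accessor, n in blocked.items():
        print(f"{n} coordinate update(s) blocked by ACLs for accessorID {accessor}")
```

Run against the sample, the audit reports one unexpected join (demo-ref-en from 192.168.0.2) and two blocked coordinate updates with no accessorID. Feeding a real agent log through `audit()` with your actual node inventory gives the same two lists; the join list is the one to alert on, since an unexpected serf member means the gossip encryption key is either absent or shared more widely than intended.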
Operating system and Environment details
The cluster with one server agent in docker (with host network) on Debian 10. Client agent running natively on Debian 10.