ACL policy for DNS and UI

Hello,

As defined in the documentation …

Consul's DNS interface is also affected by restrictions on node rules. If the acl.token.default used by the agent does not have "read" access to a given node, then the DNS interface will return no records when queried for it.

So I changed this parameter on my Consul cluster, with the appropriate policy.
It is working correctly for DNS.

However, the UI is open in read-only mode. Is it possible to restrict the usage of the UI by ACL but keep the DNS working?

When I changed the ACL policies, the web UI was asking for a token but the DNS didn’t work anymore.

Thanks.

There is currently no way to use a different token for the HTTP API vs DNS.

There is an open issue which, somewhere buried in there, brings up this fact: https://github.com/hashicorp/consul/issues/4478.

I would recommend you add information about your use case and needs to that issue so that we can gauge community interest and needs to plan work appropriately.

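An added example (not from the posts above, and not the Consul project's own configuration): a read-only policy for the token an agent uses as its default, so that DNS lookups resolve while that token grants nothing else. Since the same default token answers HTTP API and UI requests that arrive without a token, as the reply says, whatever this policy allows is readable there too. The file names, the policy name `dns-default` and the token placeholder are assumptions.

```hcl
# ---- dns-default.hcl: ACL rules (file name assumed for this example) ----
# Read-only access to the catalog data the DNS interface answers from.
node_prefix "" {
  policy = "read" # without node read, DNS returns no records for that node
}

service_prefix "" {
  policy = "read" # needed for <service>.service.consul lookups
}

query_prefix "" {
  policy = "read" # needed for <name>.query.consul (prepared query) lookups
}

# To expose less through the UI, replace the empty prefixes with the
# prefixes DNS clients really resolve, e.g. service_prefix "web-" (constructed name).
#
# Create the policy and a token that carries only this policy:
#   consul acl policy create -name dns-default -rules @dns-default.hcl
#   consul acl token create -description "agent default (DNS)" -policy-name dns-default

# ---- agent.hcl: agent configuration (separate file, name assumed) ----
acl {
  enabled        = true
  default_policy = "deny" # anything not granted by a token is refused

  tokens {
    # Used for every request that carries no token of its own:
    # all DNS queries, and HTTP API / UI requests sent without a token.
    default = "<DNS_TOKEN_SECRET_ID>" # placeholder, not a real secret
  }
}
```

Write access and reads outside these rules still require a user to supply their own token in the UI.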