Client using current ACL is able to list services but cannot inspect them

Hi all

I have registered the following service in my Consul cluster:

{
  "Name": "AlarmManager",
  "Tags": ["alarmmanager"],
  "Address": "IP",
  "Port": PORT,
  "check": {
    "name": "Check Alarm Manager",
    "http": "http://IP:PORT",
    "method": "GET",
    "interval": "60s",
    "timeout": "5s"
  },
  "Weights": {
    "Passing": 10,
    "Warning": 1
  }
}

Using consul API:

curl --header "X-Consul-Token: ${CONSUL_HTTP_TOKEN}" --request PUT --data @alarmmanager.json "http://127.0.0.1:8500/v1/agent/service/register?replace-existing-checks=true"

After setting the following ACL:

service "AlarmManager" { 
  policy = "read"
}

After creating a token with only that policy attached, an API call using that token is able to list this service:

curl --header "X-Consul-Token: TOKEN" http://127.0.0.1:8500/v1/catalog/services
{"AlarmManager":["alarmmanager"]}

But there is no info when calling the service directly:

curl --header "X-Consul-Token: TOKEN" http://127.0.0.1:8500/v1/catalog/servic/AlarmManager
[]

Service Check is passing green and performing the same call with Consul Master Token retrieves Service info.

Could you please tell me what I am doing wrong?

Thank you,

There’s a typo in your URL:

It was a mistake when I copied the command:

curl --header "X-Consul-Token: Token" http://127.0.0.1:8500/v1/catalog/service/AlarmManager
[]

It seems to be working with the following policy:

node_prefix "" {
  policy = "read"
}

service "AlarmManager" {
  policy = "read"
}

Is this ok, or is this policy too open for reading only a service?
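
The behaviour seen in this thread, as an added example that is not part of the original posts or Consul's own code: a simplified Python model of Consul's catalog ACL filtering, where listing services needs only `service:read` but `/v1/catalog/service/<name>` also needs `node:read` on each hosting node. It assumes a default-deny ACL policy; the node names, the `billing` service and the narrower `SCOPED` policy are constructed for illustration.

```python
# Simplified model (assumption) of how Consul filters catalog responses by ACL:
#   /v1/catalog/services       -> needs service:read on each service
#   /v1/catalog/service/<name> -> needs service:read AND node:read on the hosting node
# Node names and catalog contents below are constructed sample data.

CATALOG = [  # (node, service) registrations
    ("node-a", "AlarmManager"),
    ("node-b", "AlarmManager"),
    ("node-c", "billing"),
]

def allowed(policy, kind, name):
    """Exact rule wins over prefix rules; longest prefix wins; default is deny."""
    exact = policy.get(kind, {})
    if name in exact:
        return exact[name] in ("read", "write")
    prefixes = policy.get(kind + "_prefix", {})
    matches = [p for p in prefixes if name.startswith(p)]
    if not matches:
        return False
    return prefixes[max(matches, key=len)] in ("read", "write")

def list_services(policy):
    """Model of GET /v1/catalog/services."""
    return sorted({s for _, s in CATALOG if allowed(policy, "service", s)})

def service_nodes(policy, service):
    """Model of GET /v1/catalog/service/<service>: entries the token may see."""
    return [n for n, s in CATALOG
            if s == service and allowed(policy, "service", s) and allowed(policy, "node", n)]

def readable_nodes(policy):
    """Every node the token can read, i.e. what the node rules expose."""
    return sorted({n for n, _ in CATALOG if allowed(policy, "node", n)})

SERVICE_ONLY = {"service": {"AlarmManager": "read"}}                 # first policy in the thread
BROAD = {"service": {"AlarmManager": "read"}, "node_prefix": {"": "read"}}  # second policy
# Hypothetical narrower variant: name only the nodes that host the service.
SCOPED = {"service": {"AlarmManager": "read"},
          "node": {"node-a": "read", "node-b": "read"}}

if __name__ == "__main__":
    for label, pol in [("service only", SERVICE_ONLY), ("node_prefix", BROAD), ("scoped", SCOPED)]:
        print(label, list_services(pol), service_nodes(pol, "AlarmManager"), readable_nodes(pol))
```

With `node_prefix ""` the token can read every node in the catalog, including ones that do not host `AlarmManager`; exact `node` rules return the same service entries while exposing only the named nodes.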