Empty response for key/value request with insufficient permissions instead of 403

OverDrone · October 11, 2021, 12:08pm

Hello!
When java client requests config data using /v1/kv request (seen in KeyValueConsulClient.getKVValue(…)) if user doesn’t have permissions (acl token was not provided and default_policy: deny), consul just returns empty data instead of correctly returning HTTP 403 Forbidden error. This leads to exceptions in spring boot application during property binding process. This is very confusing because first thought is incorrect application config or consul key/value store. It’s very hard to determine that actually acl token was not provided to consul (spring boot misconfiguration, token property name changed in new versions). Is it possible to somehow configure consul to return 403 error (or any other error) in case when user lacks required permissions? If there is no such feature in consul currently is it possible to add it in some later release?
I’ve added kv tag to this topic, although I’m not sure it’s correct.
I use Consul 1.6.2.

mkeeler · October 12, 2021, 1:44pm

@OverDrone I am not familiar with the Java client you are using. When using the consul kv get command which in turn utilizes a GET request on the /v1/kv endpoint, attempting to read a single KV entry with a token that does not have permissions does return a 403 (using v1.10.3 for my tests).

If the recurse flag is specified to that endpoint then it will perform a recursive listing of all keys under a given prefix instead of reading an individual key. In this case, instead of returning a 403, it will filter the result set with the provided tokens privileges. I suspect your Java client might be doing this.

There is no way to control this behavior. You may therefore end up with an empty set when either there is no data or if all the existing data was filtered out. There is an open issue currently that the Consul team is planning to address regarding API clients not being able to distinguish between those two reasons for no results:

github.com/hashicorp/consul

Indicate when list in API endpoint response is filtered by ACLs

opened 12:31AM - 12 Oct 21 UTC

jkirschner-hashicorp

type/enhancement theme/api theme/acls theme/operator-usability

#### Feature Description Endpoints that return list of items will typically e…nforce ACLs by filtering the result set, such as: - Agent endpoints for local checks/services - RPC endpoints for queries to Consul servers However, Consul doesn't give any indication that the results were filtered by ACLs. For a user looking at the list of results, it is unclear whether they are viewing the full list, or whether they are seeing a partial (or empty) list due to incorrect permissions. This information could be exposed through returning a new header. For the service mesh use case, we could log in the proxycfg package when a query is filtered by ACLs. This would help discover and troubleshoot ACL permissions issues. A separate issue can be created in the future to consider propagating this information to the Consul GUI. #### Use Case(s) General discovery and troubleshooting of ACL issues via the API endpoints. Potentially enabling surfacing this information on the Consul GUI in the future.

Feel free to add your use case details in a comment on that issue.

OverDrone · October 12, 2021, 2:08pm

I’ve entered debug and extracted the request, which is:
http://consul-host:8500/v1/kv/config/service-name/?recurse&token=acl-token
Yes, recurse is in parameter list

Topic		Replies	Views
Requesting re-assessment of closure of bug 8428 - Get Token call to API, returns 403 rather than 404 if token not found Consul	2	252	August 10, 2020
Consul Agent access to KV denied by ACL Consul acl	8	7935	August 11, 2020
Consul keyring -list error Consul	1	508	March 25, 2021
Permission denied: token with AccessorID lacks permission 'key:read' Consul	1	1098	August 21, 2022
KV storage - get data only if authenticated Consul	9	762	June 22, 2021

Empty response for key/value request with insufficient permissions instead of 403

Related topics