Question about ACL

smutel · November 19, 2019, 7:49am

Hello,

I created one policy to manage snapshot (backup), one policy to store terraform state and one policy to be able to manage DNS:

global-management:
   ID:           00000000-0000-0000-0000-000000000001
   Description:  Builtin Policy that grants unlimited access
   Datacenters:
snapshots:
   ID:           636411eb-8d95-3c11-be55-5d8bdde6c972
   Description:
   Datacenters:
tf-openstack:
   ID:           6c62290a-be5d-900d-ba6d-b5cbfdbe8825
   Description:
   Datacenters:
dns:
   ID:           8c6331d8-6636-16d6-a60c-2792c12a50df
   Description:
   Datacenters:

I am using a token linked to the DNS policy in the default agent token with command (consul acl set-agent-token default).

I have two questions:

First only the 1st server is responding to the DNS request, why ?
I have some WARNING in the logs:

2019/11/19 08:36:55 [WARN] agent: Coordinate update blocked by ACLs
2019/11/19 08:35:33 [WARN] agent: Node info update blocked by ACLs

Do I need to add more privileges to the default agent policies ?

Regards,

blake · December 3, 2019, 5:26am

Yes, it appears you need to add additional privileges to the policy used by the agent’s token.

Specifically, the token will need write privileges for its own node resource.

node "mynode" {
  policy = "write"
}

See the ACL Agent Token docs for more info.

smutel · January 20, 2020, 1:40pm

Hello,

Anyway to set the default agent token in the configuration file instead of by this command:

consul acl set-agent-token default #token#

Thanks.