Question about ACL

Hello,

I created one policy to manage snapshots (backups), one policy to store Terraform state, and one policy to manage DNS:

global-management:
   ID:           00000000-0000-0000-0000-000000000001
   Description:  Builtin Policy that grants unlimited access
   Datacenters:
snapshots:
   ID:           636411eb-8d95-3c11-be55-5d8bdde6c972
   Description:
   Datacenters:
tf-openstack:
   ID:           6c62290a-be5d-900d-ba6d-b5cbfdbe8825
   Description:
   Datacenters:
dns:
   ID:           8c6331d8-6636-16d6-a60c-2792c12a50df
   Description:
   Datacenters:

I am using a token linked to the DNS policy as the default agent token, set with the command consul acl set-agent-token default.

I have two questions:

  • First, only the 1st server is responding to DNS requests. Why?
  • I have some WARNING lines in the logs:
2019/11/19 08:36:55 [WARN] agent: Coordinate update blocked by ACLs
2019/11/19 08:35:33 [WARN] agent: Node info update blocked by ACLs

Do I need to add more privileges to the default agent policy?

Regards,

Yes, it appears you need to add additional privileges to the policy used by the agent’s token.

Specifically, the token will need write privileges for its own node resource.

# "mynode" is the agent's own node name (the hostname unless node_name is set)
node "mynode" {
  policy = "write"
}

See the ACL Agent Token docs for more info.
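The procedure the answer describes, carried through end to end as an added example (this is not code from the original thread or from the Consul project): render a per-node policy, create a token for it, and install that token as the agent's "agent" token, which Consul uses for its own node/coordinate updates, while the DNS token stays as "default" (the token Consul uses for requests that carry none, including DNS queries). It pairs node:write with service:read, the combination Consul's agent-token docs recommend so anti-entropy can also see locally registered services. The policy and token names, and the CONSUL_HTTP_ADDR / CONSUL_HTTP_TOKEN environment (a management token), are assumptions; the node name is passed in explicitly.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds and installs a per-agent
# ACL token with node:write on the agent's own node plus service:read.
# Assumes CONSUL_HTTP_ADDR and CONSUL_HTTP_TOKEN (a management token) are set
# for the "consul" CLI; policy/token names below are illustrative.
set -eu

# Render the rules for one node. node:write on its own name lets the agent
# update its node info and network coordinates (the two WARNs in the question);
# service:read lets anti-entropy read back the services registered on it.
agent_policy_rules() {
  node_name="$1"
  cat <<EOF
node "${node_name}" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
EOF
}

# Create the policy and a token bound to it, then hand the token to the running
# agent as its "agent" token. The "default" token (used for DNS and for any
# request without a token) is left untouched.
install_agent_token() {
  node_name="$1"
  policy_name="agent-${node_name}"   # hypothetical naming scheme

  consul acl policy create \
    -name "${policy_name}" \
    -description "Agent token policy for ${node_name}" \
    -rules "$(agent_policy_rules "${node_name}")" >/dev/null

  # Pretty output prints one "SecretID:  <uuid>" line; pick the uuid out of it.
  secret=$(consul acl token create \
    -description "Agent token for ${node_name}" \
    -policy-name "${policy_name}" | awk '/^SecretID:/ { print $2 }')
  [ -n "${secret}" ] || { echo "no SecretID returned" >&2; return 1; }

  consul acl set-agent-token agent "${secret}"
  echo "installed agent token for ${node_name} (policy ${policy_name})"
}

# Usage: sh agent-token.sh apply <node-name>
# Without "apply" the script only defines the functions, so it can be sourced.
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
  install_agent_token "$2"
fi
```

Two caveats a practitioner will hit: consul acl set-agent-token only updates the running agent, so unless acl.enable_token_persistence is enabled the token must also go into the agent config under acl { tokens { agent = "..." } } to survive a restart; and each server and client needs its own policy scoped to its own node name (or a node_prefix rule if you accept the wider grant), which is why this script takes the node name as an argument and runs once per agent. It does not address the separate question of why only one server answers DNS.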