
Consul ACLs using a global blacklist still lists services/nodes with anonymous token


When configuring the consul-server like this:

{
  "acl_datacenter": "stable",
  "acl_default_policy": "deny",
  "acl_down_policy": "deny",
  "datacenter": "stable",
  "data_dir": "/consul/data",
  "ui": true,
  "log_level": "INFO",
  "node_name": "consul",
  "client_addr": "0.0.0.0",
  "server": true,
  "bootstrap": true,
  "encrypt": "GdKfGQLlnziTxh/Vt4DW4A==",
  "acl_master_token": "474238df-2199-4e67-a1e6-638bdb8f6740"
}

so using a blacklist for everything, I can still list all services:

curl http://consul:8500/v1/catalog/services
{"consul":[]}

without providing a token, so using the anonymous token. Even if I add an explicit rule (which should not be needed):

service "" {
  policy = "deny"
}

Still the same results. Same goes for listing nodes and anything else. I cannot list any KV though, so that is secured (nor can I add any ACL with the anon token).

Questions

  • Why does the blacklist allow listing services / nodes?
  • Is there a way to deny that?

Meta information

consul --version
Consul v0.6.4
Consul Protocol: 3 (Understands back to: 1)

Solution

  • The answer splits into 2 branches

    services

    Listing services is denied by ACL, but an exception is made for the consul service. So every other service would not show up.

    Source https://twitter.com/slackpad/status/750322795704352768

    nodes

    ACLs are not yet applied to nodes, so you cannot keep prying eyes off the node list using ACLs for now. See:

    Source https://twitter.com/slackpad/status/750323727330533376
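The two branches of the answer translate into a concrete check: with a default-deny policy, the anonymous service listing should contain nothing but the built-in consul service, while the node listing is not filtered at all on this version and should be recorded as exposed. The script below is an added example, not part of the original question or answer and not Consul project code. It assumes a Consul 0.6.x HTTP API reachable at CONSUL_ADDR (defaulting to the host and port used in the question), authenticates with the pre-0.7 `?token=` query parameter, and reads a management token from the CONSUL_HTTP_TOKEN environment variable; the sample responses at the bottom are constructed so the comparison logic can run without a live server.

```python
"""Audit what Consul's anonymous token can see in the catalog.

Added example, not from the original question or from the Consul project.
Assumes a Consul 0.6.x HTTP API at CONSUL_ADDR and the `?token=` query
parameter for authenticating requests (the pre-0.7 style used in the
question).
"""
import json
import os
import urllib.request
from urllib.parse import urlencode

# Assumption: same host and port as the curl command in the question.
CONSUL_ADDR = os.environ.get("CONSUL_ADDR", "http://consul:8500")


def catalog_get(path, token=None, addr=CONSUL_ADDR):
    """GET /v1/catalog/<path>; token=None means the anonymous token is used."""
    url = f"{addr}/v1/catalog/{path}"
    if token:
        url += "?" + urlencode({"token": token})
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def anonymous_service_exposure(anon_services):
    """Return service names the anonymous token can list other than 'consul'.

    With acl_default_policy=deny, Consul 0.6.4 filters the service listing
    but always leaves the built-in 'consul' service visible, so anything
    else in this list means a service is readable without a token.
    """
    return sorted(name for name in anon_services if name != "consul")


def anonymous_node_exposure(anon_nodes):
    """Return node names visible anonymously.

    Consul 0.6.4 does not apply ACLs to the node catalog, so a non-empty
    result is expected there; it is still worth recording what is exposed.
    """
    return sorted(n["Node"] for n in anon_nodes)


def audit(anon_services, anon_nodes, token_services):
    """Compare the anonymous and authenticated views and summarise the gap."""
    exposed = anonymous_service_exposure(anon_services)
    hidden = sorted(set(token_services) - set(anon_services))
    return {
        "services_exposed_anonymously": exposed,
        "services_hidden_from_anonymous": hidden,
        "nodes_exposed_anonymously": anonymous_node_exposure(anon_nodes),
    }


# Constructed sample responses, shaped like the 0.6.x catalog endpoints,
# so the logic can be exercised without a running Consul.
SAMPLE_ANON_SERVICES = {"consul": []}
SAMPLE_TOKEN_SERVICES = {"consul": [], "web": ["http"], "db": []}
SAMPLE_ANON_NODES = [
    {"Node": "consul", "Address": "10.0.0.1"},
    {"Node": "worker-1", "Address": "10.0.0.2"},
]

if __name__ == "__main__":
    try:
        token = os.environ.get("CONSUL_HTTP_TOKEN")  # master or management token
        report = audit(
            catalog_get("services"),
            catalog_get("nodes"),
            catalog_get("services", token=token),
        )
    except Exception as exc:  # no reachable Consul: fall back to constructed data
        print(f"live query failed ({exc}); using constructed sample data")
        report = audit(SAMPLE_ANON_SERVICES, SAMPLE_ANON_NODES, SAMPLE_TOKEN_SERVICES)
    print(json.dumps(report, indent=2))
```

Run it against the server from the question and the report should show an empty `services_exposed_anonymously` list (only consul is visible), the services registered with the master token under `services_hidden_from_anonymous`, and every node under `nodes_exposed_anonymously`, which is the node-listing gap the answer describes for this version.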