
Basic ACL config file crashes

Open aparedero opened this issue 7 years ago • 6 comments

Hello,

I'm using this role in a three-server scenario. I set the following env variables for an initial deploy:

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04 LTS
Release:	18.04
Codename:	bionic

# Variables set
$ export CONSUL_VERSION=1.1.0
$ export CONSUL_ACL_ENABLE=true
$ export CONSUL_ACL_MASTER_TOKEN_DISPLAY=true
$ export CONSUL_ACL_MASTER_TOKEN=$(uuidgen)

And it works: during the play I can see the new uuidgen value instead of the generic one (42424242...). By the way, we could use the Jinja filter {{ somestring | to_uuid }} for generating a random token, since it has been available since Ansible 1.9, but that is not the subject of this issue.

The issue begins when I change consul_acl_policy: false to consul_acl_policy: true in the default vars file. The deployment finishes successfully but the consul daemon won't start.

● consul.service - Consul agent
   Loaded: loaded (/lib/systemd/system/consul.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Wed 2018-06-13 12:41:57 UTC; 7s ago
  Process: 26126 ExecStart=/usr/local/bin/consul agent -config-file=/etc/consul/config.json -config-dir=/etc/consul/consul.d -pid-file=/var/run/consul/consul.pid (code=exited, status=2)
  Process: 26125 ExecStartPre=/bin/chown -R consul:bin /var/run/consul (code=exited, status=0/SUCCESS)
  Process: 26117 ExecStartPre=/bin/mkdir -p /var/run/consul (code=exited, status=0/SUCCESS)
 Main PID: 26126 (code=exited, status=2)

Executing consul manually, this error appears:

panic: key: []map[string]interface{} with more than one element not supported: [map[:[map[policy:read]]] map[foo/:[map[policy:write]]] map[foo/private/:[map[policy:deny]]]]

goroutine 1 [running]:
github.com/hashicorp/consul/agent/config.patchValue(0xc42034b8cd, 0x3, 0x1161cc0, 0xc420324720, 0xc420397a00, 0x6, 0x6, 0x1184340, 0xc4202dd740)
	/gopath/src/github.com/hashicorp/consul/agent/config/patch_hcl.go:57 +0x9fd
github.com/hashicorp/consul/agent/config.patchValue(0x0, 0x0, 0x1260040, 0xc4203a8ab0, 0xc420397a00, 0x6, 0x6, 0x0, 0x0)
	/gopath/src/github.com/hashicorp/consul/agent/config/patch_hcl.go:24 +0x181
github.com/hashicorp/consul/agent/config.patchSliceOfMaps(0xc4203a8ab0, 0xc420397a00, 0x6, 0x6, 0x0)
	/gopath/src/github.com/hashicorp/consul/agent/config/patch_hcl.go:8 +0x61
github.com/hashicorp/consul/agent/config.Parse(0xc4202c6e00, 0x366, 0x14f06ec, 0x3, 0x0, 0xc4203ef610, 0xc4203ef650, 0xc4203ef680, 0x0, 0xc42034a630, ...)
	/gopath/src/github.com/hashicorp/consul/agent/config/config.go:80 +0x258
github.com/hashicorp/consul/agent/config.(*Builder).Build(0xc420263800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/gopath/src/github.com/hashicorp/consul/agent/config/builder.go:273 +0x886
github.com/hashicorp/consul/agent/config.(*Builder).BuildAndValidate(0xc420263800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/gopath/src/github.com/hashicorp/consul/agent/config/builder.go:212 +0x7b
github.com/hashicorp/consul/command/agent.(*cmd).readConfig(0xc420262800, 0x37)
	/gopath/src/github.com/hashicorp/consul/command/agent/agent.go:101 +0x13d
github.com/hashicorp/consul/command/agent.(*cmd).run(0xc420262800, 0xc42002e160, 0x3, 0x3, 0x0)
	/gopath/src/github.com/hashicorp/consul/command/agent/agent.go:319 +0x8b
github.com/hashicorp/consul/command/agent.(*cmd).Run(0xc420262800, 0xc42002e160, 0x3, 0x3, 0xc420267400)
	/gopath/src/github.com/hashicorp/consul/command/agent/agent.go:78 +0x50
github.com/hashicorp/consul/vendor/github.com/mitchellh/cli.(*CLI).Run(0xc4201d3320, 0xc4201d3320, 0x40, 0xc420267900)
	/gopath/src/github.com/hashicorp/consul/vendor/github.com/mitchellh/cli/cli.go:242 +0x1eb
main.realMain(0xc42007c058)
	/gopath/src/github.com/hashicorp/consul/main.go:52 +0x3ee
main.main()
	/gopath/src/github.com/hashicorp/consul/main.go:19 +0x22
ubuntu@consul-server-2:~$ 

It seems there is a problem with the HCL file created at /etc/consul/consul.d/50acl_policy.hcl:

# Default all keys to read-only
key "" {
  policy = "read"
}
key "foo/" {
  policy = "write"
}
key "foo/private/" {
  # Deny access to the dir "foo/private"
  policy = "deny"
}

# Default all services to allow registration. Also permits all
# services to be discovered.
service "" {
    policy = "write"
}

# Deny registration access to services prefixed "secure-".
# Discovery of the service is still allowed in read mode.
service "secure-" {
    policy = "read"
}

# Allow firing any user event by default.
event "" {
    policy = "write"
}

# Deny firing events prefixed with "destroy-".
event "destroy-" {
    policy = "deny"
}

# Default prepared queries to read-only.
query "" {
    policy = "read"
}

# Read-only mode for the encryption keyring by default (list only)
keyring = "read"

# Read-only mode for Consul operator interfaces (list only)
operator = "read"

aparedero avatar Jun 13 '18 12:06 aparedero

Adding more debugging about this: I've been testing by deleting the rules one by one, and inserting just the basic HCL policies also crashes.

key "" {
  policy = "read"
}
key "foo" {
  policy = "write"
}
key "bar" {
  policy = "deny"
}

Moving the configuration file and just setting config-dir also does not work:

sudo mv /etc/consul/config.json /etc/consul/consul.d/config.json
root@consul-server-2:/etc/consul/consul.d# sudo /usr/local/bin/consul agent -config-dir=/etc/consul/consul.d -pid-file=/var/run/consul/consul.pid
panic: key: []map[string]interface{} with more than one element not supported: [map[:[map[policy:deny]]] map[bar:[map[policy:list]]] map[baz:[map[policy:read]]]]

goroutine 1 [running]:
github.com/hashicorp/consul/agent/config.patchValue(0xc42009f03b, 0x3, 0x1161cc0, 0xc42038c7e0, 0xc4203e5a00, 0x6, 0x6, 0xc42002e120, 0x0)
	/gopath/src/github.com/hashicorp/consul/agent/config/patch_hcl.go:57 +0x9fd
github.com/hashicorp/consul/agent/config.patchValue(0x0, 0x0, 0x1260040, 0xc4203a6630, 0xc4203e5a00, 0x6, 0x6, 0x0, 0x0)
	/gopath/src/github.com/hashicorp/consul/agent/config/patch_hcl.go:24 +0x181
github.com/hashicorp/consul/agent/config.patchSliceOfMaps(0xc4203a6630, 0xc4203e5a00, 0x6, 0x6, 0x0)
	/gopath/src/github.com/hashicorp/consul/agent/config/patch_hcl.go:8 +0x61
github.com/hashicorp/consul/agent/config.Parse(0xc420079ec0, 0x5c, 0x14f06ec, 0x3, 0x0, 0x0, 0xc4200a13f0, 0xc4200a1430, 0x0, 0xc42009e630, ...)
	/gopath/src/github.com/hashicorp/consul/agent/config/config.go:80 +0x258
github.com/hashicorp/consul/agent/config.(*Builder).Build(0xc420263800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/gopath/src/github.com/hashicorp/consul/agent/config/builder.go:273 +0x886
github.com/hashicorp/consul/agent/config.(*Builder).BuildAndValidate(0xc420263800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/gopath/src/github.com/hashicorp/consul/agent/config/builder.go:212 +0x7b
github.com/hashicorp/consul/command/agent.(*cmd).readConfig(0xc420262800, 0x37)
	/gopath/src/github.com/hashicorp/consul/command/agent/agent.go:101 +0x13d
github.com/hashicorp/consul/command/agent.(*cmd).run(0xc420262800, 0xc42002e0a0, 0x2, 0x2, 0x0)
	/gopath/src/github.com/hashicorp/consul/command/agent/agent.go:319 +0x8b
github.com/hashicorp/consul/command/agent.(*cmd).Run(0xc420262800, 0xc42002e0a0, 0x2, 0x2, 0xc420267840)
	/gopath/src/github.com/hashicorp/consul/command/agent/agent.go:78 +0x50
github.com/hashicorp/consul/vendor/github.com/mitchellh/cli.(*CLI).Run(0xc4201d18c0, 0xc4201d18c0, 0x40, 0xc420267900)
	/gopath/src/github.com/hashicorp/consul/vendor/github.com/mitchellh/cli/cli.go:242 +0x1eb
main.realMain(0xc420078058)
	/gopath/src/github.com/hashicorp/consul/main.go:52 +0x3ee
main.main()
	/gopath/src/github.com/hashicorp/consul/main.go:19 +0x22

aparedero avatar Jun 13 '18 13:06 aparedero

Hey @aparedero any chance you successfully worked through this? I'm hitting it as well and am getting ready to tuck in, wanted to check if you managed to solve this before I do though. I see you forked the repo but I'm not seeing any pushed commits that might fix this.

Will followup when I make more progress on this.

jeffWelling avatar Jan 03 '19 21:01 jeffWelling

I took a first cut at making this work. This branch on my fork https://github.com/MikeStankavich/ansible-consul/tree/sample_acls works in my test environment but it's far from thoroughly tested yet. You're welcome to give it a try. I'll be glad to fix any issues you might find, and I can create a PR for it if/when it's good enough to consider merging.

mikestankavich avatar Feb 08 '19 22:02 mikestankavich

Any news with this issue? Problem still exists :/

sas1024 avatar Mar 22 '19 15:03 sas1024

I ran across this same issue. The problem is that this ACL configuration is actually supposed to be applied via the Consul ACL HTTP API or CLI using consul acl policy create. It is not possible to set this config via Consul's agent config files as this role is attempting to do.

The role should be modified to apply the ACL config using Ansible's consul_acl, uri, or command modules.

I'll try to find some time over the weekend to submit a PR.

blake avatar Dec 03 '19 23:12 blake
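To make the point in the comment above concrete, here is an added example (not code from this issue thread or from the ansible-consul role) that does two things: it scans an agent config-dir for ACL rule statements (key/service/event/query blocks and keyring/operator attributes, the resource types in the role's 50acl_policy.hcl) that will make the agent fail at startup, and it shows the shape of the request that applies those rules where they belong, PUT /v1/acl/policy with the token in the X-Consul-Token header. It assumes Consul 1.4 or newer, where prefix rules are spelled key_prefix, service_prefix and so on and the bare form is an exact match, so it also rewrites the legacy prefix syntax. The function names, the SAMPLE_RULES text (a constructed abbreviation of the role's file) and the address 127.0.0.1:8500 are mine; the endpoint and header are Consul's.

```python
"""Preflight check and API-based apply for Consul ACL rules.

Added example for this issue thread; not code from the ansible-consul role.
Assumes Consul 1.4+ (new ACL system): rules are submitted with
PUT /v1/acl/policy, and prefix rules are spelled key_prefix/service_prefix/...
"""
import json
import os
import re
import sys
import urllib.request

# Resource types that belong in an ACL *policy*, never in an agent config file.
# Limited to the types that appear in the role's 50acl_policy.hcl.
BLOCK_RULES = ("key", "key_prefix", "service", "service_prefix",
               "event", "event_prefix", "query", "query_prefix")
ATTR_RULES = ("keyring", "operator")

# key "foo/" {   /   keyring = "read"   (a labelled block, or a quoted attribute)
_BLOCK_RE = re.compile(r'^\s*(%s)\s+"[^"]*"\s*\{' % "|".join(BLOCK_RULES))
_ATTR_RE = re.compile(r'^\s*(%s)\s*=\s*"' % "|".join(ATTR_RULES))

# Legacy prefix rules: key "foo/" { ... }  ->  key_prefix "foo/" { ... }
_LEGACY_PREFIX_RE = re.compile(r'^(\s*)(key|service|event|query)(\s+"[^"]*"\s*\{)', re.M)


def find_acl_rules(text):
    """Return (line_number, resource_type) for every ACL rule statement in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _BLOCK_RE.match(line) or _ATTR_RE.match(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


def scan_config_dir(config_dir):
    """Scan every .hcl file in config_dir; return {path: hits} for files holding ACL rules."""
    offenders = {}
    for name in sorted(os.listdir(config_dir)):
        if not name.endswith(".hcl"):
            continue
        path = os.path.join(config_dir, name)
        with open(path, encoding="utf-8") as f:
            hits = find_acl_rules(f.read())
        if hits:
            offenders[path] = hits
    return offenders


def legacy_to_current(rules):
    """Rewrite legacy prefix rules to 1.4+ syntax.

    In the legacy system every key/service/event/query rule was a prefix match;
    in the new system the bare form is an exact match and *_prefix is the prefix.
    Already-converted rules are left untouched.
    """
    return _LEGACY_PREFIX_RE.sub(r"\1\2_prefix\3", rules)


def policy_request(name, rules, description=""):
    """JSON body for PUT /v1/acl/policy."""
    return {"Name": name, "Description": description, "Rules": rules}


def apply_policy(consul_addr, token, body):
    """Create the policy over the HTTP API, authenticating with X-Consul-Token."""
    req = urllib.request.Request(
        consul_addr.rstrip("/") + "/v1/acl/policy",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"X-Consul-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)  # includes the policy ID and Hash on success


# Constructed sample: the first three rules of the role's 50acl_policy.hcl plus
# the two attribute rules, in the legacy syntax the role emits.
SAMPLE_RULES = '''\
key "" {
  policy = "read"
}
key "foo/" {
  policy = "write"
}
key "foo/private/" {
  policy = "deny"
}
keyring = "read"
operator = "read"
'''

if __name__ == "__main__":
    config_dir = sys.argv[1] if len(sys.argv) > 1 else "/etc/consul/consul.d"
    if os.path.isdir(config_dir):
        for path, hits in scan_config_dir(config_dir).items():
            print("%s: ACL rules in agent config, the agent will not start: %s"
                  % (path, ", ".join("line %d %s" % h for h in hits)))
    # Apply the rules where they belong instead (token from CONSUL_HTTP_TOKEN):
    if "CONSUL_HTTP_TOKEN" in os.environ:
        print(apply_policy("http://127.0.0.1:8500", os.environ["CONSUL_HTTP_TOKEN"],
                           policy_request("kv-services", legacy_to_current(SAMPLE_RULES))))
```

Run it with the config-dir as the argument to get a per-file report before starting the agent; the apply step only runs when CONSUL_HTTP_TOKEN is set, and it needs a token that already holds acl = "write" (the bootstrap or master token), which is also why the token should be read from the environment rather than written into a config file on disk.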

I am still seeing this issue. It works when I manually delete the 50acl_policy.hcl file from consul.d, but that's giving complete write access to the ACL UI token.

sambizoomin avatar Jan 14 '20 16:01 sambizoomin