
Unexpected response code: 403 (ACL not found) - when wrong management token is used

Open andrake81 opened this issue 3 years ago • 1 comments

Overview of the Issue

Wrong status code and msg for invalid/wrong mgmt token usage with the consul CLI

I think a simple 401 would be more indicative

Reproduction Steps

  1. Run consul 1.11.4 with simple ACL config (used MacOS for local dev):

     acl {
       enabled                  = true
       default_policy           = "deny"
       enable_token_persistence = true
     }

  2. /usr/local/Cellar/consul/1.11.4/bin/consul agent -config-file consul.hcl
  3. export CONSUL_HTTP_TOKEN=randomToken
  4. Try to use any consul command:

     /usr/local/Cellar/consul/1.11.4/bin/consul acl policy list
     Failed to retrieve the policy list: Unexpected response code: 403 (ACL not found)

     /usr/local/Cellar/consul/1.11.4/bin/consul members
     Error retrieving members: Unexpected response code: 403 (ACL not found)

To fix: just export CONSUL_HTTP_TOKEN=correctToken

Consul info for both Client and Server

/usr/local/Cellar/consul/1.11.4/bin/consul info
agent:
	check_monitors = 0
	check_ttls = 0
	checks = 0
	services = 0
build:
	prerelease =
	revision =
	version = 1.11.4
consul:
	acl = enabled
	bootstrap = true
	known_datacenters = 1
	leader = true
	leader_addr = ----
	server = true
raft:
	applied_index = 1611
	commit_index = 1611
	fsm_pending = 0
	last_contact = 0
	last_log_index = 1611
	last_log_term = 2
	last_snapshot_index = 0
	last_snapshot_term = 0
	latest_configuration = [{Suffrage:Voter ID:4e8d1e2e-5ac1-1d5c-d7e5-4acd0f04181b Address:-------}]
	latest_configuration_index = 0
	num_peers = 0
	protocol_version = 3
	protocol_version_max = 3
	protocol_version_min = 0
	snapshot_version_max = 1
	snapshot_version_min = 0
	state = Leader
	term = 2
runtime:
	arch = amd64
	cpu_count = 8
	goroutines = 169
	max_procs = 8
	os = darwin
	version = go1.17.6
serf_lan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 0
	event_time = 4
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 167
	members = 8
	query_queue = 0
	query_time = 4
serf_wan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 0
	event_time = 1
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 1
	members = 1
	query_queue = 0
	query_time = 1

Operating system and Environment details

MacOS 12.5.1 Intel

Log Fragments

2022-09-19T13:44:34.191+0300 [ERROR] agent.http: Request error: method=GET url=/v1/acl/policies from=127.0.0.1:63170 error="ACL not found"
2022-09-19T13:48:43.237+0300 [ERROR] agent.http: Request error: method=GET url=/v1/agent/members?segment=_all from=127.0.0.1:64979 error="ACL not found"

andrake81, Sep 19 '22 11:09

Related to this general issue about improving "ACL not found" error messages: https://github.com/hashicorp/consul/issues/12517

jkirschner-hashicorp, Jan 19 '23 21:01
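
A detection sketch for the log fragments quoted in the issue, added here as an example and not code from the Consul project or from the issue author: it groups agent.http "ACL not found" request errors by source host, so repeated requests carrying unknown tokens stand out from ordinary permission failures. The function name and the last two sample log lines are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Matches the agent.http "Request error" line format shown in the issue's log fragments.
var reqErr = regexp.MustCompile(`\[ERROR\] agent\.http: Request error: method=(\S+) url=(\S+) from=(\S+) error="([^"]*)"`)

// UnknownTokenHits (hypothetical helper) returns, per source host, the requests
// that failed with "ACL not found", as "METHOD path" with the query string removed.
func UnknownTokenHits(logText string) map[string][]string {
	hits := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := reqErr.FindStringSubmatch(sc.Text())
		if m == nil || m[4] != "ACL not found" {
			continue // not a request error, or a different failure
		}
		host, _, err := net.SplitHostPort(m[3]) // also handles [::1]:port
		if err != nil {
			host = m[3] // keep the raw value if it is not host:port
		}
		path, _, _ := strings.Cut(m[2], "?")
		hits[host] = append(hits[host], m[1]+" "+path)
	}
	return hits
}

// The first two lines are from the issue; the last two are constructed for this example.
const sampleLog = `2022-09-19T13:44:34.191+0300 [ERROR] agent.http: Request error: method=GET url=/v1/acl/policies from=127.0.0.1:63170 error="ACL not found"
2022-09-19T13:48:43.237+0300 [ERROR] agent.http: Request error: method=GET url=/v1/agent/members?segment=_all from=127.0.0.1:64979 error="ACL not found"
2022-09-19T13:49:02.004+0300 [ERROR] agent.http: Request error: method=GET url=/v1/kv/app/config from=[::1]:65010 error="ACL not found"
2022-09-19T13:49:10.120+0300 [ERROR] agent.http: Request error: method=PUT url=/v1/kv/app/config from=127.0.0.1:65022 error="Permission denied"`

func main() {
	for host, reqs := range UnknownTokenHits(sampleLog) {
		fmt.Printf("%s: %d request(s) with an unknown token: %v\n", host, len(reqs), reqs)
	}
}
```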