spring-cloud-consul
spring-cloud-consul copied to clipboard
Ttl Heartbeats don't send acl token if configured
If heartbeat is enabled paired with acl tokens, then the heartbeat task does not configure the token to use when communicating with the consul server
spring.cloud.consul.discovery:
acl-token: ${uuid}
heartbeat.enabled: true
ConsulHeartbeatTask has this method call to agentCheckPass:
@Override
public void run() {
TtlScheduler.this.client.agentCheckPass(this.checkId);
if (log.isDebugEnabled()) {
log.debug("Sending consul heartbeat for: " + this.checkId);
}
}
Which without a token, you'll see the following stack trace:
com.ecwid.consul.v1.OperationException: OperationException(statusCode=403, statusMessage='Forbidden', statusContent='Permission denied')
at com.ecwid.consul.v1.agent.AgentConsulClient.agentCheckPass(AgentConsulClient.java:211) ~[consul-api-1.4.1.jar:na]
at com.ecwid.consul.v1.agent.AgentConsulClient.agentCheckPass(AgentConsulClient.java:198) ~[consul-api-1.4.1.jar:na]
at com.ecwid.consul.v1.agent.AgentConsulClient.agentCheckPass(AgentConsulClient.java:193) ~[consul-api-1.4.1.jar:na]
at com.ecwid.consul.v1.ConsulClient.agentCheckPass(ConsulClient.java:259) ~[consul-api-1.4.1.jar:na]
at org.springframework.cloud.consul.discovery.TtlScheduler$ConsulHeartbeatTask.run(TtlScheduler.java:95) ~[spring-cloud-consul-discovery-2.1.1.RELEASE.jar:2.1.1.RELEASE]
Which can be overridden to pass a token too (can be null too):
@Override
public void run() {
TtlScheduler.this.client.agentCheckPass(this.checkId, this.aclToken);
if (log.isDebugEnabled()) {
log.debug("Sending consul heartbeat for: " + this.checkId);
}
}
So any reason why i can't submit a simple PR to fix this (Ie am i missing something?)
PRs welcome
An AOP based approach to patch while a PR is worked on:
import com.ecwid.consul.v1.ConsulClient;
import com.ecwid.consul.v1.Response;
import javax.annotation.PostConstruct;
import lombok.RequiredArgsConstructor;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.cloud.consul.ConditionalOnConsulEnabled;
import org.springframework.cloud.consul.discovery.ConsulDiscoveryProperties;
import org.springframework.context.annotation.Configuration;
/**
* AOP fix to ensure the ACL token is sent when performing agent checks
*
* <p>https://github.com/spring-cloud/spring-cloud-consul/issues/559
*/
@Aspect
@Configuration
@RequiredArgsConstructor
@ConditionalOnConsulEnabled
@ConditionalOnProperty("spring.cloud.consul.discovery.acl-token")
@Slf4j
public class ConsulClientAspect {
private final ConsulDiscoveryProperties consulDiscoveryProperties;
@PostConstruct
public void init() {
log.warn("Hooking ConsulClient.agentCheckPass(String) calls to enforce acl token passing");
}
/**
* Trap calls made to {@link ConsulClient#agentCheckPass(String)} and call the overridden method variant with ACL
* token
*/
@SneakyThrows
@Around("execution (* com.ecwid.consul.v1.ConsulClient.agentCheckPass(String))")
public Response<Void> trapAgentCheckPass(final ProceedingJoinPoint joinPoint) {
final String checkId = (String) joinPoint.getArgs()[0];
final ConsulClient client = (ConsulClient) joinPoint.getThis();
return client.agentCheckPass(checkId, null, this.consulDiscoveryProperties.getAclToken());
}
}