Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Connect does not work correctly with ACLs when service.ID != service.Name #4619

Closed
pierresouchay opened this issue Aug 30, 2018 · 6 comments
Closed

Connect does not work correctly with ACLs when service.ID != service.Name #4619

pierresouchay opened this issue Aug 30, 2018 · 6 comments
Labels
theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies type/bug Feature does not function as expected

Comments

@pierresouchay
Copy link
Contributor

pierresouchay commented Aug 30, 2018
edited
Loading

Overview of the Issue

When using Connect, the proxy service uses the ID of the proxied service.

So, given a Service:

{
  "ID": "my-id",
  "Name": "web",
}

Consul Connect will create a service:

{
  "ID": "my-id-proxy",
  "Name": "my-id-proxy"
}

If ACL for the user is

"service": {
    "": {
      "policy": "read"
    },
    "web": {
      "policy": "write"
    }
}

the proxy will fail to register in the cluster.

Consul info for both Client and Server

Consul 1.2.2 with patches
@uepoch uepoch mentioned this issue Aug 30, 2018
Merged
@pierresouchay
Copy link
Contributor Author

@banks @mkeeler Fix provided here: #4620

@pierresouchay
Copy link
Contributor Author

pierresouchay commented Aug 30, 2018
edited
Loading

This fix has been tested successfully on a real cluster

@pearkes pearkes added type/bug Feature does not function as expected theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies labels Aug 30, 2018
@banks
Copy link
Member

banks commented Sep 4, 2018

Thanks Pierre.

This is a slightly broader issue than the fix PR as I mentioned there although that is worth merging for now.

The biggest problem is that soon ACLs will be exact-match by default and so even with the fix an ACL allowing web service registration will not automatically allow web-proxy too.

I think the correct fix for that is to manage proxy ACLs a little differently based on their destination instead of their actual name, and/or make it easier to grant ACLs for a service and it's proxy. Both need more thought though.

We can close this once the PR merges but we'll consider that case again for new ACLs.

@pierresouchay
Copy link
Contributor Author

ACL will exact match?
Huh... We are counting a lot on the prefix mechanism now

@banks
Copy link
Member

banks commented Sep 5, 2018

Prefix will still be possible of course just not the default since it allows too many "footguns" where things have much more access than the operator intended. Will also continue to support existing ACLs without breaking back-compat and provide a simple way to migrate the policies to equivalent new ones if you want to upgrade them in bulk too so don't worry too much. It's more a thing for us to consider since the general default/recommendation would be for precise exact-match service ACLs but we still need connect proxies to work.

@banks
Copy link
Member

banks commented Sep 5, 2018

Going to close this as #4620 fixes the immediate issue.

Thanks @pierresouchay and @uepoch!

@banks banks closed this as completed Sep 5, 2018
@banks banks mentioned this issue Sep 17, 2018
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies type/bug Feature does not function as expected
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@banks @pearkes @pierresouchay