Why is ACL ID read-only?

[rytutis]

Hi,

https://github.com/solarkennedy/puppet-consul/blob/master/lib/puppet/type/consul_acl.rb#L40

Consul allows setting the ID when creating a token, wonder why is it read only in puppet-consul?

[solarkennedy]

It may have been read-only at the time that it was made. @mdelagrange or @michaeltchapman do you guys know? I haven't worked with acls much.

[mdelagrange]

I don't know if there is a good puppet reason to make it read-only, but @rytutis is correct that it can be set in the API.

[aj-jester]

Right, this feature wasn't added until consul 0.5.1. We can make it read-write and hopefully folks are on one of the latest releases.

https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#051-may-13-2015
hashicorp/consul#909

[michaeltchapman]

There's nothing special about the attribute's treatment in the provider afaict so changing it to read-write shouldn't be an issue.

[reppard]

I've been bang my head on my keyboard for a little while now. Is there a way to configured the Anonymous Token's policy via this module? Simply trying to disable write perms for annoymous.

    consul_acl { 'anonymous':                                                                                                                                                               
      ensure        => 'present',                                                                                                                                                           
      name          => 'Anonymous Token',                                                                                                                                                   
      acl_api_token => 'sUp3rS3cr3t',                                                                                                                                                           
      rules         => {                                                                                                                                                                    
        'key'       => {                                                                                                                                                                    
          ''        => {'policy'    => 'read'}                                                                                                                                              
        },                                                                                                                                                                                  
        'key' => {                                                                                                                                                                          
          '_rexec' => {'policy' => 'write'}                                                                                                                                                 
        },                                                                                                                                                                                  
      },                                                                                                                                                                                    
      type => 'client',                                                                                                                                                                     
    } 

I keep getting Connection Refused like consul isn't up yet when consul_acl makes the api call.

EDIT:
Also seeing this:

Could not evaluate: Cannot retrieve ACLs: invalid return code 500 uri: /v1/acl/list?token=sUp3rS3cr3t

[mdelagrange]

@reppard it should work. I configure the Anonymous Token in much the same way without issue. Maybe it's a problem with your ACL token?

[reppard]

@mdelagrange Thanks for the input. I've confirmed it to be timing with this terrible hack job

  exec { 'wait_a_damn_minute' :                                                                                                                                                               
    command => "echo 'Waiting...' && sleep 30",                                                                                                                                               
    path  => "/usr/bin:/bin",                                                                                                                                                                 
  }                                                                                                                                                                                           

  consul_acl { 'anonymous':                                                                                                                                                                   
    ensure        => 'present',                                                                                                                                                               
    name          => 'Anonymous Token',                                                                                                                                                       
    acl_api_token => 'S3Cr3tStuFFs',                                                                                                                                                               
    rules => {                                                                                                                                                                                
      'key' => {                                                                                                                                                                              
        "" => {'policy'    => 'read'},                                                                                                                                                        
        '_rexec' => {'policy' => 'write'},                                                                                                                                                    
      }                                                                                                                                                                                       
    },                                                                                                                                                                                        
    type    => 'client',                                                                                                                                                                      
    require => Exec['wait_a_damn_minute'],                                                                                                                                                    
  }  

Should I create another issue you think? Seems like a poll and wait could be added for this api call.

[mdelagrange]

Yeah I'd recommend that. I've also experienced acl timeouts when I make a puppet change that leads to a consul restart. My guess is that Consul returns from startup before the API is available, but it could also be an issue in the puppet-consul logic somewhere.

[aj-jester]

@reppard Feel free to open a separate issue and I can take a look.

I think the general consensus here is to make this write as well, have some time this week I can look into this. If anyone else wants to work on this feel free.

[reppard]

@aj-jester Thanks man! I created another issue. I want to use consul as a secret storage backend for vault. seems silly to have an anon policy that can read and write to everything for this use case. If I have time I may look into a possible solution and submit a PR if I get one going. Thanks for the great work.

[solarkennedy]

@mdelagrange good to close?

[mdelagrange]

yeah i think that will do it