NOTE - An updated and more complete example can be found here.
Here's acl.json:
{
"acl_datacenter": "dc1",
"acl_master_token": "root",
"acl_default_policy": "deny"
}
Start the server. Note that we get the expected ACL errors since the server can't register itself with the catalog yet:
$ ./consul agent -server -data-dir=/tmp/consul-node-1 -bootstrap -config-file=acl.json
==> WARNING: Bootstrap mode enabled! Do not enable unless necessary
==> Starting Consul agent...
==> Consul agent running!
Version: 'v0.8.1'
Node ID: '774af59f-23d8-9255-a00c-066067a5db52'
Node name: 'workpad.local'
Datacenter: 'dc1'
Server: true (bootstrap: true)
Client Addr: 127.0.0.1 (HTTP: 8500, HTTPS: -1, DNS: 8600)
Cluster Addr: 10.183.189.160 (LAN: 8301, WAN: 8302)
Gossip encrypt: false, RPC-TLS: false, TLS-Incoming: false
Atlas: <disabled>
==> Log data will now stream in as it occurs:
2017/05/05 08:19:28 [INFO] raft: Initial configuration (index=1): [{Suffrage:Voter ID:10.183.189.160:8300 Address:10.183.189.160:8300}]
2017/05/05 08:19:28 [INFO] raft: Node at 10.183.189.160:8300 [Follower] entering Follower state (Leader: "")
2017/05/05 08:19:28 [INFO] serf: EventMemberJoin: workpad.local 10.183.189.160
2017/05/05 08:19:28 [INFO] consul: Adding LAN server workpad.local (Addr: tcp/10.183.189.160:8300) (DC: dc1)
2017/05/05 08:19:28 [INFO] serf: EventMemberJoin: workpad.local.dc1 10.183.189.160
2017/05/05 08:19:28 [INFO] consul: Handled member-join event for server "workpad.local.dc1" in area "wan"
2017/05/05 08:19:34 [WARN] raft: Heartbeat timeout from "" reached, starting election
2017/05/05 08:19:34 [INFO] raft: Node at 10.183.189.160:8300 [Candidate] entering Candidate state in term 2
2017/05/05 08:19:34 [INFO] raft: Election won. Tally: 1
2017/05/05 08:19:34 [INFO] raft: Node at 10.183.189.160:8300 [Leader] entering Leader state
2017/05/05 08:19:34 [INFO] consul: cluster leadership acquired
2017/05/05 08:19:34 [INFO] consul: New leader elected: workpad.local
2017/05/05 08:19:34 [INFO] consul: member 'workpad.local' joined, marking health alive
2017/05/05 08:19:35 [WARN] agent: Service 'consul' registration blocked by ACLs
2017/05/05 08:19:35 [WARN] agent: Node info update blocked by ACLs
2017/05/05 08:19:58 [ERR] agent: coordinate update error: Permission denied
...
$ curl \
--request PUT \
--data \
'{
"Name": "Server Token",
"Type": "client",
"Rules": "node \"workpad.local\" { policy = \"write\" } service \"consul\" { policy = \"write\" }"
}' http://127.0.0.1:8500/v1/acl/create?token=root
{"ID":"fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1"}
Update acl.json with the token from the previous step:
{
"acl_datacenter": "dc1",
"acl_master_token": "root",
"acl_agent_token": "fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1",
"acl_default_policy": "deny"
}
Stop and start the Consul server. Note that now it can register itself and the consul service with no ACL errors:
$ ./consul agent -server -data-dir=/tmp/consul-node-1 -bootstrap -config-file=acl.json
==> WARNING: Bootstrap mode enabled! Do not enable unless necessary
==> Starting Consul agent...
==> Consul agent running!
Version: 'v0.8.1'
Node ID: '774af59f-23d8-9255-a00c-066067a5db52'
Node name: 'workpad.local'
Datacenter: 'dc1'
Server: true (bootstrap: true)
Client Addr: 127.0.0.1 (HTTP: 8500, HTTPS: -1, DNS: 8600)
Cluster Addr: 10.183.189.160 (LAN: 8301, WAN: 8302)
Gossip encrypt: false, RPC-TLS: false, TLS-Incoming: false
Atlas: <disabled>
==> Log data will now stream in as it occurs:
2017/05/05 08:25:18 [INFO] raft: Initial configuration (index=1): [{Suffrage:Voter ID:10.183.189.160:8300 Address:10.183.189.160:8300}]
2017/05/05 08:25:18 [INFO] raft: Node at 10.183.189.160:8300 [Follower] entering Follower state (Leader: "")
2017/05/05 08:25:18 [INFO] serf: EventMemberJoin: workpad.local 10.183.189.160
2017/05/05 08:25:18 [WARN] serf: Failed to re-join any previously known node
2017/05/05 08:25:18 [INFO] consul: Adding LAN server workpad.local (Addr: tcp/10.183.189.160:8300) (DC: dc1)
2017/05/05 08:25:18 [INFO] serf: EventMemberJoin: workpad.local.dc1 10.183.189.160
2017/05/05 08:25:18 [WARN] serf: Failed to re-join any previously known node
2017/05/05 08:25:18 [INFO] consul: Handled member-join event for server "workpad.local.dc1" in area "wan"
2017/05/05 08:25:25 [ERR] agent: failed to sync remote state: No cluster leader
2017/05/05 08:25:26 [WARN] raft: Heartbeat timeout from "" reached, starting election
2017/05/05 08:25:26 [INFO] raft: Node at 10.183.189.160:8300 [Candidate] entering Candidate state in term 3
2017/05/05 08:25:26 [INFO] raft: Election won. Tally: 1
2017/05/05 08:25:26 [INFO] raft: Node at 10.183.189.160:8300 [Leader] entering Leader state
2017/05/05 08:25:26 [INFO] consul: cluster leadership acquired
2017/05/05 08:25:26 [INFO] consul: New leader elected: workpad.local
2017/05/05 08:25:28 [INFO] agent: Synced service 'consul'
...
@beardedeagle You'd need to run
consul members -token=<token>
where the token has node read rights to the nodes you want to see, or you need to give your anonymous token read access to all nodes. To run consul info
you need to pass a token that has agent read access, or add that to anonymous as well.
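The two comments above describe one procedure by hand (create a node-scoped agent token with the master token, then put its ID into acl.json as acl_agent_token) and one follow-up (what the anonymous token needs for consul members and consul info to work without -token). The script below is an added example, not code from the thread or from the Consul project. It assumes the legacy ACL HTTP endpoints of that Consul generation (/v1/acl/create and /v1/acl/update, with the anonymous token addressed by the ID "anonymous"), the thread's master token "root" and agent address 127.0.0.1:8500, and that the agent accepts the X-Consul-Token header; the rule strings it builds are the ones the comments use. Only bootstrap_agent_token and open_anonymous_reads talk to a live agent; everything else is pure and can be checked offline.

```python
"""Added example (not from the issue thread): automate the legacy-ACL agent-token
bootstrap described above, and show what the anonymous token needs for
`consul members` / `consul info` to work without -token.

Assumptions (labelled, not facts about any real deployment): legacy ACL endpoints
/v1/acl/create and /v1/acl/update, anonymous token ID "anonymous", master token
"root", agent at 127.0.0.1:8500, X-Consul-Token header accepted.
"""
import json
import urllib.request

CONSUL_ADDR = "http://127.0.0.1:8500"   # same agent address as in the thread
MASTER_TOKEN = "root"                    # acl_master_token from acl.json above


def agent_token_rules(node_name, services=("consul",)):
    """HCL rules for a per-node agent token: write on this node only, plus write
    on the services that node registers. Nothing broader is granted, so a token
    lifted from one agent's config cannot rewrite other nodes' catalog entries."""
    rules = ['node "%s" { policy = "write" }' % node_name]
    rules += ['service "%s" { policy = "write" }' % s for s in services]
    return " ".join(rules)


def anonymous_read_rules():
    """Rules the second comment describes for the anonymous token: read on all
    nodes (for `consul members`) and read on the agent API (for `consul info`).
    The empty prefix matches every node/agent, so this is deliberately broad;
    the per-token alternative is `consul members -token=<token>`."""
    return 'node "" { policy = "read" } agent "" { policy = "read" }'


def create_token_payload(name, rules, token_type="client"):
    """Body for PUT /v1/acl/create, same shape as the curl call in the thread."""
    return {"Name": name, "Type": token_type, "Rules": rules}


def anonymous_update_payload():
    """Body for PUT /v1/acl/update that rewrites the anonymous token's rules."""
    return {"ID": "anonymous", "Type": "client", "Rules": anonymous_read_rules()}


def token_id_from_response(body):
    """/v1/acl/create answers {"ID": "..."}; fail loudly on any other shape so a
    proxy error page never ends up written into acl.json as a token."""
    data = json.loads(body)
    if not isinstance(data, dict) or not data.get("ID"):
        raise ValueError("unexpected ACL create response: %r" % body)
    return data["ID"]


def with_agent_token(acl_config, token_id):
    """Copy of acl.json's contents with acl_agent_token set; acl_default_policy
    stays "deny", which is what makes the agent token necessary at all."""
    updated = dict(acl_config)
    updated["acl_agent_token"] = token_id
    return updated


def consul_put(path, payload, token):
    """PUT JSON to the Consul HTTP API. The token goes in the X-Consul-Token
    header instead of ?token=, so it stays out of shell history and access logs."""
    req = urllib.request.Request(
        CONSUL_ADDR + path,
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"X-Consul-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def bootstrap_agent_token(node_name, config_path="acl.json"):
    """The full procedure from the thread: create the agent token with the master
    token, then rewrite acl.json so the restarted agent can register itself."""
    payload = create_token_payload("Server Token", agent_token_rules(node_name))
    token_id = token_id_from_response(consul_put("/v1/acl/create", payload, MASTER_TOKEN))
    with open(config_path) as f:
        config = json.load(f)
    with open(config_path, "w") as f:
        json.dump(with_agent_token(config, token_id), f, indent=2)
    return token_id


def open_anonymous_reads():
    """Give the anonymous token the node/agent read rights the second comment names."""
    return consul_put("/v1/acl/update", anonymous_update_payload(), MASTER_TOKEN)


if __name__ == "__main__":
    print("created agent token", bootstrap_agent_token("workpad.local"))
```

Run it from the directory holding acl.json while the bootstrapped server from the first comment is up; the agent then needs the same stop/start the thread describes before the new acl_agent_token takes effect. Keeping the master token out of the query string and writing the token into the config file rather than echoing it are the two small hardening choices over the manual curl.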