Support Consul ACL tokens

Bug #1752205 reported by Nick Maludy
This bug affects 2 people
Affects: tooz
Status: Fix Released
Importance: Wishlist
Assigned to: punkrokk
Milestone:

Bug Description

Consul's authentication mechanism is implemented using "ACL tokens": https://www.consul.io/docs/guides/acl.html

The python-consul module currently in use supports these tokens: http://python-consul.readthedocs.io/en/latest/#acls

It would be great if tooz could take advantage of this feature so tooz can interact with secured Consul clusters.

Revision history for this message
Nick Maludy (nmaludy) wrote:

It would be great if this token could be passed in via the URL, example: consul://<email address hidden>

I verified this could be done by hijacking the username or password portions of the URL:

In [6]: result = oslo_utils.netutils.urlsplit("consul://<email address hidden>")

In [7]: result.username
Out[7]: 'fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1'

In [8]: result = oslo_utils.netutils.urlsplit("consul://:<email address hidden>")

In [9]: result.password
Out[9]: 'fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1'

Ben Nemec (bnemec)
Changed in python-tooz:
status: New → Confirmed
importance: Undecided → Wishlist

Nick Maludy (nmaludy) wrote:

I've tried adding this into the Consul driver. It seems to be a bit deeper/harder than I expected.

I tried initializing the Consul client like so:

    # Take the ACL token from the password component of the consul:// URL
    self._acl_token = parsed_url.password
    # Hand the token to python-consul so it is attached to API calls
    self._client = consul.Consul(host=self._host, port=self._port,
                                 token=self._acl_token)

However, this line of code is causing an auth error (consul.base.ACLPermissionDenied:) because it's trying to send an API call to the consul service without the auth token:

    # First API call made by the driver (GET /v1/agent/self); this is
    # where consul.base.ACLPermissionDenied is raised
    local_agent = self._client.agent.self()
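
The two comments above describe the whole flow: carry the token in the username or password component of the coordination URL, then make sure it is sent on every Consul HTTP API call, including the very first `agent.self()` lookup that fails with `ACLPermissionDenied` when the token is missing. The following is an added example, not tooz's or python-consul's code. It uses only the standard library so it runs offline: the `acl_token` query-parameter name is a hypothetical alternative to the username/password placement, the `X-Consul-Token` header is the one Consul's HTTP API documents for passing a token, `/v1/agent/self` is the Consul endpoint behind `agent.self()`, and the hostnames and the UUID-shaped token value are constructed sample data. It also shows a redacted form of the URL for logging, since a token carried in a URL otherwise ends up in log lines and error messages.

```python
# Added example (not tooz's code): parse a Consul ACL token out of a consul://
# coordination URL and attach it to every Consul HTTP API request.
# Assumptions: the "acl_token" query-parameter name is hypothetical; the
# username/password placement follows the comment above; "X-Consul-Token" is
# the header Consul's HTTP API documents for passing a token; hostnames and the
# UUID-shaped token value below are constructed sample data.
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample URLs; the token is a made-up UUID-shaped string.
SAMPLE_TOKEN = "fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1"
URL_IN_PASSWORD = f"consul://:{SAMPLE_TOKEN}@consul.example.internal:8500"
URL_IN_USERNAME = f"consul://{SAMPLE_TOKEN}@consul.example.internal:8500"
URL_IN_QUERY = f"consul://consul.example.internal:8500?acl_token={SAMPLE_TOKEN}"
URL_NO_TOKEN = "consul://consul.example.internal"

DEFAULT_PORT = 8500  # Consul's default HTTP API port


def extract_acl_token(url):
    """Return the ACL token carried by the URL, or None.

    Precedence: ?acl_token=... query parameter (hypothetical name), then the
    password component (consul://:token@host), then the username component.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if query.get("acl_token"):
        return query["acl_token"][0]
    if parts.password:
        return parts.password
    if parts.username:
        return parts.username
    return None


def connection_params(url):
    """Split the URL into the keyword arguments a Consul client would take."""
    parts = urlsplit(url)
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORT,
        "token": extract_acl_token(url),
    }


def auth_headers(token):
    """Headers that carry the token; empty when ACLs are not in use."""
    return {"X-Consul-Token": token} if token else {}


def build_request(url, api_path):
    """Full request URL plus headers for one Consul API call.

    The driver's first call (GET /v1/agent/self) fails with ACLPermissionDenied
    unless the token rides along on that request too, so every call is built
    through this single helper rather than only the KV operations.
    """
    params = connection_params(url)
    request_url = f"http://{params['host']}:{params['port']}{api_path}"
    return request_url, auth_headers(params["token"])


def redact_url(url):
    """Copy of the URL that is safe to log: credentials and acl_token masked."""
    parts = urlsplit(url)
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    if parts.username or parts.password:
        netloc = "REDACTED@" + netloc
    query = parse_qs(parts.query, keep_blank_values=True)
    if "acl_token" in query:
        query["acl_token"] = ["REDACTED"]
    return urlunsplit((parts.scheme, netloc, parts.path,
                       urlencode(query, doseq=True), parts.fragment))


if __name__ == "__main__":
    for sample in (URL_IN_PASSWORD, URL_IN_USERNAME, URL_IN_QUERY, URL_NO_TOKEN):
        target, headers = build_request(sample, "/v1/agent/self")
        print(redact_url(sample), "->", target, headers)
```

Routing every call through `build_request` is the point of the example: the permission error in the comment above comes from one early request that bypassed the token, and a driver that only adds the token to KV reads and writes will hit the same failure on agent or session endpoints.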

punkrokk (punkrokk) wrote:

How can I help get this done? Can anyone comment on Nick's question from a year ago?

punkrokk (punkrokk)
Changed in python-tooz:
assignee: nobody → punkrokk (punkrokk)
punkrokk (punkrokk)
Changed in python-tooz:
status: Confirmed → In Progress

OpenStack Infra (hudson-openstack) wrote: Fix proposed to tooz (master)

Fix proposed to branch: master
Review: https://review.opendev.org/723300

OpenStack Infra (hudson-openstack) wrote: Change abandoned on tooz (master)

Change abandoned by punkrokk (<email address hidden>) on branch: master
Review: https://review.opendev.org/723300
Reason: Abandoning in favor of: https://review.opendev.org/718488

OpenStack Infra (hudson-openstack) wrote: Fix merged to tooz (master)

Reviewed: https://review.opendev.org/718488
Committed: https://git.openstack.org/cgit/openstack/tooz/commit/?id=08b2d93226071c74ce8bf85265429511e417af73
Submitter: Zuul
Branch: master

commit 08b2d93226071c74ce8bf85265429511e417af73
Author: JP Bourget <email address hidden>
Date: Wed Apr 8 11:19:34 2020 -0400

    Add support for Consul ACL token parameter.

    When running Consul with ACLs enabled, the best practice is to
    default deny all. In order to support applying a policy to the
    tooz coordination KV store path, passing through an ACL is needed.

    Closes-Bug: #1752205
    Change-Id: I98fc96468b21368ce66365e3fc38c495b1f2918a

Changed in python-tooz:
status: In Progress → Fix Released