fabiolb / fabio

Consul Load-Balancing made simple
https://fabiolb.net
MIT License

Correct Consul ACL Policy for Fabio #831

Open ziazon opened 3 years ago

ziazon commented 3 years ago

When I set Consul's default_policy to "allow", fabio works as expected. When this is set to "deny" (as it should be in production), fabio stops working.

I've even tried using this policy to generate a token for fabio:

service "fabio" {
  policy = "write"
}
service "" {
  policy  = "read"
}
key_prefix "" {
  policy = "read"
}
key_prefix "fabio/" {
  policy = "write"
}
key_prefix "vault/" {
  policy = "deny"
}
node_prefix "" {
  policy = "read"
}
agent_prefix "" {
  policy = "read"
}
session_prefix "" {
  policy = "read"
}
event_prefix "" {
  policy = "read"
}
query_prefix "" {
  policy = "read"
}

and it still doesn't work as expected.

What is the needed policy for fabio to work with an ACL secured Consul cluster? I also couldn't seem to find anything about it in the docs.

Consul: 1.9.5 Fabio: 1.5.15

ziazon commented 3 years ago

@magiconair or anyone else able to help with this?

tristanmorgan commented 3 years ago

I'm running some consul connect (native) services with default_policy "deny" and using this policy.

key_prefix "_rexec/" {
  policy = "deny"
}
key_prefix "vault/" {
  policy = "deny"
}
key_prefix "fabio" {
  policy = "write"
}
service_prefix "" {
  policy = "write"
}
node_prefix "" {
  policy = "read"
}
agent_prefix "" {
  policy = "read"
}

rbarrette commented 2 years ago

@tristanmorgan Thank you! This helped me out last night.
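
Added example, not part of the thread and not fabio's or Consul's own code: a small Python lint run over the two policies posted above. It relies on Consul's ACL rule semantics, where a rule such as `service "x"` applies only to that exact name while `service_prefix "x"` matches by prefix; the function names and finding labels are made up for this illustration.

```python
import re

# One rule block of the form:  resource "name" { policy = "level" }
RULE = re.compile(r'(\w+)\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(\w+)"\s*\}')

def parse_policy(text):
    """Return (resource, name, level) tuples for every rule in the policy."""
    return RULE.findall(text)

def lint(text):
    """Flag rules that grant less, or more, than they appear to."""
    findings = []
    for resource, name, level in parse_policy(text):
        prefix_rule = resource.endswith("_prefix")
        if not prefix_rule and name == "":
            # Exact-match rule with an empty name: it applies only to a
            # resource literally named "", so it covers no real service.
            findings.append(("matches-nothing", resource, name, level))
        elif prefix_rule and name == "" and level == "write":
            # Write on every resource of this type: review for least privilege.
            findings.append(("broad-write", resource, name, level))
    return findings

# Policies copied from the thread, one rule per line.
FIRST_POLICY = '''
service "fabio" { policy = "write" }
service "" { policy = "read" }
key_prefix "" { policy = "read" }
key_prefix "fabio/" { policy = "write" }
key_prefix "vault/" { policy = "deny" }
node_prefix "" { policy = "read" }
agent_prefix "" { policy = "read" }
session_prefix "" { policy = "read" }
event_prefix "" { policy = "read" }
query_prefix "" { policy = "read" }
'''
SECOND_POLICY = '''
key_prefix "_rexec/" { policy = "deny" }
key_prefix "vault/" { policy = "deny" }
key_prefix "fabio" { policy = "write" }
service_prefix "" { policy = "write" }
node_prefix "" { policy = "read" }
agent_prefix "" { policy = "read" }
'''

if __name__ == "__main__":
    for label, policy in (("first", FIRST_POLICY), ("second", SECOND_POLICY)):
        for finding in lint(policy):
            print(label, finding)
```

With default_policy "deny", the first policy's only service read rule is the exact-match `service ""`, so the token has no read access to other services in the catalog; the second policy covers them through `service_prefix ""`.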