token with AccessorID '00000000-0000-0000-0000-000000000002' lacks permission 'service:write' on "demo20221017"

[Din-He]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

---

Overview of the Issue

k8s环境下使用helm部署consul。之后在springboot应用中使用global-management token将服务注册到consul报错 token with AccessorID '00000000-0000-0000-0000-000000000002' lacks permission 'service:write' on "demo20221017"

Reproduction Steps

1. 我自定义了一个config-secure.yaml如下：

   
   # Configure global settings in this section.
   global:
   name: consul
   # Bootstrap ACLs within Consul. This is highly recommended.
   datacenter: test-hdy
   image: hashicorp/consul:1.12.3
   enabled: true
   gossipEncryption:
   autoGenerate: true
   acls:
   manageSystemACLs: true
   # Configure your Consul servers in this section.
   server:
   # Specify three servers that wait until all are healthy to bootstrap the Consul cluster.
   replicas: 1
   # Specify the resources that servers request for placement. These values will serve a large environment.
   resources:
   requests:
     memory: 200Mi
     cpu: 200m
   limits:
     memory: 200Mi
     cpu: 200m
   storageClass: nfs-client
   exposeService:
   enabled: true
   type: NodePort
   nodePort:
     http: 30088
   securityContext:
   runAsNonRoot: false
   runAsUser: 0
   # Configure Consul clients in this section
   client:
   # Specify the resources that clients request for deployment.
   resources:
   requests:
     memory: 200Mi
     cpu: 200m
   limits:
     memory: 200Mi
     cpu: 200m
   # Enable and configure the Consul UI.
   ui:
   enabled: true
   service:
   enabled: true
   # Enable Consul connect pod injection
   connectInject:
   enabled: true
   controller:
   enabled: true

这里面的 storageClass: nfs-client 是我提前使用nfs在k8s中安装好了一个 storageClass名字叫 nfs-client。
2. 我运行了命令
```shell
helm install consul hashicorp/consul --values config-secure.yaml --create-namespace --namespace consul1 --atomic --debug

kubectl get pod -n consul1 查看所有pod运行都正常，其他组件也是正常的，然后我在chrom输入ip:30088/ 访问ui页面看到services中consul instance也是正常的 同时自动生成了一些token

3. 然后在springboot应用中使用global-management token（上面截图中e985dc44）企图将服务注册到consul上，然后程序报错 com.ecwid.consul.v1.OperationException: OperationException(statusCode=403, statusMessage='Forbidden', statusContent='Permission denied: token with AccessorID '00000000-0000-0000-0000-000000000002' lacks permission 'service:write' on "demo20221017"') 其中demo20221017是我的应用名称。 我自己分析：报错显示0002这个token没有写入服务的权限，但是我并没有用那个token我用的是global-management token。（这也正是我的问题，我并没有用0002那个token，他为什么会自动用0002token请求consul，导致报错呢？）据我所知， 00002是anonymous-token-policy 应该是consul默认创建的权限非常小的一个token。

Logs

Expected behavior

Environment details

Additional Context

[Din-He]

问题解决了。 整个过程描述： 我部署consul的服务器ping不通我启动springboot程序的电脑，我电脑可以ping通consul所在服务器。 我在springboot程序bootstrap.yml开启了consul健康检查（consul-server 请求我的电脑，自然是请求不通），所以在consul ui页面上看到我的服务是红叉的状态，然后我在网上搜索为什么consul服务会有红叉？看到一个解决办法是说加上heartbeat.enabled: true 配置。然后我的服务就报上面的错了。首先heartbeat.enabled: true这段配置的意思是说开启心跳检测，就是我主动向consul-server报告我的服务状态，我猜测应该是这过程中用到了000002这个token，然而consul-server可能需要serveice:write权限，这样就报错了。。。。还是有待深入研究consul的心跳检测是怎么回事。

综上，是因为自己对consul的原理不理解所导致的。唉，，，困扰了我很久这问题。

good good study，day day up。