hashicorp / consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
https://www.consul.io

Unexpected response code: 403 (ACL not found) - when wrong management token is used #14676

Open andrake81 opened 2 years ago

andrake81 commented 2 years ago

Overview of the Issue

Wrong status code and msg for invalid/wrong mgmt token usage with the consul CLI

I think a simple 401 would be more indicative

Reproduction Steps

  1. Run consul 1.11.4 with simple ACL config (used MacOS for local dev):
    acl {
    enabled                  = true
    default_policy           = "deny"
    enable_token_persistence = true
    }
  2. /usr/local/Cellar/consul/1.11.4/bin/consul agent -config-file consul.hcl
  3. export CONSUL_HTTP_TOKEN=randomToken
  4. Try to use any consul command:

    /usr/local/Cellar/consul/1.11.4/bin/consul acl policy list
    Failed to retrieve the policy list: Unexpected response code: 403 (ACL not found)

    /usr/local/Cellar/consul/1.11.4/bin/consul members
    Error retrieving members: Unexpected response code: 403 (ACL not found)


to fix: just `export CONSUL_HTTP_TOKEN=correctToken`

Consul info for both Client and Server

    /usr/local/Cellar/consul/1.11.4/bin/consul info
    agent:
        check_monitors = 0
        check_ttls = 0
        checks = 0
        services = 0
    build:
        prerelease =
        revision =
        version = 1.11.4
    consul:
        acl = enabled
        bootstrap = true
        known_datacenters = 1
        leader = true
        leader_addr = ----
        server = true
    raft:
        applied_index = 1611
        commit_index = 1611
        fsm_pending = 0
        last_contact = 0
        last_log_index = 1611
        last_log_term = 2
        last_snapshot_index = 0
        last_snapshot_term = 0
        latest_configuration = [{Suffrage:Voter ID:4e8d1e2e-5ac1-1d5c-d7e5-4acd0f04181b Address:-------}]
        latest_configuration_index = 0
        num_peers = 0
        protocol_version = 3
        protocol_version_max = 3
        protocol_version_min = 0
        snapshot_version_max = 1
        snapshot_version_min = 0
        state = Leader
        term = 2
    runtime:
        arch = amd64
        cpu_count = 8
        goroutines = 169
        max_procs = 8
        os = darwin
        version = go1.17.6
    serf_lan:
        coordinate_resets = 0
        encrypted = false
        event_queue = 0
        event_time = 4
        failed = 0
        health_score = 0
        intent_queue = 0
        left = 0
        member_time = 167
        members = 8
        query_queue = 0
        query_time = 4
    serf_wan:
        coordinate_resets = 0
        encrypted = false
        event_queue = 0
        event_time = 1
        failed = 0
        health_score = 0
        intent_queue = 0
        left = 0
        member_time = 1
        members = 1
        query_queue = 0
        query_time = 1


Operating system and Environment details

MacOS 12.5.1 Intel

Log Fragments

    2022-09-19T13:44:34.191+0300 [ERROR] agent.http: Request error: method=GET url=/v1/acl/policies from=127.0.0.1:63170 error="ACL not found"
    2022-09-19T13:48:43.237+0300 [ERROR] agent.http: Request error: method=GET url=/v1/agent/members?segment=_all from=127.0.0.1:64979 error="ACL not found"

jkirschner-hashicorp commented 1 year ago

Related to this general issue about improving "ACL not found" error messages: https://github.com/hashicorp/consul/issues/12517
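
Because the CLI reports a wrong token only as a 403, the agent log lines quoted in the issue are the practical place to separate "token unknown" from other request errors. The following is an added example, not code from the issue or from the Consul project: it counts "ACL not found" request errors per client address. The function name, the sample log and the "Permission denied" line are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// reqErr matches agent.http request-error lines in the format quoted in the issue.
var reqErr = regexp.MustCompile(`agent\.http: Request error: method=\S+ url=\S+ from=(\S+) error="([^"]*)"`)

// UnknownTokenBySource (hypothetical helper) counts, per client IP, the
// requests rejected with "ACL not found", the error the issue shows for a
// wrong token. Other request errors are not counted.
func UnknownTokenBySource(log string) map[string]int {
	counts := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := reqErr.FindStringSubmatch(sc.Text())
		if m == nil || m[2] != "ACL not found" {
			continue
		}
		host, _, err := net.SplitHostPort(m[1])
		if err != nil {
			host = m[1] // not host:port, keep the raw value
		}
		counts[host]++
	}
	return counts
}

// sampleLog: the first two lines are the issue's log fragments; the last two
// are constructed for this example (192.0.2.10 is a documentation address).
const sampleLog = `2022-09-19T13:44:34.191+0300 [ERROR] agent.http: Request error: method=GET url=/v1/acl/policies from=127.0.0.1:63170 error="ACL not found"
2022-09-19T13:48:43.237+0300 [ERROR] agent.http: Request error: method=GET url=/v1/agent/members?segment=_all from=127.0.0.1:64979 error="ACL not found"
2022-09-19T13:50:02.004+0300 [ERROR] agent.http: Request error: method=GET url=/v1/kv/app from=192.0.2.10:51544 error="ACL not found"
2022-09-19T13:50:09.310+0300 [ERROR] agent.http: Request error: method=GET url=/v1/acl/policies from=192.0.2.10:51560 error="Permission denied"`

func main() {
	for src, n := range UnknownTokenBySource(sampleLog) {
		fmt.Printf("%s: %d request(s) with an unknown token\n", src, n)
	}
}
```

A steady count from one address usually points at a client configured with a stale or mistyped `CONSUL_HTTP_TOKEN`, which is the situation the issue reproduces.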