mantl / mantl

Mantl is a modern platform for rapidly deploying globally distributed services
http://mantl.io
Apache License 2.0

API Calls to Consul lack authentication #1711

Open hpreston opened 8 years ago

hpreston commented 8 years ago

Accessing the Web UIs of the Mantl Services requires a username/password, and the APIs should as well. I haven't checked them all, but Consul at least will take unauthenticated API calls. This example call works as it is:

curl -k https://10.10.10.103:8500/v1/agent/service/deregister/mesos-consul:10.10.10.103:tropo-myhero:9931

Tested with Mantl 1.1

langston-barrett commented 8 years ago

@hpreston Is this from inside or outside the cluster network?

langston-barrett commented 8 years ago

@hpreston Side note: You can (and should!) validate your cluster's SSL certs, using the generated CA. Try curl --cacert ssl/cacert.pem instead of curl -k.

hpreston commented 8 years ago

@siddharthist I've run the command from multiple locations... once from my Build server which sits on the same IP network that the Mantl cluster does, and just now I tested from my laptop directly which is on a completely different IP network from the cluster. Both work successfully...

And yeah... validating the certs would be a much better habit to get into than just ignoring... :-)
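
An added example, not part of the original thread or the Mantl project: a read-only audit check for the condition reported in this issue, validating TLS against the cluster CA as suggested in the comments. It assumes Consul's `/v1/agent/self` endpoint as the probe and that an ACL-enforcing agent (or an authenticating proxy in front of it) rejects a tokenless request with 401/403; the function names are hypothetical.

```python
# Added example (not Mantl code). Audits whether a Consul agent answers API
# calls that carry no ACL token, validating TLS against the cluster CA rather
# than disabling verification (the "curl -k" habit discussed in the thread).
import ssl
import urllib.error
import urllib.request

# Assumption: /v1/agent/self is used as a read-only probe. It changes no state.
PROBE_PATH = "/v1/agent/self"


def classify(status):
    """Map the HTTP status of a tokenless request to an audit verdict."""
    if status == 200:
        return "OPEN"        # API answered without any credentials
    if status in (401, 403):
        return "PROTECTED"   # proxy auth or Consul ACLs rejected the call
    return "UNKNOWN"         # redirect, 404, 5xx: needs a manual look


def probe(base_url, cafile=None, timeout=5):
    """Send one tokenless GET and return (verdict, http_status)."""
    context = None
    if base_url.startswith("https://"):
        # With cafile set, only that CA is trusted; chain and hostname are
        # both verified. A TLS failure raises instead of being ignored.
        context = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(base_url.rstrip("/") + PROBE_PATH, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=context) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code    # 4xx/5xx arrive as exceptions in urllib
    return classify(status), status


if __name__ == "__main__":
    import sys
    # Usage: python consul_probe.py https://<consul-host>:8500 ssl/cacert.pem
    url = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    verdict, status = probe(url, ca)
    print(f"{url}: {verdict} (HTTP {status})")
```

Run it from both inside and outside the cluster network, since the thread reports the call succeeding from both locations.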