Support Consul ACL tokens

Bug #1752205 reported by Nick Maludy on 2018-02-28
This bug affects 1 person
Affects: tooz
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Consul's authentication mechanism is implemented using "ACL tokens": https://www.consul.io/docs/guides/acl.html

The python-consul module currently in use supports these tokens: http://python-consul.readthedocs.io/en/latest/#acls

It would be great if tooz could take advantage of this feature so tooz can interact with secured Consul clusters.

Nick Maludy (nmaludy) wrote :

It would be great if this token could be passed in via the URL, example: consul://<email address hidden>

I verified this could be done by hijacking the username or password portions of the URL:

In [6]: result = oslo_utils.netutils.urlsplit("consul://<email address hidden>")

In [7]: result.username
Out[7]: 'fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1'

In [8]: result = oslo_utils.netutils.urlsplit("consul://:<email address hidden>")

In [9]: result.password
Out[9]: 'fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1'

Ben Nemec (bnemec) on 2018-08-29
Changed in python-tooz:
status: New → Confirmed
importance: Undecided → Wishlist

Nick Maludy (nmaludy) wrote :

I've tried adding this into the Consul driver. It seems to be a bit deeper/harder than I expected.

I tried initializing the Consul client like so:

                self._acl_token = parsed_url.password
                self._client = consul.Consul(host=self._host, port=self._port,
                                             token=self._acl_token)

However, this line of code is causing an auth error (consul.base.ACLPermissionDenied:) because it's trying to send an API call to the consul service without the auth token:

                local_agent = self._client.agent.self()
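
Added example, not part of the original report and not tooz or python-consul code: one way to read the ACL token from either the username or the password slot of a consul:// URL, as tried in the thread, and to strip it again before the URL is written to a log. It uses the standard library's urllib.parse.urlsplit in place of oslo_utils.netutils.urlsplit; the function names, the 8500 default port fallback, and the sample host and token are assumptions made for the example.

```python
from urllib.parse import unquote, urlsplit, urlunsplit

DEFAULT_CONSUL_PORT = 8500  # assumption: fall back to Consul's default HTTP port

# Constructed sample values, not taken from the bug report.
SAMPLE_TOKEN = "00000000-0000-0000-0000-000000000000"
SAMPLE_URL = "consul://:%s@consul.example.test:8501" % SAMPLE_TOKEN


def parse_consul_url(url):
    """Return (host, port, token) from a consul:// URL.

    The token may sit in the username slot ("consul://TOKEN@host") or the
    password slot ("consul://:TOKEN@host"); it is None when neither is set.
    """
    parts = urlsplit(url)
    if parts.scheme != "consul":
        raise ValueError("expected a consul:// URL")
    if not parts.hostname:
        raise ValueError("URL has no host")
    # Prefer the password slot, then fall back to the username slot.
    raw = parts.password or parts.username
    token = unquote(raw) if raw else None
    return parts.hostname, parts.port or DEFAULT_CONSUL_PORT, token


def redact_url(url):
    """Return the URL with any userinfo masked, for log and error output."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url  # nothing secret in the netloc
    host = parts.hostname or ""
    if ":" in host:  # an IPv6 literal needs its brackets restored
        host = "[%s]" % host
    netloc = "***@" + host
    if parts.port is not None:
        netloc += ":%d" % parts.port
    return urlunsplit(
        (parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    host, port, token = parse_consul_url(SAMPLE_URL)
    print(host, port, "token set" if token else "no token")
    print(redact_url(SAMPLE_URL))
```
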
