ACL config file error on server startup #4770

Closed
ADeane6 opened this issue Oct 9, 2018 · 1 comment

ADeane6 commented Oct 9, 2018

Overview of the Issue

With ACL enabled and a default ACL policy file, Consul fails to start with a Go panic.

Reproduction Steps

Steps to reproduce this issue, e.g.:

  1. Create a cluster with 3 server nodes
  2. With the following ACL config:

```hcl
# Default all keys to read-only
key "" {
    policy = "read"
}
key "foo/" {
    policy = "write"
}

# Default all services to allow registration. Also permits all
# services to be discovered.
service "" {
    policy = "write"
}

# Deny registration access to services prefixed "secure-".
# Discovery of the service is still allowed in read mode.
service "secure-" {
    policy = "read"
}

# Allow firing any user event by default.
event "" {
    policy = "write"
}

# Deny firing events prefixed with "destroy-".
event "destroy" {
    policy = "deny"
}

# Default prepared queries to read-only.
query "" {
    policy = "read"
}

# Read-only mode for the encryption keyring by default (list only)
keyring = "read"

# Read-only mode for Consul operator interfaces (list only)
operator = "read"
```

  3. `panic: key: []map[string]interface{} with more than one element not supported: [map[:[map[policy:read]]] map[foo/:[map[policy:write]]]]`

Consul info for both Client and Server

Server info

Consul Version: 1.2.3

Operating system and Environment details

RHEL 7, AWS

Log Fragments

```
Oct 09 10:06:54 hostname consul[16710]: panic: key: []map[string]interface{} with more than one element not supported: [map[:[map[policy:read]]] map[foo/:[map[policy:write]]]]
Oct 09 10:06:54 hostname consul[16710]: goroutine 1 [running]:
Oct 09 10:06:54 hostname consul[16710]: github.com/hashicorp/consul/agent/config.patchValue(0xc420404e83, 0x3, 0x16a93c0, 0xc420464740, 0xc4204f8f30, 0x8, 0x8, 0xc420438ca0, 0xc420404f50)
Oct 09 10:06:54 hostname consul[16710]: /go/src/github.com/hashicorp/consul/agent/config/patch_hcl.go:57 +0x9fd
Oct 09 10:06:54 hostname consul[16710]: github.com/hashicorp/consul/agent/config.patchValue(0x0, 0x0, 0x17fda20, 0xc4203a4fc0, 0xc4204f8f30, 0x8, 0x8, 0x0, 0x0)
Oct 09 10:06:54 hostname consul[16710]: /go/src/github.com/hashicorp/consul/agent/config/patch_hcl.go:24 +0x181
Oct 09 10:06:54 hostname consul[16710]: github.com/hashicorp/consul/agent/config.patchSliceOfMaps(0xc4203a4fc0, 0xc4204f8f30, 0x8, 0x8, 0x0)
Oct 09 10:06:54 hostname consul[16710]: /go/src/github.com/hashicorp/consul/agent/config/patch_hcl.go:8 +0x61
Oct 09 10:06:54 hostname consul[16710]: github.com/hashicorp/consul/agent/config.Parse(0xc42047a000, 0x318, 0x1c29c1a, 0x3, 0xc4200b4bd0, 0xc4200b4c10, 0xc4200b4c40, 0xc4200b4c70, 0x0, 0xc
```

@pearkes pearkes added the theme/acls ACL and token generation label Oct 26, 2018

pearkes commented Oct 26, 2018

#4791 will likely have fixed parsing errors such as these for policies that are incorrect; hopefully we can supply a better error message.

@pearkes pearkes closed this as completed Oct 26, 2018