Consul ACL

systemd service

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[Unit]
Description=consul agent
Requires=network-online.target
After=network-online.target

[Service]
EnvironmentFile=-/etc/sysconfig/consul
Environment=GOMAXPROCS=2
Restart=on-failure
ExecStart=/usr/local/bin/consul agent -config-dir=/opt/consul/conf -rejoin
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target

acl.json

启用ACL,需在配置加载目录下添加acl配置文件

1
2
3
4
5
6
{
"acl_datacenter": "dc1",
"acl_master_token": "xxxxxxxxx",
"acl_default_policy": "deny",
"acl_down_policy": "extend-cache"
}

1562555213001

deregitster

1
curl  -X PUT http://192.168.100.140:8500/v1/agent/service/deregister/<id> -H "X-Consul-Token:xxx"

register

  • 仅node check
1
2
3
4
5
6
7
8
9
10
11
curl http://10.1.100.57:8500/v1/agent/service/register -X PUT -i -H "Content-Type:application/json" -H "X-Consul-Token:xxx" -d '{
"ID": "test.swms.api3",
"Name": "test-swms-api3",
"Tags": ["test", "swms"],
"Address": "192.168.101.35",
"Port": 9003,
"Meta": {
"version": "1.0"
},
"EnableTagOverride": false
}'
  • node check + service check
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
curl http://10.1.100.57:8500/v1/agent/service/register -X PUT -i -H "Content-Type:application/json" -H "X-Consul-Token:xxxxxxxxxxx" -d '{
"ID": "test.swms.api2",
"Name": "test-swms-api2",
"Tags": ["test", "swms"],
"Address": "192.168.101.35",
"Port": 9003,
"Check": {
"DeregisterCriticalServiceAfter": "90m",
"Args": [],
"HTTP": "http://192.168.101.35:9003/hc",
"Interval": "15s"
},
"Meta": {
"version": "1.0"
},
"EnableTagOverride": false
}'

Name不能包含小数点


创建一个agent token

1
2
3
4
5
6
7
8
9
curl \
--request PUT \
--header "X-Consul-Token: xxxxxxxxxxxxxxxx" \
--data \
'{
"Name": "Agent Token",
"Type": "client",
"Rules": "node \"\" { policy = \"write\" } service \"\" { policy = \"read\" }"
}' http://127.0.0.1:8500/v1/acl/create

Type: client

WebUI token的policy可以设置为只读:

1
2
3
4
5
6
7
8
9
service_prefix "" {
policy = "read"
}
key_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}

示例:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
[root@VM_0_4_centos ins_exporter]# cat deReg.sh 
curl -i --request PUT \
--header "X-Consul-Token: xxxxxxxxxxxxxxxxxx" \
http://10.1.100.57:8500/v1/agent/service/deregister/$1

[root@VM_0_4_centos ins_exporter]# sh deReg.sh id-xxl-vm04
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Sun, 07 Jul 2019 08:45:42 GMT
Content-Length: 0

[root@VM_0_4_centos ins_exporter]# cat regXXL.sh
curl http://10.1.100.57:8500/v1/agent/service/register -X PUT -i -H "Content-Type:application/json" \
--header "X-Consul-Token: xxxxxxxxxxxxxxxxxx" -d '{
"ID": "id-xxl-vm04",
"Name": "xxl",
"Tags": ["xxl-job", "http"],
"Address": "192.168.100.150",
"Port": 9977,
"Check": {
"DeregisterCriticalServiceAfter": "90m",
"HTTP": "http://baidu.com",
"Interval": "15s"
},
"Meta": {
"version": "1.0",
"type": "app",
"hostname": "vm03"
},
"EnableTagOverride": false
}'

[root@VM_0_4_centos ins_exporter]# sh regXXL.sh
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Sun, 07 Jul 2019 08:47:47 GMT
Content-Length: 0

# 不带token被禁止
[root@VM_0_4_centos ins_exporter]# curl -i -X PUT http://10.1.100.57:8500/v1/agent/service/deregister/id-xxl-vm04
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Date: Sun, 07 Jul 2019 08:48:54 GMT
Content-Length: 17
Content-Type: text/plain; charset=utf-8