Skip to content

Ttl Heartbeats don't send acl token if configured #559

New issue
New issue
Open
Open
Ttl Heartbeats don't send acl token if configured#559
Labels
enhancementhelp wanted
@chriswhite199

Description

@chriswhite199
chriswhite199
opened on May 16, 2019

If heartbeat is enabled paired with acl tokens, then the heartbeat task does not configure the token to use when communicating with the consul server

spring.cloud.consul.discovery:
  acl-token: ${uuid}
  heartbeat.enabled: true

ConsulHeartbeatTask has this method call to agentCheckPass:

@Override
public void run() {
	TtlScheduler.this.client.agentCheckPass(this.checkId);
	if (log.isDebugEnabled()) {
		log.debug("Sending consul heartbeat for: " + this.checkId);
	}
}

Which without a token, you'll see the following stack trace:

com.ecwid.consul.v1.OperationException: OperationException(statusCode=403, statusMessage='Forbidden', statusContent='Permission denied')
        at com.ecwid.consul.v1.agent.AgentConsulClient.agentCheckPass(AgentConsulClient.java:211) ~[consul-api-1.4.1.jar:na]
        at com.ecwid.consul.v1.agent.AgentConsulClient.agentCheckPass(AgentConsulClient.java:198) ~[consul-api-1.4.1.jar:na]
        at com.ecwid.consul.v1.agent.AgentConsulClient.agentCheckPass(AgentConsulClient.java:193) ~[consul-api-1.4.1.jar:na]
        at com.ecwid.consul.v1.ConsulClient.agentCheckPass(ConsulClient.java:259) ~[consul-api-1.4.1.jar:na]
        at org.springframework.cloud.consul.discovery.TtlScheduler$ConsulHeartbeatTask.run(TtlScheduler.java:95) ~[spring-cloud-consul-discovery-2.1.1.RELEASE.jar:2.1.1.RELEASE]

Which can be overridden to pass a token too (can be null too):

@Override
public void run() {
	TtlScheduler.this.client.agentCheckPass(this.checkId, this.aclToken);
	if (log.isDebugEnabled()) {
		log.debug("Sending consul heartbeat for: " + this.checkId);
	}
}

So any reason why i can't submit a simple PR to fix this (Ie am i missing something?)

Activity

spring-projects-issues
added
waiting-for-triage
on May 16, 2019
spencergibb

spencergibb commented on May 16, 2019

@spencergibb
spencergibb
on May 16, 2019
Member

PRs welcome

spencergibb
added
enhancement
help wanted
and removed
waiting-for-triage
on May 16, 2019
chriswhite199

chriswhite199 commented on May 16, 2019

@chriswhite199
chriswhite199
on May 16, 2019
Author

An AOP based approach to patch while a PR is worked on:

import com.ecwid.consul.v1.ConsulClient;
import com.ecwid.consul.v1.Response;
import javax.annotation.PostConstruct;
import lombok.RequiredArgsConstructor;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.cloud.consul.ConditionalOnConsulEnabled;
import org.springframework.cloud.consul.discovery.ConsulDiscoveryProperties;
import org.springframework.context.annotation.Configuration;

/**
 * AOP fix to ensure the ACL token is sent when performing agent checks
 *
 * <p>https://github.com/spring-cloud/spring-cloud-consul/issues/559
 */
@Aspect
@Configuration
@RequiredArgsConstructor
@ConditionalOnConsulEnabled
@ConditionalOnProperty("spring.cloud.consul.discovery.acl-token")
@Slf4j
public class ConsulClientAspect {
    private final ConsulDiscoveryProperties consulDiscoveryProperties;

    @PostConstruct
    public void init() {
        log.warn("Hooking ConsulClient.agentCheckPass(String) calls to enforce acl token passing");
    }

    /**
     * Trap calls made to {@link ConsulClient#agentCheckPass(String)} and call the overridden method variant with ACL
     * token
     */
    @SneakyThrows
    @Around("execution (* com.ecwid.consul.v1.ConsulClient.agentCheckPass(String))")
    public Response<Void> trapAgentCheckPass(final ProceedingJoinPoint joinPoint) {
        final String checkId = (String) joinPoint.getArgs()[0];
        final ConsulClient client = (ConsulClient) joinPoint.getThis();

        return client.agentCheckPass(checkId, null, this.consulDiscoveryProperties.getAclToken());
    }
}
varnson
mentioned this on Sep 20, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementhelp wanted

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @spencergibb@chriswhite199@spring-projects-issues

      Issue actions
        Ttl Heartbeats don't send acl token if configured · Issue #559 · spring-cloud/spring-cloud-consul