Skip to content

Ttl Heartbeats don't send acl token if configured #559

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
chriswhite199 opened this issue May 16, 2019 · 2 comments
Open

Ttl Heartbeats don't send acl token if configured #559

chriswhite199 opened this issue May 16, 2019 · 2 comments
Labels
enhancement help wanted

Comments

@chriswhite199
Copy link

If heartbeat is enabled paired with acl tokens, then the heartbeat task does not configure the token to use when communicating with the consul server

spring.cloud.consul.discovery:
  acl-token: ${uuid}
  heartbeat.enabled: true

ConsulHeartbeatTask has this method call to agentCheckPass:

@Override
public void run() {
	TtlScheduler.this.client.agentCheckPass(this.checkId);
	if (log.isDebugEnabled()) {
		log.debug("Sending consul heartbeat for: " + this.checkId);
	}
}

Which without a token, you'll see the following stack trace:

com.ecwid.consul.v1.OperationException: OperationException(statusCode=403, statusMessage='Forbidden', statusContent='Permission denied')
        at com.ecwid.consul.v1.agent.AgentConsulClient.agentCheckPass(AgentConsulClient.java:211) ~[consul-api-1.4.1.jar:na]
        at com.ecwid.consul.v1.agent.AgentConsulClient.agentCheckPass(AgentConsulClient.java:198) ~[consul-api-1.4.1.jar:na]
        at com.ecwid.consul.v1.agent.AgentConsulClient.agentCheckPass(AgentConsulClient.java:193) ~[consul-api-1.4.1.jar:na]
        at com.ecwid.consul.v1.ConsulClient.agentCheckPass(ConsulClient.java:259) ~[consul-api-1.4.1.jar:na]
        at org.springframework.cloud.consul.discovery.TtlScheduler$ConsulHeartbeatTask.run(TtlScheduler.java:95) ~[spring-cloud-consul-discovery-2.1.1.RELEASE.jar:2.1.1.RELEASE]

Which can be overridden to pass a token too (can be null too):

@Override
public void run() {
	TtlScheduler.this.client.agentCheckPass(this.checkId, this.aclToken);
	if (log.isDebugEnabled()) {
		log.debug("Sending consul heartbeat for: " + this.checkId);
	}
}

So any reason why i can't submit a simple PR to fix this (Ie am i missing something?)
@spencergibb
Copy link
Member

PRs welcome

@chriswhite199
Copy link
Author

An AOP based approach to patch while a PR is worked on:

import com.ecwid.consul.v1.ConsulClient;
import com.ecwid.consul.v1.Response;
import javax.annotation.PostConstruct;
import lombok.RequiredArgsConstructor;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.cloud.consul.ConditionalOnConsulEnabled;
import org.springframework.cloud.consul.discovery.ConsulDiscoveryProperties;
import org.springframework.context.annotation.Configuration;

/**
 * AOP fix to ensure the ACL token is sent when performing agent checks
 *
 * <p>https://github.com/spring-cloud/spring-cloud-consul/issues/559
 */
@Aspect
@Configuration
@RequiredArgsConstructor
@ConditionalOnConsulEnabled
@ConditionalOnProperty("spring.cloud.consul.discovery.acl-token")
@Slf4j
public class ConsulClientAspect {
    private final ConsulDiscoveryProperties consulDiscoveryProperties;

    @PostConstruct
    public void init() {
        log.warn("Hooking ConsulClient.agentCheckPass(String) calls to enforce acl token passing");
    }

    /**
     * Trap calls made to {@link ConsulClient#agentCheckPass(String)} and call the overridden method variant with ACL
     * token
     */
    @SneakyThrows
    @Around("execution (* com.ecwid.consul.v1.ConsulClient.agentCheckPass(String))")
    public Response<Void> trapAgentCheckPass(final ProceedingJoinPoint joinPoint) {
        final String checkId = (String) joinPoint.getArgs()[0];
        final ConsulClient client = (ConsulClient) joinPoint.getThis();

        return client.agentCheckPass(checkId, null, this.consulDiscoveryProperties.getAclToken());
    }
}

@varnson varnson mentioned this issue Sep 20, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement help wanted
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

add acl-token to ttl varnson/spring-cloud-consul
3 participants
@spencergibb @chriswhite199 @spring-projects-issues