Skip to content

[consul] Enable ACL authentication #521

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
zippolyte merged 7 commits into from
Jul 10, 2017
Merged

[consul] Enable ACL authentication #521

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
cd6db9b
[consul] Enable ACL authentication
zippolyte Jul 5, 2017
ec480be
Merge branch 'master' into hippo/consul_acl
zippolyte Jul 7, 2017
e47fa40
Merge branch 'master' into hippo/consul_acl
truthbk Jul 10, 2017
e0fb838
Address comments
zippolyte Jul 10, 2017
79dc85c
Merge branch 'hippo/consul_acl' of github.com:DataDog/integrations-co…
zippolyte Jul 10, 2017
3996f70
Fix tests
zippolyte Jul 10, 2017
0232c94
Merge branch 'master' into hippo/consul_acl
truthbk Jul 10, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions consul/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
==================

* [Fix] Fix duplicate service check with same tags but different status being sent (one per Node).
* [FEATURE] Support ACL token for authentication.

1.0.003-22-2017
==================
Expand Down
11 changes: 8 additions & 3 deletions consul/check.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,14 +84,19 @@ def consul_request(self, instance, endpoint):
clientcertfile = instance.get('client_cert_file', self.init_config.get('client_cert_file', False))
privatekeyfile = instance.get('private_key_file', self.init_config.get('private_key_file', False))
cabundlefile = instance.get('ca_bundle_file', self.init_config.get('ca_bundle_file', True))
acl_token = instance.get('acl_token', None)

headers = {}
if acl_token:
headers['X-Consul-Token'] = acl_token

if clientcertfile:
if privatekeyfile:
resp = requests.get(url, cert=(clientcertfile,privatekeyfile), verify=cabundlefile)
resp = requests.get(url, cert=(clientcertfile,privatekeyfile), verify=cabundlefile, headers=headers)
else:
resp = requests.get(url, cert=clientcertfile, verify=cabundlefile)
resp = requests.get(url, cert=clientcertfile, verify=cabundlefile, headers=headers)
else:
resp = requests.get(url, verify=cabundlefile)
resp = requests.get(url, verify=cabundlefile, headers=headers)

except requests.exceptions.Timeout:
self.log.exception('Consul request to {0} timed out'.format(url))
Expand Down
4 changes: 3 additions & 1 deletion consul/ci/consul.rake
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,10 @@ namespace :ci do
task :install do
Rake::Task['ci:common:install'].invoke('consul')
# sample docker usage
sh %( docker run -d --expose 8301 --expose 8500 -p 8500:8500 --name #{container_name_1} \
sh %( docker create --expose 8301 --expose 8500 -p 8500:8500 --name #{container_name_1} \
consul:#{consul_version} agent -dev -bind=0.0.0.0 -client=0.0.0.0 )
sh %( docker cp #{__dir__}/server.json #{container_name_1}:/consul/config/server.json )
Copy link
Copy Markdown
Member

@truthbk truthbk Jul 10, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice job with the test infastructure setup! 🍰

sh %( docker start #{container_name_1} )
Wait.for 8500
wait_on_docker_logs(container_name_1, 30, 'agent: Node info in sync', "agent: Synced service 'consul'")

Expand Down
5 changes: 5 additions & 0 deletions consul/ci/server.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
{
"acl_datacenter": "dc1",
"acl_default_policy": "deny",
"acl_master_token": "token"
}
3 changes: 3 additions & 0 deletions consul/conf.yaml.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ instances:
# Possible values: True, False or '/path/to/your/trusted_ca_bundle_file'
# ca_bundle_file: '/path/to/trusted_ca_bundle_file'

# ACL token to use for authentication
# acl_token: 'token'

# Whether to perform checks against the Consul service Catalog
catalog_checks: yes

Expand Down
29 changes: 28 additions & 1 deletion consul/test_consul.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@

# 3p
from nose.plugins.attrib import attr
from requests import HTTPError

from tests.checks.common import AgentCheckTest, load_check
from utils.containers import hash_mutable
Expand Down Expand Up @@ -703,7 +704,8 @@ def simple_integration_test(self):
'network_latency_checks': True,
'new_leader_checks': True,
'catalog_checks': True,
'self_leader_check': True
'self_leader_check': True,
'acl_token': 'token'
}]
}

Expand All @@ -720,3 +722,28 @@ def simple_integration_test(self):
self.assertServiceCheck('consul.up')

self.coverage_report()

def test_acl_forbidden(self):
"""
Testing Consul Integration
"""

config = {
"instances": [{
'url': 'http://localhost:8500',
'catalog_checks': True,
'network_latency_checks': True,
'new_leader_checks': True,
'catalog_checks': True,
'self_leader_check': True,
'acl_token': 'wrong_token'
}]
}
got_error_403 = False
try:
self.run_check(config)
except HTTPError as e:
if e.response.status_code == 403:
got_error_403 = True

self.assertTrue(got_error_403)