consul_acl makes api call before ACL api is available #193

Closed
reppard opened this issue Oct 14, 2015 · 3 comments · Fixed by #274

reppard commented Oct 14, 2015

I get connection refused when trying to create/modify an acl policy via the consul_acl type. I was able to create one by hacking in a wait, showing it to be a timing issue:

  exec { 'wait_a_damn_minute' :
    command => "echo 'Waiting...' && sleep 30",
    path    => "/usr/bin:/bin",
  }

  consul_acl { 'anonymous':
    ensure        => 'present',
    name          => 'Anonymous Token',
    acl_api_token => 'S3Cr3tStuFFs',
    rules         => {
      'key' => {
        ""       => {'policy' => 'read'},
        '_rexec' => {'policy' => 'write'},
      }
    },
    type          => 'client',
    require       => Exec['wait_a_damn_minute'],
  }
@aj-jester

@reppard quick question, when you mean the API call is made before ACL api is available...is this happening right after consul has recently restarted? I can't imagine the API not being available during normal usage.

reppard commented Oct 14, 2015

Yes, this is on a new node. The service is started and the ACL policy apply is attempted directly after. The failing request is /v1/acl/list, I believe.

sigerber commented Jan 6, 2016

You need to have a leader elected before you can use the REST API. This is how we implemented bootstrapping a cluster with ACLs in an idempotent way.

exec { 'leader_elected':
  command     => "/usr/bin/test \"$(curl -s http://localhost:6500/v1/status/leader)\" != '\"\"'",
  tries       => 5,
  try_sleep   => 1,
  unless      => "/usr/bin/test \"$(curl -s http://localhost:6500/v1/status/leader)\" != '\"\"'",
}

Consul_acl <||> { require => Exec['leader_elected'] }
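
The leader check discussed in this thread, written as a standalone shell function with a bounded retry (an added example, not code from the issue or from the module). It tells apart a refused connection, the empty `""` reply and an elected leader; the function names and the `CONSUL_ADDR` variable are assumptions, and the address defaults to the `localhost:6500` used above.

```shell
#!/bin/sh
# Added example: gate ACL provisioning on Consul leader election.
# CONSUL_ADDR and all function names are assumptions for illustration.
CONSUL_ADDR="${CONSUL_ADDR:-http://localhost:6500}"

# fetch_leader: print the raw body of /v1/status/leader.
# Returns non-zero when the agent is not reachable yet (connection refused)
# or answers with an HTTP error.
fetch_leader() {
  curl -fsS --max-time 2 "$CONSUL_ADDR/v1/status/leader" 2>/dev/null
}

# leader_elected BODY: succeed only if BODY is a quoted "host:port" string.
# An empty body or the literal "" means no leader has been elected.
leader_elected() {
  case "$1" in
    '"'?*:[0-9]*'"') return 0 ;;
    *) return 1 ;;
  esac
}

# wait_for_leader TRIES SLEEP_SECONDS [FETCH_COMMAND]
# Polls until a leader is reported or TRIES attempts are used up.
# FETCH_COMMAND defaults to fetch_leader; it is replaceable for offline tests.
wait_for_leader() {
  tries="$1"
  pause="$2"
  fetch="${3:-fetch_leader}"
  i=0
  while [ "$i" -lt "$tries" ]; do
    # A failed fetch and an empty leader are both "not ready yet".
    if body="$($fetch)" && leader_elected "$body"; then
      return 0
    fi
    i=$((i + 1))
    if [ "$i" -lt "$tries" ]; then
      sleep "$pause"
    fi
  done
  return 1
}

# Typical use before any ACL call such as /v1/acl/list:
#   wait_for_leader 30 1 || { echo "no Consul leader, not applying ACLs" >&2; exit 1; }
```

Failing closed when no leader appears keeps a provisioning run from reporting success while the ACL rules were never applied.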
