Securing Consul with acl_token

Secure Consul by requiring a secret token, so that only services which hold that token can register, which ensures that the instances discovered through Consul are valid ones.

Introduction

In previous steps, we set up Consul with acl_default_policy=allow so that all operations against the Consul server were allowed. This should only be used for internal testing. For production environments, we must set acl_default_policy=deny and require every operation against the Consul server to present an acl_token in the request header.

Now let’s copy our previous state from tag to token for each API:

cd ~/networknt
cp -r light-example-4j/discovery/api_a/tag light-example-4j/discovery/api_a/token
cp -r light-example-4j/discovery/api_b/tag light-example-4j/discovery/api_b/token
cp -r light-example-4j/discovery/api_c/tag light-example-4j/discovery/api_c/token
cp -r light-example-4j/discovery/api_d/tag light-example-4j/discovery/api_d/token

Starting Consul

If your Consul server is still running, stop it and restart it with the following command:

docker run -d -p 8400:8400 -p 8500:8500/tcp -p 8600:53/udp -e 'CONSUL_LOCAL_CONFIG={"acl_datacenter":"dc1","acl_default_policy":"deny","acl_down_policy":"extend-cache","acl_master_token":"the_one_ring","bootstrap_expect":1,"datacenter":"dc1","data_dir":"/usr/local/bin/consul.d/data","server":true}' consul agent -server -ui -bind=127.0.0.1 -client=0.0.0.0

The above command sets the default policy to deny access and configures the master ACL token, so that only services which present a valid token can register.

Configuring Consul

Create an agent token:

curl \
    --request PUT \
    --header "X-Consul-Token: the_one_ring" \
    --data \
'{
  "Name": "Agent Token",
  "Type": "client",
  "Rules": "node \"\" { policy = \"write\" } service \"\" { policy = \"read\" }"
}' http://127.0.0.1:8500/v1/acl/create

The response contains the ID of the new token:

{"ID":"67ccac85-36a3-e912-d0b3-bce1194119a0"}

Set it as the agent token through the agent API:

curl \
    --request PUT \
    --header "X-Consul-Token: the_one_ring" \
    --data \
'{
  "Token": "67ccac85-36a3-e912-d0b3-bce1194119a0"
}' http://127.0.0.1:8500/v1/agent/token/acl_agent_token

Then give the anonymous token read permission on nodes and services:

curl \
    --request PUT \
    --header "X-Consul-Token: the_one_ring" \
    --data \
'{
  "ID": "anonymous",
  "Type": "client",
  "Rules": "node \"\" { policy = \"read\" } service \"\" { policy = \"read\" }"
}' http://127.0.0.1:8500/v1/acl/update

It should return something like this:

{"ID":"anonymous"}

Configuring the Servers

In the next step we update consul.yml to add consulToken, which the services use to access Consul for service registry and discovery.

For each server, update secret.yml to add consulToken: the_one_ring. Be aware that the consul.yml copied from the light-4j consul module already contains consulToken: the_one_ring. If it is not there, add the following line to consul.yml:

consulToken: the_one_ring

Starting the servers

Now open four terminals and start the servers.

API A

cd ~/networknt/light-example-4j/discovery/api_a/token
mvn clean install -Prelease
java -jar target/aa-1.0.0.jar

API B

cd ~/networknt/light-example-4j/discovery/api_b/token
mvn clean install -Prelease
java -jar target/ab-1.0.0.jar

API C

cd ~/networknt/light-example-4j/discovery/api_c/token
mvn clean install -Prelease
java -jar target/ac-1.0.0.jar

API D

Start the first instance, which listens on port 7444 by default:

cd ~/networknt/light-example-4j/discovery/api_d/token
mvn clean install -Prelease
java -jar target/ad-1.0.0.jar

Now you should be able to see the registered service from the Consul UI.

http://localhost:8500/ui

In this step, we secured service access to Consul so that we can be sure the services registered in Consul are valid ones. In the next step, we are going to start the services as Docker containers.

“Securing Consul with acl_token” was last updated: July 5, 2021: fixes #275 checked and corrected grammar/spelling for majority of pages (#276) (b3bbb7b)