Introduction
The behaviour of policies related to recursive reads changes from Consul v.1.9.x to v.1.10.x. The read policy rule can no longer recursively read from the KV for a key_prefix "" stanza.
Prerequisites (if applicable)
- Consul version 1.10.x+
Use Case
Imagine the following sample KV structure:
root1 - branch1 - leaf11
                - leaf12
      - branch2 - leaf21
                - leaf22
In Consul 1.9.x and earlier, the following stanza for root1 would have been enough for you to be able to list branch1 and branch2:
key_prefix "root1" {
  policy = "read"
}
In Consul 1.10.x and later, that stanza lets you see branch1 and branch2 but not the leaf keys. To see the leaf keys as well, you need the following policy:
key_prefix "root1" {
  policy = "list"
}
Troubleshooting
How to check via the UI whether the permission is missing:
Open the specific KV path that you are looking at, then open the Inspect panel of your browser of choice and navigate to the Network - Fetch/XHR section. Click on the root key and observe the requests:
If you see Access: "list" as false, then the token you are using to log in to the UI is missing the needed permission for the current key.
The fix
Locate your policies that need recursive reads and change the read policy to list.
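One way to locate the affected stanzas, as an added example that is not part of the original article or of Consul itself: it scans ACL rule text (for instance the rules shown by consul acl policy read) for key_prefix stanzas whose policy is "read", and rewrites only the prefixes you select, since list also allows enumerating every key under the prefix. The function names and SAMPLE_RULES are constructed for illustration, and the parser assumes stanzas contain no nested braces.

```python
import re

# key_prefix "<prefix>" { ... } stanzas; exact-match `key "..."` stanzas are not matched.
STANZA = re.compile(r'\bkey_prefix\s+"([^"]*)"\s*\{([^}]*)\}')
# A policy assignment at the start of a line, so commented-out lines are skipped.
POLICY = re.compile(r'^(\s*policy\s*=\s*)"(\w+)"', re.MULTILINE)

# Constructed sample rules, modelled on the KV structure used in this article.
SAMPLE_RULES = '''
key_prefix "root1" {
  policy = "read"
}
key_prefix "config/" {
  # policy = "read"
  policy = "write"
}
key "root1/branch1/leaf11" {
  policy = "read"
}
'''


def read_only_prefixes(rules):
    """Return the key_prefix values whose effective policy is "read"."""
    found = []
    for prefix, body in STANZA.findall(rules):
        m = POLICY.search(body)
        if m and m.group(2) == "read":
            found.append(prefix)
    return found


def upgrade_to_list(rules, prefixes):
    """Change policy "read" to "list" only for the selected prefixes."""
    def fix(stanza):
        prefix, body = stanza.groups()
        m = POLICY.search(body)
        if prefix not in prefixes or not m or m.group(2) != "read":
            return stanza.group(0)  # leave every other stanza untouched
        body = body[:m.start()] + m.group(1) + '"list"' + body[m.end():]
        return 'key_prefix "%s" {%s}' % (prefix, body)
    return STANZA.sub(fix, rules)


if __name__ == "__main__":
    print("prefixes still on read:", read_only_prefixes(SAMPLE_RULES))
    print(upgrade_to_list(SAMPLE_RULES, {"root1"}))
```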
Additional Information
- List policy for Keys documentation