Node Identity field sanitises too aggressively to match FQDNs #18246

Open
lukebigum opened this issue Jul 24, 2023 · 1 comment
Labels
type/question Not an "enhancement" or "bug". Please post on discuss.hashicorp

Overview of the Issue

I can register nodes in Consul with their FQDN by using the node_name configuration directive. I can't, however, target these FQDN nodes with an ACL Policy Node Identity field because it does not allow . characters.


Reproduction Steps

$ consul acl token create -node-identity "foo.bar.baz:internal"
Failed to create new token: Unexpected response code: 500 (Node identity has an invalid name. Only lowercase alphanumeric characters, '-' and '_' are allowed)

Consul info for both Client and Server

Client info
{
    "acl": {
        "default_policy": "deny",
        "enable_token_persistence": true,
        "enabled": true
    },
    "auto_encrypt": {
        "allow_tls": false
    },
    "bind_addr": "10.1.1.58",
    "bootstrap_expect": 3,
    "ca_file": "/etc/consul.d/ssl/consul-agent-ca.pem",
    "cert_file": "/etc/consul.d/ssl/server-consul.pem",
    "client_addr": "0.0.0.0",
    "data_dir": "/var/lib/consul",
    "datacenter": "internal",
    "disable_update_check": true,
    "enable_local_script_checks": true,
    "key_file": "/etc/consul.d/ssl/server-consul-key.pem",
    "log_level": "info",
    "node_name": "sanitised.internal.domain",
    "ports": {
        "http": -1,
        "https": 8501
    },
    "retry_join": [
        "10.1.1.57",
        "10.1.1.61"
    ],
    "server": true,
    "ui": true,
    "verify_incoming": false,
    "verify_incoming_rpc": false,
    "verify_outgoing": true,
    "verify_server_hostname": true
}
Server info
agent:
	check_monitors = 3
	check_ttls = 0
	checks = 3
	services = 3
build:
	prerelease = 
	revision = 192df66a
	version = 1.16.0
	version_metadata = 
consul:
	acl = enabled
	bootstrap = false
	known_datacenters = 1
	leader = true
	leader_addr = 10.1.1.58:8300
	server = true
raft:
	applied_index = 5128916
	commit_index = 5128916
	fsm_pending = 0
	last_contact = 0
	last_log_index = 5128916
	last_log_term = 711824
	last_snapshot_index = 5112642
	last_snapshot_term = 711822
	latest_configuration = [{Suffrage:Voter ID:cd01b228-f7ab-cbb5-75af-0c5b04a79917 Address:10.1.1.61:8300} {Suffrage:Voter ID:44434873-4034-4775-6680-3b740a890fa4 Address:10.1.1.57:8300} {Suffrage:Voter ID:17a5a068-ec9d-c694-40e2-ba7148e6ad4f Address:10.1.1.58:8300}]
	latest_configuration_index = 0
	num_peers = 2
	protocol_version = 3
	protocol_version_max = 3
	protocol_version_min = 0
	snapshot_version_max = 1
	snapshot_version_min = 0
	state = Leader
	term = 711824
runtime:
	arch = amd64
	cpu_count = 2
	goroutines = 213
	max_procs = 2
	os = linux
	version = go1.20.4
serf_lan:
	coordinate_resets = 0
	encrypted = true
	event_queue = 0
	event_time = 104
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 7881
	members = 5
	query_queue = 0
	query_time = 1
serf_wan:
	coordinate_resets = 0
	encrypted = true
	event_queue = 0
	event_time = 1
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 111
	members = 3
	query_queue = 0
	query_time = 1

Operating system and Environment details

CentOS 8, Consul 1.16.0

@blake blake added the type/question Not an "enhancement" or "bug". Please post on discuss.hashicorp label Jan 8, 2025
Contributor

blake commented Jan 8, 2025

@lukebigum The node_name parameter / -node CLI flag are intended to be used to specify the short name of the system, not a fully-qualified domain name.

The docs for these parameters also state "To query the node from DNS, the name must only contain alphanumeric characters and hyphens (-).", similarly indicating that characters like . – which are used in fully-qualified names – should be omitted.
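
Added example, not part of the thread and not Consul's own code: a pre-flight check that audits candidate node names against the two character rules quoted on this page, so names that cannot be used in a node identity or queried over DNS are caught before ACL tokens are issued. The regular expressions are assumptions built only from the error message and the docs sentence above, and the function names and sample inventory are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Character rules taken from the text on this page, not from Consul's source:
//   - node identity error: "Only lowercase alphanumeric characters, '-' and '_' are allowed"
//   - node_name docs quote: DNS-queryable names contain only alphanumerics and hyphens
var (
	identityOK = regexp.MustCompile(`^[a-z0-9_-]+$`)
	dnsOK      = regexp.MustCompile(`^[A-Za-z0-9-]+$`)
)

// NameReport says where a candidate node_name can be used.
type NameReport struct {
	Name         string
	NodeIdentity bool // accepted in a -node-identity "name:datacenter" value
	DNS          bool // queryable through Consul DNS per the quoted docs
}

// CheckNodeName evaluates one candidate node name against both rules.
func CheckNodeName(name string) NameReport {
	return NameReport{Name: name, NodeIdentity: identityOK.MatchString(name), DNS: dnsOK.MatchString(name)}
}

// Unusable returns the names that fail at least one rule, preserving order.
func Unusable(names []string) []NameReport {
	var bad []NameReport
	for _, n := range names {
		if r := CheckNodeName(n); !r.NodeIdentity || !r.DNS {
			bad = append(bad, r)
		}
	}
	return bad
}

func main() {
	// Constructed sample inventory; "foo.bar.baz" is the name from the issue.
	names := []string{"foo.bar.baz", "foo", "web-01", "db_primary", "Web-01"}
	for _, r := range Unusable(names) {
		fmt.Printf("%-12s node-identity=%-5t dns=%t\n", r.Name, r.NodeIdentity, r.DNS)
	}
}
```

Names that pass both checks, such as short lowercase hostnames with hyphens, are the ones that work for both node identities and DNS lookups under the rules quoted here.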
