2018-05-29 21:07:40 +00:00
|
|
|
---
|
2020-09-01 15:14:13 +00:00
|
|
|
layout: commands
|
2020-04-07 18:55:19 +00:00
|
|
|
page_title: 'Commands: Intention Check'
|
2018-05-29 21:07:40 +00:00
|
|
|
---
|
|
|
|
|
|
|
|
# Consul Intention Check
|
|
|
|
|
|
|
|
Command: `consul intention check`
|
|
|
|
|
2022-01-11 13:26:58 +00:00
|
|
|
Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions/check](/api-docs/connect/intentions#check-intention-result)
|
2022-01-10 17:40:11 +00:00
|
|
|
|
2018-05-29 21:07:40 +00:00
|
|
|
The `intention check` command checks whether a connection attempt between
|
|
|
|
two services would be authorized given the current set of intentions and
|
|
|
|
Consul configuration.
|
|
|
|
|
|
|
|
This command requires less ACL permissions than other intention-related
|
|
|
|
tasks because no information about the intention is revealed. Therefore,
|
|
|
|
callers only need to have `service:read` access for the destination. Richer
|
2020-10-14 15:23:05 +00:00
|
|
|
commands like [match](/commands/intention/match) require full
|
2018-05-29 21:07:40 +00:00
|
|
|
intention read permissions and don't evaluate the result.
|
|
|
|
|
2020-10-14 15:23:05 +00:00
|
|
|
-> **Note:** This command will always treat intentions with `Permissions`
|
2020-12-08 23:24:36 +00:00
|
|
|
defined as _deny_ intentions during evaluation, as this endpoint is only suited
|
2020-10-14 15:23:05 +00:00
|
|
|
for networking layer 4 (e.g. TCP) integration.
|
|
|
|
|
2022-01-11 14:41:54 +00:00
|
|
|
The table below shows this command's [required ACLs](/api#authentication). Configuration of
|
2022-03-30 21:16:26 +00:00
|
|
|
[blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching)
|
2022-01-11 14:41:54 +00:00
|
|
|
are not supported from commands, but may be from the corresponding HTTP endpoint.
|
|
|
|
|
|
|
|
| ACL Required |
|
|
|
|
| ----------------------------- |
|
|
|
|
| `intentions:read`<sup>1</sup> |
|
|
|
|
|
|
|
|
<p>
|
|
|
|
<sup>1</sup> Intention ACL rules are specified as part of a{' '}
|
|
|
|
<code>service</code> rule. See{' '}
|
|
|
|
<a href="/docs/connect/intentions#intention-management-permissions">
|
|
|
|
Intention Management Permissions
|
|
|
|
</a>{' '}
|
|
|
|
for more details.
|
|
|
|
</p>
|
|
|
|
|
2018-05-29 21:07:40 +00:00
|
|
|
## Usage
|
|
|
|
|
|
|
|
Usage: `consul intention check [options] SRC DST`
|
|
|
|
|
2020-10-14 15:23:05 +00:00
|
|
|
`SRC` and `DST` can both take [several forms](/commands/intention#source-and-destination-naming).
|
2020-06-26 21:59:15 +00:00
|
|
|
|
|
|
|
#### Enterprise Options
|
|
|
|
|
2022-07-27 06:17:11 +00:00
|
|
|
@include 'http_api_partition_options.mdx'
|
|
|
|
|
2020-06-26 21:59:15 +00:00
|
|
|
@include 'http_api_namespace_options.mdx'
|
|
|
|
|
2022-07-27 06:17:11 +00:00
|
|
|
#### API Options
|
|
|
|
|
|
|
|
@include 'http_api_options_client.mdx'
|
2021-12-15 01:55:21 +00:00
|
|
|
|
2018-05-29 21:07:40 +00:00
|
|
|
## Examples
|
|
|
|
|
2020-05-19 18:32:38 +00:00
|
|
|
```shell-session
|
2018-05-29 21:07:40 +00:00
|
|
|
$ consul intention check web db
|
|
|
|
Denied
|
|
|
|
|
|
|
|
$ consul intention check web billing
|
|
|
|
Allowed
|
|
|
|
```
|