diff --git a/website/source/api/acl/policies.html.md b/website/source/api/acl/policies.html.md index 6696a6cb98..3cc1b20838 100644 --- a/website/source/api/acl/policies.html.md +++ b/website/source/api/acl/policies.html.md @@ -3,7 +3,7 @@ layout: api page_title: ACL Policies - HTTP API sidebar_current: api-acl-policies description: |- - The /acl/policy endpoints manage Consul's ACL Policies. + The /acl/policy endpoints manage Consul's ACL policies. --- -> **1.4.0+:** The APIs are available in Consul versions 1.4.0 and later. The documentation for the legacy ACL API is [here](/api/acl/legacy.html) @@ -12,7 +12,7 @@ description: |- The `/acl/policy` endpoints [create](#create-a-policy), [read](#read-a-policy), [update](#update-a-policy), [list](#list-policies) and -[delete](#delete-a-policy) ACL policies in Consul. +[delete](#delete-a-policy) ACL policies in Consul. For more information on how to setup ACLs, please see the [ACL Guide](https://learn.hashicorp.com/consul/advanced/day-1-operations/production-acls). @@ -49,11 +49,11 @@ The table below shows this endpoint's support for - `Datacenters` `(array)` - Specifies the datacenters the policy is valid within. When no datacenters are provided the policy is valid in all datacenters including those which do not yet exist but may in the future. - -- `Namespace` `(string: "")` - **(Enterprise Only)** Specifies the namespace to + +- `Namespace` `(string: "")` - **(Enterprise Only)** Specifies the namespace to create the policy. If not provided in the JSON body, the value of - the `ns` URL query parameter or in the `X-Consul-Namespace` header will be used. - If not provided at all, the namespace will be inherited from the request's ACL + the `ns` URL query parameter or in the `X-Consul-Namespace` header will be used. + If not provided at all, the namespace will be inherited from the request's ACL token or will default to the `default` namespace. Added in Consul 1.7.0. ### Sample Payload 
@@ -115,9 +115,9 @@ The table below shows this endpoint's support for - `id` `(string: )` - Specifies the UUID of the ACL policy to read. This is required and is specified as part of the URL path. - + - `ns` `(string: "")` - **(Enterprise Only)** Specifies the namespace to lookup - the policy. This value can be specified as the `ns` URL query + the policy. This value can be specified as the `ns` URL query parameter or the `X-Consul-Namespace` header. If not provided by either, the namespace will be inherited from the request's ACL token or will default to the `default` namespace. Added in Consul 1.7.0. @@ -165,7 +165,7 @@ The table below shows this endpoint's support for ### Parameters -- `ID` `(string: )` - Specifies the ID of the policy to update. This is +- `ID` `(string: )` - Specifies the UUID of the policy to update. This is required in the URL path but may also be specified in the JSON body. If specified in both places then they must match exactly. @@ -181,11 +181,11 @@ The table below shows this endpoint's support for - `Datacenters` `(array)` - Specifies the datacenters this policy is valid within. When no datacenters are provided the policy is valid in all datacenters including those which do not yet exist but may in the future. - + - `Namespace` `(string: "")` - **(Enterprise Only)** Specifies the namespace of the policy to update. If not provided in the JSON body, the value of - the `ns` URL query parameter or in the `X-Consul-Namespace` header will be used. - If not provided at all, the namespace will be inherited from the request's ACL + the `ns` URL query parameter or in the `X-Consul-Namespace` header will be used. + If not provided at all, the namespace will be inherited from the request's ACL token or will default to the `default` namespace. Added in Consul 1.7.0. ### Sample Payload 
@@ -246,9 +246,9 @@ The table below shows this endpoint's support for - `id` `(string: )` - Specifies the UUID of the ACL policy to delete. This is required and is specified as part of the URL path. - + - `ns` `(string: "")` - **(Enterprise Only)** Specifies the namespace of the - policy to delete. This value can be specified as the `ns` URL query + policy to delete. This value can be specified as the `ns` URL query parameter or the `X-Consul-Namespace` header. If not provided by either, the namespace will be inherited from the request's ACL token or will default to the `default` namespace. Added in Consul 1.7.0. @@ -286,7 +286,7 @@ The table below shows this endpoint's support for ### Parameters - `ns` `(string: "")` - **(Enterprise Only)** Specifies the namespace to list - the Policies for. This value can be specified as the `ns` URL query + the Policies for. This value can be specified as the `ns` URL query parameter or the `X-Consul-Namespace` header. If not provided by either, the namespace will be inherited from the request's ACL token or will default to the `default` namespace. The namespace may be specified as '*' and then diff --git a/website/source/api/acl/tokens.html.md b/website/source/api/acl/tokens.html.md index 45bc421ca7..b13b8b4bb5 100644 --- a/website/source/api/acl/tokens.html.md +++ b/website/source/api/acl/tokens.html.md @@ -11,7 +11,7 @@ description: |- # ACL Token HTTP API The `/acl/token` endpoints [create](#create-a-token), [read](#read-a-token), -[update](#update-a-token), [list](#list-tokens), [clone](#clone-a-token) and [delete](#delete-a-token) ACL policies in Consul. +[update](#update-a-token), [list](#list-tokens), [clone](#clone-a-token) and [delete](#delete-a-token) ACL tokens in Consul. For more information on how to setup ACLs, please see the [ACL Guide](https://learn.hashicorp.com/consul/advanced/day-1-operations/production-acls). 
@@ -89,11 +89,11 @@ The table below shows this endpoint's support for specified in the form of `"60s"` or `"5m"` (i.e., 60 seconds or 5 minutes, respectively). This value must be no smaller than 1 minute and no longer than 24 hours. Added in Consul 1.5.0. - -- `Namespace` `(string: "")` - **(Enterprise Only)** Specifies the namespace to + +- `Namespace` `(string: "")` - **(Enterprise Only)** Specifies the namespace to create the token. If not provided in the JSON body, the value of - the `ns` URL query parameter or in the `X-Consul-Namespace` header will be used. - If not provided at all, the namespace will be inherited from the request's ACL + the `ns` URL query parameter or in the `X-Consul-Namespace` header will be used. + If not provided at all, the namespace will be inherited from the request's ACL token or will default to the `default` namespace. Added in Consul 1.7.0. ### Sample Payload @@ -169,9 +169,9 @@ The table below shows this endpoint's support for - `AccessorID` `(string: )` - Specifies the accessor ID of the ACL token to read. This is required and is specified as part of the URL path. - + - `ns` `(string: "")` - **(Enterprise Only)** Specifies the namespace to lookup - the token. This value can be specified as the `ns` URL query + the token. This value can be specified as the `ns` URL query parameter or the `X-Consul-Namespace` header. If not provided by either, the namespace will be inherited from the request's ACL token or will default to the `default` namespace. Added in Consul 1.7.0. 
@@ -343,8 +343,8 @@ The table below shows this endpoint's support for - `Namespace` `(string: "")` - **(Enterprise Only)** Specifies the namespace of the token to update. If not provided in the JSON body, the value of - the `ns` URL query parameter or in the `X-Consul-Namespace` header will be used. - If not provided at all, the namespace will be inherited from the request's ACL + the `ns` URL query parameter or in the `X-Consul-Namespace` header will be used. + If not provided at all, the namespace will be inherited from the request's ACL token or will default to the `default` namespace. Added in Consul 1.7.0. ### Sample Payload @@ -431,8 +431,8 @@ The table below shows this endpoint's support for - `Namespace` `(string: "")` - **(Enterprise Only)** Specifies the namespace of the token to be cloned. If not provided in the JSON body, the value of - the `ns` URL query parameter or in the `X-Consul-Namespace` header will be used. - If not provided at all, the namespace will be inherited from the request's ACL + the `ns` URL query parameter or in the `X-Consul-Namespace` header will be used. + If not provided at all, the namespace will be inherited from the request's ACL token or will default to the `default` namespace. Added in Consul 1.7.0. ### Sample Payload 
@@ -503,11 +503,11 @@ The table below shows this endpoint's support for ### Parameters -- `AccessorID` `(string: )` - Specifies the accessor ID of the ACL policy to +- `AccessorID` `(string: )` - Specifies the accessor ID of the ACL token to delete. This is required and is specified as part of the URL path. - + - `ns` `(string: "")` - **(Enterprise Only)** Specifies the namespace of the - token to delete. This value can be specified as the `ns` URL query + token to delete. This value can be specified as the `ns` URL query parameter or the `X-Consul-Namespace` header. If not provided by either, the namespace will be inherited from the request's ACL token or will default to the `default` namespace. Added in Consul 1.7.0. @@ -552,15 +552,15 @@ The table below shows this endpoint's support for - `authmethod` `(string: "")` - Filters the token list to those tokens that are linked with the specific named auth method. - + - `authmethod-ns` `(string: "")` - **(Enterprise Only)** Specifics the namespace of the `authmethod` being used for token lookup. If not provided, the namespace provided by the `ns` parameter will be used. If neither of those is provided - then the namespace will be inherited from the request's ACL token. Added in + then the namespace will be inherited from the request's ACL token. Added in Consul 1.7.0. - + - `ns` `(string: "")` - **(Enterprise Only)** Specifies the namespace to list - the tokens for. This value can be specified as the `ns` URL query + the tokens for. This value can be specified as the `ns` URL query parameter or the `X-Consul-Namespace` header. If not provided by either, the namespace will be inherited from the request's ACL token or will default to the `default` namespace. The namespace may be specified as '*' and then diff --git a/website/source/docs/guides/agent-encryption.html.md b/website/source/docs/guides/agent-encryption.html.md index 50cb36f596..56ae7c0c92 100644 --- a/website/source/docs/guides/agent-encryption.html.md 
+++ b/website/source/docs/guides/agent-encryption.html.md @@ -14,7 +14,7 @@ To complete the RPC encryption section, you must have [configured agent certific ## Gossip Encryption -To enable gossip encryption, you need to use an encryption key when starting the Consul agent. The key can be simple set with the `encrypt` parameter in the agent configuration file. Alternatively, the encryption key can be placed in a seperate configuration file with only the `encrypt` field, since the agent can merge multiple configuration files. The key must be 32-bytes, Base64 encoded. +To enable gossip encryption, you need to use an encryption key when starting the Consul agent. The key can be simple set with the `encrypt` parameter in the agent configuration file. Alternatively, the encryption key can be placed in a separate configuration file with only the `encrypt` field, since the agent can merge multiple configuration files. The key must be 32-bytes, Base64 encoded. You can use the Consul CLI command, [`consul keygen`](/docs/commands/keygen.html), to generate a cryptographically suitable key. @@ -58,7 +58,7 @@ Note: all nodes within a cluster must share the same encryption key in order to ### Enable Gossip Encryption: Existing Cluster -Gossip encryption can also be enabled on an existing cluster, but requires several extra steps. The additional configuration of the agent configuration parameters, [`encrypt_verify_incoming`](/docs/agent/options.html#encrypt_verify_incoming) and [`encrypt_verify_outgoing`](/docs/agent/options.html#encrypt_verify_outgoing) is necessary. +Gossip encryption can also be enabled on an existing cluster, but requires several extra steps. The additional configuration of the agent configuration parameters, [`encrypt_verify_incoming`](/docs/agent/options.html#encrypt_verify_incoming) and [`encrypt_verify_outgoing`](/docs/agent/options.html#encrypt_verify_outgoing) is necessary. **Step 1**: Generate an encryption key using `consul keygen`. 
@@ -95,9 +95,9 @@ A rolling update can be made by restarting the Consul agents (clients and server "encrypt_verify_incoming": false, "encrypt_verify_outgoing": true } -``` +``` -**Step 4**: The previous step, enabling verify outgoing, must be completed on all agents before continuing. Update the `encrypt_verify_incoming` setting to `true` and perform a final rolling update of the cluster. +**Step 4**: The previous step, enabling verify outgoing, must be completed on all agents before continuing. Update the `encrypt_verify_incoming` setting to `true` and perform a final rolling update of the cluster. ```javascript { @@ -113,7 +113,7 @@ A rolling update can be made by restarting the Consul agents (clients and server All the agents will now be strictly enforcing encrypted gossip. Note, the default behavior of both `encrypt_verify_incoming` and `encrypt_verify_outgoing` is `true`. -We have set them in the configuration file as an explicit example. +We have set them in the configuration file as an explicit example. ## TLS Encryption for RPC 
@@ -122,12 +122,12 @@ Consul requires that all servers have certificates that are signed by a single Certificate Authority. Clients may optionally authenticate with a client certificate generated by the same CA. Please see [this tutorial on creating a CA and signing certificates](/docs/guides/creating-certificates.html). -TLS can be used to verify the authenticity of the servers with [`verify_outgoing`](/docs/agent/options.html#verify_outgoing) and [`verify_server_hostname`](/docs/agent/options.html#verify_server_hostname). It can also optionally verify client certificates when using [`verify_incoming`](/docs/agent/options.html#verify_incoming) +TLS can be used to verify the authenticity of the servers with [`verify_outgoing`](/docs/agent/options.html#verify_outgoing) and [`verify_server_hostname`](/docs/agent/options.html#verify_server_hostname). It can also optionally verify client certificates when using [`verify_incoming`](/docs/agent/options.html#verify_incoming) Review the [docs for specifics](https://www.consul.io/docs/agent/encryption.html). In Consul version 0.8.4 and newer, migrating to TLS encrypted traffic on a running cluster -is supported. +is supported. ### Enable TLS: New Cluster 
@@ -151,7 +151,7 @@ After TLS has been configured on all the agents, you can start the agents and RP Note, for clients, the default `cert_file` and `key_file` will be named according to their cluster for. For example, `consul-client-dc1-0.pem`. -The `verify_outgoing` parameter enables agents to verify the authenticity of Consul servers for outgoing connections. The `verify_server_hostname` parameter requires outgoing connections to perform hostname verification and is critically important to prevent compromised client agents from becoming servers and revealing all state to the attacker. Finally, the `verify_incoming` parameter enables the servers to verify the authenticity of all incoming connections. +The `verify_outgoing` parameter enables agents to verify the authenticity of Consul servers for outgoing connections. The `verify_server_hostname` parameter requires outgoing connections to perform hostname verification and is critically important to prevent compromised client agents from becoming servers and revealing all state to the attacker. Finally, the `verify_incoming` parameter enables the servers to verify the authenticity of all incoming connections. ### Enable TLS: Existing Cluster @@ -204,5 +204,5 @@ the [agent configuration](https://www.consul.io/docs/agent/options.html#ports). ## Summary -In this guide we configured both gossip encryption and TLS for RPC. Securing agent communication is a recommended set in setting up a production ready cluster. +In this guide we configured both gossip encryption and TLS for RPC. Securing agent communication is a recommended set in setting up a production ready cluster. diff --git a/website/source/docs/guides/autopilot.html.md b/website/source/docs/guides/autopilot.html.md index 784b485bcf..7a7293e50e 100644 --- a/website/source/docs/guides/autopilot.html.md +++ b/website/source/docs/guides/autopilot.html.md 
@@ -52,7 +52,7 @@ following are the defaults. ``` All Consul servers should have Autopilot and its features either enabled -or disabled to ensure consistency accross servers in case of a failure. Additionally, +or disabled to ensure consistency across servers in case of a failure. Additionally, Autopilot must be enabled to use any of the features, but the features themselves can be configured independently. Meaning you can enable or disable any of the features separately, at any time.
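Review bot: In website/source/api/acl/policies.html.md, the hunk at @@ -286,7 +286,7 rewrites the line "the Policies for. This value can be specified as the `ns` URL query" for whitespace only and keeps the capitalised "Policies", while the first hunk of the same file lowercases "ACL Policies" to "ACL policies" in the description. Since this line is already being touched, lowercase it here as well so the page uses one form throughout.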
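Review bot: In website/source/api/acl/tokens.html.md, the hunk at @@ -552,15 +552,15 leaves the typo "Specifics the namespace" in the `authmethod-ns` parameter description as an unchanged context line, even though the blank lines on either side of it are modified. Suggest changing it to "Specifies the namespace" in this same pass, to match every other parameter entry in the file.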
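Review bot: In website/source/docs/guides/agent-encryption.html.md, the hunk at @@ -14,7 +14,7 fixes "seperate" but the same added line still reads "The key can be simple set with the `encrypt` parameter". Suggest "simply set" while the line is open. The line also says "The key must be 32-bytes, Base64 encoded"; "32 bytes" without the hyphen reads more cleanly for a requirement operators will copy into their runbooks.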
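Review bot: In website/source/docs/guides/agent-encryption.html.md, the context line in the hunk at @@ -151,7 +151,7 reads "the default `cert_file` and `key_file` will be named according to their cluster for. For example, `consul-client-dc1-0.pem`." The first sentence stops at "cluster for" without saying what the names are derived from. This sits directly above the `verify_outgoing` / `verify_server_hostname` / `verify_incoming` paragraph that the hunk rewrites, so it is worth completing the sentence here so readers can match the certificate file names to the TLS settings being described.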
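Review bot: In website/source/docs/guides/agent-encryption.html.md, the Summary hunk at @@ -204,5 +204,5 rewrites the closing sentence for whitespace only and keeps "Securing agent communication is a recommended set in setting up a production ready cluster." The word "set" looks like a typo for "step"; suggest "a recommended step in setting up a production-ready cluster" since the line is already part of the change.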