docs: Fix JSON formatted example ACL policies

Commit 9333fad added JSON formatted examples for all ACL polices.
Most of these these examples are not valid JSON, and thus an error is
raised when attempting to create the example policies/rules in Consul.

This commit fixes the example JSON formatted ACL rules so that they
are valid JSON. This enables readers to use the policies as-is from
the documentation to successfully create policies in Consul.

It also removes unnecessary arrays from the example policies so that
the policies are easier for practitioners to read and write.
This commit is contained in:
Blake Covarrubias 2022-05-08 13:44:50 -07:00
parent 51dc26db4e
commit 1ec836f6fe
2 changed files with 272 additions and 307 deletions

View File

@ -32,13 +32,15 @@ A rule is composed of a resource declaration and an access level defined with th
```hcl ```hcl
<resource> { <resource> {
policy = "<policy disposition>" policy = "<policy disposition>"
} }
``` ```
```json ```json
"<resource>": [{ {
"policy": "<policy disposition>" "<resource>": {
}] "policy": "<policy disposition>"
}
}
``` ```
</CodeTabs> </CodeTabs>
@ -60,11 +62,13 @@ The following syntax describes how to include a resource label in the rule:
``` ```
```json ```json
"<resource>": [{ {
"<label>": [{ "<resource>": {
"policy": "<policy disposition>" "<label>": {
}] "policy": "<policy disposition>"
}] }
}
}
``` ```
</CodeTabs> </CodeTabs>
@ -85,7 +89,9 @@ Use the following syntax to create rules for these resources:
``` ```
```json ```json
"<resource>": "<policy disposition>" {
"<resource>": "<policy disposition>"
}
``` ```
</CodeTabs> </CodeTabs>
@ -115,11 +121,13 @@ service "web-prod" {
``` ```
```json ```json
"service": [{ {
"web-prod" : [{ "service": {
"policy" : "deny" "web-prod": {
}] "policy": "deny"
}] }
}
}
``` ```
</CodeTabs> </CodeTabs>
@ -135,11 +143,13 @@ service_prefix "web" {
``` ```
```json ```json
"service_prefix": [{ {
"web" : [{ "service_prefix": {
"policy" : "write" "web": {
}] "policy": "write"
}] }
}
}
``` ```
</CodeTabs> </CodeTabs>
@ -155,11 +165,13 @@ service_prefix "" {
``` ```
```json ```json
"service_prefix" : [{ {
"" : [{ "service_prefix": {
"policy" :"read" "": {
}] "policy":"read"
}] }
}
}
``` ```
</CodeTabs> </CodeTabs>
@ -209,38 +221,22 @@ operator = "read"
```json ```json
{ {
"key": [ "key_prefix": {
{ "": {
"foo/bar/secret": [ "policy": "read"
{
"policy": "deny"
}
]
}
],
"key_prefix": [
{
"": [
{
"policy": "read"
}
]
}, },
{ "foo/": {
"foo/": [ "policy": "write"
{
"policy": "write"
}
]
}, },
{ "foo/private/": {
"foo/private/": [ "policy": "deny"
{
"policy": "deny"
}
]
} }
], },
"key": {
"foo/bar/secret": {
"policy": "deny"
}
},
"operator": "read" "operator": "read"
} }
``` ```
@ -482,6 +478,11 @@ session_prefix "" {
```json ```json
{ {
"agent_prefix": {
"": {
"policy": "read"
}
},
"key_prefix": { "key_prefix": {
"vault/": { "vault/": {
"policy": "write" "policy": "write"
@ -492,11 +493,6 @@ session_prefix "" {
"policy": "write" "policy": "write"
} }
}, },
"agent_prefix": {
"": {
"policy": "read"
}
},
"session_prefix": { "session_prefix": {
"": { "": {
"policy": "write" "policy": "write"

View File

@ -56,7 +56,9 @@ acl = "write"
``` ```
```json ```json
"acl" : "write" {
"acl": "write"
}
``` ```
</CodeTabs> </CodeTabs>
@ -77,91 +79,64 @@ partition "example" {
node "my-node" { node "my-node" {
policy = "write" policy = "write"
} }
...
namespace "ex-namespace" { namespace "ex-namespace" {
... policy = "write"
} }
namespace_prefix "exns-" { namespace_prefix "exns-" {
... policy = "write"
} }
} }
partition_prefix "ex-" {
... (Same as above) partition_prefix "example-" {
mesh = "read"
node "my-node" {
policy = "read"
}
namespace "ex-namespace" {
policy = "read"
}
} }
``` ```
```json ```json
{ {
"partition": [ "partition": {
{ "example": {
"example": [ "mesh": "write",
{ "node": {
"mesh": "write", "my-node": {
"node": [ "policy": "write"
{
"my-node": [
{
"policy": "write"
}
],
"namespace": [
{
"ex-namespace": [
{
"policy": "read"
}
]
}
],
"namespace_prefix": [
{
"exns-": [
{
"policy": "read"
}
]
}
]
}
]
} }
] },
"namespace": {
"ex-namespace": {
"policy": "write"
}
},
"namespace_prefix": {
"exns-": {
"policy": "write"
}
}
} }
] },
}, "partition_prefix": {
{ "example-": {
"partition_prefix": [ "mesh": "read",
{ "node": {
"": [ "my-node": {
{
"policy": "read" "policy": "read"
} }
], },
"example": [ "namespace": {
{ "ex-namespace": {
"mesh": "read", "policy": "read"
"node": [
{
"my-node": [
{
"policy": "read"
}
]
}
],
"namespace": [
{
"ex-namespace": [
{
"policy": "read"
}
]
}
]
} }
] }
} }
] }
} }
``` ```
@ -176,31 +151,33 @@ and [`service` or `service_prefix`](#service-rules) policies instead.
<CodeTabs heading="Example agent rules"> <CodeTabs heading="Example agent rules">
```hcl ```hcl
agent_prefix "" {
policy = "read"
}
agent "foo" { agent "foo" {
policy = "write" policy = "write"
} }
agent_prefix "" {
policy = "read"
}
agent_prefix "bar" { agent_prefix "bar" {
policy = "deny" policy = "deny"
} }
``` ```
```json ```json
"agent_prefix" : [{ {
"" : [{ "agent": {
"policy" : "read" "foo": {
}], "policy": "write"
"bar" : [{ }
"policy" : "deny" },
}] "agent_prefix": {
}], "": {
"agent" : [{ "policy": "read"
"foo" : [{ },
"policy" : "write" "bar": {
}] "policy": "deny"
}] }
}
}
``` ```
</CodeTabs> </CodeTabs>
@ -232,16 +209,18 @@ event "deploy" {
``` ```
```json ```json
"event_prefix" : [{ {
"" : [{ "event_prefix": {
"policy" : "read" "": {
}] "policy": "read"
}], }
"event" : [{ },
"deploy" : [{ "event": {
"policy" : "write" "deploy": {
}] "policy": "write"
}] }
}
}
``` ```
</CodeTabs> </CodeTabs>
@ -273,19 +252,21 @@ key "bar" {
``` ```
```json ```json
"key_prefix" : [{ {
"" : [{ "key_prefix": {
"policy" : "read" "": {
}] "policy": "read"
}], }
"key" : [{ },
"foo" : [{ "key": {
"policy" : "write" "foo": {
}], "policy": "write"
"bar" : [{ },
"policy" : "deny" "bar": {
}] "policy": "deny"
}] }
}
}
``` ```
</CodeTabs> </CodeTabs>
@ -314,17 +295,19 @@ key_prefix "baz" {
``` ```
```json ```json
"key_prefix" : [{ {
"" : [{ "key_prefix": {
"policy" : "deny" "": {
}], "policy": "deny"
"bar" : [{ },
"policy" : "list" "bar": {
}], "policy": "list"
"baz" : [{ },
"policy" : "read" "baz": {
}] "policy": "read"
}] }
}
}
``` ```
</CodeTabs> </CodeTabs>
@ -364,7 +347,9 @@ keyring = "write"
``` ```
```json ```json
"keyring" : "write" {
"keyring": "write"
}
``` ```
</CodeTabs> </CodeTabs>
@ -380,7 +365,9 @@ mesh = "write"
``` ```
```json ```json
"mesh" : "write" {
"mesh": "write"
}
``` ```
</CodeTabs> </CodeTabs>
@ -399,6 +386,8 @@ The following examples describe how namespace rules can be defined in a policy:
```hcl ```hcl
namespace_prefix "" { namespace_prefix "" {
# grants permission to create and edit all namespaces
policy = "write"
# grant service:read for all services in all namespaces # grant service:read for all services in all namespaces
service_prefix "" { service_prefix "" {
@ -409,8 +398,6 @@ namespace_prefix "" {
node_prefix "" { node_prefix "" {
policy = "read" policy = "read"
} }
# grants permission to create and edit all namespace
policy = "write"
} }
namespace "foo" { namespace "foo" {
@ -444,79 +431,47 @@ namespace "foo" {
```json ```json
{ {
"namespace": [ "namespace_prefix": {
{ "": {
"foo": [ "policy": "write",
{ "service_prefix": {
"acl": "write", "": {
"key_prefix": [ "policy": "read"
{
"": [
{
"policy": "write"
}
]
}
],
"node_prefix": [
{
"": [
{
"policy": "read"
}
]
}
],
"policy": "write",
"service_prefix": [
{
"": [
{
"policy": "write"
}
]
}
],
"session_prefix": [
{
"": [
{
"policy": "write"
}
]
}
]
} }
] },
} "node_prefix": {
], "": {
"namespace_prefix": [ "policy": "read"
{
"": [
{
"node_prefix": [
{
"": [
{
"policy": "read"
}
]
}
],
"policy": "write",
"service_prefix": [
{
"": [
{
"policy": "read"
}
]
}
]
} }
] }
} }
] },
"namespace": {
"foo": {
"acl": "write",
"policy": "write",
"key_prefix": {
"": {
"policy": "write"
}
},
"session_prefix": {
"": {
"policy": "write"
}
},
"service_prefix": {
"": {
"policy": "write"
}
},
"node_prefix": {
"": {
"policy": "read"
}
}
}
}
} }
``` ```
@ -571,17 +526,21 @@ node "admin" {
``` ```
```json ```json
"node_prefix" : [{ {
"" : [{ "node_prefix": {
"policy" : "read" "": {
}], "policy": "read"
"app" : [{ },
"policy" : "write" },
}], "node": {
"admin" : [{ "app": {
"policy" : "deny" "policy": "write"
}] },
}] "admin": {
"policy": "deny"
}
}
}
``` ```
</CodeTabs> </CodeTabs>
@ -621,7 +580,9 @@ operator = "read"
``` ```
```json ```json
"operator" : "read" {
"operator": "read"
}
``` ```
</CodeTabs> </CodeTabs>
@ -645,16 +606,18 @@ query "foo" {
``` ```
```json ```json
"query_prefix" : [{ {
"" : [{ "query_prefix": {
"policy" : "read" "": {
}] "policy": "read"
}], }
"query" : [{ },
"foo" : [{ "query": {
"policy" : "write" "foo": {
}] "policy": "write"
}] }
}
}
``` ```
</CodeTabs> </CodeTabs>
@ -752,19 +715,21 @@ service "admin" {
``` ```
```json ```json
"service_prefix" : [{ {
"" : [{ "service_prefix": {
"policy" : "read" "": {
}] "policy": "read"
}], }
"service" : [{ },
"app" : [{ "service": {
"policy" : "write" "app": {
}], "policy": "write"
"admin" : [{ },
"policy" : "deny" "admin": {
}] "policy": "deny"
}] }
}
}
``` ```
</CodeTabs> </CodeTabs>
@ -815,12 +780,14 @@ service "app" {
``` ```
```json ```json
"service" : [{ {
"app" : [{ "service": {
"policy" : "write" "app": {
}], "policy": "write",
"intentions" : "read" "intentions": "read"
}] }
}
}
``` ```
</CodeTabs> </CodeTabs>
@ -851,19 +818,21 @@ session "admin" {
``` ```
```json ```json
"session_prefix" : [{ {
"" : [{ "session_prefix": {
"policy" : "read" "": {
}] "policy": "read"
}], }
"session" : [{ },
"app" : [{ "session": {
"policy" : "write" "app": {
}], "policy": "write"
"admin" : [{ },
"policy" : "deny" "admin": {
}] "policy": "deny"
}] }
}
}
``` ```
</CodeTabs> </CodeTabs>