Added some missing ACL info, updated details around some permissions, added missing HTTP API refs

Matt Siegel 2022-01-11 09:41:54 -05:00
parent f7b1208fc3
commit 565bfce4ac
18 changed files with 208 additions and 36 deletions

@ -7,7 +7,7 @@ page_title: 'Commands: ACL Policy Read'
Command: `consul acl policy read` Command: `consul acl policy read`
Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/policy/:id](/api-docs/acl/policies#read-a-policy) Corresponding HTTP API Endpoints: [\[GET\] /v1/acl/policy/:id](/api-docs/acl/policies#read-a-policy), [\[GET\] /v1/acl/policy/name/:name](/api-docs/acl/policies#read-a-policy-by-name)
The `acl policy read` command reads and displays a policies details. The `acl policy read` command reads and displays a policies details.
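Review bot: The context line under the changed endpoint list still reads "reads and displays a policies details"; since this file is being touched, correct it to "a policy's details". The new by-name link targets `#read-a-policy-by-name`, so confirm that heading exists on the policies API page.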

@ -17,9 +17,22 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required<sup>1</sup> |
| ----------------------------------- | | ------------------------------------------------------------- |
| `service:write` or `operator:write` | | `service:write`<br />`operator:write`<br />`intentions:write` |
<sup>1</sup> The ACL required depends on the config entry kind being deleted:
| Config Entry Kind | Required ACL |
| ------------------- | ------------------ |
| ingress-gateway | `operator:write` |
| proxy-defaults | `operator:write` |
| service-defaults | `service:write` |
| service-intentions | `intentions:write` |
| service-resolver | `service:write` |
| service-router | `service:write` |
| service-splitter | `service:write` |
| terminating-gateway | `operator:write ` |
## Usage ## Usage
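Review bot: In the added per-kind table, the terminating-gateway row has a trailing space inside the code span (`operator:write `), which the other rows and the same row in the update table do not have; drop it so the value copies cleanly into a policy. The summary cell also replaces the old "or" with `<br />` breaks, so say there that only one of the three applies, depending on kind.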

@ -17,9 +17,22 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required<sup>1</sup> |
| -------------- | | ------------------------------------- |
| `service:read` | | `service:read`<br />`intentions:read` |
<sup>1</sup> The ACL required depends on the config entry kind being read:
| Config Entry Kind | Required ACL |
| ------------------- | ----------------- |
| ingress-gateway | `service:read` |
| proxy-defaults | `<none>` |
| service-defaults | `service:read` |
| service-intentions | `intentions:read` |
| service-resolver | `service:read` |
| service-router | `service:read` |
| service-splitter | `service:read` |
| terminating-gateway | `service:read` |
## Usage ## Usage
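Review bot: The proxy-defaults row gives the required ACL as `<none>` in a code span, which reads like a literal permission name next to `service:read` and `intentions:read`. Write it as plain text (for example "none required") and mention in the footnote that this kind is readable without any ACL, since that is the one exception in the table.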

@ -18,9 +18,22 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required<sup>1</sup> |
| -------------- | | ------------------------------------- |
| `service:read` | | `service:read`<br />`intentions:read` |
<sup>1</sup> The ACL required depends on the config entry kind being read:
| Config Entry Kind | Required ACL |
| ------------------- | ----------------- |
| ingress-gateway | `service:read` |
| proxy-defaults | `<none>` |
| service-defaults | `service:read` |
| service-intentions | `intentions:read` |
| service-resolver | `service:read` |
| service-router | `service:read` |
| service-splitter | `service:read` |
| terminating-gateway | `service:read` |
## Usage ## Usage
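Review bot: The summary cell now stacks `service:read` and `intentions:read` with `<br />`, which can be read as both being required, while the per-kind table below shows that at most one applies and proxy-defaults needs none. Add "one of" to the header or the cell. This hunk is also line-for-line identical to the previous file's, including "being read" in the footnote, so check that the verb fits both commands.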

@ -17,9 +17,25 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required<sup>1</sup> |
| ----------------------------------- | | ------------------------------------------------------------- |
| `service:write` or `operator:write` | | `service:write`<br />`operator:write`<br />`intentions:write` |
<p>
<sup>1</sup> The actual ACL required depends on the config entry kind being
updated:
</p>
| Config Entry Kind | Required ACL |
| ------------------- | ------------------ |
| ingress-gateway | `operator:write` |
| proxy-defaults | `operator:write` |
| service-defaults | `service:write` |
| service-intentions | `intentions:write` |
| service-resolver | `service:write` |
| service-router | `service:write` |
| service-splitter | `service:write` |
| terminating-gateway | `operator:write` |
## Usage ## Usage
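Review bot: The footnote here is wrapped in `<p>` and says "The actual ACL required", while the delete and read hunks use a bare `<sup>1</sup>` line and "The ACL required". Pick one markup form and one wording for all the config entry pages so the footnotes render and read alike.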

@ -23,6 +23,23 @@ intention read permissions and don't evaluate the result.
defined as _deny_ intentions during evaluation, as this endpoint is only suited defined as _deny_ intentions during evaluation, as this endpoint is only suited
for networking layer 4 (e.g. TCP) integration. for networking layer 4 (e.g. TCP) integration.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ----------------------------- |
| `intentions:read`<sup>1</sup> |
<p>
<sup>1</sup> Intention ACL rules are specified as part of a{' '}
<code>service</code> rule. See{' '}
<a href="/docs/connect/intentions#intention-management-permissions">
Intention Management Permissions
</a>{' '}
for more details.
</p>
## Usage ## Usage
Usage: `consul intention check [options] SRC DST` Usage: `consul intention check [options] SRC DST`
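Review bot: The footnote says intention rules are set inside a `service` rule, but the usage line takes both `SRC` and `DST`, and the added text does not say which service's rule must grant `intentions:read`. State it here, since an operator scoping a token for this command needs to know which side to write the rule for.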

@ -22,8 +22,17 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ------------------ | | ------------------------------ |
| `intentions:write` | | `intentions:write`<sup>1</sup> |
<p>
<sup>1</sup> Intention ACL rules are specified as part of a{' '}
<code>service</code> rule. See{' '}
<a href="/docs/connect/intentions#intention-management-permissions">
Intention Management Permissions
</a>{' '}
for more details.
</p>
## Usage ## Usage
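Review bot: The added footnote uses raw `<p>`, `<a href>` and `{' '}` spacers, whereas the namespace footnotes in this same commit are a plain `<sup>1</sup>` line of Markdown. A Markdown link to `/docs/connect/intentions#intention-management-permissions` would say the same thing without the spacers, and because the identical block is pasted into each intention page, a single shared include would keep the copies from drifting.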

@ -7,7 +7,7 @@ page_title: 'Commands: Intention Delete'
Command: `consul intention delete` Command: `consul intention delete`
Corresponding HTTP API Endpoint: [\[DELETE\] /v1/connect/intentions/exact](/api-docs/connect/intentions#delete-intention-by-name) Corresponding HTTP API Endpoints: [\[DELETE\] /v1/connect/intentions/exact](/api-docs/connect/intentions#delete-intention-by-name), [\[DELETE\] /v1/connect/intentions/:uuid](/api-docs/connect/intentions#delete-intention-by-id)
The `intention delete` command deletes a matching intention. The `intention delete` command deletes a matching intention.
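Review bot: The added `[DELETE] /v1/connect/intentions/:uuid` reference is the ID-based form, and the callout further down this page marks the one argument form of the command as deprecated in Consul 1.9.0. Flag the by-ID endpoint as deprecated in this line too, so readers do not treat the two endpoints as equivalent.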
@ -16,8 +16,17 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ------------------ | | ------------------------------ |
| `intentions:write` | | `intentions:write`<sup>1</sup> |
<p>
<sup>1</sup> Intention ACL rules are specified as part of a{' '}
<code>service</code> rule. See{' '}
<a href="/docs/connect/intentions#intention-management-permissions">
Intention Management Permissions
</a>{' '}
for more details.
</p>
-> **Deprecated** - The one argument form of this command is deprecated in -> **Deprecated** - The one argument form of this command is deprecated in
Consul 1.9.0. Intentions no longer need IDs when represented as Consul 1.9.0. Intentions no longer need IDs when represented as

@ -7,7 +7,7 @@ page_title: 'Commands: Intention Get'
Command: `consul intention get` Command: `consul intention get`
Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions/exact](/api-docs/connect/intentions##read-specific-intention-by-name) Corresponding HTTP API Endpoints: [\[GET\] /v1/connect/intentions/exact](/api-docs/connect/intentions#read-specific-intention-by-name), [\[GET\] /v1/connect/intentions/:uuid](/api-docs/connect/intentions#read-specific-intention-by-id)
The `intention get` command shows a single intention. The `intention get` command shows a single intention.
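Review bot: The old link carried a broken anchor (`##read-specific-intention-by-name`) that went unnoticed until this change, and the same line now adds a second anchor, `#read-specific-intention-by-id`. Check both against the headings on the intentions API page, and consider an automated link check for these `/api-docs/` references.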
@ -21,8 +21,17 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ----------------- | | ----------------------------- |
| `intentions:read` | | `intentions:read`<sup>1</sup> |
<p>
<sup>1</sup> Intention ACL rules are specified as part of a{' '}
<code>service</code> rule. See{' '}
<a href="/docs/connect/intentions#intention-management-permissions">
Intention Management Permissions
</a>{' '}
for more details.
</p>
## Usage ## Usage

@ -11,6 +11,23 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions](/api-docs/conn
The `intention list` command shows all intentions including ID and precedence. The `intention list` command shows all intentions including ID and precedence.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ----------------------------- |
| `intentions:read`<sup>1</sup> |
<p>
<sup>1</sup> Intention ACL rules are specified as part of a{' '}
<code>service</code> rule. See{' '}
<a href="/docs/connect/intentions#intention-management-permissions">
Intention Management Permissions
</a>{' '}
for more details.
</p>
## Usage ## Usage
Usage: Usage:
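Review bot: The added paragraph pairs the singular subject "Configuration of" with "are not supported from commands"; it should read "is not supported". The sentence is copied from the other command pages, so fix the shared wording rather than adding another copy of the error.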

@ -21,8 +21,17 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ----------------- | | ----------------------------- |
| `intentions:read` | | `intentions:read`<sup>1</sup> |
<p>
<sup>1</sup> Intention ACL rules are specified as part of a{' '}
<code>service</code> rule. See{' '}
<a href="/docs/connect/intentions#intention-management-permissions">
Intention Management Permissions
</a>{' '}
for more details.
</p>
## Usage ## Usage

@ -29,6 +29,19 @@ All variations of the `keyring` command return 0 if all nodes reply and there
are no errors. If any node fails to reply or reports failure, the exit code are no errors. If any node fails to reply or reports failure, the exit code
will be 1. will be 1.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required<sup>1</sup> |
| ----------------------------------- |
| `keyring:read`<br />`keyring:write` |
<p>
<sup>1</sup> The actual ACL required depends on the flags being used in the
command.
</p>
## Usage ## Usage
Usage: `consul keyring [options]` Usage: `consul keyring [options]`
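Review bot: The footnote under the keyring table says the ACL "depends on the flags being used" but does not say which flags need `keyring:read` and which need `keyring:write`. Add a flag-to-permission table in the style of the per-kind tables on the config entry pages, so a read-only token can be scoped without trial and error.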

@ -12,6 +12,14 @@ prefix from Consul's KV store, and write a JSON representation to
stdout. This can be used with the command "consul kv import" to move entire stdout. This can be used with the command "consul kv import" to move entire
trees between Consul clusters. trees between Consul clusters.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ------------ |
| `key:read` |
## Usage ## Usage
Usage: `consul kv export [options] [PREFIX]` Usage: `consul kv export [options] [PREFIX]`
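Review bot: The added table lists `key:read` without saying how it applies to the `[PREFIX]` argument. The page describes moving entire trees, so document whether the token needs read on every key under the prefix and what the export contains when it can read only part of the tree; otherwise a partially authorized export can look complete.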

@ -10,6 +10,14 @@ Command: `consul kv import`
The `kv import` command is used to import KV pairs from the JSON representation The `kv import` command is used to import KV pairs from the JSON representation
generated by the `kv export` command. generated by the `kv export` command.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ------------ |
| `key:write` |
## Usage ## Usage
Usage: `consul kv import [options] [DATA]` Usage: `consul kv import [options] [DATA]`
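Review bot: `key:write` in the added table needs scoping detail for the `[DATA]` argument: say whether the token must be able to write every key present in the imported JSON, and what happens to the remaining pairs when one write is denied.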

@ -21,8 +21,11 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ------------------------------------- | | ------------------------------------------------- |
| `operator:read` or `namespace:* read` | | `operator:read` or `namespace:*:read`<sup>1</sup> |
<sup>1</sup> Access can be granted to list the Namespace if the token used when making
the request has been granted any access in the namespace (read, list or write).
## Usage ## Usage
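Review bot: The table cell names `namespace:*:read`, but the footnote says any access in the namespace (read, list or write) is enough, so the cell understates what grants visibility. Reword the cell or the footnote so they agree, and lowercase "the Namespace" in the footnote. The broader rule is worth stating plainly, because it means a write-only grant inside a namespace also lets the token see that namespace.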

@ -20,8 +20,11 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ------------------------------------- | | ------------------------------------------------- |
| `operator:read` or `namespace:* read` | | `operator:read` or `namespace:*:read`<sup>1</sup> |
<sup>1</sup> Access can be granted to list the Namespace if the token used when making
the request has been granted any access in the namespace (read, list or write).
## Usage ## Usage

@ -13,6 +13,14 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/namespace/:name](/api-docs/namespa
This `namespace write` command creates or updates a namespace's configuration from its full definition. This was added in Consul Enterprise 1.7.0. This `namespace write` command creates or updates a namespace's configuration from its full definition. This was added in Consul Enterprise 1.7.0.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ---------------- |
| `operator:write` |
## Usage ## Usage
Usage: `consul namespace write <namespace definition>` Usage: `consul namespace write <namespace definition>`

@ -22,8 +22,12 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ------------ | | ----------------------- |
| `node:read` | | `node:read`<sup>1</sup> |
<p>
<sup>1</sup> When referencing WAN coordinates, no ACL permission is needed.
</p>
## Usage ## Usage
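Review bot: The new footnote says no ACL permission is needed "when referencing WAN coordinates" but does not name the option or argument form that selects them, so a reader cannot tell when the unauthenticated path applies. Name it in the footnote, and say explicitly that `node:read` covers the LAN case only, if that is the intent.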