mirror of https://github.com/status-im/consul.git
Docs Proofing (#5424)
* Docs: Remove default_policy From Code Example

  It is not needed according to: https://www.consul.io/docs/agent/acl-system.html#configuring-acls

* Docs: Cleanup Commands And Their Output On ACL Guide Page

  Remove extra spaces and newlines
  Ensure rules match input rules

* Docs: Remove Incomplete "Added In Version" Statement

  Version added is specified on parent option

* Docs: Fix Broken Links

* Docs: Minor Sentence Tweaks
parent 33d0922db3
commit 585978ab94
|
@ -189,7 +189,7 @@ with `bar`.
|
|||
|
||||
Since [Agent API](/api/agent.html) utility operations may be reqired before an agent is joined to
|
||||
a cluster, or during an outage of the Consul servers or ACL datacenter, a special token may be
|
||||
configured with [`acl_agent_master_token`](/docs/agent/options.html#acl_agent_master_token) to allow
|
||||
configured with [`acl.tokens.agent_master`](/docs/agent/options.html#acl_tokens_agent_master) to allow
|
||||
write access to these operations even if no ACL resolution capability is available.
|
||||
|
||||
#### Event Rules
|
||||
|
|
|
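Review bot: The unchanged context line directly above the edited link still reads "may be reqired"; since this pass is already touching the sentence, correct it to "required" in the same hunk. The new link also moves the anchor to `#acl_tokens_agent_master`, so confirm that anchor exists on the options page before merging.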
@ -124,8 +124,8 @@ Consul datacenters, and does not allow modification of any state.
|
|||
|
||||
3. The [connect CA roots endpoint](/api/connect/ca.html#list-ca-root-certificates) exposes just the public TLS certificate which other systems can use to verify the TLS connection with Consul.
|
||||
|
||||
Constructing rules from these policies is covered in detail in the
|
||||
[Rule Specification](#rule-specification) section below.
|
||||
Constructing rules from these policies is covered in detail on the
|
||||
[ACL Rules](/docs/agent/acl-rules.html) page.
|
||||
|
||||
## Configuring ACLs
|
||||
|
||||
|
@ -147,7 +147,7 @@ system, or accessing Consul in special situations:
|
|||
| ------------- | ------- | ------- | ------- |
|
||||
| [`acl.tokens.agent_master`](/docs/agent/options.html#acl_tokens_agent_master) | `OPTIONAL` | `OPTIONAL` | Special token that can be used to access [Agent API](/api/agent.html) when remote bearer token resolution fails; used for setting up the cluster such as doing initial join operations, see the [ACL Agent Master Token](#acl-agent-master-token) section for more details |
|
||||
| [`acl.tokens.agent`](/docs/agent/options.html#acl_tokens_agent) | `OPTIONAL` | `OPTIONAL` | Special token that is used for an agent's internal operations, see the [ACL Agent Token](#acl-agent-token) section for more details |
|
||||
| [`acl.tokens.master`](/docs/agent/options.html#acl_tokens_master) | `OPTIONAL` | `N/A` | Special token used to bootstrap the ACL system, see the [Bootstrapping ACLs](#bootstrapping-acls) section for more details |
|
||||
| [`acl.tokens.master`](/docs/agent/options.html#acl_tokens_master) | `OPTIONAL` | `N/A` | Special token used to bootstrap the ACL system, see the [Bootstrapping ACLs](https://learn.hashicorp.com/consul/advanced/day-1-operations/acl-guide) guide for more details |
|
||||
| [`acl.tokens.default`](/docs/agent/options.html#acl_tokens_default) | `OPTIONAL` | `OPTIONAL` | Default token to use for client requests where no token is supplied; this is often configured with read-only access to services to enable DNS service discovery on agents |
|
||||
|
||||
All of these tokens except the `master` token can all be introduced or updated via the [/v1/agent/token API](/api/agent.html#update-acl-tokens).
|
||||
|
|
|
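Review bot: In the `acl.tokens.master` row the new target is an absolute `https://learn.hashicorp.com/...` URL that lands at the top of the ACL guide, while the link text is still "Bootstrapping ACLs" and every other cell in the table uses a site-relative path. Point the link at the bootstrapping section of the guide if it has an anchor. The sentence under the table ("All of these tokens except the `master` token can all be introduced") also carries a redundant second "all" that this pass could drop.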
@ -59,7 +59,7 @@ There are several different kinds of checks:
|
|||
Certificate verification can be turned off by setting the `tls_skip_verify`
|
||||
field to `true` in the check definition.
|
||||
|
||||
* TCP + Interval - These checks make an TCP connection attempt every Interval
|
||||
* TCP + Interval - These checks make a TCP connection attempt every Interval
|
||||
(e.g. every 30 seconds) to the specified IP/hostname and port. If no hostname
|
||||
is specified, it defaults to "localhost". The status of the service depends on
|
||||
whether the connection attempt is successful (ie - the port is currently
|
||||
|
|
|
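Review bot: The context line at the end of this bullet still reads "(ie - the port is currently"; write it as "i.e." while the bullet is being corrected, so the "an TCP" fix does not leave the same sentence half-proofed.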
@ -584,7 +584,7 @@ default will automatically work with some tooling.
|
|||
|
||||
* <a name="acl_tokens_agent"></a><a href="#acl_tokens_agent">`agent`</a> - Used for clients
|
||||
and servers to perform internal operations. If this isn't specified, then the
|
||||
<a href="#acl_tokens_default">`default`</a> will be used. This was added in Consul
|
||||
<a href="#acl_tokens_default">`default`</a> will be used.
|
||||
<br/><br/>
|
||||
This token must at least have write access to the node name it will register as in order to set any
|
||||
of the node-level information in the catalog such as metadata, or the node's tagged addresses. There
|
||||
|
|
|
@ -130,7 +130,7 @@ We only need to create one policy and can do this on any of the servers. If you
|
|||
`CONSUL_HTTP_TOKEN` environment variable to the bootstrap token, please refer to the previous step.
|
||||
|
||||
```
|
||||
$ consul acl policy create -name "agent-token" -description "Agent Token Policy" -rules @agent-policy.hcl
|
||||
$ consul acl policy create -name "agent-token" -description "Agent Token Policy" -rules @agent-policy.hcl
|
||||
ID: 5102b76c-6058-9fe7-82a4-315c353eb7f7
|
||||
Name: agent-policy
|
||||
Description: Agent Token Policy
|
||||
|
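Review bot: The sample output shows `Name: agent-policy`, but the command above it passes `-name "agent-token"`. The commit sets out to make command output match its input, so change one of the two; a reader comparing their own terminal with the guide will otherwise see a mismatch on the policy name.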
@ -139,7 +139,6 @@ Rules:
|
|||
node_prefix "" {
|
||||
policy = "write"
|
||||
}
|
||||
|
||||
service_prefix "" {
|
||||
policy = "read"
|
||||
}
|
||||
|
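Review bot: The rules printed for the agent token grant `node_prefix "" { policy = "write" }`, which is write on every node name, whereas the `agent` option text touched elsewhere in this commit says the token needs write access to the node name it will register as. Add a sentence next to this block saying the empty prefix is a shortcut for the guide and that a token scoped to the agent's own node name is sufficient.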
@ -247,7 +246,6 @@ with a configuration file that enables ACLs. We can use the same ACL agent token
|
|||
{
|
||||
"acl" : {
|
||||
"enabled" : true,
|
||||
"default_policy" : "deny",
|
||||
"down_policy" : "extend-cache",
|
||||
"tokens" : {
|
||||
"agent" : "da666809-98ca-0e94-a99c-893c4bf5f9eb"
|
||||
|
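Review bot: Dropping `"default_policy" : "deny",` from this block makes the example's deny-by-default stance implicit. If the agent's default for this option is anything other than `deny`, a reader who copies the block gets a more permissive configuration than the guide intends, with `"enabled" : true` giving the impression that unauthenticated requests are refused. Either keep the line or state the effective default in the paragraph introducing the block.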
@ -296,7 +294,6 @@ we will give the anonymous token read privileges for all nodes:
|
|||
|
||||
```bash
|
||||
$ consul acl policy create -name 'list-all-nodes' -rules 'node_prefix "" { policy = "read" }'
|
||||
|
||||
ID: e96d0a33-28b4-d0dd-9b3f-08301700ac72
|
||||
Name: list-all-nodes
|
||||
Description:
|
||||
|
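Review bot: This block is fenced as `bash`, the "UI Token" block later in the same guide as `sh`, and the `agent-token` block earlier with no language at all. Since the commit is already normalising the commands and their output, pick one fence tag for all console blocks on the page.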
@ -305,7 +302,6 @@ Rules:
|
|||
node_prefix "" { policy = "read" }
|
||||
|
||||
$ consul acl token update -id 00000000-0000-0000-0000-000000000002 -policy-name list-all-nodes -description "Anonymous Token - Can List Nodes"
|
||||
|
||||
Token updated successfully.
|
||||
AccessorID: 00000000-0000-0000-0000-000000000002
|
||||
SecretID: anonymous
|
||||
|
@ -424,20 +420,18 @@ First create the new policy.
|
|||
$ consul acl policy create -name "ui-policy" \
|
||||
-description "Necessary permissions for UI functionality" \
|
||||
-rules 'key_prefix "" { policy = "write" } node_prefix "" { policy = "read" } service_prefix "" { policy = "read" }'
|
||||
|
||||
ID: 9cb99b2b-3c20-81d4-a7c0-9ffdc2fbf08a
|
||||
Name: ui-policy
|
||||
Description: Necessary permissions for UI functionality
|
||||
Datacenters:
|
||||
Rules:
|
||||
key "" { policy = "write" } node "" { policy = "read" } service "" { policy = "read" }
|
||||
key_prefix "" { policy = "write" } node_prefix "" { policy = "read" } service_prefix "" { policy = "read" }
|
||||
```
|
||||
|
||||
With the new policy, create a token.
|
||||
|
||||
```sh
|
||||
$ consul acl token create -description "UI Token" -policy-name "ui-policy"
|
||||
|
||||
AccessorID: 56e605cf-a6f9-5f9d-5c08-a0e1323cf016
|
||||
SecretID: 117842b6-6208-446a-0d1e-daf93854857d
|
||||
Description: UI Token
|
||||
|
@ -445,7 +439,6 @@ Local: false
|
|||
Create Time: 2018-10-19 14:55:44.254063 -0400 EDT
|
||||
Policies:
|
||||
9cb99b2b-3c20-81d4-a7c0-9ffdc2fbf08a - ui-policy
|
||||
|
||||
```
|
||||
|
||||
The token can then be set on the "settings" page of the UI.
|
||||
|
|