From 763f728df408fb41e659a4b30afed287e31ed5db Mon Sep 17 00:00:00 2001 From: Kyle Havlovitz Date: Thu, 31 Mar 2022 15:03:41 -0700 Subject: [PATCH] Add doc examples for expanded token read CLI and API --- website/content/api-docs/acl/tokens.mdx | 89 +++++++++++++++++++++ website/content/commands/acl/token/read.mdx | 39 +++++++++ 2 files changed, 128 insertions(+) diff --git a/website/content/api-docs/acl/tokens.mdx b/website/content/api-docs/acl/tokens.mdx index b73acc50e2..7afada6372 100644 --- a/website/content/api-docs/acl/tokens.mdx +++ b/website/content/api-docs/acl/tokens.mdx @@ -188,6 +188,9 @@ The corresponding CLI command is [`consul acl token read`](/commands/acl/token/r the namespace will be inherited from the request's ACL token or will default to the `default` namespace. Added in Consul 1.7.0. +- `expanded` `(bool: false)` - If this field is set, the contents of all policies and + roles affecting the token will also be returned. + ### Sample Request ```shell-session @@ -225,6 +228,92 @@ for reading other secrets which given even more permissions. } ``` +Sample response when setting the `expanded` parameter: + +```json +{ + "AccessorID": "fbd2447f-7479-4329-ad13-b021d74f86ba", + "SecretID": "869c6e91-4de9-4dab-b56e-87548435f9c6", + "Description": "test token", + "Policies": [ + { + "ID": "beb04680-815b-4d7c-9e33-3d707c24672c", + "Name": "foo" + }, + { + "ID": "18788457-584c-4812-80d3-23d403148a90", + "Name": "bar" + } + ], + "Local": false, + "CreateTime": "2020-05-22T18:52:31Z", + "Hash": "YWJjZGVmZ2g=", + "ExpandedPolicies": [ + { + "ID": "beb04680-815b-4d7c-9e33-3d707c24672c", + "Name": "foo", + "Description": "user policy on token", + "Rules": "service_prefix \"\" {\n policy = \"read\"\n}", + "Datacenters": null, + "Hash": null, + "CreateIndex": 0, + "ModifyIndex": 0 + }, + { + "ID": "18788457-584c-4812-80d3-23d403148a90", + "Name": "bar", + "Description": "other user policy on token", + "Rules": "operator = \"read\"", + "Datacenters": null, + "Hash": null, + "CreateIndex": 0, + "ModifyIndex": 0 + }, + { + "ID": "6204f4cd-4709-441c-ac1b-cb029e940263", + "Name": "admin policy", + "Description": "policy for admin role", + "Rules": "operator = \"write\"", + "Datacenters": null, + "Hash": null, + "CreateIndex": 0, + "ModifyIndex": 0 + } + ], + "ExpandedRoles": [ + { + "ID": "3b0a78fe-b9c3-40de-b8ea-7d4d6674b366", + "Name": "admin", + "Description": "admin role", + "Policies": [ + { + "ID": "6204f4cd-4709-441c-ac1b-cb029e940263", + "Name": "admin policy" + } + ], + "ServiceIdentities": [ + { + "ServiceName": "web", + "Datacenters": [ + "southwest" + ] + } + ], + "Hash": null, + "CreateIndex": 0, + "ModifyIndex": 0 + } + ], + "NamespaceDefaultPolicies": null, + "NamespaceDefaultRoles": null, + "AgentACLDefaultPolicy": "allow", + "AgentACLDownPolicy": "deny", + "ResolvedByAgent": "server-1", + "CreateIndex": 42, + "ModifyIndex": 100 +} +``` + ## Read Self Token This endpoint returns the ACL token details that matches the secret ID diff --git a/website/content/commands/acl/token/read.mdx b/website/content/commands/acl/token/read.mdx index e249e1b38d..85f0f6a4e0 100644 --- a/website/content/commands/acl/token/read.mdx +++ b/website/content/commands/acl/token/read.mdx @@ -40,6 +40,9 @@ Usage: `consul acl token read [options] [args]` - `-self` - Indicates that the current HTTP token should be read by secret ID instead of expecting a -id option. +- `-expanded` - Indicates that the contents of the policies and roles affecting + the token should also be shown. + - `-format={pretty|json}` - Command output format. The default value is `pretty`. #### Enterprise Options @@ -87,3 +90,39 @@ Local: false Create Time: 0001-01-01 00:00:00 +0000 UTC Policies: ``` + +Get token details (Expanded) + +```shell-session +$ consul acl token read -expanded -id 986 +AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d +SecretID: ec15675e-2999-d789-832e-8c4794daa8d7 +Description: Read Nodes and Services +Local: false +Create Time: 2018-10-22 15:33:39.01789 -0400 EDT +Policies: + Policy Name: foo + ID: beb04680-815b-4d7c-9e33-3d707c24672c + Description: user policy on token + Rules: + service_prefix "" { + policy = "read" + } + + Policy Name: bar + ID: 18788457-584c-4812-80d3-23d403148a90 + Description: other user policy on token + Rules: + operator = "read" + +=== End of Authorizer Layer 0: Token === +=== Start of Authorizer Layer 2: Agent Configuration Defaults (Inherited) === +Description: Defined at request-time by the agent that resolves the ACL token; other agents may have different configuration defaults +Resolved By Agent: "leader" + +Default Policy: allow + Description: Backstop rule used if no preceding layer has a matching rule (refer to default_policy option in agent configuration) + +Down Policy: deny + Description: Defines what to do if this Token's information cannot be read from the primary_datacenter (refer to down_policy option in agent configuration) +```