[docs] ACL Legacy Docs (#5625)

* updating the acl legacy doc

* Updatine ACLs based on PR #5002
This commit is contained in:
kaitlincarter-hc 2019-05-07 14:27:30 -05:00 committed by GitHub
parent 3a6935aa18
commit b64bda8808
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 24 additions and 12 deletions

View File

@ -292,3 +292,9 @@ $ curl \
} }
] ]
``` ```
## Check ACL Replication
The check ACL replication endpoint has not changed between the legacy system and the new system. Review the [latest documentation](/api/acl/acl.html#check-acl-replication) to learn more about this endpoint.

View File

@ -1,11 +1,13 @@
--- ---
layout: "docs" layout: "docs"
page_title: "ACL System (Legacy)" page_title: "ACL System (Legacy Mode)"
sidebar_current: "docs-acl-legacy" sidebar_current: "docs-acl-legacy"
description: |- description: |-
Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways. Consul provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine grained rules applied to them. It is very similar to AWS IAM in many ways.
--- ---
# ACL System in Legacy Mode
-> **1.3.0 and earlier:** This guide only applies in Consul versions 1.3.0 and before. If you are using the 1.4.0 or later please use the updated guide [here](/docs/acl/acl-system.html) -> **1.3.0 and earlier:** This guide only applies in Consul versions 1.3.0 and before. If you are using the 1.4.0 or later please use the updated guide [here](/docs/acl/acl-system.html)
@ -85,6 +87,10 @@ and [Policies](/api/acl/policies.html).
# Legacy ACL System # Legacy ACL System
~> **Warning**: In this document we use the deprecated
configuration parameter `acl_datacenter`. In Consul 1.4 and newer the
parameter has been updated to [`primary_datacenter`](https://www.consul.io/docs/agent/options.html#primary_datacenter).
Consul provides an optional Access Control List (ACL) system which can be used to control Consul provides an optional Access Control List (ACL) system which can be used to control
access to data and APIs. The ACL is access to data and APIs. The ACL is
[Capability-based](https://en.wikipedia.org/wiki/Capability-based_security), relying [Capability-based](https://en.wikipedia.org/wiki/Capability-based_security), relying
@ -163,7 +169,7 @@ Constructing rules from these policies is covered in detail in the
#### ACL Datacenter #### ACL Datacenter
All nodes (clients and servers) must be configured with a All nodes (clients and servers) must be configured with a
[`primary_datacenter`](/docs/agent/options.html#primary_datacenter) which enables ACL [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) which enables ACL
enforcement but also specifies the authoritative datacenter. Consul relies on enforcement but also specifies the authoritative datacenter. Consul relies on
[RPC forwarding](/docs/internals/architecture.html) to support multi-datacenter [RPC forwarding](/docs/internals/architecture.html) to support multi-datacenter
configurations. However, because requests can be made across datacenter boundaries, configurations. However, because requests can be made across datacenter boundaries,
@ -192,7 +198,7 @@ as to whether they are set on servers, clients, or both.
| Configuration Option | Servers | Clients | Purpose | | Configuration Option | Servers | Clients | Purpose |
| -------------------- | ------- | ------- | ------- | | -------------------- | ------- | ------- | ------- |
| [`primary_datacenter`](/docs/agent/options.html#primary_datacenter) | `REQUIRED` | `REQUIRED` | Master control that enables ACLs by defining the authoritative Consul datacenter for ACLs | | [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) | `REQUIRED` | `REQUIRED` | Master control that enables ACLs by defining the authoritative Consul datacenter for ACLs |
| [`acl_default_policy`](/docs/agent/options.html#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines whitelist or blacklist mode | | [`acl_default_policy`](/docs/agent/options.html#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines whitelist or blacklist mode |
| [`acl_down_policy`](/docs/agent/options.html#acl_down_policy_legacy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the ACL datacenter is offline | | [`acl_down_policy`](/docs/agent/options.html#acl_down_policy_legacy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the ACL datacenter is offline |
| [`acl_ttl`](/docs/agent/options.html#acl_ttl_legacy) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACLs | | [`acl_ttl`](/docs/agent/options.html#acl_ttl_legacy) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACLs |
@ -277,7 +283,7 @@ Here's the corresponding JSON configuration file:
```json ```json
{ {
"primary_datacenter": "dc1", "acl_datacenter": "dc1",
"acl_master_token": "b1gs33cr3t", "acl_master_token": "b1gs33cr3t",
"acl_default_policy": "deny", "acl_default_policy": "deny",
"acl_down_policy": "extend-cache" "acl_down_policy": "extend-cache"
@ -350,7 +356,7 @@ configuration and restart the servers once more to apply it:
```json ```json
{ {
"primary_datacenter": "dc1", "acl_datacenter": "dc1",
"acl_master_token": "b1gs33cr3t", "acl_master_token": "b1gs33cr3t",
"acl_default_policy": "deny", "acl_default_policy": "deny",
"acl_down_policy": "extend-cache", "acl_down_policy": "extend-cache",
@ -387,7 +393,7 @@ with a configuration file that enables ACLs:
```json ```json
{ {
"primary_datacenter": "dc1", "acl_datacenter": "dc1",
"acl_down_policy": "extend-cache", "acl_down_policy": "extend-cache",
"acl_agent_token": "fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1" "acl_agent_token": "fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1"
} }
@ -1109,7 +1115,7 @@ name that starts with "admin".
#### Outages and ACL Replication #### Outages and ACL Replication
The Consul ACL system is designed with flexible rules to accommodate for an outage The Consul ACL system is designed with flexible rules to accommodate for an outage
of the [`primary_datacenter`](/docs/agent/options.html#primary_datacenter) or networking of the [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) or networking
issues preventing access to it. In this case, it may be impossible for issues preventing access to it. In this case, it may be impossible for
agents in non-authoritative datacenters to resolve tokens. Consul provides agents in non-authoritative datacenters to resolve tokens. Consul provides
a number of configurable [`acl_down_policy`](/docs/agent/options.html#acl_down_policy) a number of configurable [`acl_down_policy`](/docs/agent/options.html#acl_down_policy)
@ -1162,10 +1168,10 @@ using the [ACL replication status](/api/acl/acl.html#acl_replication_status)
endpoint. endpoint.
2. Turn down the old authoritative datacenter servers. 2. Turn down the old authoritative datacenter servers.
3. Rolling restart the agents in the target datacenter and change the 3. Rolling restart the agents in the target datacenter and change the
`primary_datacenter` servers to itself. This will automatically turn off `acl_datacenter` servers to itself. This will automatically turn off
replication and will enable the datacenter to start acting as the authoritative replication and will enable the datacenter to start acting as the authoritative
datacenter, using its replicated ACLs from before. datacenter, using its replicated ACLs from before.
3. Rolling restart the agents in other datacenters and change their `primary_datacenter` 3. Rolling restart the agents in other datacenters and change their `acl_datacenter`
configuration to the target datacenter. configuration to the target datacenter.
<a name="version_8_acls"></a> <a name="version_8_acls"></a>
@ -1213,11 +1219,11 @@ Since clients now resolve ACLs locally, the [`acl_down_policy`](/docs/agent/opti
now applies to Consul clients as well as Consul servers. This will determine what the now applies to Consul clients as well as Consul servers. This will determine what the
client will do in the event that the servers are down. client will do in the event that the servers are down.
Consul clients must have [`primary_datacenter`](/docs/agent/options.html#primary_datacenter) configured Consul clients must have [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) configured
in order to enable agent-level ACL features. If this is set, the agents will contact the Consul in order to enable agent-level ACL features. If this is set, the agents will contact the Consul
servers to determine if ACLs are enabled at the cluster level. If they detect that ACLs are not servers to determine if ACLs are enabled at the cluster level. If they detect that ACLs are not
enabled, they will check at most every 2 minutes to see if they have become enabled, and will enabled, they will check at most every 2 minutes to see if they have become enabled, and will
start enforcing ACLs automatically. If an agent has an `primary_datacenter` defined, operators will start enforcing ACLs automatically. If an agent has an `acl_datacenter` defined, operators will
need to use the [`acl_agent_master_token`](/docs/agent/options.html#acl_agent_master_token) to need to use the [`acl_agent_master_token`](/docs/agent/options.html#acl_agent_master_token) to
perform agent-level operations if the Consul servers aren't present (such as for a manual join perform agent-level operations if the Consul servers aren't present (such as for a manual join
to the cluster), unless the [`acl_down_policy`](/docs/agent/options.html#acl_down_policy) on the to the cluster), unless the [`acl_down_policy`](/docs/agent/options.html#acl_down_policy) on the

View File

@ -445,7 +445,7 @@
<a href="/docs/acl/acl-rules.html">ACL Rules</a> <a href="/docs/acl/acl-rules.html">ACL Rules</a>
</li> </li>
<li<%= sidebar_current("docs-acl-legacy") %>> <li<%= sidebar_current("docs-acl-legacy") %>>
<a href="/docs/acl/acl-legacy.html">Legacy ACLs</a> <a href="/docs/acl/acl-legacy.html">Legacy Mode</a>
</li> </li>
<li<%= sidebar_current("docs-acl-migration") %>> <li<%= sidebar_current("docs-acl-migration") %>>
<a href="/docs/acl/acl-migrate-tokens.html">Token Migration</a> <a href="/docs/acl/acl-migrate-tokens.html">Token Migration</a>