mirror of https://github.com/status-im/consul.git
Merge pull request #12677 from hashicorp/expanded-token-read-docs
docs: Add examples for expanded token read CLI and API
This commit is contained in:
commit
d86bcd0583
|
@ -188,6 +188,9 @@ The corresponding CLI command is [`consul acl token read`](/commands/acl/token/r
|
||||||
the namespace will be inherited from the request's ACL token or will default
|
the namespace will be inherited from the request's ACL token or will default
|
||||||
to the `default` namespace. Added in Consul 1.7.0.
|
to the `default` namespace. Added in Consul 1.7.0.
|
||||||
|
|
||||||
|
- `expanded` `(bool: false)` - If this field is set, the contents of all policies and
|
||||||
|
roles affecting the token will also be returned.
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
|
@ -225,6 +228,92 @@ for reading other secrets which given even more permissions.
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Sample response when setting the `expanded` parameter:
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"AccessorID": "fbd2447f-7479-4329-ad13-b021d74f86ba",
|
||||||
|
"SecretID": "869c6e91-4de9-4dab-b56e-87548435f9c6",
|
||||||
|
"Description": "test token",
|
||||||
|
"Policies": [
|
||||||
|
{
|
||||||
|
"ID": "beb04680-815b-4d7c-9e33-3d707c24672c",
|
||||||
|
"Name": "foo"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ID": "18788457-584c-4812-80d3-23d403148a90",
|
||||||
|
"Name": "bar"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"Local": false,
|
||||||
|
"CreateTime": "2020-05-22T18:52:31Z",
|
||||||
|
"Hash": "YWJjZGVmZ2g=",
|
||||||
|
"ExpandedPolicies": [
|
||||||
|
{
|
||||||
|
"ID": "beb04680-815b-4d7c-9e33-3d707c24672c",
|
||||||
|
"Name": "foo",
|
||||||
|
"Description": "user policy on token",
|
||||||
|
"Rules": "service_prefix \"\" {\n policy = \"read\"\n}",
|
||||||
|
"Datacenters": null,
|
||||||
|
"Hash": null,
|
||||||
|
"CreateIndex": 0,
|
||||||
|
"ModifyIndex": 0
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ID": "18788457-584c-4812-80d3-23d403148a90",
|
||||||
|
"Name": "bar",
|
||||||
|
"Description": "other user policy on token",
|
||||||
|
"Rules": "operator = \"read\"",
|
||||||
|
"Datacenters": null,
|
||||||
|
"Hash": null,
|
||||||
|
"CreateIndex": 0,
|
||||||
|
"ModifyIndex": 0
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ID": "6204f4cd-4709-441c-ac1b-cb029e940263",
|
||||||
|
"Name": "admin policy",
|
||||||
|
"Description": "policy for admin role",
|
||||||
|
"Rules": "operator = \"write\"",
|
||||||
|
"Datacenters": null,
|
||||||
|
"Hash": null,
|
||||||
|
"CreateIndex": 0,
|
||||||
|
"ModifyIndex": 0
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"ExpandedRoles": [
|
||||||
|
{
|
||||||
|
"ID": "3b0a78fe-b9c3-40de-b8ea-7d4d6674b366",
|
||||||
|
"Name": "admin",
|
||||||
|
"Description": "admin role",
|
||||||
|
"Policies": [
|
||||||
|
{
|
||||||
|
"ID": "6204f4cd-4709-441c-ac1b-cb029e940263",
|
||||||
|
"Name": "admin policy"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"ServiceIdentities": [
|
||||||
|
{
|
||||||
|
"ServiceName": "web",
|
||||||
|
"Datacenters": [
|
||||||
|
"southwest"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"Hash": null,
|
||||||
|
"CreateIndex": 0,
|
||||||
|
"ModifyIndex": 0
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"NamespaceDefaultPolicies": null,
|
||||||
|
"NamespaceDefaultRoles": null,
|
||||||
|
"AgentACLDefaultPolicy": "allow",
|
||||||
|
"AgentACLDownPolicy": "deny",
|
||||||
|
"ResolvedByAgent": "server-1",
|
||||||
|
"CreateIndex": 42,
|
||||||
|
"ModifyIndex": 100
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
## Read Self Token
|
## Read Self Token
|
||||||
|
|
||||||
This endpoint returns the ACL token details that matches the secret ID
|
This endpoint returns the ACL token details that matches the secret ID
|
||||||
|
|
|
@ -40,6 +40,9 @@ Usage: `consul acl token read [options] [args]`
|
||||||
- `-self` - Indicates that the current HTTP token should be read by secret ID
|
- `-self` - Indicates that the current HTTP token should be read by secret ID
|
||||||
instead of expecting a -id option.
|
instead of expecting a -id option.
|
||||||
|
|
||||||
|
- `-expanded` - Indicates that the contents of the policies and roles affecting
|
||||||
|
the token should also be shown.
|
||||||
|
|
||||||
- `-format={pretty|json}` - Command output format. The default value is `pretty`.
|
- `-format={pretty|json}` - Command output format. The default value is `pretty`.
|
||||||
|
|
||||||
#### Enterprise Options
|
#### Enterprise Options
|
||||||
|
@ -87,3 +90,39 @@ Local: false
|
||||||
Create Time: 0001-01-01 00:00:00 +0000 UTC
|
Create Time: 0001-01-01 00:00:00 +0000 UTC
|
||||||
Policies:
|
Policies:
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Get token details (Expanded)
|
||||||
|
|
||||||
|
```shell-session
|
||||||
|
$ consul acl token read -expanded -id 986
|
||||||
|
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
|
||||||
|
SecretID: ec15675e-2999-d789-832e-8c4794daa8d7
|
||||||
|
Description: Read Nodes and Services
|
||||||
|
Local: false
|
||||||
|
Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
|
||||||
|
Policies:
|
||||||
|
Policy Name: foo
|
||||||
|
ID: beb04680-815b-4d7c-9e33-3d707c24672c
|
||||||
|
Description: user policy on token
|
||||||
|
Rules:
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
|
||||||
|
Policy Name: bar
|
||||||
|
ID: 18788457-584c-4812-80d3-23d403148a90
|
||||||
|
Description: other user policy on token
|
||||||
|
Rules:
|
||||||
|
operator = "read"
|
||||||
|
|
||||||
|
=== End of Authorizer Layer 0: Token ===
|
||||||
|
=== Start of Authorizer Layer 2: Agent Configuration Defaults (Inherited) ===
|
||||||
|
Description: Defined at request-time by the agent that resolves the ACL token; other agents may have different configuration defaults
|
||||||
|
Resolved By Agent: "leader"
|
||||||
|
|
||||||
|
Default Policy: allow
|
||||||
|
Description: Backstop rule used if no preceding layer has a matching rule (refer to default_policy option in agent configuration)
|
||||||
|
|
||||||
|
Down Policy: deny
|
||||||
|
Description: Defines what to do if this Token's information cannot be read from the primary_datacenter (refer to down_policy option in agent configuration)
|
||||||
|
```
|
||||||
|
|
Loading…
Reference in New Issue