mirror of
https://github.com/status-im/consul.git
synced 2025-02-11 21:27:20 +00:00
654528ca60
* CD-556 rename partition partial that's only used in CLI Update CLI pages for partial rename API: Add partial for partition as body option API: Add partial for partition as query parameter Update API peering and members pages * acl/auth-methods.mdx Update partition partials to be generic * binding-rules.mdx, policies.mdx * roles.mdx, templated-policies.mdx * tokens.mdx, catalog.mdx, config.mdx, intentions.mdx * service.mdx, exported-services.mdx, kv.mdx, namespaces.mdx * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * Add partial to acl/auth-methods.mdx Fix headings indent in a few files. * Update website/content/api-docs/acl/auth-methods.mdx Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> --------- Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
61 lines
2.1 KiB
Plaintext
61 lines
2.1 KiB
Plaintext
---
|
|
layout: commands
|
|
page_title: 'Commands: Intention Check'
|
|
description: >-
|
|
The `consul intention check` command tests whether a connection between two services is authorized under the current set of intentions.
|
|
---
|
|
|
|
# Consul Intention Check
|
|
|
|
Command: `consul intention check`
|
|
|
|
Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions/check](/consul/api-docs/connect/intentions#check-intention-result)
|
|
|
|
The `intention check` command checks whether a connection attempt between
|
|
two services would be authorized given the current set of intentions and
|
|
Consul configuration.
|
|
|
|
This command requires less ACL permissions than other intention-related
|
|
tasks because no information about the intention is revealed. Therefore,
|
|
callers only need to have `service:read` access for the destination. Richer
|
|
commands like [match](/consul/commands/intention/match) require full
|
|
intention read permissions and don't evaluate the result.
|
|
|
|
-> **Note:** This command will always treat intentions with `Permissions`
|
|
defined as _deny_ intentions during evaluation, as this endpoint is only suited
|
|
for networking layer 4 (e.g. TCP) integration.
|
|
|
|
The table below shows this command's [required ACLs](/consul/api-docs/api-structure#authentication). Configuration of
|
|
[blocking queries](/consul/api-docs/features/blocking) and [agent caching](/consul/api-docs/features/caching)
|
|
are not supported from commands, but may be from the corresponding HTTP endpoint.
|
|
|
|
| ACL Required |
|
|
| ----------------------------- |
|
|
| `intentions:read`<p> Define intention rules in the `service` policy. Refer to [ACL requirements for intentions](/consul/docs/connect/intentions/create-manage-intentions#acl-requirements) for additional information.</p> |
|
|
|
|
## Usage
|
|
|
|
Usage: `consul intention check [options] SRC DST`
|
|
|
|
`SRC` and `DST` can both take [several forms](/consul/commands/intention#source-and-destination-naming).
|
|
|
|
#### Enterprise Options
|
|
|
|
@include 'cli-http-api-partition-options.mdx'
|
|
|
|
@include 'http_api_namespace_options.mdx'
|
|
|
|
#### API Options
|
|
|
|
@include 'http_api_options_client.mdx'
|
|
|
|
## Examples
|
|
|
|
```shell-session
|
|
$ consul intention check web db
|
|
Denied
|
|
|
|
$ consul intention check web billing
|
|
Allowed
|
|
```
|