Can I define ACL tokens using json files?


Russell Simpkins

Oct 6, 2015, 2:13:46 PM10/6/15
to Consul
I've been reading and I'm not sure if I am allowed to define ACLs using JSON. Maybe my approach is flawed. I would prefer to have a .json file in a conf directory that I can manage under version control.  

Something like this is what I was thinking as configuration for a server node (in addition to :

{
  "acl_datacenter": "dc1",
  "acl_default_policy": "deny",
  "acl_down_policy": "allow",
  "acl_master_token": "xxx-xxx-xxx-xxx-xxx",
  "tokens": [
    {
      "id": "yyy-yyy-yyy-yyy-yyy",
      "name": "group/teama",
      "type": "client",
      "ruleset": {
        "key": {
          "": { "policy": "deny" },
          "group/teama": { "policy": "write" }
        },
        "service": {
          "": { "policy": "read" },
          "group-teama-": { "policy": "write" }
        }
      }
    },
    {
      "id": "zzz-zzz-zzz-zzz-zzz",
      "name": "group/teamb",
      "type": "client",
      "ruleset": {
        "key": {
          "": { "policy": "deny" },
          "group/teamb": { "policy": "write" }
        },
        "service": {
          "": { "policy": "read" },
          "group-teamb-": { "policy": "write" }
        }
      }
    }
  ]
}

Is that possible, and if so, what's the correct format?

Thanks,

Russ

ja...@fpcomplete.com

Oct 7, 2015, 4:01:33 AM10/7/15
to Consul
Hi Russell,

I have had problems understanding these details too, but I think the following is mostly correct:

  • you can store the JSON somewhere in git, but it would not go into the server/agent config
  • instead, use the agent APIs for tokens/ACL management, documented here: https://consul.io/docs/agent/http/acl.html
  • as an added point of simplicity, you can very easily create tokens and update policies with the Consul UI.
 
Good luck..

Armon Dadgar

Oct 7, 2015, 11:25:18 AM10/7/15
to consu...@googlegroups.com, ja...@fpcomplete.com
Hey,

I think Jason touched on all the right points. Currently the ACLs cannot be directly inserted into
a configuration file that Consul will read. The API is the primary way of interaction with ACLs.
That said, 0.5.2 (or perhaps earlier) introduced the ability to specify the ACL ID. Previously, this
would always generate a new UUID, which makes it hard to specify the policies since you need
a way to capture the UUID.

Now, you can create a folder of desired ACLs, and a simple script to hit the API and ensure
they all exist, since the API call is idempotent.

Hope that helps!

Best Regards,
Armon Dadgar
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/consul/issues
IRC: #consul on Freenode
---
You received this message because you are subscribed to the Google Groups "Consul" group.
To unsubscribe from this group and stop receiving emails from it, send an email to consul-tool...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/consul-tool/0b746685-af4f-4f88-ada2-274e3b57ec39%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
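A script of the kind Armon describes, added here as an example (it is not code from the thread or from Consul): it reads a directory of per-token JSON files in the shape Russell proposed (`id`, `name`, `type`, `ruleset`) and PUTs each one to the legacy `/v1/acl/create` endpoint with a caller-chosen ID, so running it again simply re-asserts the same tokens. Assumptions: the pre-1.4 ACL system (Consul 1.4 replaced it with policies and tokens, and later releases removed the legacy endpoints); a caller-supplied ID must be a UUID, which the script checks before sending; the management token goes in the `X-Consul-Token` header and is read from the environment rather than from the versioned files, because the `acl_master_token` line in the proposed server config is exactly the secret that should not be committed; and the ruleset object is sent as a JSON string, which the legacy rule parser accepted alongside HCL. The `acls` directory name, the `write_sample_acl_dir` helper that builds two constructed sample files, and the sample UUIDs are mine. One further caveat on the proposed config: `acl_down_policy: allow` fails open whenever the ACL datacenter is unreachable, and `deny` is the conservative choice.

```python
"""Push a directory of ACL definitions into Consul's legacy ACL API.

Editor's example, not code from the thread or from Consul. Assumes the
pre-1.4 ACL system: PUT /v1/acl/create with a caller-chosen UUID "ID"
creates the token or updates it in place, so re-running is idempotent.
"""
import json
import os
import re
import sys
import tempfile
import urllib.request

# Legacy Consul rejects a caller-supplied ID that is not a UUID (assumption).
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def to_create_payload(acl):
    """Map one file in the thread's proposed shape (id/name/type/ruleset)
    onto the /v1/acl/create body. Rules travel as a string; the legacy rule
    parser accepts JSON as well as HCL, so the ruleset object is serialised
    as-is with a stable key order."""
    acl_id = acl["id"]
    if not UUID_RE.match(acl_id):
        raise ValueError(f"ACL id must be a UUID, got {acl_id!r}")
    acl_type = acl.get("type", "client")
    if acl_type not in ("client", "management"):
        raise ValueError(f"unknown ACL type {acl_type!r}")
    return {
        "ID": acl_id,
        "Name": acl["name"],
        "Type": acl_type,
        "Rules": json.dumps(acl["ruleset"], sort_keys=True),
    }


def load_acl_dir(path):
    """One JSON file per token; sorted so the order of API calls is stable."""
    payloads = []
    for fname in sorted(os.listdir(path)):
        if fname.endswith(".json"):
            with open(os.path.join(path, fname), encoding="utf-8") as fh:
                payloads.append(to_create_payload(json.load(fh)))
    return payloads


def http_put(url, body, token):
    """Real transport: PUT with the management token in X-Consul-Token."""
    req = urllib.request.Request(url, data=body, method="PUT")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-Consul-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


def sync_acls(acl_dir, token, consul_addr="http://127.0.0.1:8500", put=http_put):
    """Ensure every ACL under acl_dir exists in Consul; returns the IDs sent.
    The transport is injectable so the logic can run without a live agent."""
    sent = []
    for payload in load_acl_dir(acl_dir):
        status, _ = put(consul_addr + "/v1/acl/create",
                        json.dumps(payload).encode(), token)
        if status != 200:
            raise RuntimeError(f"acl/create for {payload['ID']} returned {status}")
        sent.append(payload["ID"])
    return sent


def write_sample_acl_dir():
    """Constructed sample input (two team tokens, like the thread's example),
    written to a fresh temp directory; returns its path."""
    path = tempfile.mkdtemp(prefix="consul-acls-")
    teams = {
        "teama": "9a5e2b1c-1f52-4d2f-9b7e-0c6d3e4f5a61",
        "teamb": "2c7f4d3e-8b91-4a6c-b2d5-7e8f9a0b1c22",
    }
    for team, acl_id in teams.items():
        acl = {
            "id": acl_id,
            "name": f"group/{team}",
            "type": "client",
            "ruleset": {
                "key": {"": {"policy": "deny"},
                        f"group/{team}": {"policy": "write"}},
                "service": {"": {"policy": "read"},
                            f"group-{team}-": {"policy": "write"}},
            },
        }
        with open(os.path.join(path, f"{team}.json"), "w", encoding="utf-8") as fh:
            json.dump(acl, fh, indent=2)
    return path


if __name__ == "__main__":
    # Same environment variables the consul CLI uses; the token never lives in git.
    token = os.environ.get("CONSUL_HTTP_TOKEN")
    if not token:
        sys.exit("set CONSUL_HTTP_TOKEN to the management token")
    addr = os.environ.get("CONSUL_HTTP_ADDR", "http://127.0.0.1:8500")  # with scheme
    acl_dir = sys.argv[1] if len(sys.argv) > 1 else "acls"
    for acl_id in sync_acls(acl_dir, token, addr):
        print("ensured", acl_id)
```

Because the ID is fixed in the file, a second run hits the same endpoint with the same body and Consul updates the existing entry rather than minting a new UUID, which is the property that makes a version-controlled directory of ACLs workable.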

Russell Simpkins

Oct 7, 2015, 6:03:06 PM10/7/15
to Consul
Thanks!


Russell Simpkins

Oct 29, 2015, 10:40:17 AM10/29/15
to Consul
All,

I ended up creating a small program that reads a YAML file to update the consul cluster.


Russ
