Complete example of ACL


Antoine Lang-Cavelier

Dec 8, 2015, 12:32:16 AM
to Consul
Hi,

1/
I tried to get my ACLs in a json file but the format is really not nice. And I don't succeed in using 

Actually, I want to create my ACL with that kind of command:
curl -X PUT -d @/home/consul/bin/acl-farm-write.json "http://mydomain.com:8500/v1/acl/create?token=XXXX-XX-XX-XX-XXXXXX"

with, in /home/consul/bin/acl-farm-write.json (the Rules value is a single JSON string, so it has to stay on one line):
{
    "Name": "my-token",
    "Type": "client",
    "Rules": "{\"service\": {\"\": {\"policy\": \"write\"}}}"
}

That example, with all those escaping characters, took me a while to code, as there is no concrete example in the documentation. 100% of the time the example is just:
"Rules": "..."
with a link after that to well-formatted rules.

So it's really confusing.

I don't really get how I can have something like the following (with a writable/readable format) as a rule:

# Enable all services to be registered
service "" {
    policy = "write"
}


2/
I don't get how I can have several rules in that kind of file. Do I just have to add a comma after one rule and add a new one?


3/
It looks like a node can only follow one set of rules at a time. So if I understand it well, when I have a node which demands a minor alteration of the commonly used ACL, I need to clone that regular ACL and alter it accordingly, then register it and update the ACL token of that node?


Cheers,

Brian Lalor

Dec 8, 2015, 6:14:28 AM
to Consul
On Dec 8, 2015, at 12:32 AM, Antoine Lang-Cavelier <langcaveli...@gmail.com> wrote:

Hi,

1/
I tried to get my ACLs in a json file but the format is really not nice. And I don't succeed in using 

It’s not very pretty to do with HCL-formatted ones, either. :-)

Here’s part of a script I use, and it depends on the “jq” utility:

# Read the HCL policy text into a shell variable.
policy=$( cat "/var/lib/consul/agent_acl_policy.hcl" )

# Let jq build the request body; it escapes the policy string for us.
jq \
    -n \
    --arg token_name "agent: ${HOSTNAME}" \
    --arg policy "${policy}" \
    '{"Name": $token_name, "Type": "client", "Rules": $policy}' \
    > acl_request.json

# Create the ACL with the management token (mgmt_token is set elsewhere in the script).
# The URL is quoted so the shell does not treat "?" as a glob character.
curl -s -S -f \
    -X PUT \
    -o create_resp.json \
    -d @acl_request.json \
    "localhost:8500/v1/acl/create?token=${mgmt_token}"

I think you could also just “sed” to escape the double quotes. Something like

sed -e 's#"#\\"#g' < policy.json

I agree the documentation examples could be much better (and frankly the documentation around ACLs seems kind of buried in the Internals section, anyway).

2/
I don't get how I can have several rules in that kind of file. Do I just have to add a comma after one rule and add a new one?

This is the HCL for multiple rules in a single ACL:

    service "" {
        policy = "write"
    }
    
    event "" {
        policy = "write"
    }
    
    keyring = "read"

I believe this is the equivalent JSON:

    {
        "service": {
            "": {
                "policy": "write"
            }
        },
        "event": {
            "": {
                "policy": "write"
            }
        },
        "keyring": "read"
    }

3/
It looks like a node can only follow one set of rules at a time. So if I understand it well, when I have a node which demands a minor alteration of the commonly used ACL, I need to clone that regular ACL and alter it accordingly, then register it and update the ACL token of that node?

Yes, that’s correct.  But your applications that interact with the agent via the HTTP API can provide their own token different from what the agent has configured.

I also prefer to give each agent its own ACL token, rather than sharing one for a particular class of usage.
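Putting both answers together, here is an added example (mine, not Brian's script or any Consul code): it turns the readable multi-rule HCL above into the equivalent JSON rule object and wraps it in the `Rules` string of a `/v1/acl/create` body, letting `json.dumps` do the quote escaping that was painful by hand. The mini parser is an assumption of this example and only understands `<type> "<prefix>" { policy = "..." }` blocks (service, event, key, ...) and bare `key = "value"` lines such as keyring.

```python
"""Build a Consul /v1/acl/create request body from readable ACL rules.

Added example (not code from the thread or from Consul). Only the HCL shapes
seen in the thread are parsed: `<type> "<prefix>" { policy = "..." }` blocks
and bare `key = "value"` lines such as keyring.
"""
import json
import re

# `service "" { policy = "write" }`, possibly spread over several lines.
BLOCK_RE = re.compile(
    r'^(\w+)\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(\w+)"\s*\}', re.MULTILINE
)
# `keyring = "read"` at the top level (blocks are stripped before this runs).
SCALAR_RE = re.compile(r'^(\w+)\s*=\s*"(\w+)"\s*$', re.MULTILINE)

# Constructed sample: the multi-rule HCL shown in the thread.
SAMPLE_HCL = """\
# Enable all services to be registered
service "" {
    policy = "write"
}

event "" {
    policy = "write"
}

keyring = "read"
"""

def hcl_rules_to_json(hcl: str) -> dict:
    """Translate the thread's HCL rule style into the legacy JSON rule object."""
    rules: dict = {}
    for kind, prefix, policy in BLOCK_RE.findall(hcl):
        rules.setdefault(kind, {})[prefix] = {"policy": policy}
    for key, value in SCALAR_RE.findall(BLOCK_RE.sub("", hcl)):
        rules[key] = value
    return rules

def acl_create_body(name: str, rules: dict, token_type: str = "client") -> str:
    """Serialize the PUT body; json.dumps emits the \\" escaping by itself."""
    nested = json.dumps(rules)  # Rules is a string holding the rule JSON
    return json.dumps({"Name": name, "Type": token_type, "Rules": nested}, indent=2)

def rules_from_body(body: str) -> dict:
    """Decode twice: once for the request body, once for the Rules string."""
    return json.loads(json.loads(body)["Rules"])

if __name__ == "__main__":
    print(acl_create_body("my-token", hcl_rules_to_json(SAMPLE_HCL)))
```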

Antoine Lang-Cavelier

Dec 8, 2015, 10:03:39 PM
to Consul
Hi Brian, thank you for your reply!

Armon Dadgar

Dec 8, 2015, 10:06:25 PM
to consu...@googlegroups.com
Hey,

You may want to look at the Cisco consul CLI tool as it makes the API nicer to work with: https://github.com/CiscoCloud/consul-cli

Best Regards,

Armon Dadgar

Sent from my iPhone