如何创建领事ACL,仅允许通过令牌访问kv-group?
[英]How to create consul ACL that allow access to kv-group only by token?
问题描述
I'm trying to understand Consul ACL system and it's looks impossible to create ACL that allow acces to some key only by token with default policy "allow": 
我正在尝试了解Consul ACL系统,并且似乎无法创建仅允许使用默认策略“ allow”通过令牌访问某些密钥的ACL:
user@server01:~$ cat /etc/consul/conf.d/acl.json
{
"acl_datacenter": "dc-example-com",
"acl_master_token": "00000000-1111-2222-3333-444444444444",
"acl_default_policy": "allow",
"acl_down_policy": "allow"
}
I created client rule in ACL Rules: 我在ACL规则中创建了客户端规则:
key "group1/" {
policy = "write"
}
I want consul to enable writings in v1/kv/group1/* only via token I've got by my new rule. 我希望领事只能通过新规则获得的令牌启用v1 / kv / group1 / *中的写作。
It's to hard just to change default_policy to deny, because it is production. 仅仅将default_policy更改为deny很难,因为它是生产环境。
1 个解决方案
解决方案1
0 已采纳 2018-02-27 16:19:16
Looks like, I've found the workaround: 看起来,我找到了解决方法:
Anonymous token:
key "group1/" {
policy = "deny"
}
acl_group1_allow:
key "group1/" {
policy = "write"
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.