diff --git a/website/content/api-docs/acl/roles.mdx b/website/content/api-docs/acl/roles.mdx index f76ab9e31..4c4766a32 100644 --- a/website/content/api-docs/acl/roles.mdx +++ b/website/content/api-docs/acl/roles.mdx @@ -50,7 +50,7 @@ The corresponding CLI command is [`consul acl role create`](/commands/acl/role/c breaking tokens. - `ServiceIdentities` `(array)` - The list of [service - identities](/docs/security/acl/acl-system#acl-service-identities) that should be + identities](/docs/security/acl#service-identities) that should be applied to the role. Added in Consul 1.5.0. - `ServiceName` `(string: )` - The name of the service. The name @@ -64,7 +64,7 @@ The corresponding CLI command is [`consul acl role create`](/commands/acl/role/c but may in the future. - `NodeIdentities` `(array)` - The list of [node - identities](/docs/security/acl/acl-system#acl-node-identities) that should be + identities](/docs/security/acl#node-identities) that should be applied to the role. Added in Consul 1.8.1. - `NodeName` `(string: )` - The name of the node. The name @@ -339,11 +339,11 @@ The corresponding CLI command is [`consul acl role update`](/commands/acl/role/u breaking tokens. - `ServiceIdentities` `(array)` - The list of [service - identities](/docs/security/acl/acl-system#acl-service-identities) that should be + identities](/docs/security/acl#service-identities) that should be applied to the role. Added in Consul 1.5.0. - `NodeIdentities` `(array)` - The list of [node - identities](/docs/security/acl/acl-system#acl-node-identities) that should be + identities](/docs/security/acl#node-identities) that should be applied to the role. Added in Consul 1.8.1. - `Namespace` `(string: "")` - Specifies the namespace of diff --git a/website/content/api-docs/acl/tokens.mdx b/website/content/api-docs/acl/tokens.mdx index 7afada637..4dd8e626b 100644 --- a/website/content/api-docs/acl/tokens.mdx +++ b/website/content/api-docs/acl/tokens.mdx @@ -62,7 +62,7 @@ The corresponding CLI command is [`consul acl token create`](/commands/acl/token enables role renaming without breaking tokens. Added in Consul 1.5.0. - `ServiceIdentities` `(array)` - The list of [service - identities](/docs/security/acl/acl-system#acl-service-identities) that should be + identities](/docs/security/acl#service-identities) that should be applied to the token. Added in Consul 1.5.0. - `ServiceName` `(string: )` - The name of the service. The name @@ -76,7 +76,7 @@ The corresponding CLI command is [`consul acl token create`](/commands/acl/token but may in the future. - `NodeIdentities` `(array)` - The list of [node - identities](/docs/security/acl/acl-system#acl-node-identities) that should be + identities](/docs/security/acl#node-identities) that should be applied to the token. Added in Consul 1.8.1. - `NodeName` `(string: )` - The name of the node. The name @@ -418,7 +418,7 @@ The corresponding CLI command is [`consul acl token update`](/commands/acl/token enables role renaming without breaking tokens. - `ServiceIdentities` `(array)` - The list of [service - identities](/docs/security/acl/acl-system#acl-service-identities) that should be + identities](/docs/security/acl#service-identities) that should be applied to the token. Added in Consul 1.5.0. - `ServiceName` `(string: )` - The name of the service. The name @@ -432,7 +432,7 @@ The corresponding CLI command is [`consul acl token update`](/commands/acl/token but may in the future. - `NodeIdentities` `(array)` - The list of [node - identities](/docs/security/acl/acl-system#acl-node-identities) that should be + identities](/docs/security/acl#node-identities) that should be applied to the token. Added in Consul 1.8.1. - `NodeName` `(string: )` - The name of the node. The name diff --git a/website/content/api-docs/index.mdx b/website/content/api-docs/index.mdx index 23b3456eb..84fd9ee55 100644 --- a/website/content/api-docs/index.mdx +++ b/website/content/api-docs/index.mdx @@ -44,7 +44,7 @@ Previously this was provided via a `?token=` query parameter. This functionality exists on many endpoints for backwards compatibility, but its use is **highly discouraged**, since it can show up in access logs as part of the URL. -To learn more about the ACL system read the [documentation](/docs/security/acl/acl-system). +To learn more about the ACL system read the [documentation](/docs/security/acl). ## Version Prefix diff --git a/website/content/commands/exec.mdx b/website/content/commands/exec.mdx index 8f91b6c91..4f992b1c9 100644 --- a/website/content/commands/exec.mdx +++ b/website/content/commands/exec.mdx @@ -40,7 +40,7 @@ execute this command. | `key:write` | `"_rexec"` prefix | | `event:write` | `"_rexec"` prefix | -In addition to the above, the policy associated with the [agent token](/docs/security/acl/acl-system#acl-agent-token) should have `write` on `"_rexec"` key prefix. This is for the agents to read the `exec` command and write its output back to the KV store. +In addition to the above, the policy associated with the [agent token](/docs/security/acl/acl-tokens#acl-agent-token) should have `write` on `"_rexec"` key prefix. This is for the agents to read the `exec` command and write its output back to the KV store. ## Usage diff --git a/website/content/commands/index.mdx b/website/content/commands/index.mdx index 47c4085b6..04be80f28 100644 --- a/website/content/commands/index.mdx +++ b/website/content/commands/index.mdx @@ -94,7 +94,7 @@ Command Options ## Authentication When the [ACL system is enabled](/docs/agent/options#acl_enabled) the Consul CLI will -require an [ACL token](/docs/security/acl/acl-system#tokens) to perform API requests. +require an [ACL token](/docs/security/acl#tokens) to perform API requests. The ACL token can be provided directly on the command line using the `-token` command line flag, from a file using the `-token-file` command line flag, or from the diff --git a/website/content/docs/discovery/dns.mdx b/website/content/docs/discovery/dns.mdx index 5e24f34da..891c14daa 100644 --- a/website/content/docs/discovery/dns.mdx +++ b/website/content/docs/discovery/dns.mdx @@ -488,14 +488,14 @@ or local datacenter respectively. ## DNS with ACLs In order to use the DNS interface when -[Access Control Lists (ACLs)](/docs/security/acl/acl-system) +[Access Control Lists (ACLs)](/docs/security/acl) are enabled, you must first create ACL tokens with the necessary policies. Consul agents resolve DNS requests using one of the preconfigured tokens below, listed in order of precedence: 1. The agent's [`default` token](/docs/agent/config/config-files#acl_tokens_default). -2. The built-in [`anonymous` token](/docs/security/acl/acl-system#builtin-tokens). +2. The built-in [`anonymous` token](/docs/security/acl/acl-tokens#built-in-tokens). Because the anonymous token is used when any request is made to Consul without explicitly specifying a token, production deployments should not apply policies needed for DNS to this token. diff --git a/website/content/docs/ecs/manual/secure-configuration.mdx b/website/content/docs/ecs/manual/secure-configuration.mdx index 1fc7345e7..330b6d5f0 100644 --- a/website/content/docs/ecs/manual/secure-configuration.mdx +++ b/website/content/docs/ecs/manual/secure-configuration.mdx @@ -57,7 +57,7 @@ names on ECS are not known until runtime. ### Create service tokens -Service tokens should be associated with a [service identity](https://www.consul.io/docs/security/acl/acl-system#acl-service-identities). +Service tokens should be associated with a [service identity](/docs/security/acl#service-identities). The service identity includes `service:write` permissions for the service and sidecar proxy. The following example shows how to use the Consul CLI to create a service token for a service named `example-client-app`: diff --git a/website/content/docs/enterprise/audit-logging.mdx b/website/content/docs/enterprise/audit-logging.mdx index ebe56bd86..a8d69fae2 100644 --- a/website/content/docs/enterprise/audit-logging.mdx +++ b/website/content/docs/enterprise/audit-logging.mdx @@ -138,7 +138,7 @@ is set to `OperationStart` which indicates the agent has begun processing the request. The value of the `payload.auth.accessor_id` field is the accessor ID of the -[ACL token](/docs/security/acl/acl-system#acl-tokens) which issued the request. +[ACL token](/docs/security/acl#tokens) which issued the request. diff --git a/website/content/docs/release-notes/consul/v1_11_x.mdx b/website/content/docs/release-notes/consul/v1_11_x.mdx index 6b764f977..2f10f0bb1 100644 --- a/website/content/docs/release-notes/consul/v1_11_x.mdx +++ b/website/content/docs/release-notes/consul/v1_11_x.mdx @@ -23,7 +23,7 @@ description: >- - The legacy ACL system that was deprecated in Consul 1.4.0 has been removed. Before upgrading you should verify that all tokens and policies have been migrated to the newer ACL system. See the [Migrate Legacy ACL Tokens Learn Guide](https://learn.hashicorp.com/tutorials/consul/access-control-token-migration) for more information. -- The `agent_master` ACL token has been renamed to `agent_recovery` ACL token. In addition, the `consul acl set-agent-token master` command has been replaced with `consul acl set-agent-token recovery`. See [ACL Agent Recovery Token](/docs/security/acl/acl-system#acl-agent-recovery-token) and [Consul ACL Set Agent Token](/commands/acl/set-agent-token) for more information. +- The `agent_master` ACL token has been renamed to `agent_recovery` ACL token. In addition, the `consul acl set-agent-token master` command has been replaced with `consul acl set-agent-token recovery`. See [ACL Agent Recovery Token](/docs/security/acl/acl-tokens#acl-agent-recovery-token) and [Consul ACL Set Agent Token](/commands/acl/set-agent-token) for more information. - Drops support for Envoy versions 1.15.x and 1.16.x diff --git a/website/content/docs/security/acl/acl-federated-datacenters.mdx b/website/content/docs/security/acl/acl-federated-datacenters.mdx index 045680ec2..0309452c2 100644 --- a/website/content/docs/security/acl/acl-federated-datacenters.mdx +++ b/website/content/docs/security/acl/acl-federated-datacenters.mdx @@ -180,12 +180,12 @@ $ consul join -token="ACL_MANAGEMENT_TOKEN" -wan [server 1, server 2, ...] ## Configure Clients in Secondary Datacenters -When ACLs are enabled, client agents need a special token known as the [`agent token`](/docs/security/acl/acl-system#acl-agent-token) to perform internal operations. Agent tokens need to have the right policies for node related actions, including +When ACLs are enabled, client agents need a special token known as the [`agent token`](/docs/security/acl/acl-tokens#acl-agent-token) to perform internal operations. Agent tokens need to have the right policies for node related actions, including registering itself in the catalog, updating node level health checks, and performing [anti-entropy](/docs/architecture/anti-entropy) syncing. ### Generate Agent ACL Token -[ACL Node Identities](/docs/security/acl/acl-system#acl-node-identities) were introduced +[ACL Node Identities](/docs/security/acl#node-identities) were introduced in Consul 1.8.1 and enable easily creating agent tokens with appropriately scoped policies. To generate the ACL token using node identity, run the following command: diff --git a/website/content/docs/security/acl/acl-legacy.mdx b/website/content/docs/security/acl/acl-legacy.mdx index 542d2bbef..051bd2439 100644 --- a/website/content/docs/security/acl/acl-legacy.mdx +++ b/website/content/docs/security/acl/acl-legacy.mdx @@ -10,12 +10,12 @@ description: >- # ACL System in Legacy Mode --> **1.3.0 and earlier:** This document only applies in Consul versions 1.3.0 and before. If you are using version 1.4.0 or later please use the updated documentation [here](/docs/security/acl/acl-system). +-> **1.3.0 and earlier:** This document only applies in Consul versions 1.3.0 and before. If you are using version 1.4.0 or later please use the updated documentation [here](/docs/security/acl). ~> **Alert: Deprecation Notice** The ACL system described here was Consul's original ACL implementation. The legacy ACL system was deprecated in Consul 1.4.0 and removed in Consul 1.11.0. -The documentation for the new ACL system can be found [here](/docs/security/acl/acl-system). For information on how to migrate to the new ACL System, please read the [Migrate Legacy ACL Tokens](https://learn.hashicorp.com/tutorials/consul/access-control-token-migration) tutorial. +The documentation for the new ACL system can be found [here](/docs/security/acl). For information on how to migrate to the new ACL System, please read the [Migrate Legacy ACL Tokens](https://learn.hashicorp.com/tutorials/consul/access-control-token-migration) tutorial. The legacy documentation has two sections. @@ -26,7 +26,7 @@ The legacy documentation has two sections. # New ACL System Differences -The [ACL System documentation](/docs/security/acl/acl-system) and [legacy ACL +The [ACL System documentation](/docs/security/acl) and [legacy ACL documentation](/docs/security/acl/acl-legacy) describes the new and old systems in detail. Below is a summary of the changes that need to be considered when migrating legacy tokens to the new system. diff --git a/website/content/docs/security/acl/acl-tokens.mdx b/website/content/docs/security/acl/acl-tokens.mdx index 89999008b..5cda4dfb1 100644 --- a/website/content/docs/security/acl/acl-tokens.mdx +++ b/website/content/docs/security/acl/acl-tokens.mdx @@ -13,13 +13,13 @@ This topic describes access control list (ACL) tokens, which are the core method Tokens are artifacts in the ACL system used to authenticate users, services, and Consul agents. When ACLs are enabled, entities requesting access to a resource must include a token that has been linked with a policy, service identity, or node identity that grants permission to the resource. The ACL system checks the token and grants or denies access to resource based on the associated permissions. -Refer to the [ACL system workflow overview](/docs/security/acl/acl-system#workflow-overview) for information about tokens' role in the ACL system. +Refer to the [ACL system workflow overview](/docs/security/acl#workflow-overview) for information about tokens' role in the ACL system. ## Creating Tokens The person responsible for administrating ACLs can use the API or CLI to create and link tokens to entities that enable permissions to resources. Refer to the [ACL API](/api-docs/acl) and [ACL CLI](/commands/acl) documentation for instructions on how to create and link tokens. Tokens can also be created dynamically from trusted external system using an -[auth method](/docs/security/acl/auth-methods). +[auth method](/docs/security/acl/auth-methods). Refer to the [Secure Consul with Access Control Lists (ACLs)](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production?in=consul/security) tutorial for help getting started with creating tokens. The tutorial includes an interactive sandbox so that you can perform the procedures without configuring your local environment. @@ -148,8 +148,8 @@ Refer to the [API](/api-docs/acl/token) or [command line](/commands/acl/token) d | `Namespace` | Specifies the name of the Consul namespace in which the token is valid. See [Namespaces](/docs/enterprise/namespaces) for additional information. | String | `default` | | `Description` | Human-readable description for documenting the purpose of the token. | String | none | | `Local` | Indicates whether the token should be replicated globally or local to the datacenter.
Set to `false` to replicate globally across all reachable datacenters.
Setting to `true` configures the token to functional in the local datacenter only. | Boolean | `false` | -| `ServiceIdentities` | Specifies a list of nodes to apply to the token. See [Service Identities](/docs/security/roles#service-identities) in the "Roles" topic for additional information. | Array | none | -| `NodeIdentities` | Specifies a list of nodes to apply to the token. See [Node Identities](/docs/security/roles##node-identities) in the "Roles" topic for additional information. | Array | none | +| `ServiceIdentities` | Specifies a list of nodes to apply to the token. See [Service Identities](/docs/security/acl/acl-roles#service-identities) in the "Roles" topic for additional information. | Array | none | +| `NodeIdentities` | Specifies a list of nodes to apply to the token. See [Node Identities](/docs/security/acl/acl-roles#node-identities) in the "Roles" topic for additional information. | Array | none | | `Legacy` | Indicates if the token was created using the the legacy ACL system. | Boolean | `false` | | `Policies` | List of policies linked to the token, including the policy ID and name. | String | none | diff --git a/website/content/docs/security/security-models/core.mdx b/website/content/docs/security/security-models/core.mdx index 80976e68c..398bd0548 100644 --- a/website/content/docs/security/security-models/core.mdx +++ b/website/content/docs/security/security-models/core.mdx @@ -170,7 +170,7 @@ environment and adapt these configurations accordingly. capabilities tied to an individual human, or machine operator identity. To ultimately secure the ACL system, administrators should configure the [`default_policy`](/docs/agent/config/config-files#acl_default_policy) to "deny". - The [system](/docs/security/acl/acl-system) is comprised of five major components: + The [system](/docs/security/acl) is comprised of five major components: - **🗝 Token** - API key associated with policies, roles, or service identities. diff --git a/website/redirects.js b/website/redirects.js index 3c8eb297d..51dfb4b88 100644 --- a/website/redirects.js +++ b/website/redirects.js @@ -47,12 +47,22 @@ module.exports = [ }, { source: '/docs/agent/acl-system', - destination: '/docs/security/acl/acl-system', + destination: '/docs/security/acl', permanent: true, }, { source: '/docs/acl/acl-system', - destination: '/docs/security/acl/acl-system', + destination: '/docs/security/acl', + permanent: true, + }, + { + source: '/docs/security/acl/acl-system', + destination: '/docs/security/acl', + permanent: true, + }, + { + source: '/docs/security/roles', + destination: '/docs/security/acl/acl-roles', permanent: true, }, { source: '/docs/agent/http', destination: '/api-docs', permanent: true }, @@ -1287,9 +1297,9 @@ module.exports = [ { source: '/docs/nia/release-notes/0-5-0', destination: '/docs/release-notes/consul-terraform-sync/v0_5_x', - permanent: true, + permanent: true, }, - { + { source: '/docs/api-gateway/api-gateway-usage', destination: '/docs/api-gateway/consul-api-gateway-install', permanent: true,