additional information about service and node ids

2022-02-18 14:46:29 -08:00 · 2022-02-18 14:46:29 -08:00 · 171685dc8e
parent 919f32270a
commit 171685dc8e
2 changed files with 272 additions and 39 deletions
--- a/website/content/docs/security/acl/acl-roles.mdx
+++ b/website/content/docs/security/acl/acl-roles.mdx
@ -70,65 +70,231 @@ Roles may contain the following table describe the attributes:

 <!-- -> Added in Consul 1.5.0 # Remove and lean on versioning?-->

-Service identities are methods for linking services that participate in a Consul service mesh to a policy.
-They are configurations added to a role that specifies a services that participate in a Consul service mesh and links them to a policy.
-Service identities are templates that provide privileges to _be discovered_ and to _discover other healthy service instances_ in a service mesh.
-See [Service Mesh](/docs/connect) for additional information about Consul service mesh.
+You can specify a service identity when configuring roles or linking tokens to policies. Service identities are used during the authorization process to automatically generate a policy for the service(s) specifed. The policy will be linked to the role or token so that the service(s) can _be discovered_ and _discover other healthy service instances_ in a service mesh. See [Service Mesh](/docs/connect) for additional information about Consul service mesh. Service identities enable you to quickly construct policies for services, rather than creating identical polices for each service.

-They are usable
-on both tokens and roles and are composed of the following elements:
+### Service Identity Specification

- **Service Name** - The name of the service.
- **Datacenters** - A list of datacenters the effective policy is valid within. (Optional)
+Use the following syntax to define a service identity:

-Suitable policies tend to all look nearly identical so a service identity is a policy
-template to aid in avoiding boilerplate policy creation.
+<CodeTabs>
+<CodeBlockConfig>

-During the authorization process, the configured service identity is automatically
-applied as a policy with the following preconfigured [ACL
-rules](/docs/acl/acl-system#acl-rules-and-scope):
+```json
+{
+  "ServiceIdentities": [
+    {
+      "ServiceName": "<service name>",
+      "Datacenters": ["<datacenter name>"]
+    }
+  ]
+}
+```
+
+</CodeBlockConfig>
+<CodeBlockConfig>
+
+```hcl
+"ServiceIdentities" = {
+  "ServiceName" = "<service name>"
+  "Datacenters" = ["<datacenter name>"]
+}
+```
+
+</CodeBlockConfig>
+</CodeTabs>
+
+- `ServiceIdentities`: Declares a service identity block.
+- `ServiceIdentities.ServiceName`: String value that specifies the name of the service you want to associate with the policy.
+- `ServiceIdentitites.Datacenters`: Array that specifies the names of datacenters in which the service identity applies. This field is optional.
+
+Refer to the the [API documentation for roles](/api/acl/roles#sample-payload) for additional information and examples.
+
+-> **Scope for Namespace and Admin Partition** - In Consul Enterprise, service identities inherit the namespace or admin partition scope of the corresponding ACL token or role.
+
+The following policy is generated for each service when a service identity is declared:

 ```hcl
 # Allow the service and its sidecar proxy to register into the catalog.
-service "<Service Name>" {
+service "<service name>" {
+    policy = "write"
+}
+service "<service name>-sidecar-proxy" {
+    policy = "write"
+}
+
+# Allow for any potential upstreams to be resolved.
+service_prefix "" {
+    policy = "read"
+}
+node_prefix "" {
+    policy = "read"
+}
+
+```
+
+Refer to the [rules reference](/docs/security/acl/acl-rules) for information about the rules in the policy.
+
+### Example
+
+The following role configuration contains service identities for the `web` and `db` services. Note that the `db` service is also scoped to the `dc1` datacenter so that the policy will only be applied to instances of `db` in `dc1`.
+
+<CodeTabs>
+<CodeBlockConfig filename="example-role.hcl">
+
+```hcl
+"Description" = "Showcases all input parameters"
+"Name" = "example-role"
+"Policies" = {
+  "ID" = "783beef3-783f-f41f-7422-7087dc272765"
+}
+"Policies" = {
+  "Name" = "node-read"
+}
+"ServiceIdentities" = {
+  "ServiceName" = "web"
+}
+"ServiceIdentities" = {
+  "Datacenters" = ["dc1"]
+  "ServiceName" = "db"
+}
+```
+
+</CodeBlockConfig>
+<CodeBlockConfig filename="example-role.json">
+
+```json
+{
+  "Name": "example-role",
+  "Description": "Showcases all input parameters",
+  "Policies": [
+    {
+      "ID": "783beef3-783f-f41f-7422-7087dc272765"
+    },
+    {
+      "Name": "node-read"
+    }
+  ],
+  "ServiceIdentities": [
+    {
+      "ServiceName": "web"
+    },
+    {
+      "ServiceName": "db",
+      "Datacenters": ["dc1"]
+    }
+  ],
+  "NodeIdentities": [
+    {
+      "NodeName": "node-1",
+      "Datacenter": "dc2"
+    }
+  ]
+}
+```
+
+</CodeBlockConfig>
+</CodeTabs>
+
+During the authorization process, the following policies for the `web` and `db` services will be generated and linked to the token:
+
+<CodeBlockConfig filename="web-policy.hcl">
+
+```hcl
+# Allow the service and its sidecar proxy to register into the catalog.
+service "web" {
 	policy = "write"
 }
-service "<Service Name>-sidecar-proxy" {
+service "web-sidecar-proxy" {
 	policy = "write"
 }

 # Allow for any potential upstreams to be resolved.
 service_prefix "" {
-	policy = "read"
+    policy = "read"
 }
 node_prefix "" {
-	policy = "read"
+    policy = "read"
 }
 ```

-The [API documentation for roles](/api/acl/roles#sample-payload) has some
-examples of using a service identity.
+</CodeBlockConfig>

-> **Service Scope for Namespace and Admin Partition** - Service identity rules in Consul Enterprise are scoped to the namespace or admin partition within which the corresponding ACL token or role resides.
+Per the `ServiceIdentitites.Datacenters` configuration, the `db` policy is scoped to resources in the `dc1` datacenter.
+
+<CodeBlockConfig filename="db-policy.hcl">
+
+```hcl
+# Allow the service and its sidecar proxy to register into the catalog.
+service "db" {
+	policy = "write"
+}
+service "db-sidecar-proxy" {
+	policy = "write"
+}
+
+# Allow for any potential upstreams to be resolved.
+service_prefix "" {
+    policy = "read"
+}
+node_prefix "" {
+    policy = "read"
+}
+```
+
+</CodeBlockConfig>

 ## Node Identities

-> Added in Consul 1.8.1
+<!-- -> Added in Consul 1.8.1 -- remove and lean on doc version? -->

-An ACL node identity is an [ACL policy](/docs/acl/acl-system#policies) template for expressing a link to a policy
-suitable for use as an [Consul `agent` token](/docs/agent/options#acl_tokens_agent). They are usable
-on both tokens and roles and are composed of the following elements:
+You can specify a node identity when configuring roles or linking tokens to policies. Node identities are used during the authorization process to automatically generate a policy for the node(s) specifed. In most cases, "node" refers to a Consul agent.

- **Node Name** - The name of the node to grant access to.
- **Datacenter** - The datacenter that the node resides within.
+You can specify the token linked to the policy in the [`acl_tokens_agent`](/docs/agent/options#acl_tokens_agent) field when configuring the agent. Node identities enable you to quickly construct policies for nodes, rather than creating identical polices for each node.

-During the authorization process, the configured node identity is automatically
-applied as a policy with the following preconfigured [ACL
-rules](/docs/acl/acl-system#acl-rules-and-scope):
+### Node Identity Specification
+
+Use the following syntax to define a node identity:
+
+<CodeTabs>
+<CodeBlockConfig>
+
+```json
+{
+  "NodeIdentities": [
+    {
+      "NodeName": "<node name>",
+      "Datacenters": ["<datacenter name>"]
+    }
+  ]
+}
+```
+
+</CodeBlockConfig>
+<CodeBlockConfig>
+
+```hcl
+"NodeIdentities" = {
+  "NodeName" = "<node name>"
+  "Datacenters" = ["<datacenter name>"]
+}
+```
+
+</CodeBlockConfig>
+</CodeTabs>
+
+- `NodeIdentities`: Declares a node identity block.
+- `NodeIdentities.ServiceName`: String value that specifies the name of the node you want to associate with the policy.
+- `NodeIdentitites.Datacenters`: Array that specifies the names of datacenters in which the node identity applies. This field is optional.
+
+Refer to the the [API documentation for roles](/api/acl/roles#sample-payload) for additional information and examples.
+
+-> **Consul Enterprise Namespacing** - Node Identities can only be applied to tokens and roles in the `default` namespace. The generated policy rules allow for `service:read` permissions on all services in all namespaces.
+
+The following policy is generated for each node when a node identity is declared:

 ```hcl
 # Allow the agent to register its own node in the Catalog and update its network coordinates
-node "<Node Name>" {
+node "<node name>" {
  policy = "write"
 }

@ -140,5 +306,73 @@ service_prefix "" {
 }
 ```

-> **Consul Enterprise Namespacing** - Node Identities can only be applied to tokens and roles in the `default` namespace.
-The synthetic policy rules allow for `service:read` permissions on all services in all namespaces.
+Refer to the [rules reference](/docs/security/acl/acl-rules) for information about the rules in the policy.
+
+### Example
+
+The following role configuration contains a node identity for `node-1`. Note that the node identity is also scoped to the `dc2` datacenter. As a result, the policy will only be applied to nodes named `node-1` in `dc2`.
+
+<CodeTabs>
+<CodeBlockConfig filename="example-role.hcl">
+
+```hcl
+"Description" = "Showcases all input parameters"
+"Name" = "example-role"
+"NodeIdentities" = {
+  "Datacenter" = "dc2"
+  "NodeName" = "node-1",
+}
+"Policies" = {
+  "ID" = "783beef3-783f-f41f-7422-7087dc272765"
+}
+"Policies" = {
+  "Name" = "node-read"
+}
+```
+
+</CodeBlockConfig>
+<CodeBlockConfig filename="example-role.json">
+
+```json
+{
+  "Name": "example-role",
+  "Description": "Showcases all input parameters",
+  "Policies": [
+    {
+      "ID": "783beef3-783f-f41f-7422-7087dc272765"
+    },
+    {
+      "Name": "node-read"
+    }
+  ],
+  "NodeIdentities": [
+    {
+      "NodeName": "node-1",
+      "Datacenter": "dc2"
+    }
+  ]
+}
+```
+
+</CodeBlockConfig>
+</CodeTabs>
+
+During the authorization process, the following policy will be generated and linked to the token:
+
+<CodeBlockConfig filename="node-1-policy.hcl">
+
+```hcl
+# Allow the agent to register its own node in the Catalog and update its network coordinates
+node "node-1" {
+  policy = "write"
+}
+
+# Allows the agent to detect and diff services registered to itself. This is used during
+# anti-entropy to reconcile difference between the agents knowledge of registered
+# services and checks in comparison with what is known in the Catalog.
+service_prefix "" {
+  policy = "read"
+}
+```
+
+</CodeBlockConfig>
--- a/website/content/docs/security/acl/acl-system.mdx
+++ b/website/content/docs/security/acl/acl-system.mdx
@ -69,21 +69,20 @@ Refer to the [Roles](/docs/security/acl/acl-roles) topic for additional informat

 ## Service Identities

-An ACL service identity is an ACL policy template for expressing a link to a policy suitable for use in a [service mesh](/docs/connect).
+Service identities are configuration blocks that you can add to role configurations or specify when linking tokens to policies. The are used during the authorization process to automatically generate a policy for the service(s) specifed. The policy will be linked to the role or token so that the service(s) can _be discovered_ and _discover other healthy service instances_ in a service mesh.

-Services participating in the service mesh will need privileges to both _be discovered_ and to _discover other healthy service instances_. Suitable
-policies tend to all look nearly identical so a service identity is a policy template to aid in avoiding boilerplate policy creation.
+Service identities enable you to quickly construct policies for services, rather than creating identical polices for each service.

-Service identities can be used in tokens and roles. Refer to the following topics for additional information about service identities:
+Refer to the following topics for additional information about service identities:

 - [Service Identities](/docs/security/acl/acl-roles#service-identities)
 - [API documentation for roles](/api/acl/roles#sample-payload)

 ## Node Identities

-A node identity is a template that can be configured in tokens and roles.
-They link nodes to policies suitable for use as an [Consul `agent` token](/docs/agent/options#acl_tokens_agent).
-During the authorization process, the configured node identity is automatically applied as a policy.
+Node identities are configuration blocks that you can add to role configurations or specify when linking tokens to policies. The are used during the authorization process to automatically generate a policy for the node(s) specifed. You can specify the token linked to the policy in the [`acl_tokens_agent`](/docs/agent/options#acl_tokens_agent) field when configuring the agent.
+
+Node identities enable you to quickly construct policies for nodes, rather than creating identical polices for each service.

 Refer to the following topics for additional information about node identities: