From 24ea879264b3be111935e2c040aa228c0346256c Mon Sep 17 00:00:00 2001 From: Matt Siegel Date: Tue, 11 Jan 2022 09:41:54 -0500 Subject: [PATCH] Added some missing ACL info, updated details around some permissions, added missing HTTP API refs --- website/content/commands/acl/policy/read.mdx | 2 +- website/content/commands/config/delete.mdx | 19 +++++++++++++--- website/content/commands/config/list.mdx | 19 +++++++++++++--- website/content/commands/config/read.mdx | 19 +++++++++++++--- website/content/commands/config/write.mdx | 22 ++++++++++++++++--- website/content/commands/intention/check.mdx | 17 ++++++++++++++ website/content/commands/intention/create.mdx | 15 ++++++++++--- website/content/commands/intention/delete.mdx | 17 ++++++++++---- website/content/commands/intention/get.mdx | 17 ++++++++++---- website/content/commands/intention/list.mdx | 17 ++++++++++++++ website/content/commands/intention/match.mdx | 15 ++++++++++--- website/content/commands/keyring.mdx | 13 +++++++++++ website/content/commands/kv/export.mdx | 8 +++++++ website/content/commands/kv/import.mdx | 8 +++++++ website/content/commands/namespace/list.mdx | 9 +++++--- website/content/commands/namespace/read.mdx | 9 +++++--- website/content/commands/namespace/write.mdx | 8 +++++++ website/content/commands/rtt.mdx | 10 ++++++--- 18 files changed, 208 insertions(+), 36 deletions(-) diff --git a/website/content/commands/acl/policy/read.mdx b/website/content/commands/acl/policy/read.mdx index 0b9bdf45d..0f45b18cb 100644 --- a/website/content/commands/acl/policy/read.mdx +++ b/website/content/commands/acl/policy/read.mdx 
@@ -7,7 +7,7 @@ page_title: 'Commands: ACL Policy Read' Command: `consul acl policy read` -Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/policy/:id](/api-docs/acl/policies#read-a-policy) +Corresponding HTTP API Endpoints: [\[GET\] /v1/acl/policy/:id](/api-docs/acl/policies#read-a-policy), [\[GET\] /v1/acl/policy/name/:name](/api-docs/acl/policies#read-a-policy-by-name) The `acl policy read` command reads and displays a policies details. diff --git a/website/content/commands/config/delete.mdx b/website/content/commands/config/delete.mdx index fb3b6e553..a869d17aa 100644 --- a/website/content/commands/config/delete.mdx +++ b/website/content/commands/config/delete.mdx @@ -17,9 +17,22 @@ The table below shows this command's [required ACLs](/api#authentication). Confi [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. -| ACL Required | -| ----------------------------------- | -| `service:write` or `operator:write` | +| ACL Required1 | +| ------------------------------------------------------------- | +| `service:write`
`operator:write`
`intentions:write` | + +1 The ACL required depends on the config entry kind being deleted: + +| Config Entry Kind | Required ACL | +| ------------------- | ------------------ | +| ingress-gateway | `operator:write` | +| proxy-defaults | `operator:write` | +| service-defaults | `service:write` | +| service-intentions | `intentions:write` | +| service-resolver | `service:write` | +| service-router | `service:write` | +| service-splitter | `service:write` | +| terminating-gateway | `operator:write ` | ## Usage diff --git a/website/content/commands/config/list.mdx b/website/content/commands/config/list.mdx index 26e3ab203..a2e5a7c49 100644 --- a/website/content/commands/config/list.mdx +++ b/website/content/commands/config/list.mdx @@ -17,9 +17,22 @@ The table below shows this command's [required ACLs](/api#authentication). Confi [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. -| ACL Required | -| -------------- | -| `service:read` | +| ACL Required1 | +| ------------------------------------- | +| `service:read`
`intentions:read` | + +1 The ACL required depends on the config entry kind being read: + +| Config Entry Kind | Required ACL | +| ------------------- | ----------------- | +| ingress-gateway | `service:read` | +| proxy-defaults | `` | +| service-defaults | `service:read` | +| service-intentions | `intentions:read` | +| service-resolver | `service:read` | +| service-router | `service:read` | +| service-splitter | `service:read` | +| terminating-gateway | `service:read` | ## Usage diff --git a/website/content/commands/config/read.mdx b/website/content/commands/config/read.mdx index c1984d48b..3df4009b3 100644 --- a/website/content/commands/config/read.mdx +++ b/website/content/commands/config/read.mdx @@ -18,9 +18,22 @@ The table below shows this command's [required ACLs](/api#authentication). Confi [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. -| ACL Required | -| -------------- | -| `service:read` | +| ACL Required1 | +| ------------------------------------- | +| `service:read`
`intentions:read` | + +1 The ACL required depends on the config entry kind being read: + +| Config Entry Kind | Required ACL | +| ------------------- | ----------------- | +| ingress-gateway | `service:read` | +| proxy-defaults | `` | +| service-defaults | `service:read` | +| service-intentions | `intentions:read` | +| service-resolver | `service:read` | +| service-router | `service:read` | +| service-splitter | `service:read` | +| terminating-gateway | `service:read` | ## Usage diff --git a/website/content/commands/config/write.mdx b/website/content/commands/config/write.mdx index 5677a5db8..d577999b4 100644 --- a/website/content/commands/config/write.mdx +++ b/website/content/commands/config/write.mdx @@ -17,9 +17,25 @@ The table below shows this command's [required ACLs](/api#authentication). Confi [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. -| ACL Required | -| ----------------------------------- | -| `service:write` or `operator:write` | +| ACL Required1 | +| ------------------------------------------------------------- | +| `service:write`
`operator:write`
`intentions:write` | + +

+ 1 The actual ACL required depends on the config entry kind being + updated: +

+ +| Config Entry Kind | Required ACL | +| ------------------- | ------------------ | +| ingress-gateway | `operator:write` | +| proxy-defaults | `operator:write` | +| service-defaults | `service:write` | +| service-intentions | `intentions:write` | +| service-resolver | `service:write` | +| service-router | `service:write` | +| service-splitter | `service:write` | +| terminating-gateway | `operator:write` | ## Usage diff --git a/website/content/commands/intention/check.mdx b/website/content/commands/intention/check.mdx index 21cb33422..a8641b653 100644 --- a/website/content/commands/intention/check.mdx +++ b/website/content/commands/intention/check.mdx @@ -23,6 +23,23 @@ intention read permissions and don't evaluate the result. defined as _deny_ intentions during evaluation, as this endpoint is only suited for networking layer 4 (e.g. TCP) integration. +The table below shows this command's [required ACLs](/api#authentication). Configuration of +[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) +are not supported from commands, but may be from the corresponding HTTP endpoint. + +| ACL Required | +| ----------------------------- | +| `intentions:read`1 | + +

+ 1 Intention ACL rules are specified as part of a{' '} + service rule. See{' '} + + Intention Management Permissions + {' '} + for more details. +

+ ## Usage Usage: `consul intention check [options] SRC DST` diff --git a/website/content/commands/intention/create.mdx b/website/content/commands/intention/create.mdx index 505fbe970..37b70b92b 100644 --- a/website/content/commands/intention/create.mdx +++ b/website/content/commands/intention/create.mdx @@ -21,9 +21,18 @@ The table below shows this command's [required ACLs](/api#authentication). Confi [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. -| ACL Required | -| ------------------ | -| `intentions:write` | +| ACL Required | +| ------------------------------ | +| `intentions:write`1 | + +

+ 1 Intention ACL rules are specified as part of a{' '} + service rule. See{' '} + + Intention Management Permissions + {' '} + for more details. +

## Usage diff --git a/website/content/commands/intention/delete.mdx b/website/content/commands/intention/delete.mdx index 07f4a95fe..d2b58545e 100644 --- a/website/content/commands/intention/delete.mdx +++ b/website/content/commands/intention/delete.mdx @@ -7,7 +7,7 @@ page_title: 'Commands: Intention Delete' Command: `consul intention delete` -Corresponding HTTP API Endpoint: [\[DELETE\] /v1/connect/intentions/exact](/api-docs/connect/intentions#delete-intention-by-name) +Corresponding HTTP API Endpoints: [\[DELETE\] /v1/connect/intentions/exact](/api-docs/connect/intentions#delete-intention-by-name), [\[DELETE\] /v1/connect/intentions/:uuid](/api-docs/connect/intentions#delete-intention-by-id) The `intention delete` command deletes a matching intention. @@ -15,9 +15,18 @@ The table below shows this command's [required ACLs](/api#authentication). Confi [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. -| ACL Required | -| ------------------ | -| `intentions:write` | +| ACL Required | +| ------------------------------ | +| `intentions:write`1 | + +

+ 1 Intention ACL rules are specified as part of a{' '} + service rule. See{' '} + + Intention Management Permissions + {' '} + for more details. +

-> **Deprecated** - The one argument form of this command is deprecated in Consul 1.9.0. Intentions no longer need IDs when represented as diff --git a/website/content/commands/intention/get.mdx b/website/content/commands/intention/get.mdx index 438358b66..b1252a1b4 100644 --- a/website/content/commands/intention/get.mdx +++ b/website/content/commands/intention/get.mdx @@ -7,7 +7,7 @@ page_title: 'Commands: Intention Get' Command: `consul intention get` -Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions/exact](/api-docs/connect/intentions##read-specific-intention-by-name) +Corresponding HTTP API Endpoints: [\[GET\] /v1/connect/intentions/exact](/api-docs/connect/intentions#read-specific-intention-by-name), [\[GET\] /v1/connect/intentions/:uuid](/api-docs/connect/intentions#read-specific-intention-by-id) The `intention get` command shows a single intention. @@ -20,9 +20,18 @@ The table below shows this command's [required ACLs](/api#authentication). Confi [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. -| ACL Required | -| ----------------- | -| `intentions:read` | +| ACL Required | +| ----------------------------- | +| `intentions:read`1 | + +

+ 1 Intention ACL rules are specified as part of a{' '} + service rule. See{' '} + + Intention Management Permissions + {' '} + for more details. +

## Usage diff --git a/website/content/commands/intention/list.mdx b/website/content/commands/intention/list.mdx index e3d546877..03dd93248 100644 --- a/website/content/commands/intention/list.mdx +++ b/website/content/commands/intention/list.mdx @@ -11,6 +11,23 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions](/api-docs/conn The `intention list` command shows all intentions including ID and precedence. +The table below shows this command's [required ACLs](/api#authentication). Configuration of +[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) +are not supported from commands, but may be from the corresponding HTTP endpoint. + +| ACL Required | +| ----------------------------- | +| `intentions:read`1 | + +

+ 1 Intention ACL rules are specified as part of a{' '} + service rule. See{' '} + + Intention Management Permissions + {' '} + for more details. +

+ ## Usage Usage: diff --git a/website/content/commands/intention/match.mdx b/website/content/commands/intention/match.mdx index ee587cb5c..49694551a 100644 --- a/website/content/commands/intention/match.mdx +++ b/website/content/commands/intention/match.mdx @@ -20,9 +20,18 @@ The table below shows this command's [required ACLs](/api#authentication). Confi [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. -| ACL Required | -| ----------------- | -| `intentions:read` | +| ACL Required | +| ----------------------------- | +| `intentions:read`1 | + +

+ 1 Intention ACL rules are specified as part of a{' '} + service rule. See{' '} + + Intention Management Permissions + {' '} + for more details. +

## Usage diff --git a/website/content/commands/keyring.mdx b/website/content/commands/keyring.mdx index 84283a05c..0d50260f9 100644 --- a/website/content/commands/keyring.mdx +++ b/website/content/commands/keyring.mdx @@ -29,6 +29,19 @@ All variations of the `keyring` command return 0 if all nodes reply and there are no errors. If any node fails to reply or reports failure, the exit code will be 1. +The table below shows this command's [required ACLs](/api#authentication). Configuration of +[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) +are not supported from commands, but may be from the corresponding HTTP endpoint. + +| ACL Required1 | +| ----------------------------------- | +| `keyring:read`
`keyring:write` | + +

+ 1 The actual ACL required depends on the flags being used in the + command. +

+ ## Usage Usage: `consul keyring [options]` diff --git a/website/content/commands/kv/export.mdx b/website/content/commands/kv/export.mdx index ce6f1e6bf..97f675966 100644 --- a/website/content/commands/kv/export.mdx +++ b/website/content/commands/kv/export.mdx @@ -12,6 +12,14 @@ prefix from Consul's KV store, and write a JSON representation to stdout. This can be used with the command "consul kv import" to move entire trees between Consul clusters. +The table below shows this command's [required ACLs](/api#authentication). Configuration of +[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) +are not supported from commands, but may be from the corresponding HTTP endpoint. + +| ACL Required | +| ------------ | +| `key:read` | + ## Usage Usage: `consul kv export [options] [PREFIX]` diff --git a/website/content/commands/kv/import.mdx b/website/content/commands/kv/import.mdx index 6c5f1f1ee..ab9acf229 100644 --- a/website/content/commands/kv/import.mdx +++ b/website/content/commands/kv/import.mdx @@ -10,6 +10,14 @@ Command: `consul kv import` The `kv import` command is used to import KV pairs from the JSON representation generated by the `kv export` command. +The table below shows this command's [required ACLs](/api#authentication). Configuration of +[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) +are not supported from commands, but may be from the corresponding HTTP endpoint. + +| ACL Required | +| ------------ | +| `key:write` | + ## Usage Usage: `consul kv import [options] [DATA]` diff --git a/website/content/commands/namespace/list.mdx b/website/content/commands/namespace/list.mdx index 037ef1369..1ce45328c 100644 --- a/website/content/commands/namespace/list.mdx +++ b/website/content/commands/namespace/list.mdx 
@@ -20,9 +20,12 @@ The table below shows this command's [required ACLs](/api#authentication). Confi [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. -| ACL Required | -| ------------------------------------- | -| `operator:read` or `namespace:* read` | +| ACL Required | +| ------------------------------------------------- | +| `operator:read` or `namespace:*:read`1 | + +1 Access can be granted to list the Namespace if the token used when making +the request has been granted any access in the namespace (read, list or write). ## Usage diff --git a/website/content/commands/namespace/read.mdx b/website/content/commands/namespace/read.mdx index bf31cd228..b008977b7 100644 --- a/website/content/commands/namespace/read.mdx +++ b/website/content/commands/namespace/read.mdx @@ -19,9 +19,12 @@ The table below shows this command's [required ACLs](/api#authentication). Confi [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. -| ACL Required | -| ------------------------------------- | -| `operator:read` or `namespace:* read` | +| ACL Required | +| ------------------------------------------------- | +| `operator:read` or `namespace:*:read`1 | + +1 Access can be granted to list the Namespace if the token used when making +the request has been granted any access in the namespace (read, list or write). ## Usage diff --git a/website/content/commands/namespace/write.mdx b/website/content/commands/namespace/write.mdx index f9e533f14..1fe3e5d69 100644 --- a/website/content/commands/namespace/write.mdx +++ b/website/content/commands/namespace/write.mdx 
@@ -13,6 +13,14 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/namespace/:name](/api-docs/namespa This `namespace write` command creates or updates a namespace's configuration from its full definition. This was added in Consul Enterprise 1.7.0. +The table below shows this command's [required ACLs](/api#authentication). Configuration of +[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) +are not supported from commands, but may be from the corresponding HTTP endpoint. + +| ACL Required | +| ---------------- | +| `operator:write` | + ## Usage Usage: `consul namespace write ` diff --git a/website/content/commands/rtt.mdx b/website/content/commands/rtt.mdx index 926e08570..9eed062c9 100644 --- a/website/content/commands/rtt.mdx +++ b/website/content/commands/rtt.mdx @@ -21,9 +21,13 @@ The table below shows this command's [required ACLs](/api#authentication). Confi [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) are not supported from commands, but may be from the corresponding HTTP endpoint. -| ACL Required | -| ------------ | -| `node:read` | +| ACL Required | +| ----------------------- | +| `node:read`1 | + +

+ 1 When referencing WAN coordinates, no ACL permission is needed. +

## Usage
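Review bot: in website/content/commands/config/delete.mdx, the `terminating-gateway` row of the new kind table has a trailing space inside the code span (`operator:write `); remove it so the value matches the same row in config/write.mdx and can be copied into a policy as-is. The footnote wording also differs between the config pages ("The ACL required depends on" in delete, list and read; "The actual ACL required depends on" in write); use one phrasing for all four.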
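Review bot: the `proxy-defaults` row in the kind tables added to config/list.mdx and config/read.mdx has an empty code span in the Required ACL column. If reading that kind needs no ACL, state that in words, the way the rtt.mdx footnote does for WAN coordinates; otherwise fill in the permission. An empty cell leaves anyone writing a least-privilege policy to guess. In list.mdx the footnote also says "being read", which was carried over from read.mdx; "being listed" would match the command.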
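Review bot: in namespace/list.mdx and namespace/read.mdx the table cell says `operator:read` or `namespace:*:read`, but the new footnote says any access in the namespace (read, list or write) is enough, so the cell and the footnote state different requirements. Reword one of them so the minimum grant is unambiguous. The footnote in read.mdx also says "to list the Namespace", which looks copied from list.mdx; it should say "read".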
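Review bot: the footnote added to keyring.mdx says the ACL "depends on the flags being used in the command" but does not say which flags need `keyring:read` and which need `keyring:write`. Add a flag-to-ACL table like the Config Entry Kind tables in the config pages, so operators can grant read-only keyring access where that is all a token needs.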
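Review bot: the same intention footnote ("Intention ACL rules are specified as part of a service rule. See Intention Management Permissions for more details.") is pasted into six files (intention/check, create, delete, get, list and match), each copy with its own `{' '}` spacers. If the docs build supports a shared include, move the footnote there; otherwise the copies will drift the next time the wording or link changes. In check.mdx and list.mdx the footnote marker sits on the permission inside the cell while the config pages put it on the column header; pick one placement.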