luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

Added some missing ACL info, updated details around some permissions, added missing HTTP API refs

This commit is contained in:
Matt Siegel 2022-01-11 09:41:54 -05:00
parent 079f27ee52
commit 24ea879264
18 changed files with 208 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
website/content/commands/acl/policy/read.mdx
View File

@ -7,7 +7,7 @@ page_title: 'Commands: ACL Policy Read'
Command: `consul acl policy read` Command: `consul acl policy read`
Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/policy/:id](/api-docs/acl/policies#read-a-policy) Corresponding HTTP API Endpoints: [\[GET\] /v1/acl/policy/:id](/api-docs/acl/policies#read-a-policy), [\[GET\] /v1/acl/policy/name/:name](/api-docs/acl/policies#read-a-policy-by-name)
The `acl policy read` command reads and displays a policies details. The `acl policy read` command reads and displays a policies details.

19
website/content/commands/config/delete.mdx
View File

@ -17,9 +17,22 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required<sup>1</sup> |
| ----------------------------------- | | ------------------------------------------------------------- |
| `service:write` or `operator:write` | | `service:write`<br />`operator:write`<br />`intentions:write` |
<sup>1</sup> The ACL required depends on the config entry kind being deleted:
| Config Entry Kind | Required ACL |
| ------------------- | ------------------ |
| ingress-gateway | `operator:write` |
| proxy-defaults | `operator:write` |
| service-defaults | `service:write` |
| service-intentions | `intentions:write` |
| service-resolver | `service:write` |
| service-router | `service:write` |
| service-splitter | `service:write` |
| terminating-gateway | `operator:write ` |
## Usage ## Usage

19
website/content/commands/config/list.mdx
View File

@ -17,9 +17,22 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required<sup>1</sup> |
| -------------- | | ------------------------------------- |
| `service:read` | | `service:read`<br />`intentions:read` |
<sup>1</sup> The ACL required depends on the config entry kind being read:
| Config Entry Kind | Required ACL |
| ------------------- | ----------------- |
| ingress-gateway | `service:read` |
| proxy-defaults | `<none>` |
| service-defaults | `service:read` |
| service-intentions | `intentions:read` |
| service-resolver | `service:read` |
| service-router | `service:read` |
| service-splitter | `service:read` |
| terminating-gateway | `service:read` |
## Usage ## Usage

19
website/content/commands/config/read.mdx
View File

@ -18,9 +18,22 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required<sup>1</sup> |
| -------------- | | ------------------------------------- |
| `service:read` | | `service:read`<br />`intentions:read` |
<sup>1</sup> The ACL required depends on the config entry kind being read:
| Config Entry Kind | Required ACL |
| ------------------- | ----------------- |
| ingress-gateway | `service:read` |
| proxy-defaults | `<none>` |
| service-defaults | `service:read` |
| service-intentions | `intentions:read` |
| service-resolver | `service:read` |
| service-router | `service:read` |
| service-splitter | `service:read` |
| terminating-gateway | `service:read` |
## Usage ## Usage

22
website/content/commands/config/write.mdx
View File

@ -17,9 +17,25 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching) [blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required<sup>1</sup> |
| ----------------------------------- | | ------------------------------------------------------------- |
| `service:write` or `operator:write` | | `service:write`<br />`operator:write`<br />`intentions:write` |
<p>
<sup>1</sup> The actual ACL required depends on the config entry kind being
updated:
</p>
| Config Entry Kind | Required ACL |
| ------------------- | ------------------ |
| ingress-gateway | `operator:write` |
| proxy-defaults | `operator:write` |
| service-defaults | `service:write` |
| service-intentions | `intentions:write` |
| service-resolver | `service:write` |
| service-router | `service:write` |
| service-splitter | `service:write` |
| terminating-gateway | `operator:write` |
## Usage ## Usage

17
website/content/commands/intention/check.mdx
View File

@ -23,6 +23,23 @@ intention read permissions and don't evaluate the result.
defined as _deny_ intentions during evaluation, as this endpoint is only suited defined as _deny_ intentions during evaluation, as this endpoint is only suited
for networking layer 4 (e.g. TCP) integration. for networking layer 4 (e.g. TCP) integration.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ----------------------------- |
| `intentions:read`<sup>1</sup> |
<p>
<sup>1</sup> Intention ACL rules are specified as part of a{' '}
<code>service</code> rule. See{' '}
<a href="/docs/connect/intentions#intention-management-permissions">
Intention Management Permissions
</a>{' '}
for more details.
</p>
## Usage ## Usage
Usage: `consul intention check [options] SRC DST` Usage: `consul intention check [options] SRC DST`

13
website/content/commands/intention/create.mdx
View File

@ -22,8 +22,17 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ------------------ | | ------------------------------ |
| `intentions:write` | | `intentions:write`<sup>1</sup> |
<p>
<sup>1</sup> Intention ACL rules are specified as part of a{' '}
<code>service</code> rule. See{' '}
<a href="/docs/connect/intentions#intention-management-permissions">
Intention Management Permissions
</a>{' '}
for more details.
</p>
## Usage ## Usage

15
website/content/commands/intention/delete.mdx
View File

@ -7,7 +7,7 @@ page_title: 'Commands: Intention Delete'
Command: `consul intention delete` Command: `consul intention delete`
Corresponding HTTP API Endpoint: [\[DELETE\] /v1/connect/intentions/exact](/api-docs/connect/intentions#delete-intention-by-name) Corresponding HTTP API Endpoints: [\[DELETE\] /v1/connect/intentions/exact](/api-docs/connect/intentions#delete-intention-by-name), [\[DELETE\] /v1/connect/intentions/:uuid](/api-docs/connect/intentions#delete-intention-by-id)
The `intention delete` command deletes a matching intention. The `intention delete` command deletes a matching intention.
@ -16,8 +16,17 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ------------------ | | ------------------------------ |
| `intentions:write` | | `intentions:write`<sup>1</sup> |
<p>
<sup>1</sup> Intention ACL rules are specified as part of a{' '}
<code>service</code> rule. See{' '}
<a href="/docs/connect/intentions#intention-management-permissions">
Intention Management Permissions
</a>{' '}
for more details.
</p>
-> **Deprecated** - The one argument form of this command is deprecated in -> **Deprecated** - The one argument form of this command is deprecated in
Consul 1.9.0. Intentions no longer need IDs when represented as Consul 1.9.0. Intentions no longer need IDs when represented as

15
website/content/commands/intention/get.mdx
View File

@ -7,7 +7,7 @@ page_title: 'Commands: Intention Get'
Command: `consul intention get` Command: `consul intention get`
Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions/exact](/api-docs/connect/intentions##read-specific-intention-by-name) Corresponding HTTP API Endpoints: [\[GET\] /v1/connect/intentions/exact](/api-docs/connect/intentions#read-specific-intention-by-name), [\[GET\] /v1/connect/intentions/:uuid](/api-docs/connect/intentions#read-specific-intention-by-id)
The `intention get` command shows a single intention. The `intention get` command shows a single intention.
@ -21,8 +21,17 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ----------------- | | ----------------------------- |
| `intentions:read` | | `intentions:read`<sup>1</sup> |
<p>
<sup>1</sup> Intention ACL rules are specified as part of a{' '}
<code>service</code> rule. See{' '}
<a href="/docs/connect/intentions#intention-management-permissions">
Intention Management Permissions
</a>{' '}
for more details.
</p>
## Usage ## Usage

17
website/content/commands/intention/list.mdx
View File

@ -11,6 +11,23 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions](/api-docs/conn
The `intention list` command shows all intentions including ID and precedence. The `intention list` command shows all intentions including ID and precedence.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ----------------------------- |
| `intentions:read`<sup>1</sup> |
<p>
<sup>1</sup> Intention ACL rules are specified as part of a{' '}
<code>service</code> rule. See{' '}
<a href="/docs/connect/intentions#intention-management-permissions">
Intention Management Permissions
</a>{' '}
for more details.
</p>
## Usage ## Usage
Usage: Usage:

13
website/content/commands/intention/match.mdx
View File

@ -21,8 +21,17 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ----------------- | | ----------------------------- |
| `intentions:read` | | `intentions:read`<sup>1</sup> |
<p>
<sup>1</sup> Intention ACL rules are specified as part of a{' '}
<code>service</code> rule. See{' '}
<a href="/docs/connect/intentions#intention-management-permissions">
Intention Management Permissions
</a>{' '}
for more details.
</p>
## Usage ## Usage

13
website/content/commands/keyring.mdx
View File

@ -29,6 +29,19 @@ All variations of the `keyring` command return 0 if all nodes reply and there
are no errors. If any node fails to reply or reports failure, the exit code are no errors. If any node fails to reply or reports failure, the exit code
will be 1. will be 1.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required<sup>1</sup> |
| ----------------------------------- |
| `keyring:read`<br />`keyring:write` |
<p>
<sup>1</sup> The actual ACL required depends on the flags being used in the
command.
</p>
## Usage ## Usage
Usage: `consul keyring [options]` Usage: `consul keyring [options]`

8
website/content/commands/kv/export.mdx
View File

@ -12,6 +12,14 @@ prefix from Consul's KV store, and write a JSON representation to
stdout. This can be used with the command "consul kv import" to move entire stdout. This can be used with the command "consul kv import" to move entire
trees between Consul clusters. trees between Consul clusters.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ------------ |
| `key:read` |
## Usage ## Usage
Usage: `consul kv export [options] [PREFIX]` Usage: `consul kv export [options] [PREFIX]`

8
website/content/commands/kv/import.mdx
View File

@ -10,6 +10,14 @@ Command: `consul kv import`
The `kv import` command is used to import KV pairs from the JSON representation The `kv import` command is used to import KV pairs from the JSON representation
generated by the `kv export` command. generated by the `kv export` command.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ------------ |
| `key:write` |
## Usage ## Usage
Usage: `consul kv import [options] [DATA]` Usage: `consul kv import [options] [DATA]`

7
website/content/commands/namespace/list.mdx
View File

@ -21,8 +21,11 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ------------------------------------- | | ------------------------------------------------- |
| `operator:read` or `namespace:* read` | | `operator:read` or `namespace:*:read`<sup>1</sup> |
<sup>1</sup> Access can be granted to list the Namespace if the token used when making
the request has been granted any access in the namespace (read, list or write).
## Usage ## Usage

7
website/content/commands/namespace/read.mdx
View File

@ -20,8 +20,11 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ------------------------------------- | | ------------------------------------------------- |
| `operator:read` or `namespace:* read` | | `operator:read` or `namespace:*:read`<sup>1</sup> |
<sup>1</sup> Access can be granted to list the Namespace if the token used when making
the request has been granted any access in the namespace (read, list or write).
## Usage ## Usage

8
website/content/commands/namespace/write.mdx
View File

@ -13,6 +13,14 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/namespace/:name](/api-docs/namespa
This `namespace write` command creates or updates a namespace's configuration from its full definition. This was added in Consul Enterprise 1.7.0. This `namespace write` command creates or updates a namespace's configuration from its full definition. This was added in Consul Enterprise 1.7.0.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ---------------- |
| `operator:write` |
## Usage ## Usage
Usage: `consul namespace write <namespace definition>` Usage: `consul namespace write <namespace definition>`

8
website/content/commands/rtt.mdx
View File

@ -22,8 +22,12 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
are not supported from commands, but may be from the corresponding HTTP endpoint. are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required | | ACL Required |
| ------------ | | ----------------------- |
| `node:read` | | `node:read`<sup>1</sup> |
<p>
<sup>1</sup> When referencing WAN coordinates, no ACL permission is needed.
</p>
## Usage ## Usage