luxolus/open-consul
2
0
Fork 0
Code Issues 1 Pull requests Packages Releases Wiki Activity

docs: Add example ACL policy for snapshot agent

Browse source 
Co-Authored-By: Blake Covarrubias <blake@covarrubi.as>
This commit is contained in:
Dhia Ayachi 2021-05-20 10:55:33 -04:00 committed by Daniel Nephin
parent 429ac52af6
commit 8d87621a8e
1 changed files with 59 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

59
website/content/commands/snapshot/agent.mdx
View file

@ -51,6 +51,8 @@ Snapshots can be restored using the
[`consul snapshot restore`](/commands/snapshot/restore) command, or [`consul snapshot restore`](/commands/snapshot/restore) command, or
the [HTTP API](/api/snapshot). the [HTTP API](/api/snapshot).
## ACL permissions
If ACLs are enabled the following privileges are required: If ACLs are enabled the following privileges are required:
| Resource | Segment | Permission | Explanation | | Resource | Segment | Permission | Explanation |
@ -60,6 +62,63 @@ If ACLs are enabled the following privileges are required:
| `session` | `<agent name>` | `write` | The session used for locking during leader election is created against the agent name of the Consul agent that the Snapshot agent is registering itself with. | | `session` | `<agent name>` | `write` | The session used for locking during leader election is created against the agent name of the Consul agent that the Snapshot agent is registering itself with. |
| `service` | `<service name>` | `write` | The Snapshot agent registers itself with the local Consul agent and must have write privileges on its service name which is configured with `-service`. | | `service` | `<service name>` | `write` | The Snapshot agent registers itself with the local Consul agent and must have write privileges on its service name which is configured with `-service`. |
### Example ACL policy
The following is a example least privilege policy which allows the snapshot agent
to run on a node named `server-1234`.
<Tabs>
<Tab heading="HCL">
```hcl
# Required to read and snapshot ACL data
acl = "write"
# Allow the snapshot agent to create the key consul-snapshot/lock which will
# serve as a leader election lock when multiple snapshot agents are running in
# an environment
key "consul-snapshot/lock" {
policy = "write"
}
# Allow the snapshot agent to create sessions on the specified node
session "server-1234" {
policy = "write"
}
# Allow the snapshot agent to register itself into the catalog
service "consul-snapshot" {
policy = "write"
}
```
</Tab>
<Tab heading="JSON">
```json
{
"acl": "write",
"key": {
"consul-snapshot/lock": {
"policy": "write"
}
},
"session": {
"server-1234": {
"policy": "write"
}
},
"service": {
"consul-snapshot": {
"policy": "write"
}
}
}
```
</Tab>
</Tabs>
Additional `session` rules should be created, or `session_prefix` used, if the
snapshot agent is deployed across more than one hosts.
## Usage ## Usage
Usage: `consul snapshot agent [options]` Usage: `consul snapshot agent [options]`