From d7f76702fecd528c69fec0d90bd56147c41655a1 Mon Sep 17 00:00:00 2001 From: Ryan Uber Date: Tue, 7 Jul 2015 11:45:49 -0600 Subject: [PATCH] website: docs for keyring ACLs --- .../source/docs/internals/acl.html.markdown | 31 +++++++++++++++++-- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/website/source/docs/internals/acl.html.markdown b/website/source/docs/internals/acl.html.markdown index ff3eb47ff..c1daa6373 100644 --- a/website/source/docs/internals/acl.html.markdown +++ b/website/source/docs/internals/acl.html.markdown @@ -18,8 +18,8 @@ on tokens to which fine grained rules can be applied. It is very similar to When the ACL system was launched in Consul 0.4, it was only possible to specify policies for the KV store. In Consul 0.5, ACL policies were extended to service -registrations. In Consul 0.6, ACL's were further extended to restrict the -service discovery mechanisms and user events.. +registrations. In Consul 0.6, ACL's were further extended to restrict service +discovery mechanisms, user events, and encryption keyring operations. ## ACL Design 
@@ -147,6 +147,27 @@ event "" { As always, the more secure way to handle user events is to explicitly grant access to each API token based on the events they should be able to fire. +### Blacklist mode and Keyring Operations + +Consul 0.6 and later supports securing the encryption keyring operations using +ACL's. Encryption is an optional component of the gossip layer. More information +about Consul's keyring operations can be found on the [keyring +command](/docs/commands/keyring.html) documentation page. + +If your [`acl_default_policy`](/docs/agent/options.html#acl_default_policy) is +set to `deny`, then the `anonymous` token will not have access to read or write +to the encryption keyring. The keyring policy is yet another first-class citizen +in the ACL syntax. You can configure the anonymous token to have free reign over +the keyring using a policy like the following: + +``` +keyring = "write" +``` + +Encryption keyring operations are sensitive and should be properly secured. It +is recommended that instead of configuring a wide-open policy like above, a +per-token policy is applied to maximize security. + ### Bootstrapping ACLs Bootstrapping the ACL system is done by providing an initial [`acl_master_token` @@ -229,6 +250,9 @@ event "" { event "destroy-" { policy = "deny" } + +# Read-only mode for the encryption keyring by default (list only) +keyring = "read" ``` This is equivalent to the following JSON input: @@ -261,7 +285,8 @@ This is equivalent to the following JSON input: "destroy-": { "policy": "deny" } - } + }, + "keyring": "read" } ```
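Review bot: in the first hunk (`@@ -18,8 +18,8 @@`) the rewritten line keeps the possessive spelling "ACL's" for the plural ("ACL's were further extended"); since this line is already being touched to drop the doubled period in "user events..", change it to "ACLs were further extended to restrict service discovery mechanisms, user events, and encryption keyring operations." so the spelling matches the page's other plurals.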
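Review bot: in the second hunk (`@@ -147,6 +147,27 @@`) the new "Blacklist mode and Keyring Operations" section never says what `keyring = "read"` and `keyring = "write"` actually permit, so a reader cannot tell which keyring operations the `anonymous` token loses when `acl_default_policy` is `deny`; the only hint is the "(list only)" comment in a later example. Add one sentence after the `keyring = "write"` block stating which operations each level grants. Same hunk, wording: "free reign" should be "free rein", "ACL's" should be "ACLs", "like above" reads better as "like the one above", and the heading capitalization ("Blacklist mode and Keyring Operations") does not match the neighbouring "Bootstrapping ACLs".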
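Review bot: in the third hunk (`@@ -229,6 +250,9 @@`) the comment `# Read-only mode for the encryption keyring by default (list only)` is misleading in context: this block is an explicit token policy, so "by default" suggests the agent-wide default rather than what this policy grants. Suggest `# Read-only access to the encryption keyring (list only)`.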