applied feedback
parent
9b632f0a9e
commit
e6073653b5
@ -228,6 +228,7 @@ The options below are all specified on the command-line.
|
||||||
Like [`enable_script_checks`](#_enable_script_checks), but only enable them when
|
Like [`enable_script_checks`](#_enable_script_checks), but only enable them when
|
||||||
they are defined in the local configuration files. Script checks defined in HTTP
|
they are defined in the local configuration files. Script checks defined in HTTP
|
||||||
API registrations will still not be allowed.
|
API registrations will still not be allowed.
|
||||||
|
|
||||||
|
|
||||||
- `-encrypt` ((#\_encrypt)) - Specifies the secret key to use for encryption
|
- `-encrypt` ((#\_encrypt)) - Specifies the secret key to use for encryption
|
||||||
of Consul network traffic. This key must be 32-bytes that are Base64-encoded. The
|
of Consul network traffic. This key must be 32-bytes that are Base64-encoded. The
|
||||||
|
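Review bot: the only change in this hunk is a blank line inserted between the `enable_local_script_checks` entry and the `-encrypt` entry. In Markdown a blank line between bullets turns a tight list into a loose one, so check that the neighbouring entries in this options list are separated the same way; otherwise this one item renders with different paragraph spacing than its siblings.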
@ -1468,10 +1469,9 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
|
||||||
|
|
||||||
- `enable_script_checks` Equivalent to the [`-enable-script-checks` command-line flag](#_enable_script_checks).
|
- `enable_script_checks` Equivalent to the [`-enable-script-checks` command-line flag](#_enable_script_checks).
|
||||||
|
|
||||||
~> **Security Warning:** Enabling script checks in some configurations may
|
ACLs must be enabled for agents and the `enable_script_checks` option must be set to `true` to enable script checks in Consul 0.9.0 and later. See [Registering and Querying Node Information](/docs/security/acl/acl-rules#registering-and-querying-node-information) for related information.
|
||||||
introduce a remote execution vulnerability which is known to be targeted by
|
|
||||||
malware. We strongly recommend `enable_local_script_checks` instead. See [this
|
~> **Security Warning:** Enabling script checks in some configurations may introduce a known remote execution vulnerability targeted by malware. We strongly recommend `enable_local_script_checks` instead. Refer to the following article for additional guidance: [_Protecting Consul from RCE Risk in Specific Configurations_](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations)
|
||||||
blog post](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations)
|
|
||||||
for more details.
|
for more details.
|
||||||
|
|
||||||
- `enable_local_script_checks` Equivalent to the [`-enable-local-script-checks` command-line flag](#_enable_local_script_checks).
|
- `enable_local_script_checks` Equivalent to the [`-enable-local-script-checks` command-line flag](#_enable_local_script_checks).
|
||||||
|
|
|
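Review bot: the line `for more details.` is kept as unchanged context after the rewritten warning, so the new paragraph ends with `[_Protecting Consul from RCE Risk in Specific Configurations_](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations)` followed by a dangling `for more details.`; the rewritten sentence already says `Refer to the following article for additional guidance:`, so that trailing line should be dropped. The added sentence `ACLs must be enabled for agents and the enable_script_checks option must be set to true to enable script checks` also reads as if ACLs were a prerequisite for script checks, which the note it replaces (removed from acl-rules.mdx in a later hunk) did not claim; it only said `In addition to ACLs` in the context of the ACL page. Something like `When ACLs are enabled, the agent must also have enable_script_checks set to true` keeps the requirement from being overstated. Finally, `a known remote execution vulnerability targeted by malware` moves what is "known" from the targeting to the vulnerability; `a remote execution vulnerability known to be targeted by malware` preserves the original claim.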
@ -505,9 +505,9 @@ node "admin" {
|
||||||
|
|
||||||
#### Registering and Querying Node Information
|
#### Registering and Querying Node Information
|
||||||
|
|
||||||
Agents must be configured with `write` or `read` privileges for their own node name so that the agent can register their node metadata, tagged addresses, and other information in the catalog.
|
Agents must be configured with `write` privileges for their own node name so that the agent can register their node metadata, tagged addresses, and other information in the catalog.
|
||||||
If configured incorrectly, the agent will print an error to the console when it tries to sync its state with the catalog.
|
If configured incorrectly, the agent will print an error to the console when it tries to sync its state with the catalog.
|
||||||
Configure `write` or `read` access in the [`acl.tokens.agent`](/docs/agent/options#acl_tokens_agent) parameter.
|
Configure `write` access in the [`acl.tokens.agent`](/docs/agent/options#acl_tokens_agent) parameter.
|
||||||
|
|
||||||
The [`acl.token.default`](/docs/agent/options#acl_tokens_default) used by the agent should have `read` access to a given node so that the DNS interface can be queried.
|
The [`acl.token.default`](/docs/agent/options#acl_tokens_default) used by the agent should have `read` access to a given node so that the DNS interface can be queried.
|
||||||
|
|
||||||
|
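Review bot: dropping `or read` from both sentences is the right correction, since registering node metadata and tagged addresses in the catalog is a write operation and a token with only `read` on the node cannot perform it. To help readers who run into the error described in the unchanged line `If configured incorrectly, the agent will print an error to the console when it tries to sync its state with the catalog.`, consider stating explicitly that `read` alone is not sufficient for `acl.tokens.agent`, while `read` remains the correct level for `acl.tokens.default`, as the following paragraph says.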
@ -523,11 +523,6 @@ This allows for greater flexibility and enables the use of multiple tokens on th
|
||||||
Refer to the [services](/docs/agent/services) and [checks](/docs/agent/checks) documentation for examples.
|
Refer to the [services](/docs/agent/services) and [checks](/docs/agent/checks) documentation for examples.
|
||||||
Tokens may also be passed to the [HTTP API](/api) for operations that require them.
|
Tokens may also be passed to the [HTTP API](/api) for operations that require them.
|
||||||
|
|
||||||
|
|
||||||
-> **Script checks are required for Consul 0.9.0 and later**. In addition to ACLs, the agent must be configured with
|
|
||||||
[`enable_script_checks`](/docs/agent/options#_enable_script_checks) set to `true` to enable
|
|
||||||
script checks in Consul 0.9.0 and later0.
|
|
||||||
|
|
||||||
### Operator Rules
|
### Operator Rules
|
||||||
|
|
||||||
The `operator` resource controls access to cluster-level operations in the
|
The `operator` resource controls access to cluster-level operations in the
|
||||||
|
|
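Review bot: removing the whole `-> **Script checks are required for Consul 0.9.0 and later**` note leaves this ACL section without any mention that script checks also depend on `enable_script_checks`, while the options page in the earlier hunk now points back here with `See [Registering and Querying Node Information]`, making the cross-reference one-directional. Consider keeping a single-sentence pointer to `/docs/agent/options#_enable_script_checks` in place of the removed note; that also retires the `later0` typo and the misleading bold title, since it is the option that is required, not script checks themselves.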