35c4efd220
Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
98 lines
1.9 KiB
HCL
98 lines
1.9 KiB
HCL
enable_central_service_config = true
|
|
|
|
acl {
|
|
default_policy = "deny"
|
|
}
|
|
|
|
config_entries {
|
|
bootstrap {
|
|
kind = "service-defaults"
|
|
name = "s2"
|
|
protocol = "http"
|
|
}
|
|
|
|
# TODO: test header invert
|
|
bootstrap {
|
|
kind = "service-intentions"
|
|
name = "s2"
|
|
|
|
sources {
|
|
name = "s1"
|
|
permissions = [
|
|
// paths
|
|
{
|
|
action = "allow"
|
|
http { path_exact = "/exact" }
|
|
},
|
|
{
|
|
action = "allow"
|
|
http { path_prefix = "/prefix" }
|
|
},
|
|
{
|
|
action = "allow"
|
|
http { path_regex = "/reg[ex]{2}" }
|
|
},
|
|
// headers
|
|
{
|
|
action = "allow"
|
|
http {
|
|
path_exact = "/hdr-present"
|
|
header = [{
|
|
name = "x-test-debug"
|
|
present = true
|
|
}]
|
|
}
|
|
},
|
|
{
|
|
action = "allow"
|
|
http {
|
|
path_exact = "/hdr-exact"
|
|
header = [{
|
|
name = "x-test-debug"
|
|
exact = "exact"
|
|
}]
|
|
}
|
|
},
|
|
{
|
|
action = "allow"
|
|
http {
|
|
path_exact = "/hdr-prefix"
|
|
header = [{
|
|
name = "x-test-debug"
|
|
prefix = "prefi"
|
|
}]
|
|
}
|
|
},
|
|
{
|
|
action = "allow"
|
|
http {
|
|
path_exact = "/hdr-suffix"
|
|
header = [{
|
|
name = "x-test-debug"
|
|
suffix = "uffix"
|
|
}]
|
|
}
|
|
},
|
|
{
|
|
action = "allow"
|
|
http {
|
|
path_exact = "/hdr-regex"
|
|
header = [{
|
|
name = "x-test-debug"
|
|
regex = "reg[ex]{2}"
|
|
}]
|
|
}
|
|
},
|
|
// methods
|
|
{
|
|
action = "allow"
|
|
http {
|
|
path_exact = "/method-match"
|
|
methods = ["GET", "PUT"]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|