open-consul/contributing/acl/README.md

1.2 KiB

ACL

This section is a work in progress.

The ACL subsystem is responsible for authenticating and authorizing access to Consul operations (HTTP API, and RPC).

ACL Entities

There are many entities in the ACL subsystem. The diagram below shows the relationship between the entities.

Entity Relationship Diagram

source

ACL Tokens are at the center of the ACL system. Tokens are associated with a set of Policies, and Roles.

AuthMethods, which consist of BindingRules, are a mechanism for creating ACL Tokens from policies stored in external systems (ex: kubernetes, JWT, or OIDC).

Roles are a set of policies associated with a named role, and ServiceIdentity and NodeIdentity are policy templates that are associated with a specific service or node and can be rendered into a full policy.

Each Policy contains a set of rules. Each rule relates to a specific resource, and includes an AccessLevel (read, write, list or deny).

An ACL Token can be resolved into an Authorizer. The Authorizer is what is used by the HTTP API, and RPC endpoints to determine if an operation is allowed or forbidden (the enforcement decision).