open-nomad/website/content/docs/configuration/acl.mdx

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

67 lines
2.9 KiB
Plaintext
Raw Normal View History

---
2020-02-06 23:45:31 +00:00
layout: docs
page_title: acl Block - Agent Configuration
2020-02-06 23:45:31 +00:00
description: >-
The "acl" block configures the Nomad agent to enable ACLs and tune various
2020-02-06 23:45:31 +00:00
parameters.
---
# `acl` Block
2020-02-06 23:45:31 +00:00
<Placement groups={['acl']} />
The `acl` block configures the Nomad agent to enable ACLs and tunes various
ACL parameters. Learn more about configuring Nomad's ACL system in the [Secure
Nomad with Access Control guide][secure-guide].
```hcl
acl {
enabled = true
token_ttl = "30s"
policy_ttl = "60s"
role_ttl = "60s"
}
```
## `acl` Parameters
- `enabled` `(bool: false)` - Specifies if ACL enforcement is enabled. All other
ACL configuration options depend on this value. All agents should have the
same value for this parameter. For example the Nomad command line will
send requests for client endpoints such as `alloc exec` directly to Nomad
clients whenever they are accessible. In this scenario, the client will
enforce ACLs, so both servers and clients should have ACLs enabled.
- `token_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
cached ACL tokens. This does not affect servers, since they do not cache tokens.
Setting this value lower reduces how stale a token can be, but increases
the request load against servers. If a client cannot reach a server, for example
because of an outage, the TTL will be ignored and the cached value used.
- `policy_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
cached ACL policies. This does not affect servers, since they do not cache policies.
Setting this value lower reduces how stale a policy can be, but increases
the request load against servers. If a client cannot reach a server, for example
because of an outage, the TTL will be ignored and the cached value used.
- `role_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
cached ACL roles. This does not affect servers, since they do not cache roles.
Setting this value lower reduces how stale a role can be, but increases the
request load against servers. If a client cannot reach a server, for example
because of an outage, the TTL will be ignored and the cached value used.
- `replication_token` `(string: "")` - Specifies the Secret ID of the ACL token
to use for replicating policies and tokens. This is used by servers in non-authoritative
region to mirror the policies and tokens into the local region from [authoritative_region][authoritative-region].
- `token_min_expiration_ttl` `(string: "1m")` - Specifies the lowest acceptable
TTL value for an ACL token when setting expiration. This is used by the Nomad
servers to validate ACL tokens.
- `token_max_expiration_ttl` `(string: "24h")` - Specifies the highest acceptable
TTL value for an ACL token when setting expiration. This is used by the Nomad
servers to validate ACL tokens.
[secure-guide]: /nomad/tutorials/access-control
[authoritative-region]: /nomad/docs/configuration/server#authoritative_region