2017-08-23 23:56:05 +00:00
|
|
|
---
|
2020-02-06 23:45:31 +00:00
|
|
|
layout: docs
|
2023-01-30 14:48:43 +00:00
|
|
|
page_title: acl Block - Agent Configuration
|
2020-02-06 23:45:31 +00:00
|
|
|
description: >-
|
2023-01-30 14:48:43 +00:00
|
|
|
The "acl" block configures the Nomad agent to enable ACLs and tune various
|
2020-02-06 23:45:31 +00:00
|
|
|
parameters.
|
2017-08-23 23:56:05 +00:00
|
|
|
---
|
|
|
|
|
2023-01-30 14:48:43 +00:00
|
|
|
# `acl` Block
|
2017-08-23 23:56:05 +00:00
|
|
|
|
2020-02-06 23:45:31 +00:00
|
|
|
<Placement groups={['acl']} />
|
2017-08-23 23:56:05 +00:00
|
|
|
|
2023-01-30 14:48:43 +00:00
|
|
|
The `acl` block configures the Nomad agent to enable ACLs and tunes various
|
2020-03-13 17:16:01 +00:00
|
|
|
ACL parameters. Learn more about configuring Nomad's ACL system in the [Secure
|
|
|
|
Nomad with Access Control guide][secure-guide].
|
2017-08-23 23:56:05 +00:00
|
|
|
|
|
|
|
```hcl
|
|
|
|
acl {
|
2022-08-31 14:13:47 +00:00
|
|
|
enabled = true
|
|
|
|
token_ttl = "30s"
|
2017-08-23 23:56:05 +00:00
|
|
|
policy_ttl = "60s"
|
2022-10-20 07:37:32 +00:00
|
|
|
role_ttl = "60s"
|
2017-08-23 23:56:05 +00:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
## `acl` Parameters
|
|
|
|
|
|
|
|
- `enabled` `(bool: false)` - Specifies if ACL enforcement is enabled. All other
|
2023-03-16 21:22:41 +00:00
|
|
|
ACL configuration options depend on this value. All agents should have the
|
|
|
|
same value for this parameter. For example the Nomad command line will
|
|
|
|
send requests for client endpoints such as `alloc exec` directly to Nomad
|
|
|
|
clients whenever they are accessible. In this scenario, the client will
|
|
|
|
enforce ACLs, so both servers and clients should have ACLs enabled.
|
2017-08-23 23:56:05 +00:00
|
|
|
|
|
|
|
- `token_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
|
|
|
|
cached ACL tokens. This does not affect servers, since they do not cache tokens.
|
|
|
|
Setting this value lower reduces how stale a token can be, but increases
|
|
|
|
the request load against servers. If a client cannot reach a server, for example
|
|
|
|
because of an outage, the TTL will be ignored and the cached value used.
|
|
|
|
|
|
|
|
- `policy_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
|
|
|
|
cached ACL policies. This does not affect servers, since they do not cache policies.
|
|
|
|
Setting this value lower reduces how stale a policy can be, but increases
|
|
|
|
the request load against servers. If a client cannot reach a server, for example
|
|
|
|
because of an outage, the TTL will be ignored and the cached value used.
|
|
|
|
|
2022-10-20 07:37:32 +00:00
|
|
|
- `role_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
|
|
|
|
cached ACL roles. This does not affect servers, since they do not cache roles.
|
|
|
|
Setting this value lower reduces how stale a role can be, but increases the
|
|
|
|
request load against servers. If a client cannot reach a server, for example
|
|
|
|
because of an outage, the TTL will be ignored and the cached value used.
|
|
|
|
|
2017-08-23 23:56:05 +00:00
|
|
|
- `replication_token` `(string: "")` - Specifies the Secret ID of the ACL token
|
|
|
|
to use for replicating policies and tokens. This is used by servers in non-authoritative
|
2021-08-03 10:56:00 +00:00
|
|
|
region to mirror the policies and tokens into the local region from [authoritative_region][authoritative-region].
|
2020-03-13 17:16:01 +00:00
|
|
|
|
2022-08-31 14:13:47 +00:00
|
|
|
- `token_min_expiration_ttl` `(string: "1m")` - Specifies the lowest acceptable
|
|
|
|
TTL value for an ACL token when setting expiration. This is used by the Nomad
|
|
|
|
servers to validate ACL tokens.
|
|
|
|
|
|
|
|
- `token_max_expiration_ttl` `(string: "24h")` - Specifies the highest acceptable
|
|
|
|
TTL value for an ACL token when setting expiration. This is used by the Nomad
|
|
|
|
servers to validate ACL tokens.
|
|
|
|
|
2023-01-25 17:31:14 +00:00
|
|
|
[secure-guide]: /nomad/tutorials/access-control
|
|
|
|
[authoritative-region]: /nomad/docs/configuration/server#authoritative_region
|