open-nomad/website/public/data/vault/nomad-server-policy.hcl

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

42 lines
1.2 KiB
HCL
Raw Normal View History

2017-01-27 20:24:59 +00:00
# Allow creating tokens under "nomad-cluster" role. The role name should be
# updated if "nomad-cluster" is not used.
path "auth/token/create/nomad-cluster" {
2017-01-22 01:53:30 +00:00
capabilities = ["update"]
2016-11-01 19:23:10 +00:00
}
2017-01-27 20:24:59 +00:00
# Allow looking up "nomad-cluster" role. The role name should be updated if
# "nomad-cluster" is not used.
path "auth/token/roles/nomad-cluster" {
capabilities = ["read"]
2016-11-01 19:23:10 +00:00
}
# Allow looking up the token passed to Nomad to validate the token has the
2017-02-28 21:46:38 +00:00
# proper capabilities. This is provided by the "default" policy.
path "auth/token/lookup-self" {
capabilities = ["read"]
}
2017-01-27 20:24:59 +00:00
# Allow looking up incoming tokens to validate they have permissions to access
# the tokens they are requesting. This is only required if
# `allow_unauthenticated` is set to false.
path "auth/token/lookup" {
capabilities = ["update"]
}
# Allow revoking tokens that should no longer exist. This allows revoking
# tokens for dead tasks.
path "auth/token/revoke-accessor" {
capabilities = ["update"]
}
# Allow checking the capabilities of our own token. This is used to validate the
# token upon startup.
2017-02-28 22:03:18 +00:00
path "sys/capabilities-self" {
2017-01-27 20:24:59 +00:00
capabilities = ["update"]
2016-11-01 19:23:10 +00:00
}
2017-01-27 20:24:59 +00:00
# Allow our own token to be renewed.
path "auth/token/renew-self" {
capabilities = ["update"]
2016-11-01 19:23:10 +00:00
}