luxolus
/
open-nomad
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

Merge pull request #6997 from hashicorp/docs-bootstrap-reset 

docs: reseting bootstrap doesn't invalidate token
This commit is contained in:
Mahmood Ali 2020-01-28 08:37:45 -05:00 committed by GitHub
parent 7e7f558fdc 9926614df2
commit 112625e769
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
website/source/guides/security/acl.html.markdown
View File

@ -419,6 +419,8 @@ Error bootstrapping: Unexpected response code: 500 (Invalid bootstrap reset inde
This is because the reset file is in place, but with the incorrect index. The reset file can be deleted, but Nomad will not reset the bootstrap until the index is corrected.
Resetting ACL Bootstrap does not automatically invalidate previous ACL tokens: the previous bootstrap token remains valid, and existing tools that utilize it remain functional. If the token is unused, or if a management token is suspected of being compromised, then we should invalidate it, update any existing system with new tokens, and audit all existing tokens.
## Vault Integration
HashiCorp Vault has a secret backend for generating short-lived Nomad tokens. As Vault has a number of authentication backends, it could provide a workflow where a user or orchestration system authenticates using an pre-existing identity service (LDAP, Okta, Amazon IAM, etc.) in order to obtain a short-lived Nomad token.