luxolus
/
open-nomad
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

docs: Add host volume acl docs

This commit is contained in:
Danielle Lancashire 2019-09-06 14:02:19 +02:00
parent b460271de5
commit 4b6e03b8e9
No known key found for this signature in database
GPG Key ID: 8D65584EF3DDF91B
1 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
website/source/guides/security/acl.html.markdown
View File

@ -49,6 +49,7 @@ The following table summarizes the ACL Rules that are available for constructing
| [node](#node-rules) | Node-level catalog operations | | [node](#node-rules) | Node-level catalog operations |
| [operator](#operator-rules) | Cluster-level operations in the Operator API | | [operator](#operator-rules) | Cluster-level operations in the Operator API |
| [quota](#quota-rules) | Quota specification related operations | | [quota](#quota-rules) | Quota specification related operations |
| [host_volume](#host_volume-rules) | host_volume related operations |
Constructing rules from these policies is covered in detail in the Rule Specification section below. Constructing rules from these policies is covered in detail in the Rule Specification section below.
@ -356,6 +357,46 @@ region. When replication is interrupted, the existing data is used for request p
become stale. When the authoritative region is reachable, replication will resume and repair any become stale. When the authoritative region is reachable, replication will resume and repair any
inconsistency. inconsistency.
### host_volume Rules
The `host_volume` policy controls access to mounting and accessing host volumes.
```
host_volume "*" {
policy = "write"
}
host_volume "prod-*" {
policy = "deny"
}
host_volume "prod-ca-certificates" {
policy = "read"
}
```
Host volume rules are keyed to the volume names that they apply to. As with
namespaces, you may use wildcards to reuse the same configuration across a set
of volumes. In addition to the coarse grained policy specification, the
host_volume stanza allows setting a more fine grained list of capabilities.
This includes:
- `deny` - Do not allow a user to mount a volume in any way.
- `mount-readonly` - Only allow the user to mount the volume as `readonly`
- `mount-readwrite` - Allow the user to mount the volume as `readonly` or `readwrite` if the host_volume configuration allows it.
The course grained policy permissions are shorthand for the fine grained capabilities:
- `deny` policy - ["deny"]
- `read` policy - ["mount-readonly"]
- `write` policy - ["mount-readonly", "mount-readwrite"]
When both the policy short hand and a capabilities list are provided, the capabilities are merged.
**Note:** Host Volume policies are applied when attempting to _use_ a volume,
however, if a user has access to the Node API, they will be able to see that a
volume exists in the `nomad node status` output regardless of this configuration.
### Resetting ACL Bootstrap ### Resetting ACL Bootstrap
If all management tokens are lost, it is possible to reset the ACL bootstrap so that it can be performed again. If all management tokens are lost, it is possible to reset the ACL bootstrap so that it can be performed again.