website: document ACL bootstrap reset process

This commit is contained in:
Armon Dadgar 2017-09-10 16:18:39 -07:00
parent 20a8e590a0
commit c234e09d9e
3 changed files with 59 additions and 3 deletions

@ -176,7 +176,7 @@ func (a *TestAgent) Start() *TestAgent {
if a.Config.ACL.Enabled && a.Config.Server.Enabled && a.Config.ACL.PolicyTTL != 0 {
a.Token = mock.ACLManagementToken()
state := a.Agent.server.State()
if err := state.BootstrapACLTokens(1, a.Token); err != nil {
if err := state.BootstrapACLTokens(1, 0, a.Token); err != nil {
panic(fmt.Sprintf("token bootstrap failed: %v", err))
}
}
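Review bot: the new `0` in `state.BootstrapACLTokens(1, 0, a.Token)` is an unexplained magic number; since this commit is about the bootstrap reset index, a one-line comment stating that the second argument is the reset index and that a fresh test agent passes 0 because no reset is pending would make the test setup readable. The hunk only shows this call site; the signature change in `BootstrapACLTokens` and any other callers are not in the diff, so please confirm every caller was updated.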

@ -14,7 +14,8 @@ For more details about ACLs, please see the [ACL Guide](/guides/acl.html).
## Bootstrap Token
This endpoint is used to bootstrap the ACL system and provide the initial management token.
This request is always forwarded to the authoritative region. It can only be invoked once.
This request is always forwarded to the authoritative region. It can only be invoked once
until a [bootstrap reset](/guides/acl.html#reseting-acl-bootstrap) is performed.
| Method | Path | Produces |
| ------ | ---------------------------- | -------------------------- |
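Review bot: the anchor `#reseting-acl-bootstrap` carries the misspelling of the new `### Reseting ACL Bootstrap` heading; if the heading is later corrected to "Resetting" this link silently breaks, so fix heading, this link and the guide's own link together. The sentence also reads better as "It can only be invoked once, unless a [bootstrap reset](...) is performed."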

@ -104,7 +104,7 @@ $ curl \
}
```
Once the initial bootstrap is performed, it _cannot be performed again_. Make sure to save this AccessorID and SecretID.
Once the initial bootstrap is performed, it cannot be performed again until [reset](#reseting-acl-bootstrap). Make sure to save this AccessorID and SecretID.
The bootstrap token is a `management` type token, meaning it can perform any operation. It should be used to setup the ACL policies and create additional ACL tokens. The bootstrap token can be deleted and is like any other token, so care should be taken to not revoke all management tokens.
### Enable ACLs on Nomad Clients
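Review bot: same `#reseting-acl-bootstrap` anchor as in the API doc; keep its spelling in sync with the heading. Dropping the `_cannot be performed again_` emphasis is fine now that the statement is qualified, but the reminder to save the AccessorID and SecretID deserves to keep some emphasis, since losing them is exactly what forces the reset procedure this commit documents.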
@ -310,3 +310,58 @@ region. When replication is interrupted, the existing data is used for request p
become stale. When the authoritative region is reachable, replication will resume and repair any
inconsistency.
### Reseting ACL Bootstrap
If all management tokens are lost, it is possible to reset the ACL bootstrap so that it can be performed again.
First, we need to determine the reset index, this can be done by calling the reset endpoint:
```
$ curl \
--request POST \
https://nomad.rocks/v1/acl/bootstrap?pretty=true
ACL bootstrap already done (reset index: 7)
```
Here we can see the `reset index`. To reset the ACL system, we create the `acl-bootstrap-reset` file in the data directory:
```
$ echo 7 >> /nomad-data-dir/server/acl-bootstrap-reset
```
Now, we can bootstrap like normal using the reset key:
```
$ curl \
--request POST \
https://nomad.rocks/v1/acl/bootstrap?pretty=true
```
```json
{
"AccessorID":"52d3353d-d7b9-d945-0591-1af608732b76",
"SecretID":"4b0a41ca-6d32-1853-e64b-de0d347e4525",
"Name":"Bootstrap Token",
"Type":"management",
"Policies":null,
"Global":true,
"Hash":"BUJ3BerTfrqFVm1P+vZr1gz9ubOkd+JAvYjNAJyaU9Y=",
"CreateTime":"2017-09-10T23:11:49.34730714Z",
"CreateIndex":11,
"ModifyIndex":11
}
```
If we attempt to bootstrap again, we will get a mismatch on the reset index:
```
$ curl \
--request POST \
https://nomad.rocks/v1/acl/bootstrap?pretty=true
Invalid bootstrap reset index (specified 7, reset index: 11)
```
This is because the reset file is in place, but with the incorrect index.
The reset file can be deleted, but Nomad will not reset the bootstrap until the index is corrected.
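Review bot: `echo 7 >> /nomad-data-dir/server/acl-bootstrap-reset` appends rather than overwrites, so when an older reset file is still present (the closing paragraph says the file is left in place after a reset and must have its index corrected) the operator ends up with two lines in the file; use `>` instead. Smaller points in the same section: the heading should read "Resetting", "using the reset key" should be "reset index" to match the rest of the text, and `/nomad-data-dir` should be identified as the server's configured data directory. It would also help to state plainly that the reset mechanism relies on write access to the server's data directory as its trust boundary (whoever can write that file can re-bootstrap and obtain a new management token), and to say whether Nomad removes the file after a successful reset or whether the operator is expected to delete it, since the final paragraph implies it stays.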