Merge pull request #6288 from hashicorp/volume-acl-docs

docs: Add host volume acl docs
Danielle 2019-09-06 15:04:07 +02:00 committed by GitHub
commit c2b64483ce
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -49,6 +49,7 @@ The following table summarizes the ACL Rules that are available for constructing
| [node](#node-rules) | Node-level catalog operations | | [node](#node-rules) | Node-level catalog operations |
| [operator](#operator-rules) | Cluster-level operations in the Operator API | | [operator](#operator-rules) | Cluster-level operations in the Operator API |
| [quota](#quota-rules) | Quota specification related operations | | [quota](#quota-rules) | Quota specification related operations |
| [host_volume](#host_volume-rules) | host_volume related operations |
Constructing rules from these policies is covered in detail in the Rule Specification section below. Constructing rules from these policies is covered in detail in the Rule Specification section below.
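Review bot: the description in the new table row, "host_volume related operations", is vaguer than the neighbouring rows ("Node-level catalog operations", "Quota specification related operations") and does not say what the rule actually governs. Suggest wording that matches the new rules section below, e.g. "Host volume mounting and access operations", so a reader scanning the table can tell this rule gates mount permissions rather than volume creation or registration.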
@ -356,6 +357,46 @@ region. When replication is interrupted, the existing data is used for request p
become stale. When the authoritative region is reachable, replication will resume and repair any become stale. When the authoritative region is reachable, replication will resume and repair any
inconsistency. inconsistency.
### host_volume Rules
The `host_volume` policy controls access to mounting and accessing host volumes.
```
host_volume "*" {
policy = "write"
}
host_volume "prod-*" {
policy = "deny"
}
host_volume "prod-ca-certificates" {
policy = "read"
}
```
Host volume rules are keyed to the volume names that they apply to. As with
namespaces, you may use wildcards to reuse the same configuration across a set
of volumes. In addition to the coarse grained policy specification, the
`host_volume` stanza allows setting a more fine grained list of capabilities.
This includes:
- `deny` - Do not allow a user to mount a volume in any way.
- `mount-readonly` - Only allow the user to mount the volume as `readonly`
- `mount-readwrite` - Allow the user to mount the volume as `readonly` or `readwrite` if the `host_volume` configuration allows it.
The course grained policy permissions are shorthand for the fine grained capabilities:
- `deny` policy - ["deny"]
- `read` policy - ["mount-readonly"]
- `write` policy - ["mount-readonly", "mount-readwrite"]
When both the policy short hand and a capabilities list are provided, the capabilities are merged.
**Note:** Host Volume policies are applied when attempting to _use_ a volume,
however, if a user has access to the Node API, they will be able to see that a
volume exists in the `nomad node status` output regardless of this configuration.
### Resetting ACL Bootstrap ### Resetting ACL Bootstrap
If all management tokens are lost, it is possible to reset the ACL bootstrap so that it can be performed again. If all management tokens are lost, it is possible to reset the ACL bootstrap so that it can be performed again.
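Review bot: the fine-grained capabilities list is described but never shown in rule syntax, and the merge semantics are underspecified; the example block only uses `policy = "..."`, so a reader cannot see how to write the `capabilities` list the prose introduces, and the sentence "When both the policy short hand and a capabilities list are provided, the capabilities are merged" does not say what happens when `deny` is merged with `mount-readonly` or `mount-readwrite` (does `deny` win, or does merging grant the mount?). Since this is an access-control document, please state the precedence explicitly and add a second example that includes a `capabilities` list alongside `policy`. Related gaps in the same hunk: the three example rules `host_volume "*"`, `host_volume "prod-*"` and `host_volume "prod-ca-certificates"` all match the same volume name, but the text never says which wins when several wildcard rules match (the namespace section it refers to should be cross-referenced, or the rule stated here); `mount-readwrite` is conditioned on "if the `host_volume` configuration allows it" without naming the client-side setting involved. Minor: "The course grained policy permissions" should read "coarse grained"; the `mount-readonly` bullet is missing its terminating period; "Host Volume policies" in the note should be lower-cased "host volume" for consistency with the rest of the section.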