66 lines
2.9 KiB
Plaintext
66 lines
2.9 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: acl Block - Agent Configuration
|
|
description: >-
|
|
The "acl" block configures the Nomad agent to enable ACLs and tune various
|
|
parameters.
|
|
---
|
|
|
|
# `acl` Block
|
|
|
|
<Placement groups={['acl']} />
|
|
|
|
The `acl` block configures the Nomad agent to enable ACLs and tunes various
|
|
ACL parameters. Learn more about configuring Nomad's ACL system in the [Secure
|
|
Nomad with Access Control guide][secure-guide].
|
|
|
|
```hcl
|
|
acl {
|
|
enabled = true
|
|
token_ttl = "30s"
|
|
policy_ttl = "60s"
|
|
role_ttl = "60s"
|
|
}
|
|
```
|
|
|
|
## `acl` Parameters
|
|
|
|
- `enabled` `(bool: false)` - Specifies if ACL enforcement is enabled. All other
|
|
ACL configuration options depend on this value. Note that the Nomad command
|
|
line client will send requests for client endpoints such as `alloc exec`
|
|
directly to Nomad clients whenever they are accessible. In this scenario, the
|
|
client will enforce ACLs, so both servers and clients should have ACLs enabled.
|
|
|
|
- `token_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
|
|
cached ACL tokens. This does not affect servers, since they do not cache tokens.
|
|
Setting this value lower reduces how stale a token can be, but increases
|
|
the request load against servers. If a client cannot reach a server, for example
|
|
because of an outage, the TTL will be ignored and the cached value used.
|
|
|
|
- `policy_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
|
|
cached ACL policies. This does not affect servers, since they do not cache policies.
|
|
Setting this value lower reduces how stale a policy can be, but increases
|
|
the request load against servers. If a client cannot reach a server, for example
|
|
because of an outage, the TTL will be ignored and the cached value used.
|
|
|
|
- `role_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
|
|
cached ACL roles. This does not affect servers, since they do not cache roles.
|
|
Setting this value lower reduces how stale a role can be, but increases the
|
|
request load against servers. If a client cannot reach a server, for example
|
|
because of an outage, the TTL will be ignored and the cached value used.
|
|
|
|
- `replication_token` `(string: "")` - Specifies the Secret ID of the ACL token
|
|
to use for replicating policies and tokens. This is used by servers in non-authoritative
|
|
region to mirror the policies and tokens into the local region from [authoritative_region][authoritative-region].
|
|
|
|
- `token_min_expiration_ttl` `(string: "1m")` - Specifies the lowest acceptable
|
|
TTL value for an ACL token when setting expiration. This is used by the Nomad
|
|
servers to validate ACL tokens.
|
|
|
|
- `token_max_expiration_ttl` `(string: "24h")` - Specifies the highest acceptable
|
|
TTL value for an ACL token when setting expiration. This is used by the Nomad
|
|
servers to validate ACL tokens.
|
|
|
|
[secure-guide]: /nomad/tutorials/access-control
|
|
[authoritative-region]: /nomad/docs/configuration/server#authoritative_region
|