open-nomad/website/content/docs/configuration/acl.mdx
みゃお 8d970d97d3
[doc]Add replication_token link with authoritative_region
replication_token always works together with authoritative_region, add a link for better doc.
2021-08-03 18:56:00 +08:00

48 lines
1.8 KiB
Plaintext

---
layout: docs
page_title: acl Stanza - Agent Configuration
description: >-
The "acl" stanza configures the Nomad agent to enable ACLs and tune various
parameters.
---
# `acl` Stanza
<Placement groups={['acl']} />
The `acl` stanza configures the Nomad agent to enable ACLs and tunes various
ACL parameters. Learn more about configuring Nomad's ACL system in the [Secure
Nomad with Access Control guide][secure-guide].
```hcl
acl {
enabled = true
token_ttl = "30s"
policy_ttl = "60s"
}
```
## `acl` Parameters
- `enabled` `(bool: false)` - Specifies if ACL enforcement is enabled. All other
ACL configuration options depend on this value.
- `token_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
cached ACL tokens. This does not affect servers, since they do not cache tokens.
Setting this value lower reduces how stale a token can be, but increases
the request load against servers. If a client cannot reach a server, for example
because of an outage, the TTL will be ignored and the cached value used.
- `policy_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
cached ACL policies. This does not affect servers, since they do not cache policies.
Setting this value lower reduces how stale a policy can be, but increases
the request load against servers. If a client cannot reach a server, for example
because of an outage, the TTL will be ignored and the cached value used.
- `replication_token` `(string: "")` - Specifies the Secret ID of the ACL token
to use for replicating policies and tokens. This is used by servers in non-authoritative
region to mirror the policies and tokens into the local region from [authoritative_region][authoritative-region].
[secure-guide]: https://learn.hashicorp.com/collections/nomad/access-control
[authoritative-region]: /docs/configuration/server#authoritative_region