consul【ACL使用】


开启ACL

接前文,需要开启consul ACL配置,如下

// enable_key_list_policy开启true,为kv配置acl控制
"acl":{
    "enabled":true,
    "default_policy":"deny",
    "enable_token_persistence":true,
    "enable_key_list_policy":true,
    "tokens":{
        "master":"14d54c5e-24ca-41cc-8c9e-987ba7a96ffb",
        "agent":"db98c304-4d38-8660-fafe-6a4be56a40d0"
    }
}

策略级别

策略可以具有多个控制级别:

  • read:允许读取但不修改资源。
  • write:允许读取和修改资源。
  • deny:不允许读取或修改资源。
  • list:允许访问领事KV中某个网段下的所有键。注意,此策略只能与key_prefix资源一起使用,并且acl.enable_key_list_policy必须设置为true。

k-v创建token示例

# These control access to the key/value store.
key_prefix "" {
  policy = "read"
}
key_prefix "foo/" {
  policy = "write"
}
key_prefix "foo/private/" {
  policy = "deny"
}
# Or for exact key matches
key "foo/bar/secret" {
  policy = "deny"
}

# This controls access to cluster-wide Consul operator information.
operator = "read"

等同于

{
  "key_prefix": {
    "": {
      "policy": "read"
    },
    "foo/": {
      "policy": "write"
    },
    "foo/private/": {
      "policy": "deny"
    }
  },
  "key" : {
    "foo/bar/secret" : {
      "policy" : "deny"
    }
  },
  "operator": "read"
}
key_prefix "" {
  policy = "read"
}
key "foo" {
  policy = "write"
}
key "bar" {
  policy = "deny"
}
key_prefix "" {
 policy = "deny"
}

key_prefix "bar" {
 policy = "list"
}

key_prefix "baz" {
 policy = "read"
}
node_prefix "" {
  policy = "read"
}
node "app" {
  policy = "write"
}
node "admin" {
  policy = "deny"
}
agent_prefix "" {
  policy = "read"
}
agent "foo" {
  policy = "write"
}
agent_prefix "bar" {
  policy = "deny"
}
event_prefix "" {
  policy = "read"
}
event "deploy" {
  policy = "write"
}
node_prefix "" {
  policy = "read"
}
node "app" {
  policy = "write"
}
node "admin" {
  policy = "deny"
}
query_prefix "" {
  policy = "read"
}
query "foo" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
service "app" {
  policy = "write"
}
service "admin" {
  policy = "deny"
}
session_prefix "" {
  policy = "read"
}
session "app" {
  policy = "write"
}
session "admin" {
  policy = "deny"
}

遇到的坑!

当我创建一个token,分配了policy,如service_prefix....用这个token登录ui,在Services中可以看到权限内的service!同理node也是一样,但是针对key/values不行,会直接跳转到ACL登录页面!
consul
consul
consul
consul

这时候并不是acl没有权限,需要在浏览器中直接输入http://ip:8500/ui/dc1/kv/foo/dc1datacenter的名字,foopolicy赋予的kv前缀,这样就可以在ui中修改key/values了.


文章作者: wuzhiyong
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 wuzhiyong !
评论
  目录