From 29aaffdc3714da92238ba7b83e0fd5474a3ab60f Mon Sep 17 00:00:00 2001 From: Laurent Raufaste Date: Thu, 13 Nov 2014 17:42:39 -0500 Subject: [PATCH 1/3] Doc explaining the blacklist mode and consul exec --- .../source/docs/internals/acl.html.markdown | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/website/source/docs/internals/acl.html.markdown b/website/source/docs/internals/acl.html.markdown index f2f0dfe075..0e9ad633bc 100644 --- a/website/source/docs/internals/acl.html.markdown +++ b/website/source/docs/internals/acl.html.markdown @@ -63,6 +63,30 @@ to deny all actions, then token rules can be set to allow or whitelist actions. In the inverse, the allow all default behavior is a blacklist, where rules are used to prohibit actions. +### Blacklist mode and `consul exec` + +If you set `acl_default_policy` to `deny`, the `anonymous` token won't have the +permission to read the default `_rexec` prefix, and therefore token-less consul +agents (using the `anonymous` token) won't be able to perform `consul exec` +actions. + +There is a subtle interaction there. The agents will need permission to +read/write to the `_rexec` prefix for `consul exec` to work properly. They use +that as the transport for most data, only the edge trigger uses the event +system. + +You can do this by allowing the `anonymous` token to access that prefix, or by +providing tokens to the agents that enable it. The formar can be done by giving +this rule to the `anonymous` token`: + +```javascript +key "_rexec/" { + policy = "write" +} +``` + +### Bootstrapping ACLs + Bootstrapping the ACL system is done by providing an initial `acl_master_token` [configuration](/docs/agent/options.html), which will be created as a "management" type token if it does not exist. From 7f73e03b0b5762df22853955a9c940b161784b50 Mon Sep 17 00:00:00 2001 
From: Laurent Raufaste Date: Thu, 13 Nov 2014 17:43:25 -0500 Subject: [PATCH 2/3] extra ' --- website/source/docs/internals/acl.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/internals/acl.html.markdown b/website/source/docs/internals/acl.html.markdown index 0e9ad633bc..36d4a385ad 100644 --- a/website/source/docs/internals/acl.html.markdown +++ b/website/source/docs/internals/acl.html.markdown @@ -77,7 +77,7 @@ system. You can do this by allowing the `anonymous` token to access that prefix, or by providing tokens to the agents that enable it. The formar can be done by giving -this rule to the `anonymous` token`: +this rule to the `anonymous` token: ```javascript key "_rexec/" { From 6e69b3e40d64bc16f8f7c710a9ddbd9d55a156bc Mon Sep 17 00:00:00 2001 From: Laurent Raufaste Date: Thu, 13 Nov 2014 17:44:20 -0500 Subject: [PATCH 3/3] Another typo --- website/source/docs/internals/acl.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/internals/acl.html.markdown b/website/source/docs/internals/acl.html.markdown index 36d4a385ad..08522a7077 100644 --- a/website/source/docs/internals/acl.html.markdown +++ b/website/source/docs/internals/acl.html.markdown @@ -76,7 +76,7 @@ that as the transport for most data, only the edge trigger uses the event system. You can do this by allowing the `anonymous` token to access that prefix, or by -providing tokens to the agents that enable it. The formar can be done by giving +providing tokens to the agents that enable it. The former can be done by giving this rule to the `anonymous` token: ```javascript
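Review bot: In the first hunk (PATCH 1/3), the `key "_rexec/" { policy = "write" }` rule is presented as the simpler option, but granting it to the `anonymous` token hands write access on the `consul exec` transport prefix to every token-less client, while the second option the text mentions (per-agent tokens) scopes the same permission to the agents that need it. The new section should say that explicitly, so readers with `acl_default_policy = "deny"` understand that the anonymous rule reopens part of what the deny default closed. Two smaller points in the same hunk: the stray backtick in "to the `anonymous` token`:" and "formar" are typos (both fixed by the later patches in this series), and "They use that as the transport for most data, only the edge trigger uses the event system." is a comma splice that reads better as two sentences.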
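Review bot: PATCH 2/3 only removes the stray trailing backtick introduced in PATCH 1/3 (`token`:` to `token:`); a one-character fix to a line added in the previous commit of the same series should be squashed into that commit rather than landing as a separate "extra '" commit, and the commit subject should name the backtick rather than a quote.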
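Review bot: PATCH 3/3 likewise corrects a typo ("formar" to "former") in text added by PATCH 1/3 and should be folded into that commit; as three commits, the series leaves two intermediate revisions of the docs page that were never correct. Separately, the fenced block these hunks touch is tagged ```javascript while its content is an HCL key rule; if the rest of acl.html.markdown uses that tag for HCL, keep it for consistency, otherwise drop the tag.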