From 58016d1aa2d06658158d683a49fa355634ef90f0 Mon Sep 17 00:00:00 2001 From: Paul Glass Date: Tue, 7 Mar 2023 14:05:23 -0600 Subject: [PATCH] docs: Document config entry permissions (#16556) --- website/content/api-docs/config.mdx | 157 +++++++++++++++++----------- 1 file changed, 96 insertions(+), 61 deletions(-) diff --git a/website/content/api-docs/config.mdx b/website/content/api-docs/config.mdx index 3c49e0c8d3..96e6a7b4de 100644 --- a/website/content/api-docs/config.mdx +++ b/website/content/api-docs/config.mdx @@ -31,25 +31,32 @@ The table below shows this endpoint's support for | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------------------------------- | -| `NO` | `none` | `none` | `service:write`
`operator:write`1 | - -

- 1 The ACL required depends on the config entry kind being updated: -

- -| Config Entry Kind | Required ACL | -| ------------------- | ------------------ | -| ingress-gateway | `operator:write` | -| proxy-defaults | `operator:write` | -| service-defaults | `service:write` | -| service-intentions | `intentions:write` | -| service-resolver | `service:write` | -| service-router | `service:write` | -| service-splitter | `service:write` | -| terminating-gateway | `operator:write` | +| `NO` | `none` | `none` | Refer to [Permissions](#permissions) | The corresponding CLI command is [`consul config write`](/consul/commands/config/write). +### Permissions + +The ACL required depends on the config entry being written: + +| Config Entry Kind | Required ACLs | +| ------------------- | -------------------------------- | +| api-gateway | `mesh:write` or `operator:write` | +| bound-api-gateway | Not writable. | +| exported-services | `mesh:write` or `operator:write` | +| http-route | `mesh:write` or `operator:write` | +| ingress-gateway | `mesh:write` or `operator:write` | +| inline-certificate | `mesh:write` or `operator:write` | +| mesh | `mesh:write` or `operator:write` | +| proxy-defaults | `mesh:write` or `operator:write` | +| service-defaults | `service:write` | +| service-intentions | `intentions:write` | +| service-resolver | `service:write` | +| service-router | `service:write` | +| service-splitter | `service:write` | +| tcp-route | `mesh:write` or `operator:write` | +| terminating-gateway | `mesh:write` or `operator:write` | + ### Query Parameters - `dc` `(string: "")` - Specifies the datacenter to query. 
@@ -96,25 +103,35 @@ The table below shows this endpoint's support for [agent caching](/consul/api-docs/features/caching), and [required ACLs](/consul/api-docs/api-structure#authentication). -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | -------------------------- | -| `YES` | `all` | `none` | `service:read`1 | - -1 The ACL required depends on the config entry kind being read: +| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | +| ---------------- | ----------------- | ------------- | -------------------------------------- | +| `YES` | `all` | `none` | Refer to [Permissions](#permissions-1) | -| Config Entry Kind | Required ACL | -| ------------------- | ----------------- | -| ingress-gateway | `service:read` | -| proxy-defaults | `` | -| service-defaults | `service:read` | -| service-intentions | `intentions:read` | -| service-resolver | `service:read` | -| service-router | `service:read` | -| service-splitter | `service:read` | -| terminating-gateway | `service:read` | The corresponding CLI command is [`consul config read`](/consul/commands/config/read). 
+### Permissions + +The ACL required depends on the config entry kind being read: + +| Config Entry Kind | Required ACLs | +| ------------------- | -------------------------------- | +| api-gateway | `service:read` | +| bound-api-gateway | `service:read` | +| exported-services | `mesh:read` or `operator:read` | +| http-route | `mesh:read` or `operator:read` | +| ingress-gateway | `service:read` | +| inline-certificate | `mesh:read` or `operator:read` | +| mesh | No ACL required | +| proxy-defaults | No ACL required | +| service-defaults | `service:read` | +| service-intentions | `intentions:read` | +| service-resolver | `service:read` | +| service-router | `service:read` | +| service-splitter | `service:read` | +| tcp-route | `mesh:read` or `operator:read` | +| terminating-gateway | `service:read` | + ### Path Parameters - `kind` `(string: )` - Specifies the kind of the entry to read. 
@@ -167,22 +184,31 @@ The table below shows this endpoint's support for [agent caching](/consul/api-docs/features/caching), and [required ACLs](/consul/api-docs/api-structure#authentication). -| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | -| ---------------- | ----------------- | ------------- | -------------------------- | -| `YES` | `all` | `none` | `service:read`1 | - -1 The ACL required depends on the config entry kind being read: - -| Config Entry Kind | Required ACL | -| ------------------- | ----------------- | -| ingress-gateway | `service:read` | -| proxy-defaults | `` | -| service-defaults | `service:read` | -| service-intentions | `intentions:read` | -| service-resolver | `service:read` | -| service-router | `service:read` | -| service-splitter | `service:read` | -| terminating-gateway | `service:read` | +| Blocking Queries | Consistency Modes | Agent Caching | ACL Required | +| ---------------- | ----------------- | ------------- | -------------------------------------- | +| `YES` | `all` | `none` | Refer to [Permissions](#permissions-2) | + +### Permissions + +The ACL required depends on the config entry kind being read: + +| Config Entry Kind | Required ACLs | +| ------------------- | -------------------------------- | +| api-gateway | `service:read` | +| bound-api-gateway | `service:read` | +| exported-services | `mesh:read` or `operator:read` | +| http-route | `mesh:read` or `operator:read` | +| ingress-gateway | `service:read` | +| inline-certificate | `mesh:read` or `operator:read` | +| mesh | No ACL required | +| proxy-defaults | No ACL required | +| service-defaults | `service:read` | +| service-intentions | `intentions:read` | +| service-resolver | `service:read` | +| service-router | `service:read` | +| service-splitter | `service:read` | +| tcp-route | `mesh:read` or `operator:read` | +| terminating-gateway | `service:read` | The corresponding CLI command is [`consul config list`](/consul/commands/config/list). 
@@ -243,20 +269,29 @@ The table below shows this endpoint's support for | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | | ---------------- | ----------------- | ------------- | ------------------------------------------------- | -| `NO` | `none` | `none` | `service:write`
`operator:write`1 | - -1 The ACL required depends on the config entry kind being deleted: - -| Config Entry Kind | Required ACL | -| ------------------- | ------------------ | -| ingress-gateway | `operator:write` | -| proxy-defaults | `operator:write` | -| service-defaults | `service:write` | -| service-intentions | `intentions:write` | -| service-resolver | `service:write` | -| service-router | `service:write` | -| service-splitter | `service:write` | -| terminating-gateway | `operator:write ` | +| `NO` | `none` | `none` | Refer to [Permissions](#permissions-3) | + +### Permissions + +The ACL required depends on the config entry kind being deleted: + +| Config Entry Kind | Required ACLs | +| ------------------- | -------------------------------- | +| api-gateway | `mesh:write` or `operator:write` | +| bound-api-gateway | Not writable. | +| exported-services | `mesh:write` or `operator:write` | +| http-route | `mesh:write` or `operator:write` | +| ingress-gateway | `mesh:write` or `operator:write` | +| inline-certificate | `mesh:write` or `operator:write` | +| mesh | `mesh:write` or `operator:write` | +| proxy-defaults | `mesh:write` or `operator:write` | +| service-defaults | `service:write` | +| service-intentions | `intentions:write` | +| service-resolver | `service:write` | +| service-router | `service:write` | +| service-splitter | `service:write` | +| tcp-route | `mesh:write` or `operator:write` | +| terminating-gateway | `mesh:write` or `operator:write` | The corresponding CLI command is [`consul config delete`](/consul/commands/config/delete).
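Review bot: In the write-endpoint hunk (the new `### Permissions` section after `consul config write`), the link target `#permissions` depends on the MDX renderer auto-deduplicating four identical `### Permissions` headings into `#permissions`, `#permissions-1`, `#permissions-2` and `#permissions-3`; any reordering of the four endpoint sections, or a renderer that slugs differently, silently breaks the cross-references. Consider giving each heading a unique title (for example `### Permissions for writing config entries`) or an explicit anchor so the links do not depend on heading order. The `bound-api-gateway | Not writable.` cell is also the only one in the table ending with a period; drop it to match the other cells.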
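Review bot: In the read-endpoint hunk (`consul config read`), the rows `mesh | No ACL required` and `proxy-defaults | No ACL required` correctly replace the old empty `` `` `` cell, but the wording leaves it implicit that these two entry kinds are readable with any token, including the anonymous token. Since both kinds carry mesh-wide configuration, a short sentence below the table stating that they are readable without a token would make the exposure explicit to operators reviewing their ACL posture. Note also that this hunk places `The corresponding CLI command is ...` before the `### Permissions` section, while the list and delete hunks place it after; pick one order for all four endpoints.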
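Review bot: In the list-endpoint hunk (`consul config list`), the new table duplicates the read-endpoint table row for row. That is acceptable for reference docs, but if the two are meant to stay identical a one-line note such as "Permissions are the same as for reading a single config entry" next to the table would make the intent clear to future editors and reduce the chance of the two drifting apart. The header cell `Required ACLs` is plural here while the surrounding table header `ACL Required` is singular; align the two.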
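Review bot: In the delete-endpoint hunk (`consul config delete`), the cell `bound-api-gateway | Not writable.` is copied from the write table, but this section describes deletion; `Cannot be deleted` (or `Not deletable`) says what the reader actually needs here. It would also help to state what the endpoint returns when a write or delete of a `bound-api-gateway` entry is attempted, since the table only says it is not permitted. The removal of the trailing space in the old `operator:write ` cell is a good cleanup.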