From e527c191ae69fcdacb246d85a0a750478c882945 Mon Sep 17 00:00:00 2001 From: Dhia Ayachi Date: Thu, 20 May 2021 10:55:33 -0400 Subject: [PATCH] docs: Add example ACL policy for snapshot agent Co-Authored-By: Blake Covarrubias --- website/content/commands/snapshot/agent.mdx | 59 +++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/website/content/commands/snapshot/agent.mdx b/website/content/commands/snapshot/agent.mdx index 5691e095ac..8edcd5eb56 100644 --- a/website/content/commands/snapshot/agent.mdx +++ b/website/content/commands/snapshot/agent.mdx @@ -51,6 +51,8 @@ Snapshots can be restored using the [`consul snapshot restore`](/commands/snapshot/restore) command, or the [HTTP API](/api/snapshot). +## ACL permissions + If ACLs are enabled the following privileges are required: | Resource | Segment | Permission | Explanation | 
@@ -60,6 +62,63 @@ If ACLs are enabled the following privileges are required: | `session` | `` | `write` | The session used for locking during leader election is created against the agent name of the Consul agent that the Snapshot agent is registering itself with. | | `service` | `` | `write` | The Snapshot agent registers itself with the local Consul agent and must have write privileges on its service name which is configured with `-service`. | +### Example ACL policy + +The following is a example least privilege policy which allows the snapshot agent +to run on a node named `server-1234`. + + + + +```hcl +# Required to read and snapshot ACL data +acl = "write" +# Allow the snapshot agent to create the key consul-snapshot/lock which will +# serve as a leader election lock when multiple snapshot agents are running in +# an environment +key "consul-snapshot/lock" { + policy = "write" +} +# Allow the snapshot agent to create sessions on the specified node +session "server-1234" { + policy = "write" +} +# Allow the snapshot agent to register itself into the catalog +service "consul-snapshot" { + policy = "write" +} +``` + + + + +```json +{ + "acl": "write", + "key": { + "consul-snapshot/lock": { + "policy": "write" + } + }, + "session": { + "server-1234": { + "policy": "write" + } + }, + "service": { + "consul-snapshot": { + "policy": "write" + } + } +} +``` + + + + +Additional `session` rules should be created, or `session_prefix` used, if the +snapshot agent is deployed across more than one hosts. + ## Usage Usage: `consul snapshot agent [options]`
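Review bot: Two grammar slips in the prose of this hunk: "The following is a example least privilege policy" should read "an example least-privilege policy", and the closing sentence "deployed across more than one hosts" should read "more than one host". In the HCL block, the comment `# Required to read and snapshot ACL data` sits directly above `acl = "write"`; either the comment should say why `write` (not `read`) is the permission the table above calls for, or the rule is broader than the "least privilege" label promises, so please make the comment match the permission actually granted. The `service "consul-snapshot"` rule also hardcodes a name that the unchanged context line says "is configured with `-service`"; the comment should state that `consul-snapshot` is the assumed `-service` value, in the same way the paragraph already ties `server-1234` to the node name, so a reader who changes either flag knows to update the policy. The JSON tab repeats the same rules without those comments, which is fine, but it only stays correct if both tabs are kept in sync when the HCL changes.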