
docs: internals/acl: minor fixes

pull/500/head
Dan Frost 10 years ago
parent commit 738ade9df8
1 file changed, 10 lines: website/source/docs/internals/acl.html.markdown
@ -11,7 +11,7 @@ description: |-
Consul provides an optional Access Control List (ACL) system which can be used to control Consul provides an optional Access Control List (ACL) system which can be used to control
access to data and APIs. The ACL system is a access to data and APIs. The ACL system is a
[Capability-based system](http://en.wikipedia.org/wiki/Capability-based_security) that relies [Capability-based system](http://en.wikipedia.org/wiki/Capability-based_security) that relies
on tokens which can have fine grained rules applied to them. It is very similar to on tokens to which fine grained rules can be applied. It is very similar to
[AWS IAM](http://aws.amazon.com/iam/) in many ways. [AWS IAM](http://aws.amazon.com/iam/) in many ways.
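Review bot: "fine grained" in the reworded sentence should be hyphenated, since it modifies "rules": `on tokens to which fine-grained rules can be applied`. The reordering itself is an improvement over "tokens which can have ... applied to them". While touching this line, the Wikipedia link could also be switched from http to https.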
## ACL Design ## ACL Design
@ -30,10 +30,10 @@ perform all actions.
The token ID is passed along with each RPC request to the servers. Agents The token ID is passed along with each RPC request to the servers. Agents
[can be configured](/docs/agent/options.html) with `acl_token` to provide a default token, [can be configured](/docs/agent/options.html) with `acl_token` to provide a default token,
but the token can also be specified by a client on a [per-request basis](/docs/agent/http.html). but the token can also be specified by a client on a [per-request basis](/docs/agent/http.html).
ACLs are new as of Consul 0.4, meaning versions prior do not provide a token. ACLs are new as of Consul 0.4, meaning prior versions do not provide a token.
This is handled by the special "anonymous" token. Anytime there is no token provided, This is handled by the special "anonymous" token. Anytime there is no token provided,
the rules defined by that token are automatically applied. This lets policy be enforced the rules defined by that token are automatically applied. This allows
on legacy clients. policy to be enforced on legacy clients.
Enforcement is always done by the server nodes. All servers must be [configured Enforcement is always done by the server nodes. All servers must be [configured
to provide](/docs/agent/options.html) an `acl_datacenter`, which enables to provide](/docs/agent/options.html) an `acl_datacenter`, which enables
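Review bot: the rewrite still frames the anonymous token as a legacy-client mechanism, but the preceding sentence says its rules apply any time a request carries no token, which includes current clients that simply omit `acl_token` or the per-request token. Suggest stating that directly so readers understand the anonymous policy is the effective default for every tokenless request, e.g. `Whenever no token is provided, the rules defined by the anonymous token are applied, so its policy governs every unauthenticated request, including those from pre-0.4 clients.` "Anytime" should also be "Any time" or "Whenever".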
@ -47,7 +47,7 @@ all the tokens.
When a request is made to any non-authoritative server with a token, it must When a request is made to any non-authoritative server with a token, it must
be resolved into the appropriate policy. This is done by reading the token be resolved into the appropriate policy. This is done by reading the token
from the authoritative server and caching a configurable `acl_ttl`. The implication from the authoritative server and caching a configurable `acl_ttl`. The implication
of caching is that the cache TTL is an upper-bound on the staleness of policy of caching is that the cache TTL is an upper bound on the staleness of policy
that is enforced. It is possible to set a zero TTL, but this has adverse that is enforced. It is possible to set a zero TTL, but this has adverse
performance impacts, as every request requires refreshing the policy. performance impacts, as every request requires refreshing the policy.
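Review bot: "caching a configurable `acl_ttl`" reads as if the TTL value itself is cached; suggest "caching the result for a configurable `acl_ttl`". Since the paragraph presents the TTL as an upper bound on policy staleness, it would help to spell out that this includes revocation: a token deleted or changed on the authoritative servers can continue to be honored by a non-authoritative server until its cached entry expires, which is exactly the trade-off the zero-TTL sentence is weighing.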
