Merge pull request #11468 from hashicorp/dnephin/acl-docs-namespace-rules

docs: update docs about namespace default policy/role
pull/11673/head
Daniel Nephin 2021-11-26 14:00:30 -05:00 committed by GitHub
commit a631378008
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 28 additions and 12 deletions


@ -50,13 +50,17 @@ The table below shows this endpoint's support for
that should be applied to all tokens created in this namespace. The ACLLink that should be applied to all tokens created in this namespace. The ACLLink
struct is an object with an "ID" and/or "Name" field to identify a policy. struct is an object with an "ID" and/or "Name" field to identify a policy.
When a name is used instead of an ID, Consul will resolve the name to an ID When a name is used instead of an ID, Consul will resolve the name to an ID
and store that internally. and store that internally. The ACL token used in the API request
must have [`acl:write` access](/docs/security/acl/acl-rules#acl-resource-rules)
to the linked policy.
- `RoleDefaults` `(array<ACLLink>)` - This is the list of default roles - `RoleDefaults` `(array<ACLLink>)` - This is the list of default roles
that should be applied to all tokens created in this namespace. The ACLLink that should be applied to all tokens created in this namespace. The ACLLink
struct is an object with an "ID" and/or "Name" field to identify a policy. struct is an object with an "ID" and/or "Name" field to identify a policy.
When a name is used instead of an ID, Consul will resolve the name to an ID When a name is used instead of an ID, Consul will resolve the name to an ID
and store that internally. and store that internally. The ACL token used in the API request
must have [`acl:write` access](/docs/security/acl/acl-rules#acl-resource-rules)
access to the linked role.
- `Meta` `(map<string|string>: <optional>)` - Specifies arbitrary KV metadata - `Meta` `(map<string|string>: <optional>)` - Specifies arbitrary KV metadata
to associate with the namespace. to associate with the namespace.
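Review bot: the new sentence on the `RoleDefaults` entry at the end of this hunk has a duplicated word: "must have [`acl:write` access](...) access to the linked role." The parallel `PolicyDefaults` sentence just above reads "to the linked policy", so drop the second "access" here to match. While touching this entry, the unchanged context "struct is an object with an "ID" and/or "Name" field to identify a policy" under `RoleDefaults` should say "to identify a role".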
@ -245,13 +249,17 @@ The table below shows this endpoint's support for
that should be applied to all tokens created in this namespace. The ACLLink that should be applied to all tokens created in this namespace. The ACLLink
struct is an object with an "ID" and/or "Name" field to identify a policy. struct is an object with an "ID" and/or "Name" field to identify a policy.
When a name is used instead of an ID, Consul will resolve the name to an ID When a name is used instead of an ID, Consul will resolve the name to an ID
and store that internally. and store that internally. The ACL token used in the API request
must have [`acl:write` access](/docs/security/acl/acl-rules#acl-resource-rules)
to the linked policy.
- `RoleDefaults` `(array<ACLLink>)` - This is the list of default roles - `RoleDefaults` `(array<ACLLink>)` - This is the list of default roles
that should be applied to all tokens created in this namespace. The ACLLink that should be applied to all tokens created in this namespace. The ACLLink
struct is an object with an "ID" and/or "Name" field to identify a policy. struct is an object with an "ID" and/or "Name" field to identify a policy.
When a name is used instead of an ID, Consul will resolve the name to an ID When a name is used instead of an ID, Consul will resolve the name to an ID
and store that internally. and store that internally. The ACL token used in the API request
must have [`acl:write` access](/docs/security/acl/acl-rules#acl-resource-rules)
to the linked role.
- `Meta` `(map<string|string>: <optional>)` - Specifies arbitrary KV metadata - `Meta` `(map<string|string>: <optional>)` - Specifies arbitrary KV metadata
to associate with the namespace. to associate with the namespace.
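Review bot: the `RoleDefaults` entry in this hunk still says the ACLLink struct is used "to identify a policy", which is a copy of the `PolicyDefaults` wording; it should read "to identify a role". The added `acl:write` sentence itself is correct here and, unlike the earlier hunk in this file, does not repeat "access".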


@ -31,10 +31,12 @@ from the CLI arguments.
in this namespace. May be specified multiple times. in this namespace. May be specified multiple times.
- `-default-policy-name=<value>` - Name of a policy from the default namespace to inject for all - `-default-policy-name=<value>` - Name of a policy from the default namespace to inject for all
tokens in this namespace. May be specified multiple times. tokens in this namespace. May be specified multiple times. The ACL token used with
this command must have [`acl:write` access](/docs/security/acl/acl-rules#acl-resource-rules) to the linked policy.
- `-default-role-id=<value>` - ID of a role from the default namespace to inject for all tokens in - `-default-role-id=<value>` - ID of a role from the default namespace to inject for all tokens in
this namespace. May be specified multiple times. this namespace. May be specified multiple times. The ACL token used with
this command must have [`acl:write` access](/docs/security/acl/acl-rules#acl-resource-rules) to the linked role.
- `-default-role-name=<value>` - Name of a role from the default namespace to inject for all tokens - `-default-role-name=<value>` - Name of a role from the default namespace to inject for all tokens
in this namespace. May be specified multiple times. in this namespace. May be specified multiple times.
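Review bot: this hunk is inconsistent with the update-command hunk below: only `-default-policy-name` and `-default-role-id` gain the "The ACL token used with this command must have [`acl:write` access](...)" sentence, while `-default-role-name` (the last item in this hunk) and `-default-policy-id` (whose tail is the first context line) are left without it. Since the permission requirement is the same for all four flags, add the sentence to the two remaining options so a reader of the create command sees the same requirement as a reader of the update command.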


@ -29,16 +29,20 @@ with the existing namespace definition.
#### Command Options #### Command Options
- `-default-policy-id=<value>` - ID of a policy from the default namespace to inject for all tokens - `-default-policy-id=<value>` - ID of a policy from the default namespace to inject for all tokens
in this namespace. May be specified multiple times. in this namespace. May be specified multiple times. The ACL token used with
this command must have [`acl:write` access](/docs/security/acl/acl-rules#acl-resource-rules) to the linked policy.
- `-default-policy-name=<value>` - Name of a policy from the default namespace to inject for all - `-default-policy-name=<value>` - Name of a policy from the default namespace to inject for all
tokens in this namespace. May be specified multiple times. tokens in this namespace. May be specified multiple times. The ACL token used with
this command must have [`acl:write` access](/docs/security/acl/acl-rules#acl-resource-rules) to the linked policy.
- `-default-role-id=<value>` - ID of a role from the default namespace to inject for all tokens in - `-default-role-id=<value>` - ID of a role from the default namespace to inject for all tokens in
this namespace. May be specified multiple times. this namespace. May be specified multiple times. The ACL token used with
this command must have [`acl:write` access](/docs/security/acl/acl-rules#acl-resource-rules) to the linked role.
- `-default-role-name=<value>` - Name of a role from the default namespace to inject for all tokens - `-default-role-name=<value>` - Name of a role from the default namespace to inject for all tokens
in this namespace. May be specified multiple times. in this namespace. May be specified multiple times. The ACL token used with
this command must have [`acl:write` access](/docs/security/acl/acl-rules#acl-resource-rules) to the linked role.
- `-description=<string>` - A description of the namespace. - `-description=<string>` - A description of the namespace.
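Review bot: the same sentence is now repeated verbatim on all four `-default-*` options in this hunk; a single statement above the options ("The ACL token used with this command must have `acl:write` access to every linked policy and role") would be easier to keep in sync, but if the per-option wording is kept, it should be applied identically in the create-command hunk above, which currently covers only two of the four flags.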


@ -101,13 +101,15 @@ Meta {
created in this namespace. The ACLLink object can contain an `ID` and/or `Name` field. When the created in this namespace. The ACLLink object can contain an `ID` and/or `Name` field. When the
policies ID is omitted Consul will resolve the name to an ID before writing the namespace policies ID is omitted Consul will resolve the name to an ID before writing the namespace
definition internally. Note that all policies linked in a namespace definition must be defined definition internally. Note that all policies linked in a namespace definition must be defined
within the `default namespace. within the `default` namespace, and the ACL token used to create or edit the
namespace must have [`acl:write` access](/docs/security/acl/acl-rules#acl-resource-rules) to the linked policy.
- `RoleDefaults` `(array<ACLLink>)` - A list of default roles to be applied to all tokens - `RoleDefaults` `(array<ACLLink>)` - A list of default roles to be applied to all tokens
created in this namespace. The ACLLink object can contain an `ID` and/or `Name` field. When the created in this namespace. The ACLLink object can contain an `ID` and/or `Name` field. When the
roles' ID is omitted Consul will resolve the name to an ID before writing the namespace roles' ID is omitted Consul will resolve the name to an ID before writing the namespace
definition internally. Note that all roles linked in a namespace definition must be defined definition internally. Note that all roles linked in a namespace definition must be defined
within the `default namespace. within the `default` namespace, and the ACL token used to create or edit the
namespace must have [`acl:write` access](/docs/security/acl/acl-rules#acl-resource-rules) to the linked role.
- `Meta` `(map<string|string>: <optional>)` - Specifies arbitrary KV metadata to associate with - `Meta` `(map<string|string>: <optional>)` - Specifies arbitrary KV metadata to associate with
this namespace. this namespace.
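Review bot: the unbalanced backtick in "within the `default namespace." is fixed on both entries, good. Two grammar points remain in the unchanged context of this hunk: "When the policies ID is omitted" should be "When the policy's ID is omitted", and "When the roles' ID is omitted" should be "When the role's ID is omitted" (a single link has a single ID). Also consider matching the phrasing of the added sentence to the API docs ("The ACL token used in the API request must have ...") so the two pages describe the same check in the same words.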