Merge pull request #9309 from hashicorp/docs/example-snapshot-agent-policy

docs: Add example ACL policy for snapshot agent
release/1.10.0-beta3
Daniel Nephin 2021-05-20 14:44:54 -04:00 committed by hc-github-team-consul-core
parent 51c9d1e6c3
commit be3a7cf745
1 changed files with 59 additions and 0 deletions

View File

@ -51,6 +51,8 @@ Snapshots can be restored using the
[`consul snapshot restore`](/commands/snapshot/restore) command, or
the [HTTP API](/api/snapshot).
## ACL permissions
If ACLs are enabled the following privileges are required:
| Resource | Segment | Permission | Explanation |
@ -60,6 +62,63 @@ If ACLs are enabled the following privileges are required:
| `session` | `<agent name>` | `write` | The session used for locking during leader election is created against the agent name of the Consul agent that the Snapshot agent is registering itself with. |
| `service` | `<service name>` | `write` | The Snapshot agent registers itself with the local Consul agent and must have write privileges on its service name which is configured with `-service`. |
### Example ACL policy
The following is a example least privilege policy which allows the snapshot agent
to run on a node named `server-1234`.
<Tabs>
<Tab heading="HCL">
```hcl
# Required to read and snapshot ACL data
acl = "write"
# Allow the snapshot agent to create the key consul-snapshot/lock which will
# serve as a leader election lock when multiple snapshot agents are running in
# an environment
key "consul-snapshot/lock" {
policy = "write"
}
# Allow the snapshot agent to create sessions on the specified node
session "server-1234" {
policy = "write"
}
# Allow the snapshot agent to register itself into the catalog
service "consul-snapshot" {
policy = "write"
}
```
</Tab>
<Tab heading="JSON">
```json
{
"acl": "write",
"key": {
"consul-snapshot/lock": {
"policy": "write"
}
},
"session": {
"server-1234": {
"policy": "write"
}
},
"service": {
"consul-snapshot": {
"policy": "write"
}
}
}
```
</Tab>
</Tabs>
Additional `session` rules should be created, or `session_prefix` used, if the
snapshot agent is deployed across more than one hosts.
## Usage
Usage: `consul snapshot agent [options]`