Website: more cleanup for docs/internals/acl.html.

pull/827/head
Ryan Breen 10 years ago
parent ba3071c147
commit d90a466f45

@ -35,8 +35,8 @@ can be configured with an [`acl_token`](/docs/agent/options.html#acl_token) prop
to provide a default token, but the token can also be specified by a client on a to provide a default token, but the token can also be specified by a client on a
[per-request basis](/docs/agent/http.html). ACLs were added in Consul 0.4, meaning [per-request basis](/docs/agent/http.html). ACLs were added in Consul 0.4, meaning
prior versions do not provide a token. This is handled by the special "anonymous" prior versions do not provide a token. This is handled by the special "anonymous"
token. If no token provided, the rules associated with the anonymous token are token. If no token is provided, the rules associated with the anonymous token are
automatically applied. This allows policy to be enforced on legacy clients. automatically applied: this allows policy to be enforced on legacy clients.
Enforcement is always done by the server nodes. All servers must be configured Enforcement is always done by the server nodes. All servers must be configured
to provide an [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) which to provide an [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) which
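Review bot: The new wording "automatically applied: this allows policy to be enforced on legacy clients" puts a full independent clause after a colon, and "this" has no clear antecedent. Either keep the original period or write "automatically applied, which allows policy to be enforced on legacy clients". The "If no token is provided" fix in the same sentence pair is correct as is.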
@ -56,8 +56,8 @@ that is enforced. It is possible to set a zero TTL, but this has adverse
performance impacts, as every request requires refreshing the policy via a performance impacts, as every request requires refreshing the policy via a
cross-datacenter WAN call. cross-datacenter WAN call.
The Consul ACL center is also built to accommodate for an outage of the The Consul ACL system is designed with flexible rules to accommodate for an outage
[`acl_datacenter`](/docs/agent/options.html#acl_datacenter) or networking of the [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) or networking
issues preventing access to it. In this case, it may be impossible for issues preventing access to it. In this case, it may be impossible for
servers in non-authoritative datacenters to resolve tokens. Consul provides servers in non-authoritative datacenters to resolve tokens. Consul provides
a number of configurable [`acl_down_policy`](/docs/agent/options.html#acl_down_policy) a number of configurable [`acl_down_policy`](/docs/agent/options.html#acl_down_policy)
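Review bot: The rewritten opening sentence, "designed with flexible rules to accommodate for an outage", has two problems. "Accommodate for" is redundant and should be "accommodate an outage". "Flexible rules" is easy to misread as the token rules described elsewhere on the page, when the mechanism the paragraph goes on to describe is `acl_down_policy`. The new text also drops the "also" that tied this paragraph to the TTL discussion before it. Suggest "The Consul ACL system is also designed to accommodate an outage of the `acl_datacenter` or networking issues preventing access to it."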
@ -67,9 +67,9 @@ for any previously resolved tokens and to deny any uncached tokens.
ACLs can also act in either a whitelist or blacklist mode depending ACLs can also act in either a whitelist or blacklist mode depending
on the configuration of on the configuration of
[`acl_default_policy`](/docs/agent/options.html#acl_default_policy). If the default [`acl_default_policy`](/docs/agent/options.html#acl_default_policy). If the
policy is to deny all actions, then token rules can be set to allow or whitelist default policy is to deny all actions, then token rules can be set to whitelist
actions. In the inverse, the allow all default behavior is a blacklist specific actions. In the inverse, the allow all default behavior is a blacklist
where rules are used to prohibit actions. By default, Consul will allow all where rules are used to prohibit actions. By default, Consul will allow all
actions. actions.
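Review bot: The sentence "In the inverse, the allow all default behavior is a blacklist where rules are used to prohibit actions" is carried over unchanged apart from the line break and is still hard to parse: "allow all" needs a hyphen as a compound modifier, and the sentence equates a behavior with a list. Suggest "Conversely, if the default policy is to allow all actions, token rules act as a blacklist that prohibits specific actions", which parallels the reworded "whitelist specific actions" sentence before it.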
@ -116,14 +116,14 @@ that must be enforced. Consul supports ACLs for both [K/Vs](/intro/getting-start
and [services](/intro/getting-started/services.html). and [services](/intro/getting-started/services.html).
Key policies are defined by coupling a prefix with a policy. The rules are enforced Key policies are defined by coupling a prefix with a policy. The rules are enforced
using a longest-prefix match policy; Consul picks the most specific policy possible. The using a longest-prefix match policy: Consul picks the most specific policy possible. The
policy is either "read", "write" or "deny". A "write" policy implies "read", and there is no policy is either "read", "write", or "deny". A "write" policy implies "read", and there is no
way to specify write-only. If there is no applicable rule, the way to specify write-only. If there is no applicable rule, the
[`acl_default_policy`](/docs/agent/options.html#acl_default_policy) is applied. [`acl_default_policy`](/docs/agent/options.html#acl_default_policy) is applied.
Service policies are defined by coupling a service name and a policy. The rules are Service policies are defined by coupling a service name and a policy. The rules are
enforced using an exact match policy. The default rule, applied to any service that doesn't enforced using an exact match policy. The default rule, applied to any service that doesn't
have a matching policy, is provided using the empty string. The policy is either "read", have a matching policy, is provided using the empty string. A service policy is either "read",
"write", or "deny". A "write" policy implies "read", and there is no way to specify write-only. "write", or "deny". A "write" policy implies "read", and there is no way to specify write-only.
If there is no applicable rule, the If there is no applicable rule, the
[`acl_default_policy`](/docs/agent/options.html#acl_default_policy) is [`acl_default_policy`](/docs/agent/options.html#acl_default_policy) is
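Review bot: The two paragraphs are now inconsistent. The service paragraph was changed to "A service policy is either "read", "write", or "deny"" while the key paragraph still reads "The policy is either "read", "write", or "deny"". Change the key paragraph to "A key policy is either ..." so the parallel sentences match. The colon in "longest-prefix match policy: Consul picks the most specific policy possible" works here because the second clause explains the first.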
