consul/contributing/acl/README.md

36 lines
1.2 KiB
Markdown

# ACL
This section is a work in progress.
The ACL subsystem is responsible for authenticating and authorizing access to Consul
operations ([HTTP API], and [RPC]).
[HTTP API]: ../http-api
[RPC]: ../rpc
## ACL Entities
There are many entities in the ACL subsystem. The diagram below shows the relationship
between the entities.
![Entity Relationship Diagram](./erd.svg)
<sup>[source](./erd.mmd)</sup>
ACL Tokens are at the center of the ACL system. Tokens are associated with a set of
Policies, and Roles.
AuthMethods, which consist of BindingRules, are a mechanism for creating ACL Tokens from
policies stored in external systems (ex: kubernetes, JWT, or OIDC).
Roles are a set of policies associated with a named role, and ServiceIdentity and
NodeIdentity are policy templates that are associated with a specific service or node and
can be rendered into a full policy.
Each Policy contains a set of rules. Each rule relates to a specific resource, and
includes an AccessLevel (read, write, list or deny).
An ACL Token can be resolved into an Authorizer. The Authorizer is what is used by the
[HTTP API], and [RPC] endpoints to determine if an operation is allowed or forbidden (the
enforcement decision).