Consul使用【ACL使用】

  • 接前文,需要开启consul ACL配置,如下
#enable_key_list_policy开启true,为kv配置acl控制
    "acl":{
        "enabled":true,
        "default_policy":"deny",
        "enable_token_persistence":true,
        "enable_key_list_policy":true,
        "tokens":{
            "master":"14d54c5e-24ca-41cc-8c9e-987ba7a96ffb",
            "agent":"db98c304-4d38-8660-fafe-6a4be56a40d0"
        }
    }
  • 策略级别

    策略可以具有多个控制级别:

  • read:允许读取但不修改资源。
  • write:允许读取和修改资源。
  • deny:不允许读取或修改资源。
  • list:允许访问领事KV中某个网段下的所有键。注意,此策略只能与key_prefix资源一起使用,并且acl.enable_key_list_policy必须设置为true。
  • k-v创建token示例
# These control access to the key/value store.
key_prefix "" {
  policy = "read"
}
key_prefix "foo/" {
  policy = "write"
}
key_prefix "foo/private/" {
  policy = "deny"
}
# Or for exact key matches
key "foo/bar/secret" {
  policy = "deny"
}

# This controls access to cluster-wide Consul operator information.
operator = "read"

等效

{
  "key_prefix": {
    "": {
      "policy": "read"
    },
    "foo/": {
      "policy": "write"
    },
    "foo/private/": {
      "policy": "deny"
    }
  },
  "key" : {
    "foo/bar/secret" : {
      "policy" : "deny"
    }
  },
  "operator": "read"
}
key_prefix "" {
  policy = "read"
}
key "foo" {
  policy = "write"
}
key "bar" {
  policy = "deny"
}
key_prefix "" {
 policy = "deny"
}

key_prefix "bar" {
 policy = "list"
}

key_prefix "baz" {
 policy = "read"
}
node_prefix "" {
  policy = "read"
}
node "app" {
  policy = "write"
}
node "admin" {
  policy = "deny"
}
agent_prefix "" {
  policy = "read"
}
agent "foo" {
  policy = "write"
}
agent_prefix "bar" {
  policy = "deny"
}
event_prefix "" {
  policy = "read"
}
event "deploy" {
  policy = "write"
}
node_prefix "" {
  policy = "read"
}
node "app" {
  policy = "write"
}
node "admin" {
  policy = "deny"
}
query_prefix "" {
  policy = "read"
}
query "foo" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
service "app" {
  policy = "write"
}
service "admin" {
  policy = "deny"
}
session_prefix "" {
  policy = "read"
}
session "app" {
  policy = "write"
}
session "admin" {
  policy = "deny"
}
  • 遇到的坑!

当我创建一个token,分配了policy,如service_prefix....用这个token登录ui,在Services中可以看到权限内的service!同理node也是一样,但是针对key/values不行,会直接跳转到ACL登录页面

Consul使用【ACL使用】Consul使用【ACL使用】

Consul使用【ACL使用】Consul使用【ACL使用】

这时候并不是acl没有权限,需要在浏览器中直接输入http://ip:8500/ui/dc1/kv/foo/,dc1是datacenter的名字,foo为policy赋予的kv前缀,这样就可以在ui中修改key/values了

上一篇:hosts.deny不生效问题


下一篇:处理IP恶意的访问