consul自帶ACL控制功能,看了很多遍官方文檔,沒有配置步驟https://www.consul.io/docs/internals/acl.html 主要對各種配置參數解釋,沒有明確的步驟,當時唯一疑惑的是怎樣生成ACL規則。看了很多相關的blog都是相似的內容,都是基礎的安裝測試而已,沒有提到具體配置ACL,估計更多的只是實驗嘗試而已,沒有涉及ACL配置使用。后來有辛搜到了一片文章才恍然大悟,明白ACL配置是怎么回事了,http://qiita.com/yunano/items/931448a590c7f346ed01。我之后是這樣配置的:
1、對數據中心的每個server,添加acl_config.json配置:
{
"acl_datacenter"
:
"datacenter-tag"
,
"acl_master_token"
:
"xxxxxxxxxx9cda01"
,
"acl_default_policy"
:
"deny"
}
|
這3個參數每個server模式的node都必須有。相關參數解釋官方文檔都有,https://www.consul.io/docs/agent/options.html
acl_default_policy默認值值是allow,即能夠執行任何操作,這里需要關閉。
acl_master_token需要在每個server上配置,有management級別的權限,相當於一個種子token。
acl_datacenter區域的標識。
2、通過API接口 /v1/acl/create 創建一個management用戶用於管理token的權限分配,這里生成這個management級別的token需要之前配置文件里面的種子token。
curl -H
"X-Consul-Token: secret"
-X PUT -d
'{"Name": "datacenter-tag", "Type": "management"}'
http:
//127
.0.0.1:8500
/v1/acl/create
?token=xxxxxxxxxx9cda01
{
"ID"
:
"xxxxxxxxxxx-xxxx-xxxx-xxxxxxxxxxx"
}
|
3、可以將這個management權限的token配置在ui節目管理的節點上,便於管理ACL、k/v、service等(但是我沒有這么干,不然這個node的權限太大,不便於控制)。
{
"acl_datacenter"
:
"datacenter-tag"
,
"acl_master_token"
:
"xxxxxxxxxxx9cda01"
,
"acl_token"
:
"b9exxxxx-xxxx-xxxx-xxx-xxxxxxxxxx291ba"
,
"acl_default_policy"
:
"deny"
}
|
現在就可以通過ui界面管理token的權限分配了(制訂ACL規則)。
4、合理分配token的權限(制定ACL規則),官方文檔有一例分配說明:
# Default all keys to read-only
key
""
{
policy =
"read"
}
key
"foo/"
{
policy =
"write"
}
key
"foo/private/"
{
# Deny access to the dir "foo/private"
policy =
"deny"
}
# Default all services to allow registration. Also permits all
# services to be discovered.
service
""
{
policy =
"write"
}
# Deny registration access to services prefixed "secure-".
# Discovery of the service is still allowed in read mode.
service
"secure-"
{
policy =
"read"
}
# Allow firing any user event by default.
event
""
{
policy =
"write"
}
# Deny firing events prefixed with "destroy-".
event
"destroy-"
{
policy =
"deny"
}
# Default prepared queries to read-only.
query
""
{
policy =
"read"
}
# Read-only mode for the encryption keyring by default (list only)
keyring =
"read"
|
API注冊ACL規則用JSION數據格式:
{
"key"
: {
""
: {
"policy"
:
"read"
},
"foo/"
: {
"policy"
:
"write"
},
"foo/private"
: {
"policy"
:
"deny"
}
},
"service"
: {
""
: {
"policy"
:
"write"
},
"secure-"
: {
"policy"
:
"read"
}
},
"event"
: {
""
: {
"policy"
:
"write"
},
"destroy-"
: {
"policy"
:
"deny"
}
},
"query"
: {
""
: {
"policy"
:
"read"
}
},
"keyring"
:
"read"
}
|
創建好ACL后,將生成的acl_token xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx 配置到每個agent,除了那個ui的server節點,當然這個節點也可以配置這個token,只是權限沒有那么大了,管理不是很便捷。
client節點的acl_config.json配置:
{
"acl_datacenter"
:
"datacenter-tag"
,
"acl_token"
:
"xxxxxx-4bf0-xxxx-2079-xxxxxxxxx"
}
|
server節點的acl_config.json配置(UI的server節點除外):
{
"acl_datacenter"
:
"datacenter-tag"
,
"acl_master_token"
:
"xxxxxxxxxxxxxxxxx"
,
"acl_token"
:
"xxxxxxx-xxxx-xxxx-2079-xxxxxxxxxx"
,
"acl_default_policy"
:
"deny"
}
|
測試ACL是否生效:
[root@xx-xx-xxxx ~]
# curl -X PUT -d 'test' http://127.0.0.1:8500/v1/kv/web/key1
rpc error: Permission denied
[root@xx-xx-xxxx ~]
#
[root@xx-xx-xxxx ~]
# curl -X PUT -d 'test' http://127.0.0.1:8500/v1/kv/foo/key1
true
|
雖然分享了知識但也得為安全考慮,文章中所有敏感信息均已處理,比如token都是未知或無效的等。