guides: Update for globbed namespace rules

Danielle Tomlinson
2018-12-12 13:02:44 +01:00
parent 4e59d473f7
commit f10dbbec54


@@ -253,6 +253,36 @@ namespace "default" {
}
```
Namespaces definitions may also include globs, allowing a single policy definition to apply to a set of namespaces. For example, the below policy allows read access to most production namespaces, but allows write access to the "production-api" namespace, and rejects any access to the "production-web" namespace.
```
namespace "production-*" {
policy = "read"
}
namespace "production-api" {
policy = "write"
}
namespace "production-web" {
policy = "deny"
}
```
Namespaces are matched to their policies first by performing a lookup on any _exact match_, before falling back to performing a glob based lookup. When looking up namespaces by glob, the matching policy with the greatest number of matched characters will be chosen. For example:
```
namespace "*-web" {
policy = "deny"
}
namespace "*" {
policy = "write"
}
```
Will evaluate to deny for `production-web`, because it is 9 characters different from the `"*-web"` rule, but 13 characters different from the `"*"` rule.
### Node Rules
The `node` policy controls access to the [Node API](/api/nodes.html) such as listing nodes or triggering a node drain.
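Review bot: The closing explanation after the second example ("it is 9 characters different from the `"*-web"` rule, but 13 characters different from the `"*"` rule") uses a different metric from the sentence that introduces glob lookup, which says the policy with "the greatest number of matched characters" is chosen; use one metric in both places. The counts also need a stated method: `production-web` is 14 characters and `-web` supplies 4 literal ones, so a reader cannot reproduce 9 and 13 without knowing whether the `*` itself is counted. Because this ordering decides whether a deny or a write rule applies, the text should also say what happens when two globs match equally well. Smaller points: begin the last sentence with a subject ("This policy will evaluate to ..."), and change "Namespaces definitions" to "Namespace definitions" in the first added paragraph.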