kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-05 18:05:42 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
36f75c5f3ef1efa689cfef2a080f3bbf89a7bf69
nomad/website/content/docs/configuration/acl.mdx
Tim Gross d3ddb0aa49 docs: make it clear that federation features require ACLs (#20196) 
Our documentation has a hidden assumption that users know that federation
replication requires ACLs to be enabled and bootstrapped. Add notes at some of
the places users are likely to look for it.

A separate follow-up PR to the federation tutorial should point to the ACL
multi-region tutorial as well.

Fixes: https://github.com/hashicorp/nomad/issues/20128
2024-03-22 15:15:00 -04:00

72 lines
3.3 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: acl Block - Agent Configuration
description: >-
The "acl" block configures the Nomad agent to enable ACLs and tune various
parameters.
---
# `acl` Block
<Placement groups={['acl']} />
The `acl` block configures the Nomad agent to enable ACLs and tunes various
ACL parameters. Learn more about configuring Nomad's ACL system in the [Secure
Nomad with Access Control guide][secure-guide].
```hcl
acl {
enabled = true
token_ttl = "30s"
policy_ttl = "60s"
role_ttl = "60s"
}
```
## `acl` Parameters
- `enabled` `(bool: false)` - Specifies if ACL enforcement is enabled. All other
ACL configuration options depend on this value. All agents should have the
same value for this parameter. For example the Nomad command line will
send requests for client endpoints such as `alloc exec` directly to Nomad
clients whenever they are accessible. In this scenario, the client will
enforce ACLs, so both servers and clients should have ACLs enabled.
- `token_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
cached ACL tokens. This does not affect servers, since they do not cache tokens.
Setting this value lower reduces how stale a token can be, but increases
the request load against servers. If a client cannot reach a server, for example
because of an outage, the TTL will be ignored and the cached value used.
- `policy_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
cached ACL policies. This does not affect servers, since they do not cache policies.
Setting this value lower reduces how stale a policy can be, but increases
the request load against servers. If a client cannot reach a server, for example
because of an outage, the TTL will be ignored and the cached value used.
- `role_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
cached ACL roles. This does not affect servers, since they do not cache roles.
Setting this value lower reduces how stale a role can be, but increases the
request load against servers. If a client cannot reach a server, for example
because of an outage, the TTL will be ignored and the cached value used.
- `replication_token` `(string: "")` - Specifies the Secret ID of the ACL token
to use for replicating policies and tokens. This is used by servers in
non-authoritative region to mirror the policies and tokens into the local
region from the [`authoritative_region`][authoritative-region]. Setting
`replication_token` requires that ACLs have been bootstrapped in the
authoritative region. See [Configure for multiple regions][] in the ACLs
tutorial.
- `token_min_expiration_ttl` `(string: "1m")` - Specifies the lowest acceptable
TTL value for an ACL token when setting expiration. This is used by the Nomad
servers to validate ACL tokens and ACL authentication methods.
- `token_max_expiration_ttl` `(string: "24h")` - Specifies the highest acceptable
TTL value for an ACL token when setting expiration. This is used by the Nomad
servers to validate ACL tokens and ACL authentication methods.
[secure-guide]: /nomad/tutorials/access-control
[authoritative-region]: /nomad/docs/configuration/server#authoritative_region
[Configure for multiple regions]: /nomad/tutorials/access-control/access-control-bootstrap#configure-for-multiple-regions
Reference in New Issue View Git Blame Copy Permalink