kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-01 16:05:42 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
eaea9164a56c60aaff2c311138995a2038ebc302
nomad/website/content/docs/configuration/acl.mdx
James Rasell eaea9164a5 acl: correctly resolve ACL roles within client cache. (#14922) 
The client ACL cache was not accounting for tokens which included
ACL role links. This change modifies the behaviour to resolve role
links to policies. It will also now store ACL roles within the
cache for quick lookup. The cache TTL is configurable in the same
manner as policies or tokens.

Another small fix is included that takes into account the ACL
token expiry time. This was not included, which meant tokens with
expiry could be used past the expiry time, until they were GC'd.
2022-10-20 09:37:32 +02:00

66 lines
2.9 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: acl Stanza - Agent Configuration
description: >-
The "acl" stanza configures the Nomad agent to enable ACLs and tune various
parameters.
---
# `acl` Stanza
<Placement groups={['acl']} />
The `acl` stanza configures the Nomad agent to enable ACLs and tunes various
ACL parameters. Learn more about configuring Nomad's ACL system in the [Secure
Nomad with Access Control guide][secure-guide].
```hcl
acl {
enabled = true
token_ttl = "30s"
policy_ttl = "60s"
role_ttl = "60s"
}
```
## `acl` Parameters
- `enabled` `(bool: false)` - Specifies if ACL enforcement is enabled. All other
ACL configuration options depend on this value. Note that the Nomad command
line client will send requests for client endpoints such as `alloc exec`
directly to Nomad clients whenever they are accessible. In this scenario, the
client will enforce ACLs, so both servers and clients should have ACLs enabled.
- `token_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
cached ACL tokens. This does not affect servers, since they do not cache tokens.
Setting this value lower reduces how stale a token can be, but increases
the request load against servers. If a client cannot reach a server, for example
because of an outage, the TTL will be ignored and the cached value used.
- `policy_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
cached ACL policies. This does not affect servers, since they do not cache policies.
Setting this value lower reduces how stale a policy can be, but increases
the request load against servers. If a client cannot reach a server, for example
because of an outage, the TTL will be ignored and the cached value used.
- `role_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
cached ACL roles. This does not affect servers, since they do not cache roles.
Setting this value lower reduces how stale a role can be, but increases the
request load against servers. If a client cannot reach a server, for example
because of an outage, the TTL will be ignored and the cached value used.
- `replication_token` `(string: "")` - Specifies the Secret ID of the ACL token
to use for replicating policies and tokens. This is used by servers in non-authoritative
region to mirror the policies and tokens into the local region from [authoritative_region][authoritative-region].
- `token_min_expiration_ttl` `(string: "1m")` - Specifies the lowest acceptable
TTL value for an ACL token when setting expiration. This is used by the Nomad
servers to validate ACL tokens.
- `token_max_expiration_ttl` `(string: "24h")` - Specifies the highest acceptable
TTL value for an ACL token when setting expiration. This is used by the Nomad
servers to validate ACL tokens.
[secure-guide]: https://learn.hashicorp.com/collections/nomad/access-control
[authoritative-region]: /docs/configuration/server#authoritative_region
Reference in New Issue View Git Blame Copy Permalink