1. Enable ACLs in the server node's configuration file, /etc/nomad/server.hcl, as follows:

```hcl
server {
  enabled          = true
  bootstrap_expect = 1
}

acl {
  enabled    = true
  token_ttl  = "30s"   # how long a resolved token is cached before it is looked up again
  policy_ttl = "60s"   # how long a resolved policy is cached before it is looked up again
}
```

The acl stanza must be present on every agent in the cluster (servers and clients); enabling it on one server only leaves the other agents unenforced. After adding the configuration, restart the Nomad service:

```sh
service nomad restart
```

2. Generate the initial token
Once the ACL system is enabled, we need to generate the initial token. This first token is used to bootstrap the system, so take care not to lose it. With ACLs enabled, run the bootstrap CLI:

```sh
nomad acl bootstrap
```

```
Accessor ID  = 5b7fd453-d3f7-6814-81dc-fcfe6daedea5
Secret ID    = 9184ec35-65d4-9258-61e3-0c066d0a45c5
Name         = Bootstrap Token
Type         = management
Global       = true
Policies     = n/a
Create Time  = 2017-09-11 17:38:10.999089612 +0000 UTC
Create Index = 7
Modify Index = 7
```

Once the initial bootstrap has been performed it cannot be run again unless the ACL system is reset, so make sure to save this Accessor ID and Secret ID. The Secret ID is the credential that is sent with requests and must be protected; the Accessor ID is a non-secret handle used to inspect or revoke the token later. The bootstrap token is a management-type token, meaning it can perform any operation. It should be used to set up ACL policies and to create other ACL tokens. The bootstrap token can be deleted just like any other token, so take care not to revoke every management token, since that leaves no way to administer ACLs short of a reset.

3. Set the anonymous policy
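The bootstrap step above is a one-shot operation whose output is the only copy of the management Secret ID, so it is worth wrapping it so that the IDs are captured and stored with tight permissions rather than left in a terminal scrollback. The following is an added example and not code from the original post; it assumes the `nomad` binary is on PATH and that NOMAD_ADDR (or the default address) points at a server configured as in step 1. The parsing works on the table format shown above.

```sh
#!/bin/sh
# Added example (not from the original post): bootstrap the ACL system once and
# keep the management token's Secret ID in a file readable only by this user.
# Assumptions: `nomad` is on PATH and talks to a server with acl { enabled = true }.

# Pull one field ("Accessor ID" or "Secret ID") out of the table that
# `nomad acl bootstrap` prints; the value is the last whitespace-separated word
# on the line that starts with the field name.
bootstrap_field() {
  field=$1
  awk -v f="$field" 'index($0, f) == 1 { print $NF }'
}

# Write a token secret to a file created with mode 0600 (umask applied in a
# subshell so the caller's umask is untouched).
store_token() {
  dest=$1
  secret=$2
  ( umask 077 && printf '%s\n' "$secret" > "$dest" )
}

# Run the one-time bootstrap and persist the Secret ID. Nomad refuses a second
# bootstrap unless the ACL system is reset, so any failure here is reported
# verbatim rather than swallowed.
bootstrap_once() {
  dest=$1
  out=$(nomad acl bootstrap 2>&1) || { printf 'bootstrap failed: %s\n' "$out" >&2; return 1; }
  accessor=$(printf '%s\n' "$out" | bootstrap_field "Accessor ID")
  secret=$(printf '%s\n' "$out" | bootstrap_field "Secret ID")
  [ -n "$secret" ] || { echo "no Secret ID found in bootstrap output" >&2; return 1; }
  store_token "$dest" "$secret"
  # The Accessor ID is not sensitive; it is what you need to inspect or revoke
  # the token later, so it is safe to print.
  printf 'Accessor ID: %s\nSecret ID written to %s\n' "$accessor" "$dest"
}

# Usage (assumed path):
#   bootstrap_once /root/.nomad-bootstrap-token
#   export NOMAD_TOKEN=$(cat /root/.nomad-bootstrap-token)
```

Reading the token back with `export NOMAD_TOKEN=$(cat ...)` keeps the secret out of shell history, which a literal `export NOMAD_TOKEN="..."` does not.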
The policy named "anonymous" is the one Nomad applies to requests that carry no token at all, so it decides what an unauthenticated caller can do. Store our token's Secret ID:

```sh
export NOMAD_TOKEN="BOOTSTRAP_SECRET_ID"
```

Write out the payload:

```sh
cat > payload.json <<EOF
{
  "Name": "anonymous",
  "Description": "Allow read-only access for anonymous requests",
  "Rules": "namespace \"default\" { policy = \"read\" } agent { policy = \"read\" } node { policy = \"read\" }"
}
EOF
```

Install the policy. The target URL was lost from this page; the request is sent to the server's /v1/acl/policy/anonymous endpoint, and the name in the path must match the "Name" in the payload:

```sh
curl --request POST \
    --data @payload.json \
    -H "X-Nomad-Token: $NOMAD_TOKEN"
```

Verify that an anonymous request works (the URL is missing here too; any read endpoint the policy covers, such as the job list, will do). Note that a just-installed policy can take up to policy_ttl to be picked up by an agent that has the old state cached:

```sh
curl
```

4. Rule specification
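"Verify anonymous request works" only shows that reads succeed; the more important half of the check is that anonymous writes and management-only calls are refused while the management token still gets through. The following is an added example, not code from the original post. It assumes NOMAD_ADDR holds the server's HTTP address (default http://127.0.0.1:4646) and uses real Nomad API paths: /v1/jobs and /v1/nodes (reads covered by the policy above), PUT /v1/system/gc and GET /v1/acl/tokens (both require a management token).

```sh
#!/bin/sh
# Added example (not from the original post): probe the anonymous policy from
# outside and report every mismatch. Assumes NOMAD_ADDR points at the server.

# Return only the HTTP status code for METHOD PATH, sending the token header when
# a token is given. Kept in its own function so it can be swapped for a stub when
# there is no cluster to talk to.
http_code() {
  method=$1; path=$2; token=$3
  base=${NOMAD_ADDR:-http://127.0.0.1:4646}
  if [ -n "$token" ]; then
    curl -s -o /dev/null -w '%{http_code}' -X "$method" -H "X-Nomad-Token: $token" "$base$path"
  else
    curl -s -o /dev/null -w '%{http_code}' -X "$method" "$base$path"
  fi
}

# Run one probe and count a mismatch instead of exiting, so the report is complete.
expect_code() {
  want=$1; method=$2; path=$3; token=$4; label=$5
  got=$(http_code "$method" "$path" "$token")
  if [ "$got" = "$want" ]; then
    printf 'ok   %-45s %s\n' "$label" "$got"
  else
    printf 'FAIL %-45s want %s got %s\n' "$label" "$want" "$got"
    failures=$((failures + 1))
  fi
}

# verify_anonymous <management Secret ID>; exit status 0 only if every probe matched.
# Nomad answers 403 for a request the ACL system refuses.
verify_anonymous() {
  mgmt=$1
  failures=0
  expect_code 200 GET /v1/jobs       ""      "anonymous can list jobs in default namespace"
  expect_code 200 GET /v1/nodes      ""      "anonymous can list nodes"
  expect_code 403 PUT /v1/system/gc  ""      "anonymous cannot trigger management-only GC"
  expect_code 403 GET /v1/acl/tokens ""      "anonymous cannot list ACL tokens"
  expect_code 200 GET /v1/acl/tokens "$mgmt" "management token can list ACL tokens"
  [ "$failures" -eq 0 ]
}

# Usage: verify_anonymous "$NOMAD_TOKEN"
```

Re-run this after every change to the anonymous policy; a policy accidentally written with policy = "write" still passes the page's read-only check, but fails the GC and token-list probes here.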
The core of the ACL system is the rule language used to describe the policies that must be enforced. Rules are written in the HashiCorp Configuration Language (HCL). The language is human-readable and interoperable with JSON, so policies can easily be generated by machine. A policy can contain any number of rules.

Policies usually carry one of several dispositions:

- read: allows the resource to be read but not modified
- write: allows the resource to be read and modified
- deny: allows neither reading nor modifying the resource. When multiple policies are associated with one token, deny takes precedence over anything the other policies grant.

A resource that no policy attached to the token mentions is not accessible at all; with ACLs enabled, access is granted only where a rule explicitly allows it. The specification in HCL format is as follows:

```hcl
# Allow read-only access to the default namespace
namespace "default" {
  policy = "read"
}

# Allow write access to the "foo" namespace
namespace "foo" {
  policy = "write"
}

agent {
  policy = "read"
}

node {
  policy = "read"
}

quota {
  policy = "read"
}
```

This is equivalent to the following JSON input:

```json
{
  "namespace": {
    "default": { "policy": "read" },
    "foo": { "policy": "write" }
  },
  "agent": { "policy": "read" },
  "node": { "policy": "read" },
  "quota": { "policy": "read" }
}
```

Reposted from: https://blog.51cto.com/aaronsa/2151006