From 95f495c2b8a11cd3f185649fb9866889d11df6cd Mon Sep 17 00:00:00 2001 From: Paul Glass Date: Tue, 18 Jul 2023 10:29:44 -0500 Subject: [PATCH] Apply suggestions from code review Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- .../acl/tokens/create/create-a-consul-esm-token.mdx | 4 ++-- .../docs/security/acl/tokens/create/create-a-dns-token.mdx | 4 ++-- .../acl/tokens/create/create-a-replication-token.mdx | 5 ++--- .../acl/tokens/create/create-a-snapshot-agent-token.mdx | 7 +++---- .../create/create-a-token-for-vault-consul-storage.mdx | 2 -- 5 files changed, 9 insertions(+), 13 deletions(-) diff --git a/website/content/docs/security/acl/tokens/create/create-a-consul-esm-token.mdx b/website/content/docs/security/acl/tokens/create/create-a-consul-esm-token.mdx index 8735d64d9590..2dcbc99572c7 100644 --- a/website/content/docs/security/acl/tokens/create/create-a-consul-esm-token.mdx +++ b/website/content/docs/security/acl/tokens/create/create-a-consul-esm-token.mdx @@ -11,7 +11,7 @@ This topic describes how to create a token for the Consul External Service Monit ## Introduction -Consul External Service Monitor (ESM) can monitor third party or external services in contexts where it is not possible to run a Consul agent. To learn more about Consul ESM, refer to the [Register External Services with Consul Service Discovery](/consul/tutorials/developer-discovery/service-registration-external-services) tutorial. +Consul external service monitor (ESM) can monitor third-party or external services in contexts where you are unable to run a Consul agent. To learn more about Consul ESM, refer to the [Register External Services with Consul Service Discovery](/consul/tutorials/developer-discovery/service-registration-external-services) tutorial. ## Requirements 
@@ -28,7 +28,7 @@ Consul ESM must present a token linked to policies that grant the following perm * `session:write`: Enables Consul ESM is registered to acquire a leader lock * `acl:read`: (Enterprise-only) Enables Consul ESM to scan namespaces for nodes and health checks to monitor --> Note: Consul ESM does not currently support non-default partitions. +Consul ESM only supports `default` admin partitions. @include 'create-token-requirements.mdx' diff --git a/website/content/docs/security/acl/tokens/create/create-a-dns-token.mdx b/website/content/docs/security/acl/tokens/create/create-a-dns-token.mdx index b27223953b21..14cf7774513c 100644 --- a/website/content/docs/security/acl/tokens/create/create-a-dns-token.mdx +++ b/website/content/docs/security/acl/tokens/create/create-a-dns-token.mdx @@ -7,11 +7,11 @@ description: >- # Create a DNS token -This topic describes how to create a token that you can use to enable using Consul DNS. +This topic describes how to create a token that enables the Consul DNS to query services in the network when ACLs are enabled. ## Introduction -A Consul agent must be configured with a token linked to policies that grant the appropriate set of permissions. To enable catalog lookups over DNS, the token must be linked to policies that grant the following permissions: +A Consul agent must be configured with a token linked to policies that grant the appropriate set of permissions. Specify the [`default`](/consul/docs/agent/config/config-files#acl_tokens_default) token to the Consul agent to authorize the agent to respond to DNS queries. Refer to [DNS usage overview](/consul/docs/services/discovery/dns-overview) for details on configuring and using Consul DNS. diff --git a/website/content/docs/security/acl/tokens/create/create-a-replication-token.mdx b/website/content/docs/security/acl/tokens/create/create-a-replication-token.mdx index 8df06311953f..f38f4682fcc2 100644 
--- a/website/content/docs/security/acl/tokens/create/create-a-replication-token.mdx +++ b/website/content/docs/security/acl/tokens/create/create-a-replication-token.mdx @@ -7,14 +7,13 @@ description: >- # Create a replication token -This topic describes how to configure an ACL token for ACL replication between WAN-federated datacenters. +This topic describes how to configure an ACL token for ACL replication between WAN-federated datacenters. If your Consul clusters are connected through peer connections, ACL replication is not required. To learn more about cluster peering, refer to the [comparison between WAN federation and cluster peering](/consul/docs/connect/cluster-peering#compared-with-wan-federation). ## Introduction Consul agents must present a token linked to policies that grant the appropriate set of permissions. -Specify the [`replication`](/consul/docs/agent/config/config-files#acl_tokens_replication) token on each server in a non-primary datacenter. To learn about configuring ACL replication, refer to the ACL Replication for Multiple Datacenters tutorial. +Specify the [`replication`](/consul/docs/agent/config/config-files#acl_tokens_replication) token on each server in a non-primary datacenter. For hands-on instructions on how to configure ACL replication across datacenters, refer to the [ACL Replication for Multiple Datacenters](/consul/tutorials/security-operations/access-control-replication-multiple-datacenters) tutorial. --> Note: ACL replication is only supported for WAN-federated datacenters. When using cluster peering to connect Consul datacenters, ACL replication is not required. To learn more about cluster peering, refer to Differences between WAN federation and cluster peering. ## Requirements diff --git a/website/content/docs/security/acl/tokens/create/create-a-snapshot-agent-token.mdx b/website/content/docs/security/acl/tokens/create/create-a-snapshot-agent-token.mdx index bc1c03322b6e..c1b820957efa 100644 
--- a/website/content/docs/security/acl/tokens/create/create-a-snapshot-agent-token.mdx +++ b/website/content/docs/security/acl/tokens/create/create-a-snapshot-agent-token.mdx @@ -11,10 +11,6 @@ This topic describes how to create a token for the Consul snapshot agent. -~> The [`agent`](/consul/commands/snapshot/agent) subcommand described here is -available only in [Consul Enterprise](https://www.hashicorp.com/products/consul/) -version 0.7.1 and later. All other [snapshot subcommands](/consul/commands/snapshot) -are available in the open source version of Consul. ## Introduction @@ -24,7 +20,10 @@ servers and either saves them locally or pushes them to a remote storage service ## Requirements Core ACL functionality is available in all versions of Consul. +### `agent` command requirements +The [`agent`](/consul/commands/snapshot/agent) subcommand requires [Consul Enterprise](https://www.hashicorp.com/products/consul/). All other [snapshot subcommands](/consul/commands/snapshot) +are available in the open source version of Consul. The Consul snapshot agent must present a token linked to policies that grant the following set of permissions. * `acl:write`: Enables the agent read and snapshot ACL data diff --git a/website/content/docs/security/acl/tokens/create/create-a-token-for-vault-consul-storage.mdx b/website/content/docs/security/acl/tokens/create/create-a-token-for-vault-consul-storage.mdx index 899a9723ebbf..a33cc544a3a6 100644 --- a/website/content/docs/security/acl/tokens/create/create-a-token-for-vault-consul-storage.mdx +++ b/website/content/docs/security/acl/tokens/create/create-a-token-for-vault-consul-storage.mdx 
@@ -31,10 +31,8 @@ To create a token for Vault’s Consul storage backend, you must define a policy ### Define a policy - You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies. - The following example policy is defined in a file. The policy grants the appropriate permissions to enable Vault to register as a service named `vault` and provides access to the `vault/` path in Consul's KV store.
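Review bot: Product-name capitalisation is now inconsistent in create-a-consul-esm-token.mdx (hunk at -11,7). The added introduction writes "Consul external service monitor (ESM)", while the topic sentence shown in the hunk header still capitalises "Consul External Service Monit…". Pick one form and use it in both places so the abbreviation "ESM" is introduced the same way throughout the page.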
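Review bot: The added sentence "Consul ESM only supports `default` admin partitions." in create-a-consul-esm-token.mdx (hunk at -28,7) reads as if there were several default partitions. The removed note spoke of "non-default partitions", so "Consul ESM supports only the `default` admin partition." would state the limitation more precisely. It also loses the `-> Note:` callout, so a limitation that affects how the token is scoped now reads as ordinary body text after the permissions list. The unchanged `session:write` bullet just above ("Enables Consul ESM is registered to acquire a leader lock") is ungrammatical and could be fixed in the same pass.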
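Review bot: The lead-in for the permissions is lost in create-a-dns-token.mdx (hunk at -7,11). The removed introduction ended with "the token must be linked to policies that grant the following permissions:", while the replacement stops at "the appropriate set of permissions." and moves straight on to the `default` token. Confirm that the page still states which permissions the DNS token needs and that something introduces that list, since the token is configured as the agent's `default` token and readers need to know how narrowly to scope it. In the topic sentence, "enables the Consul DNS to query services" would read better as "enables Consul DNS to query services".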
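Review bot: The support statement is dropped in create-a-replication-token.mdx (hunk at -7,14). The removed note said "ACL replication is only supported for WAN-federated datacenters", but the sentence added to the topic line says only that with peer connections "ACL replication is not required". "Not required" and "not supported" are different claims; if the restriction still holds, keep it explicit, for example by adding "ACL replication is supported only for WAN-federated datacenters" next to the new sentence.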
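Review bot: The version constraint disappears in create-a-snapshot-agent-token.mdx (hunk at -11,10). The removed callout stated that the `agent` subcommand is available in Consul Enterprise "version 0.7.1 and later", and the text that replaces it in the next hunk says only that it "requires Consul Enterprise". If the minimum version is dropped on purpose, say so in the commit message; otherwise carry it into the new requirements text.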
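Review bot: The new "### `agent` command requirements" heading in create-a-snapshot-agent-token.mdx (hunk at -24,7) changes the scope of the text that follows it. The unchanged sentence "The Consul snapshot agent must present a token linked to policies that grant the following set of permissions." and its permission list now fall under the subsection about the Enterprise requirement rather than under "## Requirements" in general. Move the new subsection after the permission list or give the permissions their own subheading. The three added lines also have no blank line between the heading and its paragraph. The unchanged `acl:write` bullet ("Enables the agent read and snapshot ACL data") is missing "to".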
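Review bot: Check paragraph separation in create-a-token-for-vault-consul-storage.mdx (hunk at -31,10). Both removed lines under "### Define a policy" are empty. If either was the only blank line between "You can send policy definitions…" and "The following example policy…", the two paragraphs will render as one, and the first will sit directly against the heading. Verify the rendered page keeps them separate.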