Consul acl role support #11025

Closed
wants to merge 3 commits into from
20 changes: 16 additions & 4 deletions builtin/logical/consul/path_roles.go
Expand Up @@ -37,8 +37,14 @@ for 'client' tokens. Required for Consul pre-1.4.`,

"policies": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `List of policies to attach to the token. Required
for Consul 1.4 or above.`,
Description: `List of policies to attach to the token. Policies required
for Consul 1.4 or above, roles can be used for Consul 1.5 and above.`,
},

"roles": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `List of roles to attach to the token. Policies / roles required
for Consul 1.5 or above.`,
},

"local": &framework.FieldSchema{
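Review bot: the new `roles` description, `Policies / roles required for Consul 1.5 or above.`, conflates the two fields and contradicts the `policies` description just above it, which says policies work from Consul 1.4. Suggest `List of roles to attach to the token. Only available for Consul 1.5 or above.` for `roles`, and for `policies` split the comma splice into `Required for Consul 1.4 or above; for Consul 1.5 or above, roles can be used instead of or in addition to policies.`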
Expand Down Expand Up @@ -126,6 +132,9 @@ func (b *backend) pathRolesRead(ctx context.Context, req *logical.Request, d *fr
if len(result.Policies) > 0 {
resp.Data["policies"] = result.Policies
}
if len(result.Roles) > 0 {
resp.Data["roles"] = result.Roles
}
return resp, nil
}

Expand All @@ -134,14 +143,15 @@ func (b *backend) pathRolesWrite(ctx context.Context, req *logical.Request, d *f
policy := d.Get("policy").(string)
name := d.Get("name").(string)
policies := d.Get("policies").([]string)
roles := d.Get("roles").([]string)
local := d.Get("local").(bool)

if len(policies) == 0 {
if len(policies) == 0 && len(roles) == 0 {
switch tokenType {
case "client":
if policy == "" {
return logical.ErrorResponse(
"Use either a policy document, or a list of policies, depending on your Consul version"), nil
"Use either a policy document, a list of policies, or a list of roles, depending on your Consul version"), nil
}
case "management":
default:
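Review bot: the relaxed guard `if len(policies) == 0 && len(roles) == 0` is correct for the roles-only case, but nothing in this hunk says what happens when the pre-1.4 `policy` document is combined with `roles`; either reject that mix with an explicit error next to the existing one or document which form takes precedence. A test that writes a client role with `roles=` only (no `policy`, no `policies`) would also lock in the new behaviour.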
Expand Down Expand Up @@ -176,6 +186,7 @@ func (b *backend) pathRolesWrite(ctx context.Context, req *logical.Request, d *f
entry, err := logical.StorageEntryJSON("policy/"+name, roleConfig{
Policy: string(policyRaw),
Policies: policies,
Roles: roles,
TokenType: tokenType,
TTL: ttl,
MaxTTL: maxTTL,
Expand Down Expand Up @@ -203,6 +214,7 @@ func (b *backend) pathRolesDelete(ctx context.Context, req *logical.Request, d *
type roleConfig struct {
Policy string `json:"policy"`
Policies []string `json:"policies"`
Roles []string `json:"roles"`
TTL time.Duration `json:"lease"`
MaxTTL time.Duration `json:"max_ttl"`
TokenType string `json:"token_type"`
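Review bot: `Roles []string \`json:"roles"\`` has no `omitempty`, which matches `Policies`, so existing entries written before this change decode with a nil `Roles` slice and the `len(result.Roles) > 0` checks in the read and token paths handle that safely; worth stating in the PR description that no storage migration is needed.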
7 changes: 7 additions & 0 deletions builtin/logical/consul/path_token.go
Expand Up @@ -97,9 +97,16 @@ func (b *backend) pathTokenRead(ctx context.Context, req *logical.Request, d *fr
Name: policyName,
})
}
var roleLink = []*api.ACLTokenRoleLink{}
for _, roleName := range result.Roles {
roleLink = append(roleLink, &api.ACLTokenRoleLink{
Name: roleName,
})
}
token, _, err := c.ACL().TokenCreate(&api.ACLToken{
Description: tokenName,
Policies: policyLink,
Roles: roleLink,
Local: result.Local,
}, writeOpts)
if err != nil {
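Review bot: `var roleLink = []*api.ACLTokenRoleLink{}` is a non-idiomatic declaration; match the `policyLink` form (`roleLink := []*api.ACLTokenRoleLink{}` or `var roleLink []*api.ACLTokenRoleLink`). Linking by `Name` only means Consul resolves the role at token-creation time, so a misspelled role stored in the Vault role surfaces only as a `TokenCreate` error on the `if err != nil` path; make sure that error is returned to the caller unchanged so the missing role is obvious.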
11 changes: 11 additions & 0 deletions website/content/api-docs/secret/consul.mdx
Expand Up @@ -90,6 +90,9 @@ updated attributes.
- `policies` `(list: <policy or policies>)` – The list of policies to assign to the generated
token. This is only available in Consul 1.4 and greater.

- `roles` `(list: <role or roles>)` – The list of roles to assign to the generated
token. This is only available in Consul 1.5 and greater.

- `local` `(bool: false)` - Indicates that the token should not be replicated
globally and instead be local to the current datacenter. Only available in Consul
1.4 and greater.
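Review bot: the `roles` entry should state how it interacts with `policies`: in `path_token.go` of this PR both lists are attached to the same token when both are set, and the roles must already exist in Consul because Vault links them by name only. One sentence covering both points avoids readers assuming the two parameters are mutually exclusive.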
Expand Down Expand Up @@ -120,6 +123,14 @@ To create a client token with a custom policy:
}
```

To create a client token with defined roles:

```json
{
"roles": "role-a,role-b"
}
```

### Sample Request

```shell-session
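Review bot: `"roles": "role-a,role-b"` as a comma-separated string works because the field is `TypeCommaStringSlice`, but the parameter table above types it as `(list: ...)`; showing the JSON array form `["role-a", "role-b"]` as well, or noting that both are accepted, keeps the sample and the table consistent.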
7 changes: 7 additions & 0 deletions website/content/docs/secrets/consul.mdx
Expand Up @@ -87,6 +87,13 @@ management tool.
Success! Data written to: consul/roles/my-role
```

For Consul versions 1.5 and above, [generate a role in Consul](https://www.consul.io/api/acl/roles), and proceed to link it to the role:

```text
$ vault write consul/roles/my-role roles=api-server
Success! Data written to: consul/roles/my-role
```

-> **Token lease duration:** If you do not specify a value for `ttl` (or `lease` for Consul versions below 1.4) the tokens created using Vault's
Consul secrets engine are created with a Time To Live (TTL) of 30 days. You can change the lease duration by passing `-ttl=<duration>` to the
command above with "duration" being a string with a time suffix like "30s" or "1h".
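Review bot: `proceed to link it to the role` uses `role` for both the Consul ACL role and the Vault role in one sentence; suggest `and link it to the Vault role by name:`. The example `vault write consul/roles/my-role roles=api-server` assumes a Consul role named `api-server` already exists; say so explicitly, since Consul rejects the token otherwise, and mention that `roles` can be combined with `policies` on the same Vault role.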