From c66628a06f8f066dadc2e1b20067c64f00b91d70 Mon Sep 17 00:00:00 2001 From: Jack Pearkes Date: Wed, 14 Mar 2018 16:46:04 -0700 Subject: [PATCH 1/2] website: add section on securing the UI with ACLs Figured it would be worth documenting due to #3931. --- website/source/docs/guides/acl.html.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/website/source/docs/guides/acl.html.md b/website/source/docs/guides/acl.html.md index 082325ab9a61..0318888bd4e0 100644 --- a/website/source/docs/guides/acl.html.md +++ b/website/source/docs/guides/acl.html.md @@ -482,6 +482,26 @@ default. If using [`acl_token`](/docs/agent/options.html#acl_token), then it's likely the anonymous token will have a more restrictive policy than shown in the examples here. +#### Create Tokens for UI Use (Optional) + +If you utilize the Consul UI with a restrictive ACL policy, as above, the UI will +not function fully using the anonymous ACL token. It is recommended +that a UI-specific ACL token is used, which can be set in the UI during the +web browser session to authenticate the interface. + +```text +$ curl \ + --request PUT \ + --header "X-Consul-Token: b1gs33cr3t" \ + --data \ +'{ + "Name": "UI Token", + "Type": "client", + "Rules": "key \"\" { policy = \"write\" } node \"\" { policy = \"read\" } service \"\" { policy = \"read\" }" +}' http://127.0.0.1:8500/v1/acl/create +{"ID":"d0a9f330-2f9d-0a8c-d2af-1e9ceda354e6"} +``` + #### Next Steps The examples above configure a basic ACL environment with the ability to see all nodes From 6fb94ff40acf41da904f4bedb9312b07f5b5d57f Mon Sep 17 00:00:00 2001 From: Jack Pearkes Date: Wed, 14 Mar 2018 16:50:04 -0700 Subject: [PATCH 2/2] website: clarify where ACL token is set in the UI --- website/source/docs/guides/acl.html.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/website/source/docs/guides/acl.html.md b/website/source/docs/guides/acl.html.md index 0318888bd4e0..a78f60b55ebd 100644 --- a/website/source/docs/guides/acl.html.md +++ b/website/source/docs/guides/acl.html.md @@ -502,6 +502,8 @@ $ curl \ {"ID":"d0a9f330-2f9d-0a8c-d2af-1e9ceda354e6"} ``` +The token can then be set on the "settings" page of the UI. + #### Next Steps The examples above configure a basic ACL environment with the ability to see all nodes