From 400620e10cebdb8bbee9f4c61cd6fd5722cde489 Mon Sep 17 00:00:00 2001 From: John Landa Date: Sat, 11 Nov 2023 10:42:35 -0700 Subject: [PATCH] PR feedback updates --- .../content/commands/acl/set-agent-token.mdx | 21 +++++++++---------- .../docs/agent/config/config-files.mdx | 7 ++++--- .../docs/security/acl/tokens/index.mdx | 6 +++--- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/website/content/commands/acl/set-agent-token.mdx b/website/content/commands/acl/set-agent-token.mdx index f5d3aa343854..c56b706871b2 100644 --- a/website/content/commands/acl/set-agent-token.mdx +++ b/website/content/commands/acl/set-agent-token.mdx @@ -36,9 +36,10 @@ The token types are: If not given then the default token is used for these operations. - `dns` - Specifies the token that agents use to request information needed to respond to DNS queries. - If the `dns` token is not set, the `default` token is used instead. - Because the `default` token allows unauthenticated HTTP API access to list nodes and services, it is - strongly recommended to use the `dns` token. DNS tokens should be [created using the templated policy](/consul/docs/security/acl/tokens/create/create-a-dns-token#create_a_dns_token) to ensure the token has the permissions needed to respond to all DNS queries. + If the `dns` token is not set, Consul uses the `default` token by default. + Because the `default` token allows unauthenticated HTTP API access to list nodes and services, we + strongly recommend using the `dns` token. Create DNS tokens using the [templated policy](/consul/docs/security/acl/tokens/create/create-a-dns-token#create_a_dns_token) option + to ensure that the token has the permissions needed to respond to all DNS queries. - `config_file_service_registration` - This is the token that the agent uses to register services and checks defined in config files. This token needs to be @@ -47,18 +48,16 @@ The token types are: contains a `token` field, then that token is used to register that service or check instead of the `config_file_service_registration` token. -- `replication` - This is the token that the agent will use for replication - operations. This token will need to be configured with read access to - whatever data is being replicated. +- `replication` - This is the token that the agent uses for replication + operations. This token must be configured with read access to + all data that the agent replicates. -- `recovery` - This sets the token that can be used to access the Agent APIs - in the event that the ACL datacenter cannot be reached. In Consul versions - prior to 1.11, this token type was called `agent_master`. +- `recovery` - This sets the token that allows access to the agent APIs when the ACL datacenter is unreachable. -- `default` - The default token is the token that the agent will use for +- `default` - The default token is the token that the agent uses for both internal agent operations and operations initiated by the HTTP and DNS interfaces when no specific token is provided. If not set the - agent will use the anonymous token. + agent uses the anonymous token. ### API Options diff --git a/website/content/docs/agent/config/config-files.mdx b/website/content/docs/agent/config/config-files.mdx index dfb446733300..7a52e5c187bc 100644 --- a/website/content/docs/agent/config/config-files.mdx +++ b/website/content/docs/agent/config/config-files.mdx @@ -959,10 +959,11 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `dns` ((#acl_tokens_dns)) - Specifies the token that agents use to request information needed to respond to DNS queries. If the `dns` token is not set, the `default` token is used instead. - Because the `default` token allows unauthenticated HTTP API access to list nodes and services, it is - strongly recommended to use the `dns` token. DNS tokens should be [created using the templated policy](/consul/docs/security/acl/tokens/create/create-a-dns-token#create_a_dns_token) to ensure the token has the permissions needed to respond to all DNS queries. + Because the `default` token allows unauthenticated HTTP API access to list nodes and services, we + strongly recommend using the `dns` token. Create DNS tokens using the [templated policy](/consul/docs/security/acl/tokens/create/create-a-dns-token#create_a_dns_token) + option to ensure that the token has the permissions needed to respond to all DNS queries. - - `replication` ((#acl_tokens_replication)) - Specifies the token used to + - `replication` ((#acl_tokens_replication)) - Specifies the token that the agent uses to authorize secondary datacenters with the primary datacenter for replication operations. This token is required for servers outside the [`primary_datacenter`](#primary_datacenter) when ACLs are enabled. This token may be provided later using the [agent token API](/consul/api-docs/agent#update-acl-tokens) on each server. This token must have at least "read" permissions on ACL data but if ACL token replication is enabled then it must have "write" permissions. This also enables service mesh data replication, for which the token will require both operator "write" and intention "read" permissions for replicating CA and Intention data. diff --git a/website/content/docs/security/acl/tokens/index.mdx b/website/content/docs/security/acl/tokens/index.mdx index 067ca702f905..45df06d3900d 100644 --- a/website/content/docs/security/acl/tokens/index.mdx +++ b/website/content/docs/security/acl/tokens/index.mdx @@ -156,9 +156,9 @@ system or accessing Consul under specific conditions. The following table descri | [`acl.tokens.agent`](/consul/docs/agent/config/config-files#acl_tokens_agent) | `OPTIONAL` | `OPTIONAL` | Used for internal agent operations. See [ACL Agent Token](#acl-agent-token) for details. | | [`acl.tokens.initial_management`](/consul/docs/agent/config/config-files#acl_tokens_initial_management) | `OPTIONAL` | `N/A` | Used to bootstrap the ACL system. See [Initial Management Token](#initial-management-token). | | [`acl.tokens.default`](/consul/docs/agent/config/config-files#acl_tokens_default) | `OPTIONAL` | `OPTIONAL` | Specifies a default token to use for client requests if no token is supplied. This is commonly configured with read-only access to services to enable DNS service discovery on agents. | -| [`acl.tokens.replication`](/consul/docs/agent/config/config-files#acl_tokens_replication) | `OPTIONAL` | `N/A` | Used to authorize secondary datacenters with the primary datacenter for replication operations. | -| [`acl.tokens.config_file_service_registration`](/consul/docs/agent/config/config-files#acl_tokens_config_file_service_registration) | `OPTIONAL` | `OPTIONAL` | Used to register services and checks from service and check definitions specified in configuration files or fragments passed to the agent using the `-hcl` flag. | -| [`acl.tokens.dns`](/consul/docs/agent/config/config-files#acl_tokens_dns) | `OPTIONAL` | `OPTIONAL` | Used by the agent to answer DNS queries about services and nodes. | +| [`acl.tokens.replication`](/consul/docs/agent/config/config-files#acl_tokens_replication) | `OPTIONAL` | `N/A` | Authorizes secondary datacenters to replicate data from the primary datacenter. | +| [`acl.tokens.config_file_service_registration`](/consul/docs/agent/config/config-files#acl_tokens_config_file_service_registration) | `OPTIONAL` | `OPTIONAL` | Registers services and checks from service and check definitions specified in configuration files or fragments passed to the agent using the `-hcl` flag. | +| [`acl.tokens.dns`](/consul/docs/agent/config/config-files#acl_tokens_dns) | `OPTIONAL` | `OPTIONAL` | Enables the agent to answer DNS queries about services and nodes. | All reserved tokens except the `initial_management` token can be created or updated using the [/v1/agent/token API](/consul/api-docs/agent#update-acl-tokens).