Adding ACL authentication to Nomad
1. Enable ACLs in the server node's configuration file /etc/nomad/server.hcl, as follows:
server {
  enabled = true
  bootstrap_expect = 1
}

acl {
  enabled = true
  token_ttl = "30s"
  policy_ttl = "60s"
}
After adding the configuration, restart the Nomad service: service nomad restart
2. Generate the initial token
Once the ACL system is enabled, we need to generate the initial token. The first token is used to bootstrap the system, so take care not to lose it. With the ACL system enabled, we use the bootstrap CLI:
nomad acl bootstrap
Accessor ID = 5b7fd453-d3f7-6814-81dc-fcfe6daedea5
Secret ID = 9184ec35-65d4-9258-61e3-0c066d0a45c5
Name = Bootstrap Token
Type = management
Global = true
Policies = n/a
Create Time = 2017-09-11 17:38:10.999089612 +0000 UTC
Create Index = 7
Modify Index = 7
After the initial bootstrap has been performed, it cannot be performed again unless it is reset. Make sure to save this Accessor ID and Secret ID. The bootstrap token is a management-type token, which means it can perform any operation. It should be used to set up ACL policies and create other ACL tokens. The bootstrap token can be deleted just like any other token, so take care not to revoke all management tokens.
3. Set the anonymous policy
# Store our token secret ID
export NOMAD_TOKEN="BOOTSTRAP_SECRET_ID"

# Write out the payload
cat > payload.json <<EOF
{
  "Name": "anonymous",
  "Description": "Allow read-only access for anonymous requests",
  "Rules": "
namespace \"default\" {
  policy = \"read\"
}

agent {
  policy = \"read\"
}

node {
  policy = \"read\"
}
"
}
EOF

# Install the policy
curl --request POST \
  --data @payload.json \
  -H "X-Nomad-Token: $NOMAD_TOKEN" \
  https://localhost:4646/v1/acl/policy/anonymous

# Verify anonymous request works
curl https://localhost:4646/v1/jobs
4. Rule specification
The core of the ACL system is the rule language, which is used to describe the policies that must be enforced. We use the HashiCorp Configuration Language (HCL) to specify rules. This language is human-readable and interoperable with JSON, so it can easily be generated by machines. A policy can contain any number of rules.
Policies usually have one of several dispositions:
read: allows the resource to be read but not modified
write: allows the resource to be read and modified
deny: does not allow the resource to be read or modified. When multiple policies are associated with a token, deny takes precedence.
The specification in HCL format is as follows:
# Allow read only access to the default namespace
namespace "default" {
  policy = "read"
}

# Allow writing to the foo namespace
namespace "foo" {
  policy = "write"
}

agent {
  policy = "read"
}

node {
  policy = "read"
}

quota {
  policy = "read"
}
This is equivalent to the following JSON input:
{
  "namespace": {
    "default": {
      "policy": "read"
    },
    "foo": {
      "policy": "write"
    }
  },
  "agent": {
    "policy": "read"
  },
  "node": {
    "policy": "read"
  },
  "quota": {
    "policy": "read"
  }
}
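Two points the tutorial leaves implicit are how the HCL rules are embedded in the JSON payload of step 3 and what "deny takes precedence" in step 4 means once a token carries several policies. The Python below is an added example, not Nomad's own code: it builds the policy payload with json.dumps (so the embedded quotes and newlines are escaped properly) and merges the per-namespace dispositions of policies written in the JSON form above using the precedence the text states (deny over write over read, with write including read); the sample policies are constructed.

```python
import json
from typing import Iterable, Optional

# Precedence as the tutorial states it: if several policies attached to a token
# cover the same namespace, deny wins; otherwise write (read + modify) beats read.
_RANK = {"read": 0, "write": 1, "deny": 2}


def build_policy_payload(name: str, description: str, rules_hcl: str) -> str:
    """JSON body for POST /v1/acl/policy/<name>. The HCL rules ride inside the
    "Rules" field as one string; json.dumps escapes quotes and newlines, so
    the result is strict JSON and needs no hand escaping."""
    return json.dumps({"Name": name, "Description": description, "Rules": rules_hcl})


def effective_disposition(policies: Iterable[dict], namespace: str) -> Optional[str]:
    """Merge what several policies (in the JSON form shown above) say about one
    namespace. Returns None when no policy mentions it."""
    found = None
    for policy in policies:
        disp = policy.get("namespace", {}).get(namespace, {}).get("policy")
        if disp is None:
            continue
        if disp not in _RANK:
            raise ValueError(f"unknown disposition {disp!r}")
        if found is None or _RANK[disp] > _RANK[found]:
            found = disp
    return found


def is_allowed(policies: Iterable[dict], namespace: str, op: str) -> bool:
    """op is "read" or "write"; a namespace no policy mentions gets no access."""
    disp = effective_disposition(list(policies), namespace)
    if disp is None or disp == "deny":
        return False
    return op == "read" or disp == "write"


# Constructed sample policies in the JSON form the tutorial shows.
ANONYMOUS = {"namespace": {"default": {"policy": "read"}},
             "agent": {"policy": "read"}, "node": {"policy": "read"}}
FOO_WRITER = {"namespace": {"foo": {"policy": "write"}}}
FOO_DENY = {"namespace": {"foo": {"policy": "deny"}}}

if __name__ == "__main__":
    rules = 'namespace "default" {\n  policy = "read"\n}\n'
    print(build_policy_payload("anonymous", "Read-only anonymous access", rules))
    print(is_allowed([ANONYMOUS, FOO_WRITER], "foo", "write"))         # True
    print(is_allowed([ANONYMOUS, FOO_WRITER, FOO_DENY], "foo", "read"))  # False
```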