小 白蛋 / Nomad
Commit 3bc103eb (Unverified), authored 7 years ago by Nicolas Corrarello
Introducing @schmichael suggestions
parent 38c72b44
Changes: 1 changed file
website/source/guides/acl.html.markdown (+15 -12: 15 additions and 12 deletions)
@@ -377,7 +377,7 @@ using an pre-existing identity service (LDAP, Okta, Amazon IAM, etc. ...) in ord
Nomad token.
~> Hashicorp Vault is a standalone product with it's own set of deployment and configuration best
practices. Please review Vault's documentation before deploying it in production.
practices. Please review
[
Vault's documentation
](
https://www.vaultproject.io/docs/index.html
)
before deploying it in production.
For evaluation purposes, a Vault server in "dev" mode can be used.
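Review bot: the unchanged tip line above still reads "with it's own set of deployment and configuration best practices"; the possessive is "its", and the product name is spelled "HashiCorp". Since this hunk already touches the line that follows it, fixing both here is cheap. Turning "Vault's documentation" into a link to https://www.vaultproject.io/docs/index.html is a good change.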
@@ -420,7 +420,7 @@ Root Token: f84b587e-5882-bba1-a3f0-d1a3d90ca105
-
A management token (the bootstrap token can be used, but for production systems it's recommended to
have a separate token)
-
A set of policies created in Nomad
-
An unsealed Vault server
-
An unsealed Vault server
(Vault running in
`dev`
mode is unsealed automatically upon startup)
### Configuration
Mount the "nomad" secret backend in Vault:
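Review bot: the new parenthetical on the "unsealed Vault server" bullet is useful, but it could also remind the reader that `dev` mode is for evaluation only, as the earlier hunk already states ("For evaluation purposes, a Vault server in "dev" mode can be used"), so that the automatic unseal convenience is not carried into a production setup. The first bullet's advice to use a separate management token rather than the bootstrap token is the right least-privilege guidance and fits well in this list.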
@@ -439,23 +439,24 @@ $ vault write nomad/config/access \
Success! Data written to: nomad/config/access
```
Vault secret backends have the concept of roles, configuration unit that group one or more policies
to a potential identity based on Vault's policy. The name of the role is specified on the path, while
the mapping to Nomad policies is done by naming them in a comma separated list, for example:
Vault secret backends have the concept of roles, which are configuration units that group one or more
Vault policies to a potential identity attribute, (Like an LDAP Group membership). The name of the role
is specified on the path, while the mapping to policies is done by naming them in a comma separated list,
for example:
```
$ vault write nomad/role/role-name policy=policyone,policytwo
Success! Data written to: nomad/roles/role-name
```
Alternative
ly, to create management tokens, or global tokens:
Similar
ly, to create management tokens, or global tokens:
```
$ vault write nomad/role/role-name
token_
type=management global=true
$ vault write nomad/role/role-name type=management global=true
Success! Data written to: nomad/roles/role-name
```
A
Vault policy
is required
to allow different identities to get tokens associated with a particular
Create a
Vault policy to allow different identities to get tokens associated with a particular
role:
```
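Review bot: the rewritten description now says roles group "one or more Vault policies", but the policies named on the role (`policy=policyone,policytwo`) are the Nomad ACL policies listed as a prerequisite earlier ("A set of policies created in Nomad"), which is what the original wording ("the mapping to Nomad policies") said; suggest "one or more Nomad policies". Two further points in this hunk: the success output reads `Data written to: nomad/roles/role-name` while both commands write to `nomad/role/role-name`, so one of the two paths is wrong; and replacing `token_type=management` with `type=management` changes the behaviour of the example command, so please confirm both the `type` key and the `policy` key against the backend's role parameters before merging. Minor: "comma separated" should be "comma-separated", and "identity attribute, (Like an LDAP Group membership)" has a stray comma and a stray capital.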
@@ -467,7 +468,7 @@ Policy 'nomad-user-policy' written.
If you have an existing authentication backend (like LDAP), follow the relevant instructions to create
a role available on the
[
Authentication backends page
](
https://www.vaultproject.io/docs/auth/index.html
)
.
Otherwise, for testing purposes, a token can be generated associated with the policy:
Otherwise, for testing purposes, a
Vault
token can be generated associated with the policy:
```
$ vault token-create -policy=nomad-user-policy
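Review bot: "a Vault token can be generated associated with the policy" still reads awkwardly after the insertion; suggest "a Vault token associated with the policy can be generated". Adding "Vault" is the right clarification here, since the guide alternates between Vault tokens and Nomad tokens and the reader needs to know which one this step produces.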
@@ -477,7 +478,7 @@ token deedfa83-99b5-34a1-278d-e8fb76809a5b
token_accessor fd185371-7d80-8011-4f45-1bb3af2c2733
token_duration 768h0m0s
token_renewable true
token_policies [nomad-user-policy]
token_policies [
default
nomad-user-policy]
```
Finally obtain a Nomad Token using the existing Vault Token:
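Review bot: the updated output now shows `token_policies [default nomad-user-policy]`, but nothing explains where `default` came from, since the command above only passed `-policy=nomad-user-policy`. A one-line note that Vault attaches its `default` policy to new tokens automatically would stop readers from assuming they misconfigured something.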
@@ -493,8 +494,7 @@ accessor_id 10b8fb49-7024-2126-8683-ab355b581db2
secret_id 8898d19c-e5b3-35e4-649e-4153d63fbea9
```
Verify that the token is created correctly in Nomad, referring to it by its accessor:
Verify that the token is created correctly in Nomad, looking it up by its accessor:
```
$ nomad acl token info 10b8fb49-7024-2126-8683-ab355b581db2
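Review bot: "looking it up by its accessor" is clearer than the old wording. It may be worth adding a half-sentence on why the lookup uses the accessor rather than the `secret_id` printed above: the accessor identifies the token without granting its rights, so it is the value that is safe to log, share and reference.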
@@ -508,3 +508,6 @@ Create Time = 2017-10-06 16:26:04.170633207 +0000 UTC
Create Index = 228
Modify Index = 228
```
Any user or process with access to Vault can now obtain short lived Nomad Tokens in order to
carry out operations, thus centralising the access to Nomad tokens.
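Review bot: the new closing sentence overstates the scope: "Any user or process with access to Vault" can obtain Nomad tokens only if its Vault token carries a policy that permits reading the role's credentials, which is exactly what the `nomad-user-policy` created earlier in this guide provides. Suggest "Any user or process holding a Vault token with the appropriate policy". Also "short lived" should be hyphenated ("short-lived"), and the guide is inconsistent about capitalising "token"; pick one form for the closing paragraph.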