Consul uses access control lists (ACLs) to secure the UI, API, CLI, service communication and agent communication. This article introduces the basic concepts and use of Consul ACLs; software version used: Consul 1.11.1.
1. Consul ACL overview
At its core, the ACL system groups rules into policies and then associates one or more policies with a token.
At the highest level, the ACL system has two main components:
ACL Policies: a policy groups a set of rules into a logical unit that can be reused and associated with many tokens.
ACL Tokens: access to Consul requires a token for authentication; each ACL token has an Accessor ID and a Secret ID. The Accessor ID names the token, and the Secret ID is the bearer secret used to communicate with Consul.
Policies and tokens are enough in most cases, but further components are available for more advanced setups:
ACL Roles: a role groups a set of policies and service identities into a reusable higher-level entity that can be applied to many tokens. (Added in 1.5.0)
ACL Service Identities: a service identity is a policy template that stands in for a policy link. (Added in 1.5.0)
ACL Node Identities: a node identity is a policy template that stands in for a policy link. (Added in 1.5.0)
ACL Auth Methods and Binding Rules: auth methods authenticate against a trusted external party in order to authorize the creation of ACL tokens usable within the local datacenter. (Added in 1.8.1)
1.1. ACL Policies
ACL policies have the following attributes:

| Attribute | Description | Required | Default |
|---|---|---|---|
| ID | The policy's auto-generated public identifier. | N/A | N/A |
| Name | Unique name for the policy. | Required | none |
| Description | Human readable description of the policy. | Optional | none |
| Rules | Set of rules granting or denying permissions. See the Rule Specification documentation for more details. | Optional | none |
| Datacenters | Datacenter in which the policy is valid. More than one datacenter can be specified. | Optional | none |
| Namespace | ENTERPRISE Namespace in which the policy is valid. Added in Consul Enterprise 1.7.0. | Optional | |
| Partition | ENTERPRISE Admin partition in which the policy is valid. Added in Consul Enterprise 1.11.0. | Optional | |
List existing policies:

```shell
consul acl policy list -format json -token <token>
```

Built-in policies:
Global Management: has unrestricted privileges; only its name can be modified, not its other attributes.
Namespace Management: the Enterprise edition's built-in policy, corresponding to Global Management in the community edition.
Policy management: creating, reading, updating and deleting policies is most convenient through the UI, but the CLI or API can also be used; this is not covered in detail here, see the official docs for each: https://www.consul.io/commands/acl/policy and https://www.consul.io/api-docs/acl/policies.
1.2. ACL Service Identities
A service identity consists of the following elements:
Service Name: the name of the service
Datacenters: list of datacenters (optional)
Services participating in the service mesh need permission to be discovered and to discover other healthy service instances. The required policies nearly always look the same, so a service identity is a policy template that avoids creating boilerplate policies. During authorization a configured service identity is applied automatically as a policy; its ACL rules are equivalent to:

```hcl
# Allow registering the corresponding service and its sidecar proxy
service "<Service Name>" {
  policy = "write"
}
service "<Service Name>-sidecar-proxy" {
  policy = "write"
}
# Allow reading (discovering) any service and node
service_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
```
1.3. ACL Node Identities
A node identity consists of the following elements:
Node Name: the name of the node
Datacenter: the datacenter
During authorization a configured node identity is applied automatically as a policy; its ACL rules are equivalent to:

```hcl
# Allow registering this node into the cluster
node "<Node Name>" {
  policy = "write"
}
# Allow checking and comparing the services registered to this node
service_prefix "" {
  policy = "read"
}
```
1.4. ACL Roles
A role consists of the following elements:
ID: role id
Name: role name
Description: description (optional)
Policy Set: set of policies
Service Identity Set: set of service identities
Namespace ENTERPRISE: namespace (added in Enterprise 1.7.0)
Roles can be conveniently created and deleted through the UI.
1.5. ACL Tokens
Consul uses tokens to determine whether a caller is authorized to perform an operation. A token consists of the following elements:
Accessor ID: unique identifier of the token
Secret ID: the token secret
Policy Set: set of policies
Role Set: set of roles (added in 1.5.0)
Service Identity Set: set of service identities (added in 1.5.0)
Local: whether the token is local to this datacenter
CreateTime: token creation time
Expiration Time: token expiration time (added in 1.5.0)
Namespace ENTERPRISE: namespace (added in Enterprise 1.7.0)
Partition ENTERPRISE: partition (added in Enterprise 1.11.0)
List existing tokens:

```shell
consul acl token list -format json -token <token_id>
```

Built-in tokens:
Anonymous Token: used when a request to Consul carries no token; its Accessor ID is 00000000-0000-0000-0000-000000000002 and its Secret ID is anonymous.
Initial Management Token: the token bound to the Global Management policy; in Consul 1.4 - 1.10 it was called the master token, and in Consul 1.11 it was renamed the initial_management token.
1.6. ACL Rules
ACL rules describe access to resources; a rule consists of a resource declaration and a policy disposition:

```hcl
<resource> ["<label>"] {
  policy = "<policy disposition>"
}
```

The acl, keyring, mesh and operator resources take no label and are configured with the following syntax:

```hcl
<resource> = "<policy disposition>"
```

1.6.1. Policy dispositions
There are the following dispositions:
read: read only
write: read and write
deny: denied
1.6.2. Policy matching and prefixes
Match one specific resource:

```hcl
service "web-prod" {
  policy = "deny"
}
```

Match all resources of a type with a given prefix:

```hcl
service_prefix "web" {
  policy = "write"
}
```

Match all resources of a type:

```hcl
service_prefix "" {
  policy = "read"
}
```
1.6.3. Rule formats
Rules can be written in HashiCorp Configuration Language (HCL) or JSON.
HCL form:

```hcl
# These control access to the key/value store.
key_prefix "" {
  policy = "read"
}
key_prefix "foo/" {
  policy = "write"
}
key_prefix "foo/private/" {
  policy = "deny"
}
# Or for exact key matches
key "foo/bar/secret" {
  policy = "deny"
}
# This controls access to cluster-wide Consul operator information.
operator = "read"
```

JSON form:

```json
{
  "key": [{
    "foo/bar/secret": [{
      "policy": "deny"
    }]
  }],
  "key_prefix": [{
    "": [{
      "policy": "read"
    }]
  }, {
    "foo/": [{
      "policy": "write"
    }]
  }, {
    "foo/private/": [{
      "policy": "deny"
    }]
  }],
  "operator": "read"
}
```
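The following is an added example, not code from this article or from Consul, that models how Consul resolves the rules described under policy matching and prefixes against the JSON policy above: an exact-match rule wins, otherwise the most specific (longest) matching prefix rule, otherwise the agent's default_policy. The POLICY dict is the article's JSON policy embedded as constructed input; the function and constant names are this example's own.

```python
"""Resolve Consul-style ACL rules for a resource label.

Added example for this article, not Consul's own code. It models the
documented resolution order: an exact-match rule wins, otherwise the
longest matching prefix rule, otherwise the agent's default_policy.
"""
from typing import Dict, Optional

# The JSON policy from the article, embedded as constructed input.
POLICY = {
    "key": [{"foo/bar/secret": [{"policy": "deny"}]}],
    "key_prefix": [
        {"": [{"policy": "read"}]},
        {"foo/": [{"policy": "write"}]},
        {"foo/private/": [{"policy": "deny"}]},
    ],
    "operator": "read",
}

# Which dispositions satisfy a requested access level (write implies read).
SATISFIES = {"read": {"read", "write"}, "write": {"write"}}

# default_policy = "allow" behaves like write access to everything.
DEFAULTS = {"deny": "deny", "allow": "write"}


def labelled_rules(policy: dict, resource: str, prefix: bool = False) -> Dict[str, str]:
    """Flatten the JSON list-of-objects form into {label: disposition}."""
    key = f"{resource}_prefix" if prefix else resource
    rules: Dict[str, str] = {}
    for entry in policy.get(key, []):
        for label, bodies in entry.items():
            rules[label] = bodies[0]["policy"]
    return rules


def disposition(policy: dict, resource: str, label: Optional[str] = None,
                default_policy: str = "deny") -> str:
    """Effective disposition (read / write / deny) for one resource."""
    fallback = DEFAULTS[default_policy]
    if label is None:
        # acl, keyring, mesh and operator carry no label: plain scalar rules.
        return policy.get(resource, fallback)
    exact = labelled_rules(policy, resource)
    if label in exact:
        return exact[label]  # an exact-match rule takes precedence
    prefixes = labelled_rules(policy, resource, prefix=True)
    matching = [p for p in prefixes if label.startswith(p)]
    if matching:
        return prefixes[max(matching, key=len)]  # most specific prefix wins
    return fallback


def allowed(policy: dict, resource: str, access: str, label: Optional[str] = None,
            default_policy: str = "deny") -> bool:
    """True if the policy grants at least `access` ('read' or 'write')."""
    return disposition(policy, resource, label, default_policy) in SATISFIES[access]


if __name__ == "__main__":
    for key in ("foo/bar/secret", "foo/bar/other", "foo/private/x", "zzz"):
        print(f"key {key!r}: {disposition(POLICY, 'key', key)}")
```

Running the file prints the effective disposition for a few keys. The point worth remembering when reviewing a policy is that "foo/bar/secret" is denied even though the "foo/" prefix grants write, because exact rules are checked before prefix rules, and that a resource with no rule at all (for example any service) falls back to default_policy, which is why the agents below are configured with default_policy = "deny".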
1.6.4. Resources in rules

| Resource | Description | Labels |
|---|---|---|
| acl | Controls access to ACL operations in the ACL API. See ACL Resource Rules for details. | No |
| partition | ENTERPRISE Controls access to one or more admin partitions. See Admin Partition Rules for details. | Yes |
| agent | Controls access to the utility operations in the Agent API. See Agent Rules for details. | Yes |
| event | Controls access to event operations in the Event API, such as firing and listing events. See Event Rules for details. | Yes |
| key | Controls access to key/value store operations in the KV API. Can also use the key_prefix resource. Has additional value options in Consul Enterprise for integrating with Sentinel. See Key/Value Rules for details. | Yes |
| keyring | Controls access to keyring operations in the Keyring API. See Keyring Rules for details. | No |
| mesh | Provides operator-level permissions for resources in the admin partition, such as ingress gateways or mesh proxy defaults. See Mesh Rules for details. | No |
| namespace | ENTERPRISE Controls access to one or more namespaces. See Namespace Rules for details. | Yes |
| node | Controls access to node-level registration and read access to the Catalog API. See Node Rules for details. | Yes |
| operator | Controls access to cluster-level operations available in the Operator API excluding keyring API endpoints. See Operator Rules for details. | No |
| query | Controls access to create, update, and delete prepared queries in the Prepared Query API. Access to the node and service must also be granted. See Prepared Query Rules for details. | Yes |
| service | Controls service-level registration and read access to the Catalog API, as well as service discovery with the Health API. See Service Rules for details. | Yes |
| session | Controls access to operations in the Session API. See Session Rules for details. | Yes |
2. Enabling Consul ACLs
Assume Consul is installed on three machines:

| Machine | Agent type |
|---|---|
| 10.40.96.10 | server |
| 10.40.96.11 | server |
| 10.40.96.12 | server |

A. Start Consul on each machine:

```shell
nohup ./consul agent -config-file=./agent.hcl &
```
agent.hcl on 10.40.96.10:

```hcl
server = true
ui_config = {
  enabled = true
}
bootstrap_expect = 3
data_dir = "./data"
datacenter = "dc1"
primary_datacenter = "dc1"
node_name = "node131"
client_addr = "0.0.0.0"
bind_addr = "10.40.96.10"
acl = {
  enabled = true
  default_policy = "deny"          # anything not explicitly granted is denied
  down_policy = "extend-cache"     # keep using cached token decisions while servers are unreachable
  enable_token_persistence = true  # tokens set via the agent API survive restarts
}
```
agent.hcl on 10.40.96.11:

```hcl
server = true
ui_config = {
  enabled = true
}
bootstrap_expect = 3
data_dir = "./data"
datacenter = "dc1"
primary_datacenter = "dc1"
node_name = "node132"
client_addr = "0.0.0.0"
bind_addr = "10.40.96.11"
start_join = ["10.40.96.10"]
acl = {
  enabled = true
  default_policy = "deny"
  down_policy = "extend-cache"
  enable_token_persistence = true
}
```
agent.hcl on 10.40.96.12:

```hcl
server = true
ui_config = {
  enabled = true
}
bootstrap_expect = 3
data_dir = "./data"
datacenter = "dc1"
primary_datacenter = "dc1"
node_name = "node133"  # node_name must be unique per agent in the datacenter
client_addr = "0.0.0.0"
bind_addr = "10.40.96.12"
start_join = ["10.40.96.10"]
acl = {
  enabled = true
  default_policy = "deny"
  down_policy = "extend-cache"
  enable_token_persistence = true
}
```
B. Create the initial token; run this on any one node:

```shell
./consul acl bootstrap
```

When it completes, the console prints the details of the created token. This token has unrestricted privileges and can be used to log in to the UI for the subsequent operations.
3. Using ACLs with Spring Cloud Consul
Here ACLs are used to control service registration and discovery: two tokens are created, one for service registration and another for a client that discovers and calls the service.
3.1. Create the policies and tokens
Create the policy for service registration:
Create the token for service registration:
Create the policy for service discovery:
Create the token for service discovery:
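As an added example for this step (not the article's, Consul's or Spring Cloud's own code), the script below generates the two least-privilege policies the article describes, one modelled on the service identity template from section 1.2 for the registering service and one read-only policy for the discovery client, and assembles the corresponding `consul acl policy create` and `consul acl token create` commands. The service name "service-one", the policy names, the file names and the management token value are hypothetical placeholders; the commands are executed only if a `consul` binary is on PATH (the CLI reads the agent address from CONSUL_HTTP_ADDR), otherwise they are only printed.

```python
"""Build least-privilege ACL policies for a registering service and a
discovery-only client, and the consul CLI commands that create them.

Added example for this article; not Consul's, Spring Cloud's or the
author's code. Service name "service-one", the policy names and the
management token are hypothetical placeholders. The consul binary is only
invoked when it is found on PATH; otherwise the commands are returned.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional


def registration_rules(service_name: str) -> str:
    """Rules for a token that registers `service_name` (the service identity template)."""
    return (
        f'service "{service_name}" {{\n  policy = "write"\n}}\n'
        f'service "{service_name}-sidecar-proxy" {{\n  policy = "write"\n}}\n'
        'service_prefix "" {\n  policy = "read"\n}\n'
        'node_prefix "" {\n  policy = "read"\n}\n'
    )


def discovery_rules() -> str:
    """Rules for a client that only discovers services: read everything, register nothing."""
    return (
        'service_prefix "" {\n  policy = "read"\n}\n'
        'node_prefix "" {\n  policy = "read"\n}\n'
    )


def policy_create_cmd(name: str, rules_file: Path, mgmt_token: str) -> List[str]:
    # "-rules @file" reads the rule body from a file; "-token" authenticates the call.
    return ["consul", "acl", "policy", "create", "-name", name,
            "-rules", f"@{rules_file}", "-token", mgmt_token]


def token_create_cmd(description: str, policy_name: str, mgmt_token: str) -> List[str]:
    return ["consul", "acl", "token", "create", "-description", description,
            "-policy-name", policy_name, "-token", mgmt_token]


def plan(service_name: str, mgmt_token: str, workdir: Optional[str] = None) -> List[List[str]]:
    """Write both rule files and return the four commands in execution order."""
    base = Path(workdir or tempfile.mkdtemp(prefix="consul-acl-"))
    reg_file = base / f"{service_name}-register.hcl"
    disc_file = base / "service-discovery.hcl"
    reg_file.write_text(registration_rules(service_name))
    disc_file.write_text(discovery_rules())
    reg_policy = f"{service_name}-register"   # hypothetical policy name
    disc_policy = "service-discovery"         # hypothetical policy name
    return [
        policy_create_cmd(reg_policy, reg_file, mgmt_token),
        token_create_cmd(f"{service_name} registration token", reg_policy, mgmt_token),
        policy_create_cmd(disc_policy, disc_file, mgmt_token),
        token_create_cmd("service discovery token", disc_policy, mgmt_token),
    ]


def apply(commands: List[List[str]]) -> bool:
    """Run the commands against the local agent; return False if consul is not installed."""
    if shutil.which("consul") is None:
        return False
    for cmd in commands:
        subprocess.run(cmd, check=True)
    return True


if __name__ == "__main__":
    cmds = plan("service-one", "<initial-management-token>")  # placeholder token
    for cmd in cmds:
        print(" ".join(cmd))
    if not apply(cmds):
        print("consul binary not found; commands printed only")
```

The Secret ID printed by each `consul acl token create` is the value that goes into spring.cloud.consul.discovery.acl-token in the next step. The discovery policy deliberately carries no write rule, so a token leaked from the client side cannot register or deregister services.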
3.2. Add spring.cloud.consul.discovery.acl-token to the application configuration
Service one (does not call other services):

```yaml
spring:
  cloud:
    consul:
      host: 10.40.96.10
      port: 8500
      discovery:
        prefer-ip-address: true
        acl-token: 17d11099-64ee-e923-5e9b-60a7cb23aa87
        health-check-critical-timeout: 10s
```
Service two (calls service one and does not register itself as a service):

```yaml
spring:
  cloud:
    consul:
      host: 10.40.96.132
      port: 8500
      discovery:
        register: false
        acl-token: 9a6bc59e-73d7-7af5-a669-818a200a9ded
        prefer-ip-address: true
```

With the configuration in place, start both services; service two can call service one normally.