consul 节点有server模式,与client 的模式, 微服务通过Nginx 访问 consul client 节点用来进行服务的注册与发现。
consul ACL介绍
ACL是访问控制列表,consul中主要用来控制 agent ,service,node,event,key,query 等功能的控制访问
consul ACL Server节点配置
{
"data_dir": "/data/consul/data/",
"datacenter": "lq",
"log_level": "INFO",
"bootstrap_expect": 3,
"server": true,
"bind_addr": "10.23.27.91",
"client_addr": "0.0.0.0",
"acl_datacenter": "lq",
"acl_master_token":
"autohome-openapi",
"acl_default_policy": "deny" ,
"acl_token" : "autohome-openapi",
"retry_join": ["10.23.27.87"],
"retry_interval": "30s",
"rejoin_after_leave": true,
"start_join": ["10.23.27.87"],
"ui":true
}
acl_default_policy 默认值值是allow,即能够执行任何操作,这里需要关闭
acl_master_token 需要在每个server上配置,有management级别的权限,相当于一个种子token
acl_datacenter区域的标识
在UI 界面进行ACL规则定制
官方文档有一例分配说明
# Default all keys to read-only
key "" {
policy = "read"
}
key "foo/" {
policy = "write"
}
key "foo/private/" {
# Deny access to the dir "foo/private" policy = "deny"
}
# Default all services to allow registration. Also permits all
# services to be discovered.
service "" {
policy = "write"
}
# Deny registration access to services prefixed "secure-".
# Discovery of the service is still allowed in read mode.
service "secure-" {
policy = "read"
}
# Allow firing any user event by default.
event "" {
policy = "write"
}
# Deny firing events prefixed with "destroy-".
event "destroy-" {
policy = "deny"
}# Default prepared queries to read-only.
query "" {
policy = "read"
}
# Read-only mode for the encryption keyring by default (list only)
keyring = "read"
配置好权限后,就可以启动Consul 的Client 节点了。配置如下
{
"data_dir": "/data/consul/data/",
"datacenter": "lq",
"log_level": "INFO",
"bind_addr": "192.168.0.10",
"client_addr": "0.0.0.0",
"retry_join": ["10.23.27.87"],
"acl_datacenter": "bj",
"acl_token": "366ef886-4162-5e60-1c85-74ab7a944061",
"ui":true}
