Consul System information
server version: v1.2.3
KV Store Endpoints
url: http://host:port/v1/kv/:key
Read key
Method: GET
Url: /kv/:key
Parameters (partial list)
- raw (bool: false) - Specifies the response is just the raw value of the key, without any encoding or metadata. This is specified as part of the URL as a query parameter.
Sample Request
$ curl http://127.0.0.1:8500/v1/kv/my-key
Sample Response
Default (Value is a base64-encoded blob of data):
[
  {
    "LockIndex": 0,
    "Key": "pgsql",
    "Flags": 0,
    "Value": "ewogICAgInVzZXIiOiAidHBpemRzIiwKICAgICJwYXNzd29yZCI6ICJ0cGl6ZHMxOSIsCiAgICAiaG9zdCI6ICIxMC4zMC42My4yNDMiLAogICAgInBvcnQiOiA1NDMyLAogICAgImRhdGFiYXNlIjogInRwaXpkcyIKICB9Cg==",
    "CreateIndex": 7865811,
    "ModifyIndex": 7869176
  }
]
With ?raw=true:
{
  "user": "tp",
  "password": "123456",
  "host": "192.168.1.1",
  "port": 5432,
  "database": "tp"
}
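The two response shapes above differ only in encoding: without ?raw=true every Value is base64, so a client has to decode it before the stored document is usable. The following Python is an added example (not part of these notes or of Consul itself) that decodes a metadata-form KV response, handles a key whose Value is null, and reports which decoded documents carry credential-like fields, which is a quick way to find KV entries that must sit behind an ACL. The sample response is constructed here to match the redacted raw output above; the field names in SECRET_HINTS are an assumption.

```python
import base64
import json

# Constructed sample response for GET /v1/kv/pgsql. The Value field is the
# base64 encoding of the document shown by the ?raw=true request; it is built
# here so the example is self-contained and matches the redacted raw output.
RAW_PGSQL_DOC = json.dumps(
    {"user": "tp", "password": "123456", "host": "192.168.1.1",
     "port": 5432, "database": "tp"}
)
SAMPLE_KV_RESPONSE = json.dumps([
    {
        "LockIndex": 0,
        "Key": "pgsql",
        "Flags": 0,
        "Value": base64.b64encode(RAW_PGSQL_DOC.encode("utf-8")).decode("ascii"),
        "CreateIndex": 7865811,
        "ModifyIndex": 7869176,
    },
    # A key that exists but holds no data: Consul returns Value as null.
    {"LockIndex": 0, "Key": "empty", "Flags": 0, "Value": None,
     "CreateIndex": 7865812, "ModifyIndex": 7865812},
])

# Field names that usually mean a KV entry holds a credential (assumed list).
SECRET_HINTS = ("password", "passwd", "secret", "token", "private_key")


def decode_kv_response(body):
    """Map each Key in a metadata-form KV response to its decoded bytes.

    Without ?raw=true Consul base64-encodes every Value, so a client that
    forgets to decode sees the blob, not the stored data. A null Value
    (key with no data) is returned as None.
    """
    decoded = {}
    for entry in json.loads(body):
        value = entry.get("Value")
        decoded[entry["Key"]] = None if value is None else base64.b64decode(value)
    return decoded


def find_secret_fields(document, path=""):
    """Return dotted paths of fields in a parsed JSON document whose names
    look like credentials. Used to spot KV keys that must be ACL-protected."""
    hits = []
    if isinstance(document, dict):
        for name, child in document.items():
            child_path = f"{path}.{name}" if path else name
            if any(hint in name.lower() for hint in SECRET_HINTS):
                hits.append(child_path)
            hits.extend(find_secret_fields(child, child_path))
    elif isinstance(document, list):
        for index, child in enumerate(document):
            hits.extend(find_secret_fields(child, f"{path}[{index}]"))
    return hits


def audit_kv_response(body):
    """Decode every entry and report which keys carry credential-like fields."""
    report = {}
    for key, raw in decode_kv_response(body).items():
        if raw is None:
            report[key] = []
            continue
        try:
            parsed = json.loads(raw)
        except ValueError:
            report[key] = []  # not JSON; nothing structured to inspect
            continue
        report[key] = find_secret_fields(parsed)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_kv_response(SAMPLE_KV_RESPONSE), indent=2))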
Create/Update key
This endpoint uses the PUT method to update the value of the specified key. If no key exists at the given path, the key will be created.
Method: PUT
Url: /kv/:key
Even though the return type is application/json, the value is either true or false, indicating whether the create/update succeeded.
Sample Payload
The payload is arbitrary and is loaded directly into Consul as supplied.
ACL
Reference: legacy ACL documentation for Consul versions < 1.4 (the /v1/acl/create and /v1/acl/update endpoints used below belong to the legacy ACL system).
Bootstrapping ACLs
The basic ACL settings can be bootstrapped in two ways: by writing them directly into a configuration file, or through the HTTP API. First, a brief look at the configuration-file approach (the configuration file lives in the /consul/config/ directory inside the container).
An example:
{
"acl_datacenter": "dc1",
"acl_master_token": "b1gs33cr3t",
"acl_default_policy": "deny",
"acl_down_policy": "extend-cache"
}
The meaning of the settings above:
- acl_datacenter: the name of the Consul datacenter (the one authoritative for ACLs).
- acl_master_token: a user-chosen master token. It carries global management privileges: it can administer the ACL system and configure the agent-facing ACL rules for nodes, KV entries and other objects.
- acl_default_policy: the default policy. When set to deny, Consul runs in allow-list (whitelist) mode, and reading any Consul information requires a token whose policy covers the object being read.
- acl_down_policy: extend-cache means that when the authoritative datacenter is offline and cannot answer ACL queries, the locally cached policies are used by default.
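The four keys above are the whole ACL posture of a legacy-ACL agent, so it is worth checking them mechanically before a config is shipped. The Python below is an added example (not from these notes or from Consul) that lints a configuration fragment: it flags a missing acl_datacenter, a default policy other than deny, an unknown or permissive acl_down_policy, and a short static master token. The hardened fragment is the one shown above; the weak variant, the 16-character threshold and the finding codes are constructed for the example.

```python
import json

# Constructed configuration fragments: the hardened one from the notes above
# and a weaker variant that the lint should flag.
HARDENED_CONFIG = """{
  "acl_datacenter": "dc1",
  "acl_master_token": "b1gs33cr3t",
  "acl_default_policy": "deny",
  "acl_down_policy": "extend-cache"
}"""

WEAK_CONFIG = """{
  "acl_master_token": "",
  "acl_default_policy": "allow",
  "acl_down_policy": "unknown"
}"""

# Values Consul accepts for acl_down_policy in the legacy ACL system.
VALID_DOWN_POLICIES = ("allow", "deny", "extend-cache", "async-cache")
MIN_MASTER_TOKEN_LEN = 16  # assumption: anything shorter is treated as guessable


def lint_acl_config(config_json):
    """Return a list of (code, message) findings for the legacy ACL keys in a
    Consul agent configuration; an empty list means nothing to report."""
    config = json.loads(config_json)
    findings = []

    if not config.get("acl_datacenter"):
        findings.append(("no-acl-datacenter",
                         "acl_datacenter is unset, so no datacenter is authoritative for ACLs"))

    # Consul's built-in default is "allow"; only "deny" gives allow-list behaviour.
    policy = config.get("acl_default_policy", "allow")
    if policy != "deny":
        findings.append(("default-policy-not-deny",
                         f"acl_default_policy is {policy!r}; set it to 'deny'"))

    down = config.get("acl_down_policy", "extend-cache")
    if down not in VALID_DOWN_POLICIES:
        findings.append(("invalid-down-policy",
                         f"acl_down_policy {down!r} is not one of {VALID_DOWN_POLICIES}"))
    elif down == "allow":
        findings.append(("down-policy-allow",
                         "acl_down_policy 'allow' grants everything while the ACL datacenter is unreachable"))

    # A master token written into a config file is a static secret on disk;
    # an empty string is treated as "not set".
    token = config.get("acl_master_token") or None
    if token is not None and len(token) < MIN_MASTER_TOKEN_LEN:
        findings.append(("weak-master-token",
                         f"acl_master_token is {len(token)} characters; use a long random value "
                         "or let /v1/acl/bootstrap generate one"))
    return findings


def finding_codes(config_json):
    """Only the finding codes, convenient for CI gates."""
    return [code for code, _message in lint_acl_config(config_json)]


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, lint_acl_config(cfg))
```

Note that the hardened fragment still produces one finding: its ten-character master token is the kind of value the bootstrap API in the next section replaces with a random UUID.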
Next, configuring ACLs through the HTTP API, in three steps:
1. Set the master token
2. Set the agent token
3. Set the UI token
Setting the master token
$ curl --request PUT http://127.0.0.1:8500/v1/acl/bootstrap
{"ID":"fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1"}
The returned ID is the master token. This API can only be used while bootstrapping ACLs and only when no master token is set in the configuration file; it works exactly once.
After the master token is generated, the servers will restart, sync the configuration to every Consul server and elect a leader. At this point a problem appears: because we have not yet configured an agent token, the agents have no permission to retrieve information from the Consul servers, and the Consul log shows the following errors:
2020/04/27 23:38:24 [WARN] agent: Node info update blocked by ACLs
2020/04/27 23:38:44 [WARN] agent: Coordinate update blocked by ACLs
Setting the agent token
$ curl --request PUT \
    --header "X-Consul-Token: b1gs33cr3t" \
    --data '{
      "Name": "Agent Token",
      "Type": "client",
      "Rules": "node \"\" { policy = \"write\" } service \"\" { policy = \"read\" }"
    }' http://127.0.0.1:8500/v1/acl/create
{"ID":"fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1"}
After generating the token, we can also register it as the agent token through the API:
$ curl --request PUT \
    --header "X-Consul-Token: b1gs33cr3t" \
    --data '{
      "Token": "fe3b8d40-0ee0-8783-6cc2-ab1aa9bb16c1"
    }' http://127.0.0.1:8500/v1/agent/token/acl_agent_token
With that ACL agent token set, the servers will be able to sync themselves with the catalog:
2020/04/27 23:42:59 [INFO] agent: Synced node info
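The "blocked by ACLs" warnings and the later "Synced node info" line are the signals to watch for when an agent has no usable token. The Python below is an added example (not from these notes or from Consul) that parses Consul 1.x agent log lines, collects every update the servers rejected for ACL reasons, and reports whether a later sync shows the agent recovered. The log excerpt is constructed from the three lines quoted above.

```python
import re

# Constructed log excerpt: the two warnings quoted in the notes above, followed
# by the line an agent logs once its token is accepted.
SAMPLE_LOG = """\
2020/04/27 23:38:24 [WARN] agent: Node info update blocked by ACLs
2020/04/27 23:38:44 [WARN] agent: Coordinate update blocked by ACLs
2020/04/27 23:42:59 [INFO] agent: Synced node info
"""

# Layout of Consul 1.x agent log lines: date time [LEVEL] message
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
ACL_BLOCKED = re.compile(r"^agent: (?P<what>.+?) blocked by ACLs$")
SYNCED = "agent: Synced node info"


def parse_log(text):
    """Return (timestamp, level, message) tuples; lines that do not match the
    expected layout are ignored rather than raising."""
    parsed = []
    for line in text.splitlines():
        match = LOG_LINE.match(line.strip())
        if match:
            parsed.append((match.group("ts"), match.group("level"), match.group("msg")))
    return parsed


def acl_block_status(text):
    """Summarise ACL denials affecting an agent.

    'blocked' lists (timestamp, update type) for every update the servers
    rejected; 'recovered' is True when a 'Synced node info' line follows the
    last denial, i.e. the agent token was accepted afterwards.
    """
    blocked = []
    recovered = False
    for ts, _level, msg in parse_log(text):
        denial = ACL_BLOCKED.match(msg)
        if denial:
            blocked.append((ts, denial.group("what")))
            recovered = False  # a new denial after a sync means the problem is back
        elif msg == SYNCED and blocked:
            recovered = True
    return {"blocked": blocked, "recovered": recovered}


if __name__ == "__main__":
    print(acl_block_status(SAMPLE_LOG))
```

An alert that fires on any "blocked by ACLs" line with recovered still False catches both the bootstrap gap described above and a token that is later revoked or rotated without updating the agent.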
Once the token has been set, restart the servers and clients. Because acl_default_policy is deny, none of the datacenter's configuration information (nodes, services and so on) can be retrieved without passing a token. Since we want every user to be able to see node information, we give the anonymous token read access to nodes:
$ curl --request PUT \
    --header "X-Consul-Token: b1gs33cr3t" \
    --data '{
      "ID": "anonymous",
      "Type": "client",
      "Rules": "node \"\" { policy = \"read\" }"
    }' http://127.0.0.1:8500/v1/acl/update
{"ID":"anonymous"}
Note that Consul's DNS service information lives in the service named consul, so that service must also be added to the anonymous policy:
$ curl --request PUT \
    --header "X-Consul-Token: b1gs33cr3t" \
    --data '{
      "ID": "anonymous",
      "Type": "client",
      "Rules": "node \"\" { policy = \"read\" } service \"consul\" { policy = \"read\" }"
    }' http://127.0.0.1:8500/v1/acl/update
{"ID":"anonymous"}
One more note: if the anonymous-policy approach feels too broad and you want a different policy per agent, use agent token policies instead (see the reference link).
Setting the UI token
The anonymous token configured above does not fully cover the Consul UI (the official docs do not spell out which parts of the UI it does not cover), so the official advice is to create a separate UI token policy for the UI. Once the token is obtained, enter it in the UI's settings:
$ curl --request PUT \
    --header "X-Consul-Token: b1gs33cr3t" \
    --data '{
      "Name": "UI Token",
      "Type": "client",
      "Rules": "key \"\" { policy = \"write\" } node \"\" { policy = \"read\" } service \"\" { policy = \"read\" }"
    }' http://127.0.0.1:8500/v1/acl/create
{"ID":"d0a9f330-2f9d-0a8c-d2af-1e9ceda354e6"}
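Every request in the three steps above has the same shape: a JSON body whose Rules field is a string of legacy HCL, sent with PUT and an X-Consul-Token header. The quoting inside Rules is the error-prone part, since the HCL's own double quotes must be escaped inside the JSON string. The Python below is an added example (not from these notes or from Consul) that renders grants into legacy rules, lets json.dumps do the escaping, builds the agent, anonymous and UI payloads from the steps above, and includes a check that the anonymous token never receives blanket write access. The agent address and the reuse of the master token from the notes are placeholders; consul_put needs a reachable agent and is not run offline.

```python
import json
import urllib.request

# Assumptions for this example: a local agent and the master token from the
# notes above, used purely as placeholders.
CONSUL_ADDR = "http://127.0.0.1:8500"
MASTER_TOKEN = "b1gs33cr3t"

LEGACY_POLICIES = ("read", "write", "deny")


def rules_hcl(grants):
    """Render a list of (kind, prefix, policy) grants as legacy ACL rules,
    e.g. [("node", "", "write")] -> 'node "" { policy = "write" }'.
    An empty prefix matches every object of that kind."""
    parts = []
    for kind, prefix, policy in grants:
        if policy not in LEGACY_POLICIES:
            raise ValueError(f"unknown policy {policy!r} for {kind} {prefix!r}")
        parts.append(f'{kind} "{prefix}" {{ policy = "{policy}" }}')
    return " ".join(parts)


def legacy_acl_payload(grants, name=None, token_id=None, token_type="client"):
    """Build the JSON body for /v1/acl/create (give name) or /v1/acl/update
    (give token_id). json.dumps escapes the quotes inside the HCL rules, which
    is the step that hand-written curl bodies most often get wrong."""
    body = {"Type": token_type, "Rules": rules_hcl(grants)}
    if name is not None:
        body["Name"] = name
    if token_id is not None:
        body["ID"] = token_id
    return json.dumps(body)


def anonymous_grants_safe(grants):
    """Anonymous requests carry no token at all, so the anonymous rules should
    never grant write on a blanket (empty) prefix."""
    return not any(prefix == "" and policy == "write" for _kind, prefix, policy in grants)


# The three tokens configured in the notes above, expressed as grants.
AGENT_GRANTS = [("node", "", "write"), ("service", "", "read")]
ANONYMOUS_GRANTS = [("node", "", "read"), ("service", "consul", "read")]
UI_GRANTS = [("key", "", "write"), ("node", "", "read"), ("service", "", "read")]


def consul_put(path, payload, token, addr=CONSUL_ADDR):
    """PUT a JSON body to the Consul HTTP API with the X-Consul-Token header.
    Needs a reachable agent, so it is not exercised offline."""
    request = urllib.request.Request(addr + path, data=payload.encode("utf-8"), method="PUT")
    request.add_header("X-Consul-Token", token)
    request.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(request) as response:
        return json.loads(response.read())


def bootstrap_plan():
    """The (path, payload) calls from the notes, in order. The anonymous
    update is sent once, already including the consul service rule."""
    if not anonymous_grants_safe(ANONYMOUS_GRANTS):
        raise ValueError("anonymous token must not get blanket write access")
    return [
        ("/v1/acl/create", legacy_acl_payload(AGENT_GRANTS, name="Agent Token")),
        ("/v1/acl/update", legacy_acl_payload(ANONYMOUS_GRANTS, token_id="anonymous")),
        ("/v1/acl/create", legacy_acl_payload(UI_GRANTS, name="UI Token")),
    ]


if __name__ == "__main__":
    for path, payload in bootstrap_plan():
        print(path, payload)  # to apply: consul_put(path, payload, MASTER_TOKEN)
```

The ID returned by the agent-token create call still has to be handed to /v1/agent/token/acl_agent_token, as in the notes; bootstrap_plan stops at the payloads so that the printed bodies can be compared against the curl commands above before anything is sent.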