github.com/anth0d/nomad@v0.0.0-20221214183521-ae3a0a2cad06/website/content/docs/configuration/acl.mdx

---
layout: docs
page_title: acl Stanza - Agent Configuration
description: >-
  The "acl" stanza configures the Nomad agent to enable ACLs and tune various
  parameters.
---

# `acl` Stanza

<Placement groups={['acl']} />

The `acl` stanza configures the Nomad agent to enable ACLs and tunes various
ACL parameters. Learn more about configuring Nomad's ACL system in the [Secure
Nomad with Access Control guide][secure-guide].

```hcl
acl {
  enabled    = true
  token_ttl  = "30s"
  policy_ttl = "60s"
  role_ttl   = "60s"
}
```

## `acl` Parameters

- `enabled` `(bool: false)` - Specifies whether ACL enforcement is enabled. All
  other ACL configuration options depend on this value. Note that the Nomad
  command line client sends requests for client endpoints such as `alloc exec`
  directly to Nomad clients whenever they are reachable. In this scenario, the
  client enforces ACLs, so both servers and clients should have ACLs enabled.

- `token_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
  cached ACL tokens. This does not affect servers, since they do not cache tokens.
  Setting this value lower reduces how stale a token can be, but increases
  the request load against servers. If a client cannot reach a server, for example
  because of an outage, the TTL is ignored and the cached value is used.

- `policy_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
  cached ACL policies. This does not affect servers, since they do not cache policies.
  Setting this value lower reduces how stale a policy can be, but increases
  the request load against servers. If a client cannot reach a server, for example
  because of an outage, the TTL is ignored and the cached value is used.

- `role_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
  cached ACL roles. This does not affect servers, since they do not cache roles.
  Setting this value lower reduces how stale a role can be, but increases the
  request load against servers. If a client cannot reach a server, for example
  because of an outage, the TTL is ignored and the cached value is used.

- `replication_token` `(string: "")` - Specifies the Secret ID of the ACL token
  to use for replicating policies and tokens. This is used by servers in a
  non-authoritative region to mirror the policies and tokens into the local
  region from the [authoritative_region][authoritative-region].

- `token_min_expiration_ttl` `(string: "1m")` - Specifies the lowest acceptable
  TTL value for an ACL token when setting expiration. This is used by the Nomad
  servers to validate ACL tokens.

- `token_max_expiration_ttl` `(string: "24h")` - Specifies the highest acceptable
  TTL value for an ACL token when setting expiration. This is used by the Nomad
  servers to validate ACL tokens.
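The cache behaviour described for `token_ttl`, `policy_ttl` and `role_ttl` (a fresh entry is served locally, an expired entry triggers a refresh, and when the servers are unreachable the TTL is ignored and the stale entry is used) and the `token_min_expiration_ttl` / `token_max_expiration_ttl` bounds are modelled below as an added Go illustration. This is not Nomad's own cache or validation code; the `ACLCache` type, `Resolve`, `ValidateTokenExpiration`, the `fetch` callback and the `tok-1` / `tok-2` ids are assumptions made for the model. The point worth noticing is the asymmetry: an object that was cached once can be served stale during an outage, but an object that was never resolved is rejected, so an outage never widens access.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrServerUnreachable stands in for a failed RPC to the Nomad servers.
var ErrServerUnreachable = errors.New("server unreachable")

type cacheEntry struct {
	value     string
	fetchedAt time.Time
}

// ACLCache is a teaching model (not Nomad's implementation) of a client-side
// cache of ACL objects (tokens, policies or roles) bounded by one *_ttl value.
type ACLCache struct {
	ttl     time.Duration
	now     func() time.Time                // injectable clock for deterministic tests
	fetch   func(id string) (string, error) // resolves the object from the servers
	entries map[string]cacheEntry
}

// NewACLCache builds a cache with the given TTL, clock and server fetch function.
func NewACLCache(ttl time.Duration, now func() time.Time, fetch func(string) (string, error)) *ACLCache {
	return &ACLCache{ttl: ttl, now: now, fetch: fetch, entries: map[string]cacheEntry{}}
}

// Resolve returns the object for id. A cache entry younger than ttl is served
// without contacting a server. An older entry triggers a refresh; if that fails
// because the servers are unreachable, the TTL is ignored and the stale entry
// is returned with stale=true. With no cached entry at all the error propagates,
// so an id the client has never validated is not treated as valid.
func (c *ACLCache) Resolve(id string) (value string, stale bool, err error) {
	e, ok := c.entries[id]
	if ok && c.now().Sub(e.fetchedAt) < c.ttl {
		return e.value, false, nil
	}
	v, err := c.fetch(id)
	if err != nil {
		if ok {
			return e.value, true, nil // outage: serve the stale copy
		}
		return "", false, err
	}
	c.entries[id] = cacheEntry{value: v, fetchedAt: c.now()}
	return v, false, nil
}

// ValidateTokenExpiration applies the token_min_expiration_ttl and
// token_max_expiration_ttl bounds to the expiration TTL requested for a token.
func ValidateTokenExpiration(requested, minTTL, maxTTL time.Duration) error {
	if requested < minTTL {
		return fmt.Errorf("expiration ttl %s is below token_min_expiration_ttl %s", requested, minTTL)
	}
	if requested > maxTTL {
		return fmt.Errorf("expiration ttl %s is above token_max_expiration_ttl %s", requested, maxTTL)
	}
	return nil
}

func main() {
	// Constructed scenario: a fixed clock and a server that can be taken offline.
	clock := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
	online := true
	fetch := func(id string) (string, error) {
		if !online {
			return "", ErrServerUnreachable
		}
		return "policy-for-" + id, nil
	}
	cache := NewACLCache(30*time.Second, func() time.Time { return clock }, fetch)

	v, stale, _ := cache.Resolve("tok-1")
	fmt.Println(v, stale) // fresh fetch from the server

	online = false
	clock = clock.Add(time.Minute) // entry is older than token_ttl and servers are down
	v, stale, _ = cache.Resolve("tok-1")
	fmt.Println(v, stale) // stale copy served, TTL ignored

	_, _, err := cache.Resolve("tok-2")
	fmt.Println(err) // never cached: rejected rather than trusted

	fmt.Println(ValidateTokenExpiration(48*time.Hour, time.Minute, 24*time.Hour))
}
```

Lowering the TTL narrows the window in which a revoked token or changed policy is still honoured, at the cost of more server round trips; the outage fallback means that window is unbounded while servers are unreachable, which is the trade-off the parameter descriptions above point at.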

[secure-guide]: https://learn.hashicorp.com/collections/nomad/access-control
[authoritative-region]: /docs/configuration/server#authoritative_region