github.com/outbrain/consul@v1.4.5/website/source/api/connect/intentions.html.md (about) 1 --- 2 layout: api 3 page_title: Intentions - Connect - HTTP API 4 sidebar_current: api-connect-intentions 5 description: |- 6 The /connect/intentions endpoint provide tools for managing intentions via 7 Consul's HTTP API. 8 --- 9 10 # Intentions - Connect HTTP API 11 12 The `/connect/intentions` endpoint provide tools for managing 13 [intentions](/docs/connect/intentions.html). 14 15 ## Create Intention 16 17 This endpoint creates a new intention and returns its ID if it was created 18 successfully. 19 20 The name and destination pair must be unique. If another intention matches 21 the name and destination, the creation will fail. You must either update the 22 existing intention or delete it prior to creating a new one. 23 24 | Method | Path | Produces | 25 | ------ | ---------------------------- | -------------------------- | 26 | `POST` | `/connect/intentions` | `application/json` | 27 28 The table below shows this endpoint's support for 29 [blocking queries](/api/index.html#blocking-queries), 30 [consistency modes](/api/index.html#consistency-modes), 31 [agent caching](/api/index.html#agent-caching), and 32 [required ACLs](/api/index.html#acls). 33 34 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 35 | ---------------- | ----------------- | ------------- | ------------------------------- | 36 | `NO` | `none` | `none` | `intentions:write`<sup>1</sup> | 37 38 <sup>1</sup> Intention ACL rules are specified as part of a `service` rule. 39 See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. 40 41 ### Parameters 42 43 - `SourceName` `(string: <required>)` - The source of the intention. 44 For a `SourceType` of `consul` this is the name of a Consul service. The 45 service doesn't need to be registered. 46 47 - `DestinationName` `(string: <required>)` - The destination of the intention. 48 The intention destination is always a Consul service, unlike the source. 49 The service doesn't need to be registered. 50 51 - `SourceType` `(string: <required>)` - The type for the `SourceName` value. 52 This can be only "consul" today to represent a Consul service. 53 54 - `Action` `(string: <required>)` - This is one of "allow" or "deny" for 55 the action that should be taken if this intention matches a request. 56 57 - `Description` `(string: nil)` - Description for the intention. This is not 58 used for anything by Consul, but is presented in API responses to assist 59 tooling. 60 61 - `Meta` `(map<string|string>: nil)` - Specifies arbitrary KV metadata pairs. 62 63 ### Sample Payload 64 65 ```json 66 { 67 "SourceName": "web", 68 "DestinationName": "db", 69 "SourceType": "consul", 70 "Action": "allow" 71 } 72 ``` 73 74 ### Sample Request 75 76 ```text 77 $ curl \ 78 --request POST \ 79 --data @payload.json \ 80 http://127.0.0.1:8500/v1/connect/intentions 81 ``` 82 83 ### Sample Response 84 85 ```json 86 { 87 "ID": "8f246b77-f3e1-ff88-5b48-8ec93abf3e05" 88 } 89 ``` 90 91 ## Read Specific Intention 92 93 This endpoint reads a specific intention. 94 95 | Method | Path | Produces | 96 | ------ | ---------------------------- | -------------------------- | 97 | `GET` | `/connect/intentions/:uuid` | `application/json` | 98 99 The table below shows this endpoint's support for 100 [blocking queries](/api/index.html#blocking-queries), 101 [consistency modes](/api/index.html#consistency-modes), 102 [agent caching](/api/index.html#agent-caching), and 103 [required ACLs](/api/index.html#acls). 104 105 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 106 | ---------------- | ----------------- | ------------- | --------------- | 107 | `YES` | `all` | `none` | `intentions:read`<sup>1</sup> | 108 109 <sup>1</sup> Intention ACL rules are specified as part of a `service` rule. 110 See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. 111 112 ### Parameters 113 114 - `uuid` `(string: <required>)` - Specifies the UUID of the intention to read. This 115 is specified as part of the URL. 116 117 ### Sample Request 118 119 ```text 120 $ curl \ 121 http://127.0.0.1:8500/v1/connect/intentions/e9ebc19f-d481-42b1-4871-4d298d3acd5c 122 ``` 123 124 ### Sample Response 125 126 ```json 127 { 128 "ID": "e9ebc19f-d481-42b1-4871-4d298d3acd5c", 129 "Description": "", 130 "SourceNS": "default", 131 "SourceName": "web", 132 "DestinationNS": "default", 133 "DestinationName": "db", 134 "SourceType": "consul", 135 "Action": "allow", 136 "DefaultAddr": "", 137 "DefaultPort": 0, 138 "Meta": {}, 139 "Precedence": 9, 140 "CreatedAt": "2018-05-21T16:41:27.977155457Z", 141 "UpdatedAt": "2018-05-21T16:41:27.977157724Z", 142 "CreateIndex": 11, 143 "ModifyIndex": 11 144 } 145 ``` 146 147 ## List Intentions 148 149 This endpoint lists all intentions. 150 151 | Method | Path | Produces | 152 | ------ | ---------------------------- | -------------------------- | 153 | `GET` | `/connect/intentions` | `application/json` | 154 155 The table below shows this endpoint's support for 156 [blocking queries](/api/index.html#blocking-queries), 157 [consistency modes](/api/index.html#consistency-modes), 158 [agent caching](/api/index.html#agent-caching), and 159 [required ACLs](/api/index.html#acls). 160 161 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 162 | ---------------- | ----------------- | ------------- | --------------- | 163 | `YES` | `all` | `none` | `intentions:read`<sup>1</sup> | 164 165 <sup>1</sup> Intention ACL rules are specified as part of a `service` rule. 166 See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. 167 168 ### Sample Request 169 170 ```text 171 $ curl \ 172 http://127.0.0.1:8500/v1/connect/intentions 173 ``` 174 175 ### Sample Response 176 177 ```json 178 [ 179 { 180 "ID": "e9ebc19f-d481-42b1-4871-4d298d3acd5c", 181 "Description": "", 182 "SourceNS": "default", 183 "SourceName": "web", 184 "DestinationNS": "default", 185 "DestinationName": "db", 186 "SourceType": "consul", 187 "Action": "allow", 188 "DefaultAddr": "", 189 "DefaultPort": 0, 190 "Meta": {}, 191 "Precedence": 9, 192 "CreatedAt": "2018-05-21T16:41:27.977155457Z", 193 "UpdatedAt": "2018-05-21T16:41:27.977157724Z", 194 "CreateIndex": 11, 195 "ModifyIndex": 11 196 } 197 ] 198 ``` 199 200 ## Update Intention 201 202 This endpoint updates an intention with the given values. 203 204 | Method | Path | Produces | 205 | ------ | ---------------------------- | -------------------------- | 206 | `PUT` | `/connect/intentions/:uuid` | `application/json` | 207 208 The table below shows this endpoint's support for 209 [blocking queries](/api/index.html#blocking-queries), 210 [consistency modes](/api/index.html#consistency-modes), 211 [agent caching](/api/index.html#agent-caching), and 212 [required ACLs](/api/index.html#acls). 213 214 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 215 | ---------------- | ----------------- | ------------- | ---------------- | 216 | `NO` | `none` | `none` | `intentions:write`<sup>1</sup> | 217 218 219 <sup>1</sup> Intention ACL rules are specified as part of a `service` rule. 220 See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. 221 222 ### Parameters 223 224 - `uuid` `(string: <required>)` - Specifies the UUID of the intention to update. This 225 is specified as part of the URL. 226 227 - Other parameters are identical to creating an intention. 228 229 ### Sample Payload 230 231 ```json 232 { 233 "SourceName": "web", 234 "DestinationName": "other-db", 235 "SourceType": "consul", 236 "Action": "allow" 237 } 238 ``` 239 240 ### Sample Request 241 242 ```text 243 $ curl \ 244 --request PUT \ 245 --data @payload.json \ 246 http://127.0.0.1:8500/v1/connect/intentions/e9ebc19f-d481-42b1-4871-4d298d3acd5c 247 ``` 248 249 ## Delete Intention 250 251 This endpoint deletes a specific intention. 252 253 | Method | Path | Produces | 254 | -------- | ---------------------------- | -------------------------- | 255 | `DELETE` | `/connect/intentions/:uuid` | `application/json` | 256 257 The table below shows this endpoint's support for 258 [blocking queries](/api/index.html#blocking-queries), 259 [consistency modes](/api/index.html#consistency-modes), 260 [agent caching](/api/index.html#agent-caching), and 261 [required ACLs](/api/index.html#acls). 262 263 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 264 | ---------------- | ----------------- | ------------- | --------------- | 265 | `NO` | `none` | `none` | `intentions:write`<sup>1</sup> | 266 267 268 <sup>1</sup> Intention ACL rules are specified as part of a `service` rule. 269 See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. 270 271 ### Parameters 272 273 - `uuid` `(string: <required>)` - Specifies the UUID of the intention to delete. This 274 is specified as part of the URL. 275 276 ### Sample Request 277 278 ```text 279 $ curl \ 280 --request DELETE \ 281 http://127.0.0.1:8500/v1/connect/intentions/e9ebc19f-d481-42b1-4871-4d298d3acd5c 282 ``` 283 284 ## Check Intention Result 285 286 This endpoint evaluates the intentions for a specific source and destination 287 and returns whether the connection would be authorized or not given the 288 current Consul configuration and set of intentions. 289 290 This endpoint will work even if the destination service has 291 `intention = "deny"` specifically set, because the resulting API response 292 does not contain any information about the intention itself. 293 294 295 | Method | Path | Produces | 296 | ------ | ---------------------------- | -------------------------- | 297 | `GET` | `/connect/intentions/check` | `application/json` | 298 299 The table below shows this endpoint's support for 300 [blocking queries](/api/index.html#blocking-queries), 301 [consistency modes](/api/index.html#consistency-modes), 302 [agent caching](/api/index.html#agent-caching), and 303 [required ACLs](/api/index.html#acls). 304 305 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 306 | ---------------- | ----------------- | ------------- | -------------- | 307 | `NO` | `none` | `none` | `intentions:read`<sup>1</sup> | 308 309 <sup>1</sup> Intention ACL rules are specified as part of a `service` rule. 310 See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. 311 312 ### Parameters 313 314 - `source` `(string: <required>)` - Specifies the source service. This 315 is specified as part of the URL. 316 317 - `destination` `(string: <required>)` - Specifies the destination service. This 318 is specified as part of the URL. 319 320 ### Sample Request 321 322 ```text 323 $ curl \ 324 http://127.0.0.1:8500/v1/connect/intentions/check?source=web&destination=db 325 ``` 326 327 ### Sample Response 328 329 ```json 330 { 331 "Allowed": true 332 } 333 ``` 334 335 - `Allowed` is true if the connection would be allowed, false otherwise. 336 337 ## List Matching Intentions 338 339 This endpoint lists the intentions that match a given source or destination. 340 The intentions in the response are in evaluation order. 341 342 | Method | Path | Produces | 343 | ------ | ------------------------------ | -------------------------- | 344 | `GET` | `/connect/intentions/match` | `application/json` | 345 346 The table below shows this endpoint's support for 347 [blocking queries](/api/index.html#blocking-queries), 348 [consistency modes](/api/index.html#consistency-modes), 349 [agent caching](/api/index.html#agent-caching), and 350 [required ACLs](/api/index.html#acls). 351 352 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 353 | ---------------- | ----------------- | ------------- | -------------- | 354 | `NO` | `none` | `none` | `intentions:read`<sup>1</sup> | 355 356 <sup>1</sup> Intention ACL rules are specified as part of a `service` rule. 357 See [Intention Management Permissions](/docs/connect/intentions.html#intention-management-permissions) for more details. 358 359 ### Parameters 360 361 - `by` `(string: <required>)` - Specifies whether to match the "name" value 362 by "source" or "destination". 363 364 - `name` `(string: <required>)` - Specifies a name to match. This parameter 365 can be repeated for batching multiple matches. 366 367 ### Sample Request 368 369 ```text 370 $ curl \ 371 http://127.0.0.1:8500/v1/connect/intentions/match?by=source&name=web 372 ``` 373 374 ### Sample Response 375 376 ```json 377 { 378 "web": [ 379 { 380 "ID": "ed16f6a6-d863-1bec-af45-96bbdcbe02be", 381 "Description": "", 382 "SourceNS": "default", 383 "SourceName": "web", 384 "DestinationNS": "default", 385 "DestinationName": "db", 386 "SourceType": "consul", 387 "Action": "deny", 388 "DefaultAddr": "", 389 "DefaultPort": 0, 390 "Meta": {}, 391 "CreatedAt": "2018-05-21T16:41:33.296693825Z", 392 "UpdatedAt": "2018-05-21T16:41:33.296694288Z", 393 "CreateIndex": 12, 394 "ModifyIndex": 12 395 }, 396 { 397 "ID": "e9ebc19f-d481-42b1-4871-4d298d3acd5c", 398 "Description": "", 399 "SourceNS": "default", 400 "SourceName": "web", 401 "DestinationNS": "default", 402 "DestinationName": "*", 403 "SourceType": "consul", 404 "Action": "allow", 405 "DefaultAddr": "", 406 "DefaultPort": 0, 407 "Meta": {}, 408 "CreatedAt": "2018-05-21T16:41:27.977155457Z", 409 "UpdatedAt": "2018-05-21T16:41:27.977157724Z", 410 "CreateIndex": 11, 411 "ModifyIndex": 11 412 } 413 ] 414 } 415 ```