添加acl配置文件

# vim acl.json
{
"acl": {
"enabled": true,
"default_policy": "deny",
"down_policy": "extend-cache"
}
}

重启consul

# docker restart consul_server 

生成初始token

# consul acl bootstrap
AccessorID: edcaacda-b6d0-1954-5939-b5aceaca7c9a
SecretID: 4411f091-a4c9-48e6-0884-1fcb092da1c8
Description: Bootstrap Token (Global Management)
Local: false
Create Time: 2018-12-06 18:03:23.742699239 +0000 UTC
Policies:
00000000-0000-0000-0000-000000000001 - global-management

创建环境变量（将 bootstrap 生成的 global-management 令牌导出为 CONSUL_HTTP_TOKEN）。该 SecretID 写入 /etc/profile 后，本机所有能读取该文件的用户都可以看到。

# echo 'export CONSUL_HTTP_TOKEN=4411f091-a4c9-48e6-0884-1fcb092da1c8' >>/etc/profile
# source /etc/profile

创建agent token

创建agent策略

# vim agent-policy.hcl
node_prefix "" {
policy = "write"
}
service_prefix "" {
policy = "read"
}

此策略允许注册和访问所有节点，并读取任何服务

# consul acl policy create  -name "agent-token" -description "Agent Token Policy" -rules @agent-policy.hcl
ID: 5102b76c-6058-9fe7-82a4-315c353eb7f7
Name: agent-policy
Description: Agent Token Policy
Datacenters:
Rules:
node_prefix "" {
policy = "write"
}

service_prefix "" {
policy = "read"
}

创建agent令牌

# consul acl token create -description "Agent Token" -policy-name "agent-token"
AccessorID: 499ab022-27f2-acb8-4e05-5a01fff3b1d1
SecretID: da666809-98ca-0e94-a99c-893c4bf5f9eb
Description: Agent Token
Local: false
Create Time: 2018-10-19 14:23:40.816899 -0400 EDT
Policies:
fcd68580-c566-2bd2-891f-336eadc02357 - agent-token

服务端配置acl

把令牌添加到所有server.hcl

"primary_datacenter": "testkydhuabei2",
"acl": {
"enabled": true,
"default_policy": "deny",
"down_policy": "extend-cache",
"tokens": {
"agent": "da666809-98ca-0e94-a99c-893c4bf5f9eb"
}
}

重启consul

# docker restart consul_server        

检测 ACL 是否配置成功（使用 bootstrap 令牌查询节点列表）

# curl http://127.0.0.1:8500/v1/catalog/nodes -H 'x-consul-token: 4411f091-a4c9-48e6-0884-1fcb092da1c8'
[
{
"Address": "172.20.20.10",
"CreateIndex": 7,
"Datacenter": "kc",
"ID": "881cfb69-2bcd-c2a9-d87c-cb79fc454df9",
"Meta": {
"consul-network-segment": ""
},
"ModifyIndex": 10,
"Node": "fox",
"TaggedAddresses": {
"lan": "172.20.20.10",
"wan": "172.20.20.10"
}
}]

客户端配置acl

把令牌添加到所有client.hcl

"acl": {
"enabled": true,
"default_policy": "deny",
"down_policy": "extend-cache",
"tokens": {
"agent": "da666809-98ca-0e94-a99c-893c4bf5f9eb"
}
}

重启consul

# docker restart consul_client

service token

注册服务时需要配置 service token，先创建对应策略再生成令牌

# vim service.hcl
key_prefix "" {
policy = "write"
}
node_prefix "" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
# consul acl policy create -name "service-token" -description "Service Token Policy" -rules @service.hcl
# consul acl token create -description "Service Token" -policy-name "service-token"

官方文档