ACL Security Configuration
2026/1/15 · About 3 minutes · Consul · ACL · Security
1. ACL Overview
ACL (Access Control List) is Consul's access control system. It guards resources such as service registration and the KV store: every request carries a token, and the policies attached to that token decide what the request may do.
1.1 ACL Components
1.2 Permission Levels
| Level | Meaning |
|---|---|
| deny | Access refused |
| read | Read-only access |
| write | Read and write access; implies read |
| list | `key_prefix` rules only: list the keys under the prefix without reading their values |
When several rules match one resource, the most specific rule wins: an exact rule such as `service "user-service"` beats a prefix rule, and a longer prefix beats a shorter one. A resource that no rule matches gets `default_policy`.
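The rules above can be checked mechanically. The following is an added example in Python, not Consul's own code: it parses the flat `kind "name" { policy = "..." }` rules this page uses and reports the disposition Consul would apply to a given resource, so a policy can be reviewed before it is attached to a token. It assumes flat rules only (no nested blocks), and where two rules name the same resource it lets deny outrank write, read and list, which matches how Consul merges policies. The sample policy text is constructed from the service and KV policies shown later on this page.

```python
"""Resolve which disposition Consul applies to a resource under a policy set.

Added example, not Consul's own code. Models two documented rules:
  * an exact rule (`service "x"`) beats any prefix rule (`service_prefix`),
    and among prefix rules the longest matching prefix wins;
  * `list` < `read` < `write` as grant strength, `list` being meaningful
    only for key_prefix rules (read implies list).
Assumption: only flat `kind "name" { policy = "x" }` rules, as on this page.
"""
import re
from typing import List, Tuple

Rule = Tuple[str, str, str]          # (kind, name or prefix, disposition)

# A grant at level N satisfies any request whose level is <= N.
LEVELS = {"deny": 0, "list": 1, "read": 2, "write": 3}

# Conflict order when two rules name the same resource exactly (or the same
# prefix): deny outranks write, which outranks read, which outranks list.
PRECEDENCE = ["deny", "write", "read", "list"]

RULE_RE = re.compile(r'(\w+)\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(\w+)"\s*\}')


def parse_rules(hcl: str) -> List[Rule]:
    """Extract (kind, name, policy) triples; rejects unknown dispositions."""
    rules: List[Rule] = []
    for kind, name, policy in RULE_RE.findall(hcl):
        if policy not in LEVELS:
            raise ValueError(f"unknown disposition {policy!r} for {kind} {name!r}")
        rules.append((kind, name, policy))
    return rules


def _strongest(candidates: List[Rule]) -> str:
    return min(candidates, key=lambda r: PRECEDENCE.index(r[2]))[2]


def effective_policy(rules: List[Rule], kind: str, name: str,
                     default_policy: str = "deny") -> str:
    """Disposition for resource `kind`/`name`, e.g. ("key", "config/app/db")."""
    exact = [r for r in rules if r[0] == kind and r[1] == name]
    if exact:
        return _strongest(exact)                     # exact rule wins outright
    prefixed = [r for r in rules
                if r[0] == kind + "_prefix" and name.startswith(r[1])]
    if not prefixed:
        # Consul's default_policy is "allow" or "deny"; allow behaves like write
        return "write" if default_policy == "allow" else "deny"
    longest = max(len(r[1]) for r in prefixed)
    return _strongest([r for r in prefixed if len(r[1]) == longest])


def allows(rules: List[Rule], kind: str, name: str, action: str,
           default_policy: str = "deny") -> bool:
    """True if `action` (list, read or write) is permitted on the resource."""
    if action not in ("list", "read", "write"):
        raise ValueError(f"action must be list/read/write, got {action!r}")
    granted = effective_policy(rules, kind, name, default_policy)
    return LEVELS[granted] >= LEVELS[action]


# Constructed sample: the service policy and KV policy from this page, as
# they would be merged on one token.
SAMPLE_POLICY = """
service "user-service" { policy = "write" }
service_prefix ""      { policy = "read" }
node_prefix ""         { policy = "read" }
key_prefix "config/user-service/" { policy = "write" }
key_prefix "config/"              { policy = "read" }
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_POLICY)
    for kind, name in [("service", "user-service"), ("service", "order-service"),
                       ("node", "web-1"), ("key", "config/user-service/db"),
                       ("key", "config/order-service/db"), ("key", "secret/x"),
                       ("agent", "web-1")]:
        print(f"{kind:8} {name:28} -> {effective_policy(rules, kind, name)}")
```

Run it against a policy file before `consul acl policy create` and compare the output with what the service is supposed to be able to do; the `agent` line shows that a kind with no rule at all falls back to `default_policy`, which is why `deny` is the right default.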
2. Enabling ACLs
2.1 Server Configuration
```json
{
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true,
    "tokens": {
      "initial_management": "root-token-uuid"
    }
  }
}
```
`default_policy` should stay `deny`: with `allow`, a request without a token is permitted everywhere a policy does not explicitly deny it. The `initial_management` token is only installed while a new cluster bootstraps its ACL system; remove it from the configuration once the cluster is up so the management secret does not sit on disk in every server's config file.
2.2 HCL Configuration
```hcl
acl {
  enabled                  = true
  default_policy           = "deny"
  enable_token_persistence = true
  tokens {
    initial_management = "root-token-uuid"
  }
}
```
2.3 Bootstrapping ACLs
```shell
# Initialise the ACL system; this succeeds only once per cluster
consul acl bootstrap
# Example output
AccessorID:   a1b2c3d4-e5f6-7890-abcd-ef1234567890
SecretID:     root-secret-token
Description:  Bootstrap Token
Local:        false
Create Time:  2024-01-01 00:00:00
Policies:
   00000000-0000-0000-0000-000000000001 - global-management
```
The SecretID is the cluster's management credential: the `global-management` policy grants everything. Store it in a secrets manager, use it only for ACL administration and never hand it to an application; the `-token "root-secret-token"` arguments below stand for that secret.
3. Creating Policies
3.1 Service Policy
```hcl
# user-service-policy.hcl
# Full control over its own service registration, read-only on everything else
service "user-service" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
```
3.2 KV Policy
```hcl
# kv-policy.hcl
# Write under the service's own prefix, read the rest of config/;
# the longer prefix wins for keys under config/user-service/
key_prefix "config/user-service/" {
  policy = "write"
}
key_prefix "config/" {
  policy = "read"
}
```
3.3 Creating the Policy
```shell
# Create the policy from the rules file
consul acl policy create \
  -name "user-service-policy" \
  -rules @user-service-policy.hcl \
  -token "root-secret-token"
# List policies
consul acl policy list -token "root-secret-token"
```
4. Creating Tokens
4.1 Service Token
```shell
# Create a token bound to the policy; the SecretID in the output is the credential
consul acl token create \
  -description "User Service Token" \
  -policy-name "user-service-policy" \
  -token "root-secret-token"
```
4.2 Agent Token
```shell
# Create the agent token. The policy "agent-policy" is assumed to exist already;
# an agent needs write on its own node and read on all services
consul acl token create \
  -description "Agent Token" \
  -policy-name "agent-policy" \
  -token "root-secret-token"
```
4.3 Configuring the Agent Token
```json
{
  "acl": {
    "tokens": {
      "agent": "agent-token-uuid",
      "default": "default-token-uuid"
    }
  }
}
```
`agent` is the token the agent itself uses for node registration and health checks. `default` is used for every request that reaches this agent's HTTP API without a token, so it becomes the permission level of anyone who can talk to the local agent; keep it minimal or leave it unset so such requests fall back to the anonymous token.
5. Role Management
5.1 Creating a Role
```shell
# A role bundles several policies so tokens can be issued against one name
consul acl role create \
  -name "developer-role" \
  -policy-name "read-only-policy" \
  -policy-name "kv-read-policy" \
  -token "root-secret-token"
```
5.2 Binding a Role to a Token
```shell
consul acl token create \
  -description "Developer Token" \
  -role-name "developer-role" \
  -token "root-secret-token"
```
6. Spring Cloud Consul ACL
6.1 Configuring the Token
```yaml
spring:
  cloud:
    consul:
      host: localhost
      port: 8500
      discovery:
        acl-token: ${CONSUL_ACL_TOKEN}
      config:
        acl-token: ${CONSUL_ACL_TOKEN}
```
6.2 Environment Variable
```shell
export CONSUL_ACL_TOKEN=your-service-token
```
6.3 Token Configuration Class
```java
import com.ecwid.consul.v1.ConsulClient;
import com.ecwid.consul.v1.ConsulRawClient;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ConsulAclConfig {

    // Same property Spring Cloud Consul reads, so the token is configured in one place
    @Value("${spring.cloud.consul.discovery.acl-token}")
    private String aclToken;

    @Bean
    public ConsulClient consulClient() {
        return new ConsulClient(new ConsulRawClient("localhost", 8500));
    }

    // The Ecwid client keeps no global token: it has to be passed on every call
    public String readKey(ConsulClient client, String key) {
        var value = client.getKVValue(key, aclToken).getValue();
        return value == null ? null : value.getDecodedValue();
    }
}
```
7. Common Policy Templates
7.1 Read-only Policy
```hcl
# read-only-policy.hcl
service_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
key_prefix "" {
  policy = "read"
}
```
7.2 Service Registration Policy
```hcl
# service-register-policy.hcl
# ${service_name} is a template placeholder: Consul does not interpolate it,
# so render the file per service before `consul acl policy create`
service "${service_name}" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
agent_prefix "" {
  policy = "read"
}
```
7.3 Configuration Management Policy
```hcl
# config-admin-policy.hcl
key_prefix "config/" {
  policy = "write"
}
session_prefix "" {
  policy = "write"
}
```
8. Using Tokens with the API
8.1 HTTP Header
```shell
curl -H "X-Consul-Token: your-token" \
  http://localhost:8500/v1/kv/config/key
```
8.2 Query Parameter
```shell
curl "http://localhost:8500/v1/kv/config/key?token=your-token"
```
The `?token=` query parameter is deprecated: it puts the secret into shell history, proxy and access logs, and the Referer of any page that links to it. Prefer the `X-Consul-Token` header (Consul also accepts `Authorization: Bearer <token>`) and use the query form only where a header cannot be set.
8.3 CLI
```shell
consul kv get -token="your-token" config/key
```
The CLI also reads the `CONSUL_HTTP_TOKEN` environment variable, which keeps the secret out of the process list and shell history.
9. Token Management
9.1 Listing Tokens
```shell
consul acl token list -token "root-secret-token"
```
9.2 Updating a Token
```shell
# -id takes the token's AccessorID, never the SecretID
consul acl token update \
  -id "token-accessor-id" \
  -policy-name "new-policy" \
  -token "root-secret-token"
```
By default `-policy-name` is merged into the token's existing policies; pass `-merge-policies=false` to replace them, otherwise a move to a narrower policy silently keeps the old grants.
9.3 Deleting a Token
```shell
consul acl token delete \
  -id "token-accessor-id" \
  -token "root-secret-token"
```
9.4 Token Rotation
```shell
# 1. Create the replacement token and capture its SecretID
NEW_TOKEN=$(consul acl token create \
  -policy-name "service-policy" \
  -token "root-secret-token" \
  -format=json | jq -r '.SecretID')
# 2. Roll the new SecretID out to the application (env var / secrets manager)
# 3. Delete the old token by AccessorID once no client still presents it
consul acl token delete -id "old-token-id" -token "root-secret-token"
```
Create first and delete last so there is no window in which the service has no valid credential. Deleting the old token is what actually revokes it: a SecretID stays valid until its token is deleted or expires.
10. Best Practices
10.1 Principle of Least Privilege
Give each token only the rules its workload needs: write on its own service or key prefix, read elsewhere, and one token per service so a leaked credential cannot register or deregister anything else.
10.2 Token Security
- Do not hard-code tokens in source code
- Use environment variables or a secrets management service
- Rotate tokens regularly
- Audit token usage
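For the last two items above, and the rotation procedure in 9.4, an added example in Python (not Consul's own tooling) that reviews `consul acl token list -format=json` output: it reports every token carrying `global-management` and every token older than a rotation threshold, skipping the built-in anonymous token. The JSON below is constructed to resemble that output; the field names AccessorID, Description, Policies and CreateTime are the ones the command prints, and the 90-day threshold is this example's choice.

```python
"""Review `consul acl token list -format=json` output for management tokens
and for tokens old enough to rotate.

Added example, not part of Consul. Assumes the JSON fields AccessorID,
Description, Policies (list of {"ID", "Name"}) and CreateTime (RFC 3339)
that the command prints; the sample below is constructed, not captured.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List

MANAGEMENT_POLICY = "global-management"
# Built-in anonymous token: cannot be deleted, so never a rotation candidate
ANONYMOUS_ACCESSOR = "00000000-0000-0000-0000-000000000002"


def parse_create_time(value: str) -> datetime:
    """Consul prints nanosecond timestamps; keep the seconds, treat as UTC."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def review_tokens(tokens: List[dict], now: datetime,
                  max_age_days: int) -> Dict[str, List[dict]]:
    """Return {"management": [...], "stale": [...]} with one entry per finding."""
    management, stale = [], []
    for tok in tokens:
        if tok["AccessorID"] == ANONYMOUS_ACCESSOR:
            continue
        names = {p.get("Name") for p in tok.get("Policies", [])}
        age_days = (now - parse_create_time(tok["CreateTime"])).days
        entry = {"AccessorID": tok["AccessorID"],
                 "Description": tok.get("Description", ""),
                 "AgeDays": age_days}
        if MANAGEMENT_POLICY in names:       # full cluster control on a non-admin token?
            management.append(entry)
        if age_days > max_age_days:          # past the rotation threshold
            stale.append(entry)
    return {"management": management, "stale": stale}


def review_json(text: str, now_iso: str, max_age_days: int = 90) -> Dict[str, List[dict]]:
    """Convenience wrapper: raw CLI output plus an RFC 3339 'now'."""
    return review_tokens(json.loads(text), parse_create_time(now_iso), max_age_days)


# Constructed sample in the shape of `consul acl token list -format=json`
SAMPLE_TOKEN_LIST = """[
  {"AccessorID": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "Description": "Bootstrap Token",
   "Policies": [{"ID": "00000000-0000-0000-0000-000000000001", "Name": "global-management"}],
   "Local": false, "CreateTime": "2024-01-01T00:00:00.000000001Z"},
  {"AccessorID": "11111111-1111-1111-1111-111111111111", "Description": "User Service Token",
   "Policies": [{"ID": "p-1", "Name": "user-service-policy"}],
   "Local": false, "CreateTime": "2024-06-01T12:00:00Z"},
  {"AccessorID": "22222222-2222-2222-2222-222222222222", "Description": "CI deploy",
   "Policies": [{"ID": "00000000-0000-0000-0000-000000000001", "Name": "global-management"}],
   "Local": false, "CreateTime": "2024-11-25T09:30:00Z"},
  {"AccessorID": "33333333-3333-3333-3333-333333333333", "Description": "Order Service Token",
   "Policies": [{"ID": "p-2", "Name": "order-service-policy"}],
   "Local": false, "CreateTime": "2024-11-20T08:00:00Z"},
  {"AccessorID": "00000000-0000-0000-0000-000000000002", "Description": "Anonymous Token",
   "Policies": [], "Local": false, "CreateTime": "2024-01-01T00:00:00Z"}
]"""

if __name__ == "__main__":
    report = review_json(SAMPLE_TOKEN_LIST, "2024-12-01T00:00:00Z")
    for entry in report["management"]:
        print(f"MANAGEMENT {entry['AccessorID']} {entry['Description']}")
    for entry in report["stale"]:
        print(f"ROTATE     {entry['AccessorID']} {entry['Description']} ({entry['AgeDays']} days)")
```

In the sample the "CI deploy" token is young but carries `global-management`, which is the finding that matters most: a pipeline token should be issued against a service policy, and the management secret should exist only as the bootstrap token.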
10.3 Policy Organisation
```text
policies/
├── global/
│   ├── read-only.hcl
│   └── admin.hcl
├── services/
│   ├── user-service.hcl
│   └── order-service.hcl
└── config/
    ├── config-read.hcl
    └── config-write.hcl
```
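A tree like this is usually generated: the per-service files come from a template such as the one in 7.2, and a reviewer wants to know that the template was actually rendered and that no file under services/ quietly became an admin policy. The following is an added example in Python, not Consul tooling: it writes a constructed copy of this layout to a temporary directory, renders the `${service_name}` template for one service and lints every file. The service-name pattern, the finding texts and the file contents are this example's own choices.

```python
"""Render per-service policies from a template and lint a policies/ tree.

Added example, not Consul tooling. Two checks applied before
`consul acl policy create`:
  * the `${service_name}` placeholder must have been rendered, and the value
    substituted must be a plain service name, because the template is HCL
    and a crafted name could close the quote and append its own rules;
  * no `*_prefix ""` rule may grant write: that is write on every resource
    of that kind, which belongs in an admin policy, not a service one.
The files written below are constructed to mirror the layout above.
"""
import os
import re
import tempfile
from string import Template
from typing import Dict, List

RULE_RE = re.compile(r'(\w+)\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(\w+)"\s*\}')
PLACEHOLDER_RE = re.compile(r"\$\{[^}]*\}")
# Assumption: service names are limited to lowercase letters, digits and
# hyphens (what survives DNS); anything else is refused before substitution.
SERVICE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")

SERVICE_TEMPLATE = """# service-register-policy.hcl
service "${service_name}" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
agent_prefix "" {
  policy = "read"
}
"""


def render_service_policy(template: str, service_name: str) -> str:
    """Substitute ${service_name}; refuse names that could alter the HCL."""
    if not SERVICE_NAME_RE.match(service_name):
        raise ValueError(f"refusing to render policy for service name {service_name!r}")
    return Template(template).substitute(service_name=service_name)


def lint_policy(text: str) -> List[str]:
    """Findings for one policy file; an empty list means it passed."""
    findings = [f"unrendered placeholder {hit}" for hit in PLACEHOLDER_RE.findall(text)]
    for kind, name, policy in RULE_RE.findall(text):
        if kind.endswith("_prefix") and name == "" and policy == "write":
            findings.append(f'{kind} "" grants write on every {kind[:-7]}')
    return findings


def lint_tree(root: str) -> Dict[str, List[str]]:
    """Lint every .hcl file under root, keyed by path relative to root."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in sorted(filenames):
            if not filename.endswith(".hcl"):
                continue
            path = os.path.join(dirpath, filename)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8") as fh:
                report[rel] = lint_policy(fh.read())
    return report


def build_sample_tree(root: str) -> None:
    """Write constructed files in the policies/ layout shown above."""
    files = {
        "global/read-only.hcl": 'service_prefix "" { policy = "read" }\n'
                                'node_prefix "" { policy = "read" }\n'
                                'key_prefix "" { policy = "read" }\n',
        "global/admin.hcl": 'service_prefix "" { policy = "write" }\n'
                            'key_prefix "" { policy = "write" }\n',
        "services/user-service.hcl": render_service_policy(SERVICE_TEMPLATE, "user-service"),
        "services/order-service.hcl": SERVICE_TEMPLATE,   # template committed unrendered
        "config/config-read.hcl": 'key_prefix "config/" { policy = "read" }\n',
        "config/config-write.hcl": 'key_prefix "config/" { policy = "write" }\n',
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def lint_sample_tree() -> Dict[str, List[str]]:
    """Build the constructed tree in a scratch directory and lint it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return lint_tree(root)


if __name__ == "__main__":
    for rel, findings in sorted(lint_sample_tree().items()):
        print(f"{rel}: {'ok' if not findings else '; '.join(findings)}")
```

global/admin.hcl is flagged on purpose: an admin policy may legitimately carry those grants, and the point of the check is that such a file can only live under global/, never among the service policies.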