Nomad
ACL Binding Rules HTTP API
The /acl/binding-rules and /acl/binding-rule endpoints are used to manage ACL Binding Rules.
Read Binding Rule by ID
This endpoint reads the ACL Binding Rule with the given ID. This queries the Binding Rule that has been replicated to the region, and may lag behind the authoritative region.
Method | Path | Produces |
---|---|---|
GET | /acl/binding-rule/:rule_id | application/json |
The table below shows this endpoint's support for blocking queries, consistency modes and required ACLs.
Blocking Queries | Consistency Modes | ACL Required |
---|---|---|
YES | all | management |
Parameters
- :rule_id (string: <required>) - Specifies the ID of the ACL Binding Rule. This is specified as part of the path.
Sample Request
$ curl \
--header "X-Nomad-Token: <NOMAD_TOKEN_SECRET_ID>" \
https://localhost:4646/v1/acl/binding-rule/5da76548-1a60-b8fb-f9be-c7736a5bca09
Sample Response
{
"AuthMethod": "example-acl-auth-method",
"BindName": "role",
"BindType": "role",
"CreateIndex": 16,
"CreateTime": "2022-12-16T10:29:07.248465Z",
"Description": "updated-acl-binding-rule",
"ID": "5da76548-1a60-b8fb-f9be-c7736a5bca09",
"ModifyIndex": 17,
"ModifyTime": "2022-12-19T16:40:52.602004Z",
"Selector": "engineering in list.roles"
}
List Binding Rules
This endpoint lists all ACL Binding Rules. This lists the Binding Rules that have been replicated to the region, and may lag behind the authoritative region.
Method | Path | Produces |
---|---|---|
GET | /acl/binding-rules | application/json |
The table below shows this endpoint's support for blocking queries, consistency modes and required ACLs.
Blocking Queries | Consistency Modes | ACL Required |
---|---|---|
YES | all | management |
Sample Request
$ curl \
--header "X-Nomad-Token: <NOMAD_TOKEN_SECRET_ID>" \
https://localhost:4646/v1/acl/binding-rules
Sample Response
[
{
"AuthMethod": "auth0",
"CreateIndex": 16,
"Description": "updated-acl-binding-rule",
"Hash": "N7aEMsAfl3btWrZSwaWdzcRIAO3uRrRH2yQ8rPsuJ44=",
"ID": "5da76548-1a60-b8fb-f9be-c7736a5bca09",
"ModifyIndex": 17
}
]
Create Binding Rule
This endpoint creates an ACL Binding Rule. The request is always forwarded to the authoritative region.
Method | Path | Produces |
---|---|---|
POST | /acl/binding-rule | application/json |
The table below shows this endpoint's support for blocking queries and required ACLs.
Blocking Queries | ACL Required |
---|---|
NO | management |
Parameters
- Description (string: "") - Human-readable, operator-set description that can provide additional context about the binding rule. This is an operational field.
- AuthMethod (string: <required>) - Name of the auth method to which this rule applies. This is a required field, and the method must already exist in state before the cluster administrator can create the rule.
- Selector (string: "") - A boolean expression that matches against verified identity attributes returned from the auth method during login. This is optional; when not set, the rule is a catch-all, so every identity the auth method verifies receives the binding. If set, it must be a valid go-bexpr expression; an operand containing a dash must be encased in quotes, which are escaped inside the JSON string, for example "\"project-developer\" in list.roles". Caveat: for selectors that operate on ClaimMappings (as opposed to ListClaimMappings), the key being matched must be prefixed with value. (e.g. value.owner == username for a claim mapping whose key is owner); ListClaimMappings keys are referenced under the list. prefix, as in the examples on this page.
- BindType (string: <required>) - Adjusts how this binding rule is applied at login time. Valid values are role, policy, and management.
- BindName (string: <required>) - Target of the binding. Can be lightly templated using HIL ${foo} syntax from available field names. If the bind type is set to management, this should not be set. How it is used depends on the BindType.
Sample Payload
{
"Description": "example-acl-binding-rule",
"AuthMethod": "auth0",
"Selector": "engineering in list.roles",
"BindType": "role",
"BindName": "eng-ro"
}
Sample Request
$ curl \
--request POST \
--header "X-Nomad-Token: <NOMAD_TOKEN_SECRET_ID>" \
--data @payload.json \
https://localhost:4646/v1/acl/binding-rule
Sample Response
{
"AuthMethod": "auth0",
"BindName": "eng-ro",
"BindType": "role",
"CreateIndex": 16,
"CreateTime": "2022-12-16T10:29:07.248465Z",
"Description": "example-acl-binding-rule",
"ID": "5da76548-1a60-b8fb-f9be-c7736a5bca09",
"ModifyIndex": 16,
"ModifyTime": "2022-12-16T10:29:07.248465Z",
"Selector": "engineering in list.roles"
}
Update Binding Rule
This endpoint updates an existing ACL Binding Rule. The request is always forwarded to the authoritative region.
Method | Path | Produces |
---|---|---|
POST | /acl/binding-rule/:rule_id | application/json |
The table below shows this endpoint's support for blocking queries and required ACLs.
Blocking Queries | ACL Required |
---|---|
NO | management |
Parameters
- Description (string: "") - Human-readable, operator-set description that can provide additional context about the binding rule. This is an operational field.
- Selector (string: "") - A boolean expression that matches against verified identity attributes returned from the auth method during login. This is optional; when not set, the rule is a catch-all. If set, it must be a valid go-bexpr expression; an operand containing a dash must be encased in quotes, which are escaped inside the JSON string, for example "\"project-developer\" in list.roles".
- BindType (string: "") - Adjusts how this binding rule is applied at login time. Valid values are role, policy, and management.
- BindName (string: "") - Target of the binding. Can be lightly templated using HIL ${foo} syntax from available field names. How it is used depends on the BindType.
Sample Payload
{
"Description": "new description"
}
Sample Request
$ curl \
--request POST \
--header "X-Nomad-Token: <NOMAD_TOKEN_SECRET_ID>" \
--data @payload.json \
https://localhost:4646/v1/acl/binding-rule/5da76548-1a60-b8fb-f9be-c7736a5bca09
Sample Response
{
"AuthMethod": "auth0",
"BindName": "eng-ro",
"BindType": "role",
"CreateIndex": 16,
"CreateTime": "2022-12-16T10:29:07.248465Z",
"Description": "new description",
"ID": "5da76548-1a60-b8fb-f9be-c7736a5bca09",
"ModifyIndex": 17,
"ModifyTime": "2022-12-19T16:40:52.602004Z",
"Selector": "engineering in list.roles"
}
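The create and update sections above in code, as an added example that is not part of the Nomad documentation or code base: the helpers quote selector operands the way the page's "project-developer" example does, apply the value. and list. prefixes, check the BindType and BindName constraints before anything is sent, and run the create, update, read, delete sequence through an injectable transport so the flow can be exercised without a cluster. The exact go-bexpr quoting rule, the NOMAD_ADDR and NOMAD_TOKEN environment variables, and the https://localhost:4646 default are assumptions, not something this page states; the token must carry management ACL, as the tables above require.

```python
"""Added example (not Nomad's own code): client-side checks and request
construction for the ACL binding rule endpoints documented on this page."""
import json
import os
import re
import urllib.request

BIND_TYPES = ("role", "policy", "management")
# Assumption: operands made only of these characters may appear unquoted in a
# go-bexpr selector; anything else (a dash, a space) is wrapped in quotes, as in
# the page's "\"project-developer\" in list.roles" example.
_BARE = re.compile(r"^[A-Za-z0-9_]+$")


def bexpr_literal(value):
    """Quote a selector operand unless it is a bare identifier."""
    if _BARE.match(value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def selector_in_list(value, list_claim):
    """Selector for a ListClaimMappings key; the page's examples use the list. prefix."""
    return f"{bexpr_literal(value)} in list.{list_claim}"


def selector_equals(claim, value):
    """Selector for a ClaimMappings key, which must carry the value. prefix."""
    return f"value.{claim} == {bexpr_literal(value)}"


def validate_binding_rule(rule, create=True):
    """Check the documented constraints locally; returns a list of problems."""
    problems = []
    bind_type = rule.get("BindType")
    bind_name = rule.get("BindName")
    if create and not rule.get("AuthMethod"):
        problems.append("AuthMethod is required")
    if create and not bind_type:
        problems.append("BindType is required")
    if bind_type and bind_type not in BIND_TYPES:
        problems.append(f"BindType must be one of {BIND_TYPES}, got {bind_type!r}")
    if bind_type == "management" and bind_name:
        problems.append("BindName must not be set when BindType is management")
    if create and bind_type in ("role", "policy") and not bind_name:
        problems.append("BindName is required when BindType is role or policy")
    return problems


def build_request(method, addr, token, rule_id=None, payload=None):
    """Return (method, url, headers, body) for one binding-rule API call.
    json.dumps produces the body, so it never carries a stray trailing comma."""
    if method == "GET" and rule_id is None:
        path = "/v1/acl/binding-rules"  # list endpoint
    else:
        path = "/v1/acl/binding-rule" + (f"/{rule_id}" if rule_id else "")
    body = None if payload is None else json.dumps(payload).encode()
    headers = {"X-Nomad-Token": token}
    if body is not None:
        headers["Content-Type"] = "application/json"
    return method, addr.rstrip("/") + path, headers, body


def http_send(method, url, headers, body):
    """Default transport over urllib; returns the decoded JSON body, or None."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def lifecycle(addr, token, rule, new_description, send=http_send):
    """Create a rule, update only its description, read it back, delete it.
    Every call goes through `send`, so a fake transport can drive the flow;
    the rule as read back after the update is returned."""
    problems = validate_binding_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    created = send(*build_request("POST", addr, token, payload=rule))
    rule_id = created["ID"]
    send(*build_request("POST", addr, token, rule_id, {"Description": new_description}))
    after_update = send(*build_request("GET", addr, token, rule_id))
    send(*build_request("DELETE", addr, token, rule_id))
    return after_update


if __name__ == "__main__":
    rule = {
        "Description": "example-acl-binding-rule",
        "AuthMethod": "auth0",  # must already exist in state
        "Selector": selector_in_list("project-developer", "roles"),
        "BindType": "role",
        "BindName": "eng-ro",
    }
    print(lifecycle(os.environ.get("NOMAD_ADDR", "https://localhost:4646"),
                    os.environ["NOMAD_TOKEN"], rule, "new description"))
```

Running the module against a real cluster needs NOMAD_TOKEN set to a management token; the validation step rejects a management-type rule that still carries a BindName, and a role or policy rule without one, before any request leaves the host.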
Delete Binding Rule
This endpoint deletes the ACL Binding Rule as identified by its ID. This request is always forwarded to the authoritative region.
Method | Path | Produces |
---|---|---|
DELETE | /acl/binding-rule/:rule_id | (empty body) |
The table below shows this endpoint's support for blocking queries and required ACLs.
Blocking Queries | ACL Required |
---|---|
NO | management |
Parameters
- :rule_id (string: <required>) - Specifies the ID of the Binding Rule to delete. This is specified as part of the path.
Sample Request
$ curl \
--request DELETE \
--header "X-Nomad-Token: <NOMAD_TOKEN_SECRET_ID>" \
https://localhost:4646/v1/acl/binding-rule/5da76548-1a60-b8fb-f9be-c7736a5bca09