diff --git a/website/content/docs/commands/acl/index.mdx b/website/content/docs/commands/acl/index.mdx index 92f200cc2c3..d079e2ca128 100644 --- a/website/content/docs/commands/acl/index.mdx +++ b/website/content/docs/commands/acl/index.mdx @@ -11,6 +11,10 @@ The `acl` command is used to interact with ACL policies and tokens. Learn more about using Nomad's ACL system in the [Secure Nomad with Access Control guide][secure-guide]. +In [federated][] clusters, all ACL updates are forwarded to the +[`authoritative_region`][] and replicated to non-authoritative regions. This +requires that ACLs have been bootstrapped in the authoritative region. + ## Usage Usage: `nomad acl [options]` @@ -72,3 +76,5 @@ subcommands are available: [roleinfo]: /nomad/docs/commands/acl/role/info [rolelist]: /nomad/docs/commands/acl/role/list [secure-guide]: /nomad/tutorials/access-control +[federated]: /nomad/tutorials/manage-clusters/federation +[`authoritative_region`]: /nomad/docs/configuration/server#authoritative_region diff --git a/website/content/docs/commands/namespace/index.mdx b/website/content/docs/commands/namespace/index.mdx index e2ab326c7d3..5117fa50bb4 100644 --- a/website/content/docs/commands/namespace/index.mdx +++ b/website/content/docs/commands/namespace/index.mdx @@ -25,8 +25,14 @@ subcommands are available: - [`namespace list`][list] - List available namespaces - [`namespace status`][status] - Display a namespace's status +In [federated][] clusters, all namespace updates are forwarded to the +[`authoritative_region`][] and replicated to non-authoritative regions. This +requires that ACLs have been bootstrapped in the authoritative region. + [apply]: /nomad/docs/commands/namespace/apply 'Create or update a namespace' [delete]: /nomad/docs/commands/namespace/delete 'Delete a namespace' [inspect]: /nomad/docs/commands/namespace/inspect 'Inspect a namespace' [list]: /nomad/docs/commands/namespace/list 'List available namespaces' [status]: /nomad/docs/commands/namespace/status "Display a namespace's status" +[federated]: /nomad/tutorials/manage-clusters/federation +[`authoritative_region`]: /nomad/docs/configuration/server#authoritative_region diff --git a/website/content/docs/commands/server/join.mdx b/website/content/docs/commands/server/join.mdx index 152a102f526..a5a6661ec8a 100644 --- a/website/content/docs/commands/server/join.mdx +++ b/website/content/docs/commands/server/join.mdx @@ -24,6 +24,10 @@ specified, then an attempt will be made to join each one. If one or more nodes are joined successfully, the exit code will be 0. Otherwise, the exit code will be 1. +Joining servers in different regions will [federate][] the regions. This assumes +that ACLs have been bootstrapped in the authoritative region. See [Configure for +multiple regions][] in the ACLs tutorial. + ## General Options @include 'general_options_no_namespace.mdx' @@ -36,3 +40,6 @@ Join the local server to a remote server: $ nomad server join 10.0.0.8:4648 Joined 1 servers successfully ``` + +[federate]: /nomad/tutorials/manage-clusters/federation +[Configure for multiple regions]: /nomad/tutorials/access-control/access-control-bootstrap#configure-for-multiple-regions diff --git a/website/content/docs/configuration/acl.mdx b/website/content/docs/configuration/acl.mdx index 8d68bdecba4..64c0263182f 100644 --- a/website/content/docs/configuration/acl.mdx +++ b/website/content/docs/configuration/acl.mdx @@ -50,8 +50,12 @@ acl { because of an outage, the TTL will be ignored and the cached value used. - `replication_token` `(string: "")` - Specifies the Secret ID of the ACL token - to use for replicating policies and tokens. This is used by servers in non-authoritative - region to mirror the policies and tokens into the local region from [authoritative_region][authoritative-region]. + to use for replicating policies and tokens. This is used by servers in + non-authoritative region to mirror the policies and tokens into the local + region from the [`authoritative_region`][authoritative-region]. Setting + `replication_token` requires that ACLs have been bootstrapped in the + authoritative region. See [Configure for multiple regions][] in the ACLs + tutorial. - `token_min_expiration_ttl` `(string: "1m")` - Specifies the lowest acceptable TTL value for an ACL token when setting expiration. This is used by the Nomad @@ -63,3 +67,4 @@ acl { [secure-guide]: /nomad/tutorials/access-control [authoritative-region]: /nomad/docs/configuration/server#authoritative_region +[Configure for multiple regions]: /nomad/tutorials/access-control/access-control-bootstrap#configure-for-multiple-regions diff --git a/website/content/docs/configuration/server.mdx b/website/content/docs/configuration/server.mdx index 18b01e9ca54..8998d4526b1 100644 --- a/website/content/docs/configuration/server.mdx +++ b/website/content/docs/configuration/server.mdx @@ -29,10 +29,13 @@ server { ## `server` Parameters -- `authoritative_region` `(string: "")` - Specifies the authoritative region, which - provides a single source of truth for global configurations such as ACL Policies and - global ACL tokens. Non-authoritative regions will replicate from the authoritative - to act as a mirror. By default, the local region is assumed to be authoritative. +- `authoritative_region` `(string: "")` - Specifies the authoritative region, + which provides a single source of truth for global configurations such as ACL + Policies and global ACL tokens. Non-authoritative regions will replicate from + the authoritative to act as a mirror. By default, the local region is assumed + to be authoritative. Setting `authoritative_region` assumes that ACLs have + been bootstrapped in the authoritative region. See [Configure for multiple + regions][] in the ACLs tutorial. - `bootstrap_expect` `(int: required)` - Specifies the number of server nodes to wait for before bootstrapping. It is most common to use the odd-numbered @@ -494,3 +497,4 @@ work. [encryption key]: /nomad/docs/operations/key-management [max_client_disconnect]: /nomad/docs/job-specification/group#max-client-disconnect [herd]: https://en.wikipedia.org/wiki/Thundering_herd_problem +[Configure for multiple regions]: /nomad/tutorials/access-control/access-control-bootstrap#configure-for-multiple-regions diff --git a/website/content/docs/other-specifications/acl-policy.mdx b/website/content/docs/other-specifications/acl-policy.mdx index 9992def10f1..82c004321b5 100644 --- a/website/content/docs/other-specifications/acl-policy.mdx +++ b/website/content/docs/other-specifications/acl-policy.mdx @@ -426,3 +426,5 @@ agent { [host_volumes]: /nomad/docs/configuration/client#host_volume-block [api_plugins]: /nomad/api-docs/plugins/ [Variables]: /nomad/docs/concepts/variables +[federated]: /nomad/tutorials/manage-clusters/federation +[`authoritative_region`]: /nomad/docs/configuration/server#authoritative_region