Merged
16 changes: 10 additions & 6 deletions content/enterprise-features/access-control-lists.md
Expand Up @@ -20,9 +20,13 @@ is only allowed to access the data permitted by the ACL rules.

The ACL feature can be turned on by following these steps:

1. Create a plain text file, and store a randomly generated secret key in it. The secret
1. Create a plain text file named `hmac_secret_file`, and store a randomly generated secret key in it. The secret
key is used by Dgraph Alpha nodes to sign JSON Web Tokens (JWT). Keep this secret key secret to avoid data security issues. The secret key must have at least 256-bits (32 ASCII characters) to support the HMAC-SHA256 signing algorithm.

```bash
echo '9z$C&F)J@NcRfUjXn2r5u8x!A%D*G-Ka' > hmac_secret_file
```

2. Start all the Dgraph Alpha nodes in your cluster with the option `--acl secret-file="/path/to/secret"`, and
make sure that they are all using the same secret key file created in Step 1. Alternatively, you can [store the secret in Hashicorp Vault](#storing-acl-secret-in-hashicorp-vault).

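Review bot: The added `echo '9z$C&F)J@NcRfUjXn2r5u8x!A%D*G-Ka' > hmac_secret_file` under Step 1 hard-codes a key in a step whose text asks for a randomly generated one, so readers who paste it end up signing JWTs with a key that is published in the docs. Show a generation command instead, for example `LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32 > hmac_secret_file`, or label the literal as a sample that must be replaced. Step 2 still refers to `/path/to/secret`; now that Step 1 names the file `hmac_secret_file`, the two should match.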
Expand All @@ -41,7 +45,7 @@ Here is an example that starts a Dgraph Zero node and a Dgraph Alpha node with t

```bash
## Create ACL secret key file with 32 ASCII characters
echo '12345678901234567890123456789012' > hmac_secret_file
echo '9z$C&F)J@NcRfUjXn2r5u8x!A%D*G-Ka' > hmac_secret_file

## Start Dgraph Zero in different terminal tab or window
dgraph zero --my=localhost:5080 --replicas 1 --raft idx=1
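Review bot: In the added `echo ... > hmac_secret_file` line, `echo` appends a newline, so the file holds 33 bytes while the comment above it says 32 ASCII characters; the base64 step later in this file uses `printf` with the comment "without newline character". Use `printf '%s' '9z$C&F)J@NcRfUjXn2r5u8x!A%D*G-Ka' > hmac_secret_file` here as well, or state that the trailing newline is ignored if that is the case.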
Expand Down Expand Up @@ -80,7 +84,7 @@ You can run this with:

```bash
## Create ACL secret key file with 32 ASCII characters
echo '12345678901234567890123456789012' > hmac_secret_file
echo '9z$C&F)J@NcRfUjXn2r5u8x!A%D*G-Ka' > hmac_secret_file

## Start Docker Compose
docker-compose up
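Review bot: The `echo` line under `## Create ACL secret key file with 32 ASCII characters` is now the third copy of the same literal in this file. Have the Docker Compose steps reuse the `hmac_secret_file` created in the setup steps, or mark the value as a sample, so that the example key lives in one place and is not taken for a usable default.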
Expand All @@ -94,7 +98,7 @@ The first step is to encode the secret with base64:

```bash
## encode a secret without newline character and copy to the clipboard
printf '12345678901234567890123456789012' | base64
printf '9z$C&F)J@NcRfUjXn2r5u8x!A%D*G-Ka' | base64
```

The next step is that we need to create a [Helm](https://helm.sh/) chart config values file, e.g. `dgraph_values.yaml`. We want to copy the results of encoded secret as paste this into the `hmac_secret_file` like the example below:
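Review bot: The added `printf '9z$C&F)J@NcRfUjXn2r5u8x!A%D*G-Ka' | base64` passes the secret as the `printf` format string, and the new value contains `%D`, which `printf` reads as a conversion specification rather than literal text. In bash this fails with an invalid format character error, so the encoded output does not correspond to the full secret. Pass the secret as an argument instead: `printf '%s' '9z$C&F)J@NcRfUjXn2r5u8x!A%D*G-Ka' | base64`.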
Expand All @@ -105,7 +109,7 @@ alpha:
acl:
enabled: true
file:
hmac_secret_file: MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=
hmac_secret_file: 9z$C&F)J@NcRfUjXn2r5u8x!A%D*G-Ka
configFile:
config.yaml: |
acl:
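Review bot: The new `hmac_secret_file:` value is the raw secret, while the removed line held base64 text and the step before this block says to paste the output of the `base64` command. Replace it with the base64 encoding of the new secret so that the values file matches the instructions.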
Expand Down Expand Up @@ -138,7 +142,7 @@ Do the following to set up on the [Hashicorp Vault](https://www.vaultproject.io/
"cas": 0
},
"data": {
"hmac_secret_file": "12345678901234567890123456789012"
"hmac_secret_file": "9z$C&F)J@NcRfUjXn2r5u8x!A%D*G-Ka"
}
}
```
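Review bot: The new value of `"hmac_secret_file"` contains `$C`, `!`, `&` and `*`, which a shell leaves alone only inside single quotes. A reader who passes this JSON inline in a double-quoted shell argument gets `$C` expanded and stores a key different from the one shown. Say that the payload should be supplied from a file, or pick a sample secret without shell metacharacters.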