diff --git a/.changelog/19135.txt b/.changelog/19135.txt new file mode 100644 index 00000000000..36af5497ce3 --- /dev/null +++ b/.changelog/19135.txt @@ -0,0 +1,3 @@ +```release-note:improvement +sso: Allow adding a token name format to auth methods which can be used to generate token names when signing in via SSO +``` \ No newline at end of file diff --git a/api/acl.go b/api/acl.go index d18181323f4..c393505faf0 100644 --- a/api/acl.go +++ b/api/acl.go @@ -754,6 +754,9 @@ type ACLAuthMethod struct { // ACLAuthMethodTokenLocalityGlobal for convenience. TokenLocality string + // TokenNameFormat defines the HIL template to use when building the token name + TokenNameFormat string + // MaxTokenTTL is the maximum life of a token created by this method. MaxTokenTTL time.Duration diff --git a/command/acl_auth_method.go b/command/acl_auth_method.go index 9080c0124f2..0178974a52e 100644 --- a/command/acl_auth_method.go +++ b/command/acl_auth_method.go @@ -78,6 +78,7 @@ func formatAuthMethod(authMethod *api.ACLAuthMethod) string { fmt.Sprintf("Type|%s", authMethod.Type), fmt.Sprintf("Locality|%s", authMethod.TokenLocality), fmt.Sprintf("Max Token TTL|%s", authMethod.MaxTokenTTL.String()), + fmt.Sprintf("Token Name Format|%s", authMethod.TokenNameFormat), fmt.Sprintf("Default|%t", authMethod.Default), fmt.Sprintf("Create Index|%d", authMethod.CreateIndex), fmt.Sprintf("Modify Index|%d", authMethod.ModifyIndex), diff --git a/command/acl_auth_method_create.go b/command/acl_auth_method_create.go index 064acd904ea..e41fec8feb9 100644 --- a/command/acl_auth_method_create.go +++ b/command/acl_auth_method_create.go 
@@ -23,14 +23,15 @@ var _ cli.Command = &ACLAuthMethodCreateCommand{} type ACLAuthMethodCreateCommand struct { Meta - name string - methodType string - tokenLocality string - maxTokenTTL time.Duration - isDefault bool - config string - json bool - tmpl string + name string + methodType string + tokenLocality string + tokenNameFormat string + maxTokenTTL time.Duration + isDefault bool + config string + json bool + tmpl string testStdin io.Reader } @@ -63,6 +64,10 @@ ACL Auth Method Create Options: Defines the kind of token that this auth method should produce. This can be either 'local' or 'global'. + -token-name-format + Sets the token format for the authenticated users. This can be lightly templated + using HIL '${foo}' syntax. Defaults to '${auth_method_type}-${auth_method_name}' + -default Specifies whether this auth method should be treated as a default one in case no auth method is explicitly specified for a login command. @@ -84,14 +89,15 @@ ACL Auth Method Create Options: func (a *ACLAuthMethodCreateCommand) AutocompleteFlags() complete.Flags { return mergeAutocompleteFlags(a.Meta.AutocompleteFlags(FlagSetClient), complete.Flags{ - "-name": complete.PredictAnything, - "-type": complete.PredictSet("OIDC", "JWT"), - "-max-token-ttl": complete.PredictAnything, - "-token-locality": complete.PredictSet("local", "global"), - "-default": complete.PredictSet("true", "false"), - "-config": complete.PredictNothing, - "-json": complete.PredictNothing, - "-t": complete.PredictAnything, + "-name": complete.PredictAnything, + "-type": complete.PredictSet("OIDC", "JWT"), + "-max-token-ttl": complete.PredictAnything, + "-token-locality": complete.PredictSet("local", "global"), + "-token-name-format": complete.PredictNothing, + "-default": complete.PredictSet("true", "false"), + "-config": complete.PredictNothing, + "-json": complete.PredictNothing, + "-t": complete.PredictAnything, }) } 
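Review bot: The `-token-name-format` help text added in the second hunk names the HIL syntax but not which variables a template may reference, so an operator cannot discover `${value.<claim>}` from the CLI at all. Suggest extending that paragraph with `Available variables are ${auth_method_type}, ${auth_method_name} and ${value.<claim>} for each claim produced by the method's ClaimMappings.` The same paragraph is repeated in the update command's help in the next file and should be changed there too. In the autocomplete hunk the new flag is predicted with `complete.PredictNothing` while the other free-form string flags use `complete.PredictAnything`; either works, but the inconsistency looks unintended.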
@@ -113,6 +119,7 @@ func (a *ACLAuthMethodCreateCommand) Run(args []string) int { flags.StringVar(&a.name, "name", "", "") flags.StringVar(&a.methodType, "type", "", "") flags.StringVar(&a.tokenLocality, "token-locality", "", "") + flags.StringVar(&a.tokenNameFormat, "token-name-format", "", "") flags.DurationVar(&a.maxTokenTTL, "max-token-ttl", 0, "") flags.BoolVar(&a.isDefault, "default", false, "") flags.StringVar(&a.config, "config", "", "") @@ -166,12 +173,13 @@ func (a *ACLAuthMethodCreateCommand) Run(args []string) int { // Set up the auth method with the passed parameters. authMethod := api.ACLAuthMethod{ - Name: a.name, - Type: strings.ToUpper(a.methodType), - TokenLocality: a.tokenLocality, - MaxTokenTTL: a.maxTokenTTL, - Default: a.isDefault, - Config: &configJSON, + Name: a.name, + Type: strings.ToUpper(a.methodType), + TokenLocality: a.tokenLocality, + TokenNameFormat: a.tokenNameFormat, + MaxTokenTTL: a.maxTokenTTL, + Default: a.isDefault, + Config: &configJSON, } // Get the HTTP client. diff --git a/command/acl_auth_method_update.go b/command/acl_auth_method_update.go index 5b7a78b588c..59d0ebe3649 100644 --- a/command/acl_auth_method_update.go +++ b/command/acl_auth_method_update.go @@ -24,13 +24,14 @@ var _ cli.Command = &ACLAuthMethodUpdateCommand{} type ACLAuthMethodUpdateCommand struct { Meta - methodType string - tokenLocality string - maxTokenTTL time.Duration - isDefault bool - config string - json bool - tmpl string + methodType string + tokenLocality string + tokenNameFormat string + maxTokenTTL time.Duration + isDefault bool + config string + json bool + tmpl string testStdin io.Reader } 
@@ -59,6 +60,10 @@ ACL Auth Method Update Options: Updates the kind of token that this auth method should produce. This can be either 'local' or 'global'. + -token-name-format + Sets the token format for the authenticated users. This can be lightly templated + using HIL '${foo}' syntax. Defaults to '${auth_method_type}-${auth_method_name}' + -default Specifies whether this auth method should be treated as a default one in case no auth method is explicitly specified for a login command. @@ -81,13 +86,14 @@ ACL Auth Method Update Options: func (a *ACLAuthMethodUpdateCommand) AutocompleteFlags() complete.Flags { return mergeAutocompleteFlags(a.Meta.AutocompleteFlags(FlagSetClient), complete.Flags{ - "-type": complete.PredictSet("OIDC", "JWT"), - "-max-token-ttl": complete.PredictAnything, - "-token-locality": complete.PredictSet("local", "global"), - "-default": complete.PredictSet("true", "false"), - "-config": complete.PredictNothing, - "-json": complete.PredictNothing, - "-t": complete.PredictAnything, + "-type": complete.PredictSet("OIDC", "JWT"), + "-max-token-ttl": complete.PredictAnything, + "-token-locality": complete.PredictSet("local", "global"), + "-token-name-format": complete.PredictNothing, + "-default": complete.PredictSet("true", "false"), + "-config": complete.PredictNothing, + "-json": complete.PredictNothing, + "-t": complete.PredictAnything, }) } @@ -108,6 +114,7 @@ func (a *ACLAuthMethodUpdateCommand) Run(args []string) int { flags.Usage = func() { a.Ui.Output(a.Help()) } flags.StringVar(&a.methodType, "type", "", "") flags.StringVar(&a.tokenLocality, "token-locality", "", "") + flags.StringVar(&a.tokenNameFormat, "token-name-format", "", "") flags.DurationVar(&a.maxTokenTTL, "max-token-ttl", 0, "") flags.StringVar(&a.config, "config", "", "") flags.BoolVar(&a.isDefault, "default", false, "") 
@@ -142,7 +149,7 @@ func (a *ACLAuthMethodUpdateCommand) Run(args []string) int { // Check if any command-specific flags were set setFlags := []string{} - for _, f := range []string{"type", "token-locality", "max-token-ttl", "config", "default"} { + for _, f := range []string{"type", "token-locality", "token-name-format", "max-token-ttl", "config", "default"} { if flagPassed(flags, f) { setFlags = append(setFlags, f) } @@ -162,6 +169,10 @@ func (a *ACLAuthMethodUpdateCommand) Run(args []string) int { updatedMethod.TokenLocality = a.tokenLocality } + if slices.Contains(setFlags, "token-name-format") { + updatedMethod.TokenNameFormat = a.tokenNameFormat + } + if slices.Contains(setFlags, "type") { if !slices.Contains([]string{"OIDC", "JWT"}, strings.ToUpper(a.methodType)) { a.Ui.Error("ACL auth method type must be set to 'OIDC' or 'JWT'") diff --git a/lib/auth/binder.go b/lib/auth/binder.go index f601f27a27f..0614784a575 100644 --- a/lib/auth/binder.go +++ b/lib/auth/binder.go @@ -131,7 +131,7 @@ func (b *Binder) Bind(authMethod *structs.ACLAuthMethod, identity *Identity) (*B // - If the computed name is not valid for the type ("INVALID_NAME", false, nil) is returned. // - If the computed name is valid for the type ("VALID_NAME", true, nil) is returned. func computeBindName(bindType, bindName string, claimMappings map[string]string) (string, bool, error) { - bindName, err := interpolateHIL(bindName, claimMappings, true) + bindName, err := InterpolateHIL(bindName, claimMappings, true) if err != nil { return "", false, err } 
@@ -170,9 +170,9 @@ func doesSelectorMatch(selector string, selectableVars interface{}) bool { return result } -// interpolateHIL processes the string as if it were HIL and interpolates only +// InterpolateHIL processes the string as if it were HIL and interpolates only // the provided string->string map as possible variables. -func interpolateHIL(s string, vars map[string]string, lowercase bool) (string, error) { +func InterpolateHIL(s string, vars map[string]string, lowercase bool) (string, error) { if !strings.Contains(s, "${") { // Skip going to the trouble of parsing something that has no HIL. return s, nil diff --git a/nomad/acl_endpoint.go b/nomad/acl_endpoint.go index e246b50833d..bea0dd98c7f 100644 --- a/nomad/acl_endpoint.go +++ b/nomad/acl_endpoint.go @@ -2769,8 +2769,13 @@ func (a *ACL) OIDCCompleteAuth( // logic, so we do not want to call Raft directly or copy that here. In the // future we should try and extract out the logic into an interface, or at // least a separate function. + name, err := formatTokenName(authMethod.TokenNameFormat, structs.ACLAuthMethodTypeOIDC, authMethod.Name, oidcInternalClaims.Value) + if err != nil { + return err + } + token := structs.ACLToken{ - Name: "OIDC-" + authMethod.Name, + Name: name, Global: authMethod.TokenLocalityIsGlobal(), ExpirationTTL: authMethod.MaxTokenTTL, } @@ -2917,8 +2922,13 @@ func (a *ACL) Login(args *structs.ACLLoginRequest, reply *structs.ACLLoginRespon // logic, so we do not want to call Raft directly or copy that here. In the // future we should try and extract out the logic into an interface, or at // least a separate function. + name, err := formatTokenName(authMethod.TokenNameFormat, structs.ACLAuthMethodTypeJWT, authMethod.Name, jwtClaims.Value) + if err != nil { + return err + } + token := structs.ACLToken{ - Name: "JWT-" + authMethod.Name, + Name: name, Global: authMethod.TokenLocalityIsGlobal(), ExpirationTTL: authMethod.MaxTokenTTL, } 
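Review bot: The `Name` assigned in the `token := structs.ACLToken{` literal of OIDCCompleteAuth is no longer a fixed `OIDC-` prefix plus the method name but may now embed claim values returned by the identity provider, and nothing at the call site records that. A comment above the literal would stop the next reader from treating the name as a trustworthy identifier, e.g. `// Name is rendered from the method's TokenNameFormat and may contain identity-provider supplied claim values; treat it as display metadata only.` The JWT hunk in Login below has the same shape and deserves the same comment. Both enclosing functions start and end outside their hunks, so whether `err` is already declared in scope (making `name, err :=` an assignment or a shadow) cannot be confirmed from this view.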
@@ -2952,3 +2962,23 @@ func (a *ACL) Login(args *structs.ACLLoginRequest, reply *structs.ACLLoginRespon return nil } + +func formatTokenName(format, authType, authName string, claims map[string]string) (string, error) { + claimMappings := map[string]string{ + "auth_method_type": authType, + "auth_method_name": authName, + } + for k, v := range claims { + claimMappings["value."+k] = v + } + + if format == "" { + format = structs.DefaultACLAuthMethodTokenNameFormat + } + tokenName, err := auth.InterpolateHIL(format, claimMappings, false) + if err != nil { + return "", fmt.Errorf("failed to generate ACL token name: %w", err) + } + + return tokenName, nil +} diff --git a/nomad/acl_endpoint_test.go b/nomad/acl_endpoint_test.go index 72fd3bbae25..4dd5b292a04 100644 --- a/nomad/acl_endpoint_test.go +++ b/nomad/acl_endpoint_test.go @@ -3764,12 +3764,14 @@ func TestACL_Login(t *testing.T) { iat := time.Now().Unix() nbf := time.Now().Unix() exp := time.Now().Add(time.Hour).Unix() + user := "John" testToken, testPubKey, err := mock.SampleJWTokenWithKeys(jwt.MapClaims{ "http://nomad.internal/policies": []string{"engineering"}, "http://nomad.internal/roles": []string{"engineering"}, "iat": iat, "nbf": nbf, "exp": exp, + "sub": user, "iss": "nomad test suite", "aud": []string{"sales", "engineering"}, }, nil) @@ -3810,7 +3812,9 @@ func TestACL_Login(t *testing.T) { mockedAuthMethod.Config.BoundIssuer = []string{"nomad test suite"} mockedAuthMethod.Config.ExpirationLeeway = time.Duration(3600) mockedAuthMethod.Config.ClockSkewLeeway = time.Duration(3600) - mockedAuthMethod.Config.ClaimMappings = map[string]string{} + mockedAuthMethod.Config.ClaimMappings = map[string]string{ + "sub": "user", + } mockedAuthMethod.Config.ListClaimMappings = map[string]string{ "http://nomad.internal/roles": "roles", "http://nomad.internal/policies": "policies", 
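Review bot: `formatTokenName` has no doc comment and its `format == ""` fallback is unexplained; Canonicalize fills the default in the structs hunk, but that presumably runs only on write, so auth methods persisted before this change still read back with an empty `TokenNameFormat` and this fallback is what keeps their logins working. Suggest a header such as `// formatTokenName renders an auth method's TokenNameFormat as HIL with ${auth_method_type}, ${auth_method_name} and ${value.<claim>} bound; an empty format falls back to DefaultACLAuthMethodTokenNameFormat so methods stored before the field existed keep working.` The `value.*` variables are identity-provider-controlled claim values of unbounded length, so the rendered name is untrusted data; consider capping its length or at least noting that callers must not base authorization decisions on it. A HIL parse error in the format is only discovered here, at login time, where it fails every login through the method, and the test hunk below adds no case for an invalid format; see the structs hunk for validating at write time. The error string `failed to generate ACL token name: %w` would read better as `generating ACL token name: %w` per Go convention.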
@@ -3877,6 +3881,7 @@ func TestACL_Login(t *testing.T) { must.Len(t, 1, completeAuthResp4.ACLToken.Roles) must.Eq(t, mockACLRole.Name, completeAuthResp4.ACLToken.Roles[0].Name) must.Eq(t, mockACLRole.ID, completeAuthResp4.ACLToken.Roles[0].ID) + must.Eq(t, mockedAuthMethod.Type+"-"+mockedAuthMethod.Name, completeAuthResp4.ACLToken.Name) // Create a binding rule which generates management tokens. This should // override the other rules, giving us a management token when we next @@ -3901,8 +3906,26 @@ func TestACL_Login(t *testing.T) { var completeAuthResp5 structs.ACLLoginResponse err = msgpackrpc.CallWithCodec(codec, structs.ACLLoginRPCMethod, &loginReq5, &completeAuthResp5) must.NoError(t, err) - must.NotNil(t, completeAuthResp4.ACLToken) + must.NotNil(t, completeAuthResp5.ACLToken) must.Len(t, 0, completeAuthResp5.ACLToken.Policies) must.Len(t, 0, completeAuthResp5.ACLToken.Roles) must.Eq(t, structs.ACLManagementToken, completeAuthResp5.ACLToken.Type) + + // Change the token name format + mockedAuthMethod.TokenNameFormat = "${auth_method_type}-${auth_method_name}-${value.user}" + must.NoError(t, testServer.fsm.State().UpsertACLAuthMethods(60, []*structs.ACLAuthMethod{mockedAuthMethod})) + + loginReq6 := structs.ACLLoginRequest{ + AuthMethodName: mockedAuthMethod.Name, + LoginToken: testToken, + WriteRequest: structs.WriteRequest{ + Region: DefaultRegion, + }, + } + + var completeAuthResp6 structs.ACLLoginResponse + err = msgpackrpc.CallWithCodec(codec, structs.ACLLoginRPCMethod, &loginReq6, &completeAuthResp6) + must.NoError(t, err) + must.NotNil(t, completeAuthResp6.ACLToken) + must.Eq(t, mockedAuthMethod.Type+"-"+mockedAuthMethod.Name+"-"+user, completeAuthResp6.ACLToken.Name) } diff --git a/nomad/structs/acl.go b/nomad/structs/acl.go index 63359b714bf..da0a91ab21a 100644 --- a/nomad/structs/acl.go +++ b/nomad/structs/acl.go 
@@ -213,6 +213,8 @@ const ( // ACLAuthMethodTypeJWT the ACLAuthMethod.Type and represents an auth-method // which uses the JWT type. ACLAuthMethodTypeJWT = "JWT" + + DefaultACLAuthMethodTokenNameFormat = "${auth_method_type}-${auth_method_name}" ) var ( @@ -742,12 +744,13 @@ type ACLRoleByNameResponse struct { // ACLAuthMethod is used to capture the properties of an authentication method // used for single sing-on type ACLAuthMethod struct { - Name string - Type string - TokenLocality string // is the token valid locally or globally? - MaxTokenTTL time.Duration - Default bool - Config *ACLAuthMethodConfig + Name string + Type string + TokenLocality string // is the token valid locally or globally? + TokenNameFormat string + MaxTokenTTL time.Duration + Default bool + Config *ACLAuthMethodConfig Hash []byte @@ -771,6 +774,7 @@ func (a *ACLAuthMethod) SetHash() []byte { _, _ = hash.Write([]byte(a.Name)) _, _ = hash.Write([]byte(a.Type)) _, _ = hash.Write([]byte(a.TokenLocality)) + _, _ = hash.Write([]byte(a.TokenNameFormat)) _, _ = hash.Write([]byte(a.MaxTokenTTL.String())) _, _ = hash.Write([]byte(strconv.FormatBool(a.Default))) @@ -900,6 +904,10 @@ func (a *ACLAuthMethod) Canonicalize() { a.CreateTime = t } a.ModifyTime = t + + if a.TokenNameFormat == "" { + a.TokenNameFormat = DefaultACLAuthMethodTokenNameFormat + } } // Merge merges auth method a with method b. It sets all required empty fields @@ -909,6 +917,7 @@ func (a *ACLAuthMethod) Merge(b *ACLAuthMethod) { if b != nil { a.Type = helper.Merge(a.Type, b.Type) a.TokenLocality = helper.Merge(a.TokenLocality, b.TokenLocality) + a.TokenNameFormat = helper.Merge(a.TokenNameFormat, b.TokenNameFormat) a.MaxTokenTTL = helper.Merge(a.MaxTokenTTL, b.MaxTokenTTL) a.Config = helper.Merge(a.Config, b.Config) } diff --git a/nomad/structs/acl_test.go b/nomad/structs/acl_test.go index fbcc9ebd94f..266c7d08beb 100644 --- a/nomad/structs/acl_test.go +++ b/nomad/structs/acl_test.go 
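Review bot: `TokenNameFormat` is added to the struct, `SetHash`, `Canonicalize` and `Merge`, but `Validate` (called as `am1.Validate(minTTL, maxTTL)` in the test hunk below) is not extended, so a template with a HIL syntax error is accepted on write and only surfaces at login, where it breaks every SSO login through that method. Parsing the format at write time is the fix; since `lib/auth` already imports this package (binder.go takes a `*structs.ACLAuthMethod`), the check presumably has to live in the auth-method upsert RPC handler rather than in this file to avoid an import cycle. The new `DefaultACLAuthMethodTokenNameFormat` constant also lacks the doc comment its neighbours in the const block carry; suggest `// DefaultACLAuthMethodTokenNameFormat is the HIL template used for token names when an auth method does not set TokenNameFormat.`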
@@ -1051,15 +1051,17 @@ func TestACLAuthMethod_Merge(t *testing.T) { maxTokenTTL, _ := time.ParseDuration("3600s") am1 := &ACLAuthMethod{ - Name: name, - TokenLocality: "global", + Name: name, + TokenLocality: "global", + TokenNameFormat: "${auth_method_name}-${value.sub}", } am2 := &ACLAuthMethod{ - Name: name, - Type: "OIDC", - TokenLocality: "locality", - MaxTokenTTL: maxTokenTTL, - Default: true, + Name: name, + Type: "OIDC", + TokenLocality: "locality", + TokenNameFormat: "format", + MaxTokenTTL: maxTokenTTL, + Default: true, Config: &ACLAuthMethodConfig{ OIDCDiscoveryURL: "http://example.com", OIDCClientID: "mock", @@ -1078,6 +1080,7 @@ func TestACLAuthMethod_Merge(t *testing.T) { am1.Merge(am2) must.Eq(t, am1.TokenLocality, "global") + must.Eq(t, am1.TokenNameFormat, "${auth_method_name}-${value.sub}") minTTL, _ := time.ParseDuration("10s") maxTTL, _ := time.ParseDuration("10h") must.NoError(t, am1.Validate(minTTL, maxTTL)) @@ -1117,6 +1120,10 @@ func TestACLAuthMethod_Canonicalize(t *testing.T) { "no create time or modify time set", &ACLAuthMethod{}, }, + { + "no create time or modify time set & token name format set", + &ACLAuthMethod{TokenNameFormat: "${auth_method_name}-${value.sub}"}, + }, { "create time set to now, modify time not set", &ACLAuthMethod{CreateTime: now}, @@ -1138,6 +1145,11 @@ func TestACLAuthMethod_Canonicalize(t *testing.T) { if existing.ModifyTime.IsZero() { must.NotEq(t, time.Time{}, tt.inputMethod.ModifyTime) } + if existing.TokenNameFormat == "" { + must.Eq(t, DefaultACLAuthMethodTokenNameFormat, tt.inputMethod.TokenNameFormat) + } else { + must.Eq(t, existing.TokenNameFormat, tt.inputMethod.TokenNameFormat) + } }) } } diff --git a/website/content/api-docs/acl/auth-methods.mdx b/website/content/api-docs/acl/auth-methods.mdx index 1a0107ec775..afa6fd91e0b 100644 --- a/website/content/api-docs/acl/auth-methods.mdx +++ b/website/content/api-docs/acl/auth-methods.mdx 
@@ -37,6 +37,10 @@ The table below shows this endpoint's support for creates a local or global token when performing SSO login. This field must be set to either "local" or "global" +- `TokenNameFormat` `(string )` - Defines the token name format for the + generated tokens This can be lightly templated using HIL '${foo}' syntax. + Defaults to '${auth_method_type}-${auth_method_name}' + - `MaxTokenTTL` `(duration: )` - Defines the maximum life of a token created by this method. When set, it will initialize the `ExpirationTime` field on all tokens to a value of `Token.CreateTime + AuthMethod.MaxTokenTTL`. This field is @@ -92,6 +96,7 @@ The table below shows this endpoint's support for "Name": "example-acl-auth-method", "Type": "OIDC", "TokenLocality": "local", + "TokenNameFormat": "${auth_method_type}-${value.user}", "MaxTokenTTL": "1h0m0s", "Default": false, "Config": { @@ -136,6 +141,7 @@ $ curl \ "Name": "example-acl-auth-method", "Type": "OIDC", "TokenLocality": "local", + "TokenNameFormat": "${auth_method_type}-${value.user}", "Default": false, "Config": { "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/", @@ -196,6 +202,10 @@ queries](/nomad/api-docs#blocking-queries) and [required ACLs](/nomad/api-docs#a creates a local or global token when performing SSO login. This field must be set to either "local" or "global" +- `TokenNameFormat` `(string )` - Defines the token name format for the + generated tokens This can be lightly templated using HIL '${foo}' syntax. + Defaults to '${auth_method_type}-${auth_method_name}' + - `MaxTokenTTL` `(duration: )` - Defines the maximum life of a token created by this method. When set it will initialize the `ExpirationTime` field on all tokens to a value of `Token.CreateTime + AuthMethod.MaxTokenTTL`. This field is 
@@ -251,6 +261,7 @@ queries](/nomad/api-docs#blocking-queries) and [required ACLs](/nomad/api-docs#a "Name": "example-acl-auth-method", "Type": "OIDC", "Tokenlocality": "global", + "TokenNameFormat": "${auth_method_type}-${value.user}", "Maxtokenttl": "1h0m0s", "Default": true, "Config": { @@ -295,6 +306,7 @@ $ curl \ "Name": "example-acl-auth-method", "Type": "OIDC", "TokenLocality": "global", + "TokenNameFormat": "${auth_method_type}-${value.user}", "Default": true, "Config": { "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/", @@ -404,6 +416,7 @@ $ curl \ "Name": "example-acl-auth-method", "Type": "OIDC", "TokenLocality": "global", + "TokenNameFormat": "${auth_method_type}-${value.user}", "Default": true, "Config": { "OIDCDiscoveryURL": "https://my-corp-app-name.auth0.com/", diff --git a/website/content/docs/commands/acl/auth-method/create.mdx b/website/content/docs/commands/acl/auth-method/create.mdx index 8cc6519a78c..2d3d8cccc1a 100644 --- a/website/content/docs/commands/acl/auth-method/create.mdx +++ b/website/content/docs/commands/acl/auth-method/create.mdx @@ -37,6 +37,10 @@ via flags detailed below. - `-token-locality`: Defines the kind of token that this auth method should produce. This can be either `local` or `global`. +- `token-name-format`: Sets the token format for the authenticated users. + This can be lightly templated using HIL '${foo}' syntax. Defaults to + '${auth_method_type}-${auth_method_name}'. + - `-default`: Specifies whether this auth method should be treated as a default one in case no auth method is explicitly specified for a login command. 
@@ -54,13 +58,14 @@ Create a new ACL Auth Method: ```shell-session $ nomad acl auth-method create -name "example-acl-auth-method" -type "OIDC" -max-token-ttl "1h" -token-locality "local" -config "@config.json" -Name = example-acl-auth-method -Type = OIDC -Locality = local -Max Token TTL = 1h0m0s -Default = false -Create Index = 14 -Modify Index = 14 +Name = example-acl-auth-method +Type = OIDC +Locality = local +Max Token TTL = 1h0m0s +Token Name Format = ${auth_method_type}-${auth_method_name} +Default = false +Create Index = 14 +Modify Index = 14 Auth Method Config diff --git a/website/content/docs/commands/acl/auth-method/info.mdx b/website/content/docs/commands/acl/auth-method/info.mdx index 1f7605213a7..a6d13c61b83 100644 --- a/website/content/docs/commands/acl/auth-method/info.mdx +++ b/website/content/docs/commands/acl/auth-method/info.mdx @@ -34,13 +34,14 @@ Fetch information about an existing ACL Auth Method: ```shell-session $ nomad acl auth-method info example-acl-auth-method -Name = example-acl-auth-method -Type = OIDC -Locality = local -Max Token TTL = 1h0m0s -Default = false -Create Index = 14 -Modify Index = 14 +Name = example-acl-auth-method +Type = OIDC +Locality = local +Max Token TTL = 1h0m0s +Token Name Format = ${auth_method_type}-${auth_method_name} +Default = false +Create Index = 14 +Modify Index = 14 Auth Method Config diff --git a/website/content/docs/commands/acl/auth-method/update.mdx b/website/content/docs/commands/acl/auth-method/update.mdx index 2dd8a9d6681..3738f7f3e52 100644 --- a/website/content/docs/commands/acl/auth-method/update.mdx +++ b/website/content/docs/commands/acl/auth-method/update.mdx 
@@ -45,6 +45,10 @@ The `acl auth-method update` command requires an existing method's name. - `-token-locality`: Updates the kind of token that this auth method should produce. This can be either `local` or `global`. +- `token-name-format`: Sets the token format for the authenticated users. + This can be lightly templated using HIL '${foo}' syntax. Defaults to + '${auth_method_type}-${auth_method_name}'. + - `-default`: Specifies whether this auth method should be treated as a default one in case no auth method is explicitly specified for a login command. @@ -61,14 +65,15 @@ The `acl auth-method update` command requires an existing method's name. Update an existing ACL auth method: ```shell-session -$ nomad acl auth-method update -token-locality "global" -config @config.json example-acl-auth-method -Name = example-acl-auth-method -Type = OIDC -Locality = global -Max Token TTL = 1h0m0s -Default = false -Create Index = 14 -Modify Index = 33 +$ nomad acl auth-method update -token-locality "global" -token-name-format '${auth_method_name}-${value.user}' -config @config.json example-acl-auth-method +Name = example-acl-auth-method +Type = OIDC +Locality = global +Max Token TTL = 1h0m0s +Token Name Format = ${auth_method_name}-${value.user} +Default = false +Create Index = 14 +Modify Index = 33 Auth Method Config