docs: Document config entry permissions

hashicorp · Mar 7, 2023 · 6fc6098 · 6fc6098
1 parent a5b8256
commit 6fc6098
Showing 1 changed file with 96 additions and 61 deletions.
diff --git a/website/content/api-docs/config.mdx b/website/content/api-docs/config.mdx
@@ -31,25 +31,32 @@ The table below shows this endpoint's support for
 
 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required                                      |
 | ---------------- | ----------------- | ------------- | ------------------------------------------------- |
-| `NO`             | `none`            | `none`        | `service:write`<br />`operator:write`<sup>1</sup> |
-
-<p>
-  <sup>1</sup> The ACL required depends on the config entry kind being updated:
-</p>
-
-| Config Entry Kind   | Required ACL       |
-| ------------------- | ------------------ |
-| ingress-gateway     | `operator:write`   |
-| proxy-defaults      | `operator:write`   |
-| service-defaults    | `service:write`    |
-| service-intentions  | `intentions:write` |
-| service-resolver    | `service:write`    |
-| service-router      | `service:write`    |
-| service-splitter    | `service:write`    |
-| terminating-gateway | `operator:write`   |
+| `NO`             | `none`            | `none`        | Refer to [Permissions](#permissions)              |
 
 The corresponding CLI command is [`consul config write`](/consul/commands/config/write).
 
+### Permissions
+
+The ACL required depends on the config entry being written:
+
+| Config Entry Kind   | Required ACLs                    |
+| ------------------- | -------------------------------- |
+| api-gateway         | `mesh:write` or `operator:write` |
+| bound-api-gateway   | Not writable.                    |
+| exported-services   | `mesh:write` or `operator:write` |
+| http-route          | `mesh:write` or `operator:write` |
+| ingress-gateway     | `mesh:write` or `operator:write` |
+| inline-certificate  | `mesh:write` or `operator:write` |
+| mesh                | `mesh:write` or `operator:write` |
+| proxy-defaults      | `mesh:write` or `operator:write` |
+| service-defaults    | `service:write`                  |
+| service-intentions  | `intentions:write`               |
+| service-resolver    | `service:write`                  |
+| service-router      | `service:write`                  |
+| service-splitter    | `service:write`                  |
+| tcp-route           | `mesh:write` or `operator:write` |
+| terminating-gateway | `mesh:write` or `operator:write` |
+
 ### Query Parameters
 
 - `dc` `(string: "")` - Specifies the datacenter to query.
@@ -96,25 +103,35 @@ The table below shows this endpoint's support for
 [agent caching](/consul/api-docs/features/caching), and
 [required ACLs](/consul/api-docs/api-structure#authentication).
 
-| Blocking Queries | Consistency Modes | Agent Caching | ACL Required               |
-| ---------------- | ----------------- | ------------- | -------------------------- |
-| `YES`            | `all`             | `none`        | `service:read`<sup>1</sup> |
-
-<sup>1</sup> The ACL required depends on the config entry kind being read:
+| Blocking Queries | Consistency Modes | Agent Caching | ACL Required                           |
+| ---------------- | ----------------- | ------------- | -------------------------------------- |
+| `YES`            | `all`             | `none`        | Refer to [Permissions](#permissions-1) |
 
-| Config Entry Kind   | Required ACL      |
-| ------------------- | ----------------- |
-| ingress-gateway     | `service:read`    |
-| proxy-defaults      | `<none>`          |
-| service-defaults    | `service:read`    |
-| service-intentions  | `intentions:read` |
-| service-resolver    | `service:read`    |
-| service-router      | `service:read`    |
-| service-splitter    | `service:read`    |
-| terminating-gateway | `service:read`    |
 
 The corresponding CLI command is [`consul config read`](/consul/commands/config/read).
 
+### Permissions
+
+The ACL required depends on the config entry kind being read:
+
+| Config Entry Kind   | Required ACLs                    |
+| ------------------- | -------------------------------- |
+| api-gateway         | `service:read`                   |
+| bound-api-gateway   | `service:read`                   |
+| exported-services   | `mesh:read` or `operator:read`   |
+| http-route          | `mesh:read` or `operator:read`   |
+| ingress-gateway     | `service:read`                   |
+| inline-certificate  | `mesh:read` or `operator:read`   |
+| mesh                | No ACL required                  |
+| proxy-defaults      | No ACL required                  |
+| service-defaults    | `service:read`                   |
+| service-intentions  | `intentions:read`                |
+| service-resolver    | `service:read`                   |
+| service-router      | `service:read`                   |
+| service-splitter    | `service:read`                   |
+| tcp-route           | `mesh:read` or `operator:read`   |
+| terminating-gateway | `service:read`                   |
+
 ### Path Parameters
 
 - `kind` `(string: <required>)` - Specifies the kind of the entry to read.
@@ -167,22 +184,31 @@ The table below shows this endpoint's support for
 [agent caching](/consul/api-docs/features/caching), and
 [required ACLs](/consul/api-docs/api-structure#authentication).
 
-| Blocking Queries | Consistency Modes | Agent Caching | ACL Required               |
-| ---------------- | ----------------- | ------------- | -------------------------- |
-| `YES`            | `all`             | `none`        | `service:read`<sup>1</sup> |
-
-<sup>1</sup> The ACL required depends on the config entry kind being read:
-
-| Config Entry Kind   | Required ACL      |
-| ------------------- | ----------------- |
-| ingress-gateway     | `service:read`    |
-| proxy-defaults      | `<none>`          |
-| service-defaults    | `service:read`    |
-| service-intentions  | `intentions:read` |
-| service-resolver    | `service:read`    |
-| service-router      | `service:read`    |
-| service-splitter    | `service:read`    |
-| terminating-gateway | `service:read`    |
+| Blocking Queries | Consistency Modes | Agent Caching | ACL Required                           |
+| ---------------- | ----------------- | ------------- | -------------------------------------- |
+| `YES`            | `all`             | `none`        | Refer to [Permissions](#permissions-2) |
+
+### Permissions
+
+The ACL required depends on the config entry kind being read:
+
+| Config Entry Kind   | Required ACLs                    |
+| ------------------- | -------------------------------- |
+| api-gateway         | `service:read`                   |
+| bound-api-gateway   | `service:read`                   |
+| exported-services   | `mesh:read` or `operator:read`   |
+| http-route          | `mesh:read` or `operator:read`   |
+| ingress-gateway     | `service:read`                   |
+| inline-certificate  | `mesh:read` or `operator:read`   |
+| mesh                | No ACL required                  |
+| proxy-defaults      | No ACL required                  |
+| service-defaults    | `service:read`                   |
+| service-intentions  | `intentions:read`                |
+| service-resolver    | `service:read`                   |
+| service-router      | `service:read`                   |
+| service-splitter    | `service:read`                   |
+| tcp-route           | `mesh:read` or `operator:read`   |
+| terminating-gateway | `service:read`                   |
 
 The corresponding CLI command is [`consul config list`](/consul/commands/config/list).
 
@@ -243,20 +269,29 @@ The table below shows this endpoint's support for
 
 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required                                      |
 | ---------------- | ----------------- | ------------- | ------------------------------------------------- |
-| `NO`             | `none`            | `none`        | `service:write`<br />`operator:write`<sup>1</sup> |
-
-<sup>1</sup> The ACL required depends on the config entry kind being deleted:
-
-| Config Entry Kind   | Required ACL       |
-| ------------------- | ------------------ |
-| ingress-gateway     | `operator:write`   |
-| proxy-defaults      | `operator:write`   |
-| service-defaults    | `service:write`    |
-| service-intentions  | `intentions:write` |
-| service-resolver    | `service:write`    |
-| service-router      | `service:write`    |
-| service-splitter    | `service:write`    |
-| terminating-gateway | `operator:write `  |
+| `NO`             | `none`            | `none`        | Refer to [Permissions](#permissions-3)            |
+
+### Permissions
+
+The ACL required depends on the config entry kind being deleted:
+
+| Config Entry Kind   | Required ACLs                    |
+| ------------------- | -------------------------------- |
+| api-gateway         | `mesh:write` or `operator:write` |
+| bound-api-gateway   | Not writable.                    |
+| exported-services   | `mesh:write` or `operator:write` |
+| http-route          | `mesh:write` or `operator:write` |
+| ingress-gateway     | `mesh:write` or `operator:write` |
+| inline-certificate  | `mesh:write` or `operator:write` |
+| mesh                | `mesh:write` or `operator:write` |
+| proxy-defaults      | `mesh:write` or `operator:write` |
+| service-defaults    | `service:write`                  |
+| service-intentions  | `intentions:write`               |
+| service-resolver    | `service:write`                  |
+| service-router      | `service:write`                  |
+| service-splitter    | `service:write`                  |
+| tcp-route           | `mesh:write` or `operator:write` |
+| terminating-gateway | `mesh:write` or `operator:write` |
 
 The corresponding CLI command is [`consul config delete`](/consul/commands/config/delete).