zrok/assets/js/0c66edb9.cf3471cb.js


"use strict";(self.webpackChunkwebsite=self.webpackChunkwebsite||[]).push([[58],{7723:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>c,contentTitle:()=>a,default:()=>l,frontMatter:()=>i,metadata:()=>t,toc:()=>d});var r=n(5893),o=n(1151);const i={sidebar_position:22,sidebar_label:"Permission Modes"},a="Permission Modes",t={id:"guides/permission-modes",title:"Permission Modes",description:"Shares created in zrok v0.4.26 and newer now include a choice of permission mode.",source:"@site/../docs/guides/permission-modes.md",sourceDirName:"guides",slug:"/guides/permission-modes",permalink:"/docs/guides/permission-modes",draft:!1,unlisted:!1,editUrl:"https://github.com/openziti/zrok/blob/main/docs/../docs/guides/permission-modes.md",tags:[],version:"current",sidebarPosition:22,frontMatter:{sidebar_position:22,sidebar_label:"Permission Modes"},sidebar:"tutorialSidebar",previous:{title:"frontdoor",permalink:"/docs/guides/frontdoor"},next:{title:"Getting Started with Docker",permalink:"/docs/guides/docker-share/"}},c={},d=[{value:"Creating a Share with Closed Permission Mode",id:"creating-a-share-with-closed-permission-mode",level:2},{value:"Adding and Removing Access Grants for Existing Shares",id:"adding-and-removing-access-grants-for-existing-shares",level:2},{value:"Limitations",id:"limitations",level:2}];function h(e){const s={code:"code",em:"em",h1:"h1",h2:"h2",header:"header",p:"p",pre:"pre",...(0,o.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"permission-modes",children:"Permission Modes"})}),"\n",(0,r.jsxs)(s.p,{children:["Shares created in zrok ",(0,r.jsx)(s.code,{children:"v0.4.26"})," and newer now include a choice of ",(0,r.jsx)(s.em,{children:"permission mode"}),"."]}),"\n",(0,r.jsxs)(s.p,{children:["Shares created with zrok ",(0,r.jsx)(s.code,{children:"v0.4.25"})," and older were created using what is now called the ",(0,r.jsx)(s.em,{children:"open permission mode"}),". 
Whether ",(0,r.jsx)(s.em,{children:"public"})," or ",(0,r.jsx)(s.em,{children:"private"}),", these shares can be accessed by any user of the zrok service instance, as long as they know the ",(0,r.jsx)(s.em,{children:"share token"})," of the share. Effectively shares with the ",(0,r.jsx)(s.em,{children:"open permission mode"})," are accessible by any user of the zrok service instance."]}),"\n",(0,r.jsxs)(s.p,{children:["zrok now supports a ",(0,r.jsx)(s.em,{children:"closed permission mode"}),", which allows for more fine-grained control over which zrok users are allowed to privately access your shares using ",(0,r.jsx)(s.code,{children:"zrok access private"}),"."]}),"\n",(0,r.jsxs)(s.p,{children:["zrok defaults to continuing to create shares with the ",(0,r.jsx)(s.em,{children:"open permission mode"}),". This will likely change in a future release. We're leaving the default behavior in place to allow users a period of time to get comfortable with the new permission modes."]}),"\n",(0,r.jsx)(s.h2,{id:"creating-a-share-with-closed-permission-mode",children:"Creating a Share with Closed Permission Mode"}),"\n",(0,r.jsxs)(s.p,{children:["Adding the ",(0,r.jsx)(s.code,{children:"--closed"})," flag to the ",(0,r.jsx)(s.code,{children:"zrok share"})," or ",(0,r.jsx)(s.code,{children:"zrok reserve"})," commands will create shares using the ",(0,r.jsx)(s.em,{children:"closed permission mode"}),":"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{children:"$ zrok share private --headless --closed -b web .\n[ 0.066] INFO main.(*sharePrivateCommand).run: allow other to access your share with the following command:\nzrok access private 0vzwzodf0c7g\n"})}),"\n",(0,r.jsxs)(s.p,{children:["By default any environment owned by the account that created the share is ",(0,r.jsx)(s.em,{children:"allowed"})," to access the new share. 
But a user trying to access the share from an environment owned by a different account will enounter the following error message:"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{children:"$ zrok access private 0vzwzodf0c7g\n[ERROR]: unable to access ([POST /access][401] accessUn