Search code examples
aclconsul

Consul 0.8 ACL migration - how to migrate

TLTR How to migrate the pre 0.8 ACL permissions to 0.7.3?

Current setup I am currently running an ACL enabled Consul 0.7.3 stack.

With Consul 0.8 ACLs will finally also include services and nodes, so that nodes / service (Consul) are not longer shown to anonymous users. This is exactly what I need. Today I tried to enable the new ACL "pre 0.8" using https://www.consul.io/docs/agent/options.html#acl_enforce_version_8

After doing so, my nodes could no longer authenticate against the master ( if authentication is the problem at all ).

I run the consul-network with gossip enabled, I have configured a acl_master_token:

"{acl_master_token":"<token>}"

and a token for the agents:

"{acl_token":"<token>}"

which all agents use / are configured with.

I have these ACL defaults:

{
 "acl_datacenter": "stable",
 "acl_default_policy": "deny",
 "acl_down_policy": "deny"
}

and my Consul config looks like this:

{
  "datacenter": "stable",
  "data_dir": "/consul/data",
  "ui": true,
  "dns_config": {
    "allow_stale": false
  },
  "log_level": "INFO",
  "node_name": "dwconsul",
  "client_addr" : "0.0.0.0",
  "server": true,
  "bootstrap": true,
  "acl_enforce_version_8": true
}

What happens When I boot, I cannot see my nodes/services using my token at all, neither the nodes/agents can register at the master,

Question What is exactly needed to get the following:

  • All agents can see all nodes and all services and all KVs
  • Anonymous sees nothing, not KV, services or nodes (thats what is possible with 0.8 )

I looked at https://www.consul.io/docs/internals/acl.html "ACL Changes Coming in Consul 0.8" but I could not wrap my head around it. Should I now use https://www.consul.io/docs/agent/options.html#acl_agent_master_token instead of acl_token?

Thank you for any help. I guess I will not be the only one on this migration path and this particular interest, a lot of people are interested in this. You help all of them :)

Solution

  • It looks like the new node policy is preventing the nodes from registering properly. This should fix things:

    1. On your Consul servers configure them with an acl_agent_token that has a policy that can write to any node, like this: node "" { policy = "write" }.

    2. On your Consul agents, configure them with a similar one to the servers to keep things open, or you can give them a token with a more specific policy that only lets them write to some allowed prefix.

    Note this gets set as the acl_agent_token which is used for internal registration operations. The acl_agent_master_token is used as kind of an emergency token to use the /v1/agent APIs if there's something wrong with the Consul servers, but it only applies to the /v1/agent APIs.

    For "all agents can see all nodes and all services and all KVs" you'd add node read privileges to whatever token you are giving to your agents via the acl_token, so you'd add a policy like:

    node "" { policy = "read" }
service "" { policy = "read" }
key "" { policy = "read" }

    Note that this allows anyone with access to the agent's client interface to read all these things, so you want to be careful with what you bind to (usually only loopback). Or don't set acl_token at all and make callers pass in a token with each request.