ACL, legacy config to new

foobar · November 10, 2022, 2:33pm

Hi All, I hope you are all well.

I have a few questions regarding ACL.

How to quickly know if ACL token is of legacy type? Is there an identifier and can this be seen when invoking consul acl token read -id {token_id}?
In a consul (version 1.6.2) cluster where ACL got enabled by setting the legacy option acl_datacenter. If this will be changed to the new config below, will this impact the existing tokens?

"acl": {
  "enabled": true  
}

maxb · November 11, 2022, 4:30pm

Legacy ACL tokens have rules, written in HCL, directly associated with them. Modern tokens have instead, links to policies and/or roles.

As written in the documentation, you need to define primary_datacenter as well when migrating.

Topic		Replies	Views
HCSEC-2020-11 - Consul Legacy ACL Permission Changes Not Propagated to Secondary Datacenters Security security-consul	0	4227	November 25, 2020
Consul AccessorID is empty in one of remote clusters Consul	1	334	April 27, 2023
Creating an ACL token with "-secret" option breaks the consul security? Consul	6	1207	April 7, 2023
Cannot update ACL token in a different datacenter Consul acl	1	877	May 26, 2020
Stuck troubleshooting ACLs Consul	3	943	August 16, 2023