Thanks for your reply @blake .
Through your clear and practical case, I now know why ACLs and tokens all need to be replicated across DCs.
In our production use case, Nomad and Consul are both federated across multiple DCs or regions, and all deployment and bootstrap actions of the clusters are self-driven in the form of scripts. So ACL replication across DCs brings a little sophistication to this initial bootstrapping process. In particular, we have to do some necessary manual intervention and verification. I know it plays an important part in service discovery and other situations, so I think it should be worth it.
My problem has been solved completely.
By the way, I have one other question:
Can a federated Consul cluster across multiple DCs be used with a single Nomad cluster in a separate region? That is to say, can two separate Nomad clusters in two regions operate well with one federated Consul cluster across two DCs? (I think it's OK.) And in turn, can a federated Nomad cluster across two regions be used with two separate Consul clusters in separate DCs? (I think it's OK too.)
Thanks very much.