Reset/Re-bootstrap ACL in consul

I am quite new to the Nomad/Consul world. I have a test env with 3 Nomad/Consul servers and 6 Nomad/Consul clients. I am able to run jobs and access the Consul and Nomad UI etc. Mostly everything is working fine. I wanted to enable ACLs, and I went through the setup
Secure Consul with Access Control Lists (ACLs) | Consul | HashiCorp Developer and was able to create tokens, and I put the following in both the Consul servers and clients:

consul.hcl

    acl {
      enabled                  = true
      default_policy           = "deny"
      enable_token_persistence = true
      enable_token_replication = true
      tokens {
        master = "xxxxf"
        agent  = "xxxxx"
      }
    }

So, a couple of questions:

a) What config needs to go into my Nomad config, and do I use the same tokens in the consul stanza? My current Nomad stanza looks like this:

    consul {
      ssl       = true
      address   = "127.0.0.1:8501"
      ca_file   = "xxx"
      cert_file = "xxx"
      key_file  = "xxx"
      token     = "xxxxx" # same as the "agent" token from the Consul config above
    }

b) Do I need to bootstrap my Nomad cluster and create new tokens per Bootstrap Nomad ACL System | Nomad | HashiCorp Developer?
c) Finally, if I need to reset the ACL bootstrap on Consul and redo everything, how can we do this?

I don’t know Nomad, so I’ll only be answering this part:

You can’t re-bootstrap unless you completely wipe the Consul data directory on all nodes, and have the cluster nodes recreate the cluster with no data.

However, the tokens.master setting in the Consul server config file serves as a way to “break glass” into a Consul installation if all admin tokens have been lost. The exact functionality of the tokens.master setting is that when a Consul server becomes the cluster leader, it will check whether that token already exists, and if it does not, will create it with global-management privileges.

To be clear, it is not necessary to keep tokens.master set at all in the configuration file: its only purpose is to allow creating an initial or replacement global-management token without having an existing token.

Hi @maxb,

Consul lets you re-bootstrap the ACL system if you lose the bootstrap token. Please find the documentation for the same here: Troubleshoot the Access Control System | Consul | HashiCorp Developer


Huh, that must be new in more recent versions of Consul. It didn’t exist when I last was working in that area.

That means you must have been using a Consul version below 1.4.0. Just for information for anyone else referring to this thread in the future: this feature is available from Consul 1.4.0.