Adding warning for ACL replication data loss (#8210)

danielehc 2020-08-18 23:48:37 +02:00 committed by GitHub
parent a932aafc91
commit 1790b37a11
GPG Key ID: 4AEE18F83AFDEB23


@ -641,6 +641,11 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
allow for the creation of both [local tokens](/api/acl/tokens#local) and allow for the creation of both [local tokens](/api/acl/tokens#local) and
[auth methods](/docs/acl/auth-methods) in connected secondary datacenters. [auth methods](/docs/acl/auth-methods) in connected secondary datacenters.
~> **Warning:** When enabling ACL token replication on the secondary datacenter,
global tokens already present in the secondary datacenter will be lost. For
production environments, consider configuring ACL replication in your initial
datacenter bootstrapping process.
- `enable_token_persistence` ((#acl_enable_token_persistence)) - Either - `enable_token_persistence` ((#acl_enable_token_persistence)) - Either
`true` or `false`. When `true` tokens set using the API will be persisted to `true` or `false`. When `true` tokens set using the API will be persisted to
disk and reloaded when an agent restarts. disk and reloaded when an agent restarts.
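Review bot: The data said to be lost is inconsistent across the three added callouts; this one, placed under the token replication setting, says "global tokens already present in the secondary datacenter will be lost", while the two later callouts say "policies and roles". If all three kinds of ACL data are dropped when replication is switched on in an already-bootstrapped secondary, say so in one sentence here (e.g. "existing global tokens, policies and roles in the secondary datacenter will be replaced by the primary's data") and have the other two locations link to it instead of repeating a different version. Also make sure the `~>` callout is separated by a blank line from the `enable_token_persistence` bullet that follows it, so the list item is not rendered as part of the warning paragraph.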
@ -683,6 +688,11 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
authorize secondary datacenters with the primary datacenter for replication authorize secondary datacenters with the primary datacenter for replication
operations. This token is required for servers outside the [`primary_datacenter`](#primary_datacenter) when ACLs are enabled. This token may be provided later using the [agent token API](/api/agent#update-acl-tokens) on each server. This token must have at least "read" permissions on ACL data but if ACL token replication is enabled then it must have "write" permissions. This also enables Connect replication, for which the token will require both operator "write" and intention "read" permissions for replicating CA and Intention data. operations. This token is required for servers outside the [`primary_datacenter`](#primary_datacenter) when ACLs are enabled. This token may be provided later using the [agent token API](/api/agent#update-acl-tokens) on each server. This token must have at least "read" permissions on ACL data but if ACL token replication is enabled then it must have "write" permissions. This also enables Connect replication, for which the token will require both operator "write" and intention "read" permissions for replicating CA and Intention data.
~> **Warning:** When enabling ACL token replication on the secondary datacenter,
policies and roles already present in the secondary datacenter will be lost. For
production environments, consider configuring ACL replication in your initial
datacenter bootstrapping process.
- `managed_service_provider` ((#acl_tokens_managed_service_provider)) <EnterpriseAlert inline /> - An - `managed_service_provider` ((#acl_tokens_managed_service_provider)) <EnterpriseAlert inline /> - An
array of ACL tokens used by Consul managed service providers for cluster operations. array of ACL tokens used by Consul managed service providers for cluster operations.
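Review bot: The condition in the callout does not match the setting it is attached to. The surrounding text describes the replication token, which is "required for servers outside the `primary_datacenter` when ACLs are enabled" and enables replication operations independently of token replication, yet the warning is phrased as "When enabling ACL token replication". Since the loss described here is of "policies and roles", reword the trigger to the event this setting actually causes, for example "When ACL replication is first enabled in a secondary datacenter by configuring this token, policies and roles already present there will be lost", so readers do not conclude the warning only applies when token replication is turned on.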
@ -1414,6 +1424,11 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
and then introduce the token using the [agent token API](/api/agent#update-acl-tokens) on each server. and then introduce the token using the [agent token API](/api/agent#update-acl-tokens) on each server.
See [`acl_replication_token`](#acl_replication_token) for more details. See [`acl_replication_token`](#acl_replication_token) for more details.
~> **Warning:** When enabling ACL token replication on the secondary datacenter,
policies and roles already present in the secondary datacenter will be lost. For
production environments, consider configuring ACL replication in your initial
datacenter bootstrapping process.
- `enable_agent_tls_for_checks` When set, uses a subset of the agent's TLS configuration (`key_file`, - `enable_agent_tls_for_checks` When set, uses a subset of the agent's TLS configuration (`key_file`,
`cert_file`, `ca_file`, `ca_path`, and `server_name`) to set up the client for HTTP or gRPC health checks. This allows services requiring 2-way TLS to be checked using the agent's credentials. This was added in Consul 1.0.1 and defaults to false. `cert_file`, `ca_file`, `ca_path`, and `server_name`) to set up the client for HTTP or gRPC health checks. This allows services requiring 2-way TLS to be checked using the agent's credentials. This was added in Consul 1.0.1 and defaults to false.
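Review bot: This third copy of the warning is attached to a setting whose description already defers to `acl_replication_token` ("See [`acl_replication_token`](#acl_replication_token) for more details"), so the callout duplicates the one added above and will drift out of sync with it. Replace it with a single sentence pointing at the canonical warning, or, if it must stay, use identical wording and the same trigger as the `replication` token entry (this copy again says "When enabling ACL token replication" while the loss described is "policies and roles"). Same rendering check as the other hunks: the `~>` block needs a blank line before the following `enable_agent_tls_for_checks` bullet.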