diff --git a/website/source/docs/upgrade-specific.html.markdown b/website/source/docs/upgrade-specific.html.markdown index 5c4c68f51e..0659ad4074 100644 --- a/website/source/docs/upgrade-specific.html.markdown +++ b/website/source/docs/upgrade-specific.html.markdown @@ -14,6 +14,29 @@ details provided for their upgrades as a result of new features or changed behavior. This page is used to document those details seperately from the standard upgrade flow. +## Consul 0.6 + +Consul 0.6 introduces enhancements to the ACL system which may require special +handling: + +* Service ACL's are enforced during service discovery (REST + DNS) + +Previously, service discovery was wide open, and any client could query +information about any service without providing a token. Consul now requires +read-level access at a minimum when ACL's are enabled to return service +information over the REST or DNS interfaces. If clients depend on an open +service discovery system, then the following should be added to all ACL tokens +which require it: + + # Enable discovery of all services + service "" { + policy = "read" + } + +Note that the agent's [`acl_token`](/docs/agent/options.html#acl_token) is used +when the DNS interface is queried, so be sure that token has sufficient +privileges to return the DNS records you expect to retrieve from it. + ## Consul 0.5.1 Consul version 0.5.1 uses a different backend store for persisting the Raft
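Review bot: The paragraph starting "Previously, service discovery was wide open" says clients used to query without providing a token, but the remedy only addresses "all ACL tokens which require it", so it never states what a client that still sends no token will get back after the upgrade or which token's rules apply to that request. Suggest adding a sentence covering the no-token case next to the `service "" { policy = "read" }` snippet. Since the snippet's own comment says it enables discovery of all services, it is also worth telling operators that this restores the old open behavior for every holder of that token, and that they can grant read on specific services instead if they want the new enforcement to mean something. The closing note about the agent's `acl_token` being used for DNS would be easier to act on if it said what a DNS query returns when that token lacks read access, so operators can recognise the symptom. Style: "ACL's" in the bullet and in "when ACL's are enabled" should be "ACLs".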