otterblitzar
commented
2 years ago The code currently uses deprecated Consul API calls that only work with the legacy ACL system. For example:
The fix would be to migrate to the new API calls. For example, replace ACL.List with ACL.TokenList. See:
https://pkg.go.dev/github.com/hashicorp/consul/api#ACL.List
Since ACLs are now composed of tokens and policies, I suggest using a struct to contain both of these items. Example:
type AclBackup struct {
Policies []byte
Tokens []byte
}I'm willing to develop this code, if nobody else wants to. @nathanejohnson Are you OK with the general outline of the fix I've proposed?
aaronhurt
cherishedbrain
Hello,
Consul 1.4 introduced a new ACL system where a token's permissions are tied to a policy (or multiple policies), rather than being baked into the token itself. I just recently upgraded my Consul cluster from version 1.3.1 to 1.4.5. After upgrade, all pre-existing non-management tokens were in "legacy" mode. At this point, consul-backinator was backing up the ACLs just fine.
However, after migrating the legacy tokens to the new format, consul-backinator now backs up only the management tokens and ignores anything with a policy tied to it. I confirmed this in two ways:
The consul-backinator log indicates that only a handful of ACL tokens were backed up, even though I have about 50 tokens in total
2022/03/07 15:05:02 [Success] Backed up 10 ACL tokens from consul.service.example.com:8501 to /path/to/backup/my-aclsI restored the above backup to a fresh test cluster and confirmed that only 10 ACL tokens exist (all of which are management tokens)
Note that KV backups appear to be working as they did previously.
Can you please implement support for backing up ACLs/Policies in Consul 1.4+? If this already exists, please let me know how to enable it. I can provide more details if needed.
Thank you!