HashiCorp’s distributed service mesh Consul has introduced a redesigned access control list system and multi-data center support in the just-released v1.4.
The new ACL design is meant to lighten the operational burden and simplify service management with changes in areas such as UI, tokens, and CLI. It includes a policy data model, which allows operators to centrally update specific policies for all kinds of groupings (business units, for example). Those updates will then apply to all tokens created under that policy.
To make the management of ACL tokens more secure, they can now be retrieved and modified via public accessor IDs. These are distinct from the tokens used in API interactions to authorize requests to Consul. Tokens and policies can be managed via the Consul web UI or a new CLI, which should also facilitate automation efforts.
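To make the policy model concrete, here is an added example (not taken from the article or from HashiCorp's documentation) of a read-only policy in the 1.4 rule syntax, with the CLI calls that attach it to a token shown as comments. The policy name `billing-ro`, the file name, and the `billing` prefixes are assumptions chosen for illustration.

```hcl
# billing-ro.hcl (constructed example, hypothetical "billing" business unit)

# Discover and read health for any service whose name starts with "billing-".
service_prefix "billing-" {
  policy = "read"
}

# Read node catalog entries so service addresses can be resolved.
node_prefix "" {
  policy = "read"
}

# Read the unit's own KV subtree.
key_prefix "billing/" {
  policy = "read"
}

# Carve out a deny for a more sensitive subtree; the longest matching
# prefix rule takes precedence over the broader "billing/" rule above.
key_prefix "billing/secrets/" {
  policy = "deny"
}

# Register the policy once, then link tokens to it by name:
#   consul acl policy create -name billing-ro -rules @billing-ro.hcl
#   consul acl token create -description "billing dashboard" -policy-name billing-ro
#
# The create call prints an AccessorID and a SecretID. Day-to-day
# management refers to the token by its accessor ID, so the secret does
# not have to appear in shell history, scripts or tickets:
#   consul acl token read -id <AccessorID>
```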
Tokens created with prior Consul versions should still work as before and will keep doing so for at least the 1.5.x and 1.6.x series of the tool, HashiCorp promises in the project’s docs. Users wanting to take advantage of the new system’s features, however, will have to translate their tokens according to the migration guide.
On top of that, the Connect feature that landed in Consul earlier this year reaches general availability status with the v1.4 release. Ops teams using Consul Enterprise now also have the option to replicate intentions in real time and have federated certificate management between datacenters with Connect. Those features should help in securing traffic and applying consistent security policies to services regardless of source and destination.
Additional enhancements include a new debug command to gather information about the target agent and cluster as well as support for prefix lookups in the DNS. HashiCorp Consul can be found on GitHub, where it’s licensed under the Mozilla Public License 2.0. Pricing information for enterprise versions, however, is only available upon request.