Cluster access permissions
Warning: HashiCorp will deprecate HCP Consul Central on November 6, 2024.
This page explains concepts associated with the read/write permissions granted to Consul by the global-management-token when linking a self-managed Community or Enterprise cluster to HCP Consul Central. The page also summarizes the differences between using self-managed Community and Enterprise clusters linked to HCP Consul Central with read/write or read-only access, and provides details about the Consul ACL policies that provide these access permissions.
Background
When you link a self-managed Consul cluster with HCP Consul Central, HashiCorp's hosted management plane service, your cluster uses an ACL token to grant access. The management plane stores this token in a dedicated Vault environment for your organization and uses it to access your self-managed Community or Enterprise cluster when providing observability and lifecycle management operations through dashboards in the HCP portal.
During the cluster linking process, HCP Consul Central prompts you to choose between granting HCP Consul Central read/write or read-only access to your cluster. Your decision determines the ACL policy attached to the token that HCP Consul Central uses to access your self-managed Community or Enterprise cluster. You can change a cluster's read-only permissions to read/write using HCP Consul Central. However, to convert a read/write cluster to read-only, you must unlink the cluster from HCP Consul Central and then re-link it. For details on this process, refer to Manage HCP Consul Central's cluster access permissions.
For more information about HCP Consul Central and the benefits it provides, refer to HCP Consul Central. For more information about how the linking process works, refer to Link self-managed Community and Enterprise clusters with HCP Consul Central overview.
Permission comparison
The following table describes the differences in HCP Consul Central features that are available for self-managed Community and Enterprise clusters when linked with read/write permissions and read-only permissions.
Permission level | Consul Central UI View | Consul Central UI Operations | Observability dashboards | Cluster peering workflow | Version upgrades | Editable permissions while linked |
---|---|---|---|---|---|---|
Read/write | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
Read-only | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ |
ACL policy comparison
Clusters with read/write access permissions use a token with the global-management policy attached to it. This policy, which is also attached to the ACL bootstrap token, contains write permissions for your entire cluster.
Clusters with read-only access permissions use a token with the builtin/global-read-only policy attached to it. This policy contains the following ACL rules:
mesh = "read"
peering = "read"
operator = "read"
agent_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
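As an added illustration (not HashiCorp's code and not Consul's real ACL evaluator), the following Python snippet parses the rule subset shown above and evaluates requests under both policies, so you can confirm before linking that the read-only token really cannot write to services, nodes, or peerings while the read/write token can. The global-management rule set inside it is an abbreviated reconstruction from memory, not taken from this page; check the real one on your cluster with `consul acl policy read -name global-management`.

```python
import re

# Rules of the builtin/global-read-only policy, copied from the page above.
GLOBAL_READ_ONLY = """
mesh = "read"
peering = "read"
operator = "read"
agent_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
"""

# ASSUMPTION: an abbreviated reconstruction of the global-management policy
# from memory, not from the page. Verify on your cluster with
# `consul acl policy read -name global-management`.
GLOBAL_MANAGEMENT = """
acl = "write"
operator = "write"
mesh = "write"
peering = "write"
agent_prefix "" {
  policy = "write"
}
node_prefix "" {
  policy = "write"
}
service_prefix "" {
  policy = "write"
  intentions = "write"
}
key_prefix "" {
  policy = "write"
}
"""

RANK = {"deny": 0, "read": 1, "write": 2}
_KV = re.compile(r'^\s*(\w+)\s*=\s*"(\w+)"\s*$')
# `service "web" {` is an exact rule, `service_prefix "" {` a prefix rule.
_BLOCK = re.compile(r'^\s*(\w+?)(_prefix)?\s+"([^"]*)"\s*\{\s*$')


def parse_rules(text):
    """Parse the HCL-style rule subset used above.

    Returns (scalars, blocks): scalars maps a resource such as "mesh" to its
    level; blocks is a list of (resource, kind, pattern, {attr: level}).
    """
    scalars, blocks, current = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if current is not None:            # inside a { ... } block
            if line.strip() == "}":
                blocks.append(current)
                current = None
            elif (m := _KV.match(line)):
                current[3][m.group(1)] = m.group(2)
            else:
                raise ValueError(f"bad line inside block: {line!r}")
        elif (m := _BLOCK.match(line)):
            kind = "prefix" if m.group(2) else "exact"
            current = (m.group(1), kind, m.group(3), {})
        elif (m := _KV.match(line)):
            scalars[m.group(1)] = m.group(2)
        else:
            raise ValueError(f"unrecognised rule: {line!r}")
    if current is not None:
        raise ValueError("unterminated block")
    return scalars, blocks


def allowed(policy_text, resource, name, action):
    """True if `action` ("read"/"write") on resource/name is permitted.

    Mirrors Consul's documented precedence: an exact rule beats a prefix rule,
    the longest matching prefix wins, and an unmatched request is denied.
    """
    scalars, blocks = parse_rules(policy_text)
    need = RANK[action]
    if resource in scalars:                # e.g. mesh, peering, operator
        return RANK[scalars[resource]] >= need
    best = None                            # ((exact?, len), level)
    for res, kind, pat, attrs in blocks:
        if res != resource:
            continue
        if kind == "exact" and name == pat:
            spec = (1, len(pat))
        elif kind == "prefix" and name.startswith(pat):
            spec = (0, len(pat))
        else:
            continue
        if best is None or spec > best[0]:
            best = (spec, attrs.get("policy", "deny"))
    return best is not None and RANK[best[1]] >= need


def compare(requests):
    """Evaluate each (resource, name, action) under both policies."""
    return {r: {"read-only": allowed(GLOBAL_READ_ONLY, *r),
                "read/write": allowed(GLOBAL_MANAGEMENT, *r)} for r in requests}


if __name__ == "__main__":
    for req, verdict in compare([("node", "server-1", "read"),
                                 ("service", "web", "write"),
                                 ("peering", "", "write"),
                                 ("key", "config/app", "read")]).items():
        print(req, verdict)
```

Note that the read-only policy carries no `key_prefix` rule at all, so a read-only token is denied even read access to the KV store; the evaluator's default-deny for unmatched requests reproduces that.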
For more information about the ACL system and the access it provides, refer to Access Control List (ACL) Overview in the Consul documentation.