docs: adding note about enabling acl token replication for auth methods (#5792)

pull/5794/head
R.B. Boyer 6 years ago committed by GitHub
parent dbf0a0f6c0
commit 0f686687b2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -285,6 +285,14 @@ The table below shows this endpoint's support for
| ---------------- | ----------------- | ------------- | ------------ |
| `NO` | `none` | `none` | `none` |
-> **Note** - To use the login process to create tokens in any connected
secondary datacenter, [ACL
replication](/docs/agent/options.html#acl_enable_token_replication) must be
enabled. Login requires the ability to create local tokens which is restricted
to the primary datacenter and any secondary datacenters with ACL token
replication enabled.
### Parameters
- `AuthMethod` `(string: <required>)` - The name of the auth method to use for login.
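Review bot: the link text in the added note reads "ACL replication", but its target is `#acl_enable_token_replication` and the following sentence makes clear that token replication specifically is what login needs. Suggest changing the link text to "ACL token replication", matching the wording of the companion note in the auth methods page, so an operator does not conclude that the replication a secondary datacenter performs by default is sufficient.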

@ -54,6 +54,12 @@ using the API or command line before they can be used by applications.
with the `consul acl binding-rule` subcommands or the corresponding [API
endpoints](/api/acl/binding-rules.html).
-> **Note** - To configure auth methods in any connected secondary datacenter,
[ACL token replication](/docs/agent/options.html#acl_enable_token_replication)
must be enabled. Auth methods require the ability to create local tokens which
is restricted to the primary datacenter and any secondary datacenters with ACL
token replication enabled.
## Binding Rules
Binding rules allow an operator to express a systematic way of automatically
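Review bot: in the added note, "create local tokens which is restricted to the primary datacenter" reads as if the tokens, rather than the ability to create them, were restricted. Suggest a comma before "which", or rewording along the lines of "Auth methods need to create local tokens, and that is only possible in the primary datacenter and in secondary datacenters with ACL token replication enabled." The login endpoint note uses the same sentence shape and would benefit from the same change.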

@ -561,8 +561,11 @@ default will automatically work with some tooling.
* <a name="acl_enable_key_list"></a><a href="#acl_enable_key_list">`enable_key_list`</a> - Either "enabled" or "disabled", defaults to "disabled". When enabled, the `list` permission will be required on the prefix being recursively read from the KV store. Regardless of being enabled, the full set of KV entries under the prefix will be filtered to remove any entries that the request's ACL token does not grant at least read persmissions. This option is only available in Consul 1.0 and newer.
* <a name="acl_enable_token_replication"></a><a href="#acl_enable_token_replication">`enable_token_replication`</a> - By
default secondary Consul datacenters will perform replication of only ACL policies. Setting this configuration will
also enable ACL token replication.
default secondary Consul datacenters will perform replication of only ACL policies and roles.
Setting this configuration will will enable ACL token replication and
allow for the creation of both [local tokens](/api/acl/tokens.html#local)
and [auth methods](/docs/acl/acl-auth-methods.html) in connected secondary
datacenters.
* <a name="acl_enable_token_persistence"></a><a href="#acl_enable_token_persistence">`enable_token_persistence`</a> - Either
`true` or `false`. When `true` tokens set using the API will be persisted to disk and reloaded when an agent restarts.
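Review bot: the added line "Setting this configuration will will enable ACL token replication and" repeats "will"; drop one. The rewritten `enable_token_replication` entry also still gives no accepted values or default, unlike the neighbouring `enable_key_list` ("Either "enabled" or "disabled", defaults to "disabled"") and `enable_token_persistence` ("Either `true` or `false`") entries. Since local tokens and auth methods in secondaries now hinge on this option, stating its values and default here would save readers a lookup.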
