Purpose of enabling ACL for Nomad clients

We have successfully enabled the ACL subsystem on our Nomad cluster by setting acl.enabled = true for all the Nomad servers on the cluster. It appears that the ACL works as expected without needing to set acl.enabled = true for the Nomad clients on the cluster.

For example, Nomad CLI commands run from a client (without acl.enabled = true) are still gated with 403 (Permission Denied), as expected.

While the Nomad ACL docs do mention enabling ACLs on Nomad clients, there is no additional information about why it is needed.

As our cluster has many clients, it would save us time if we did not have to explicitly enable ACL for every client.

To summarize, we would like to know if it is absolutely required that the Nomad clients also have their configuration updated to enable ACL, even though the ACL subsystem appears to already work by just enabling ACL on the Nomad servers.

Hi @francis-li :wave:

ACL appears to work without enabling it in the clients because requests are usually forwarded from clients to servers. But that’s not true for all endpoints. Without ACL enabled in the clients you would be exposing those endpoints to unauthenticated users. Apart from that, there are other issues that we have seen, but I don’t have an exact list right now.

So in general it’s really not recommended to have ACLs only enabled in the servers.

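As an added example (not from this thread and not Nomad's own code), a small Python audit that takes the `/v1/agent/self` response of every agent in an inventory and reports client agents that still run with `acl.enabled` false or unset. The sample responses are constructed, and the JSON field names it reads (`config.Server.Enabled`, `config.Client.Enabled`, `config.ACL.Enabled`) are assumed from Nomad's agent configuration rather than taken from the thread.

```python
import json
import urllib.request

# Constructed sample: inventory address -> body of GET /v1/agent/self.
# Field names are assumed from Nomad's agent config; only the keys the audit reads are kept.
SAMPLE_AGENTS = {
    "10.0.0.1:4646": {"config": {"Server": {"Enabled": True}, "Client": {"Enabled": False},
                                 "ACL": {"Enabled": True}}},
    "10.0.1.10:4646": {"config": {"Server": {"Enabled": False}, "Client": {"Enabled": True},
                                  "ACL": {"Enabled": False}}},
    "10.0.1.11:4646": {"config": {"Server": {"Enabled": False}, "Client": {"Enabled": True},
                                  "ACL": {"Enabled": True}}},
    # acl block omitted entirely: Nomad's default is disabled, so this must be flagged too
    "10.0.1.12:4646": {"config": {"Server": {"Enabled": False}, "Client": {"Enabled": True}}},
}


def fetch_agent_self(addr, token, timeout=5):
    """Fetch /v1/agent/self from one agent (not exercised offline; needs a token that may read it)."""
    req = urllib.request.Request(f"http://{addr}/v1/agent/self", headers={"X-Nomad-Token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def acl_enabled(agent_self):
    """True only when the agent reports acl.enabled = true; a missing block counts as disabled."""
    return bool(agent_self.get("config", {}).get("ACL", {}).get("Enabled", False))


def is_client(agent_self):
    """True when the agent runs the client subsystem, i.e. serves client-side endpoints itself."""
    return bool(agent_self.get("config", {}).get("Client", {}).get("Enabled", False))


def find_clients_missing_acl(agents):
    """Return the sorted addresses of client agents whose local ACL enforcement is off."""
    return sorted(addr for addr, body in agents.items() if is_client(body) and not acl_enabled(body))


def audit_report(agents):
    """Human-readable summary: which clients still answer locally served endpoints unauthenticated."""
    missing = find_clients_missing_acl(agents)
    lines = [f"{len(agents)} agents inspected, {len(missing)} client(s) without ACL enforcement"]
    lines += [f"  {addr}: acl.enabled is false or unset" for addr in missing]
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit_report(SAMPLE_AGENTS))
```

For a live run, build the `agents` dict by calling `fetch_agent_self` for each address in your inventory and pass it to `audit_report`.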