Purpose of enabling ACL for Nomad clients

francis-li · March 23, 2021, 9:52pm

We have successfully enabled the ACL subsystem on our Nomad cluster by setting acl.enabled = true for all the Nomad servers on the cluster. It appears that the ACL works as expected without needing to set acl.enabled = true for the Nomad clients on the cluster.

For example, Nomad CLI commands run from a client (without acl.enabled = true) are still gated with 403 (Permission Denied), as expected.

While the Nomad ACL docs do mention enabling ACL’s on Nomad clients, there is no additional information about why it is needed.

As our cluster has many clients, it would save us time if we did not have to explicitly enable ACL for every client.

To summarize - we would like to know if it is absolutely required that the Nomad clients also have their configuration updated to enable ACL, even though the ACL subsystem appears to already work by just enabling ACL on the Nomad servers.

lgfa29 · March 29, 2021, 4:44pm

Hi @francis-li

ACL appears to work without enabling it in the clients because requests are usually forward from clients to servers. But that’s not true for all endpoints. Without ACL enabled in the clients you would be exposing those endpoints to unauthenticated users. Apart from that, there are other issues that have seen, but I don’t have an exact list right now.

So in general it’s really not recommended to have ACLs only enabled in the servers.

Topic		Replies	Views
Nomad client ACL for joining a cluster Nomad acl	2	494	November 27, 2022
[Nomad][ACL] is there any production ready example for nomad acl policy? Nomad	1	345	August 17, 2021
A reliable way to tell if Nomad client/server has joined a cluster without ACL? Nomad acl	2	293	April 29, 2023
Access control for Nomad clients Nomad	2	584	January 24, 2022
Nomad authentication Nomad	7	1642	August 5, 2020

Purpose of enabling ACL for Nomad clients

Related topics