
We have successfully enabled the ACL subsystem on our Nomad cluster by setting acl.enabled = true for all the Nomad servers on the cluster. It appears that the ACL works as expected without needing to set acl.enabled = true for the Nomad clients on the cluster.

The Nomad ACL docs do mention enabling ACLs on Nomad clients:

To enforce client endpoints, you need to enable ACLs on clients as well. Do this by setting the enabled value of the acl stanza to true. Once complete, restart the client to read in the new configuration.

However, what we've seen is that Nomad CLI commands run from a client (without acl.enabled = true) are still gated with 403 (Permission Denied), as expected.

As our cluster has many clients, it would save us time if we did not have to explicitly enable ACL for every client.

To summarize, we would like to know if it is absolutely required that the Nomad clients also have their configuration updated to enable ACL, even though the ACL subsystem appears to already work by just enabling ACL on the Nomad servers.

Francis

1 Answer


If all of your Nomad systems are on 100% trusted systems and you are fine with anyone on the network being able to submit jobs, etc., then you don't need ACLs.

If you are NOT ok with that, for whatever reason, then you have to go through the ACL song and dance and make it work. If you also use Vault, you can integrate the two, making your life easier, see: https://www.vaultproject.io/docs/secrets/nomad

ACLs must be enabled on the client as well: "To enforce client endpoints, you need to enable ACLs on clients as well." - https://learn.hashicorp.com/tutorials/nomad/access-control-bootstrap?in=nomad/access-control#enable-acls-on-nomad-clients

zie
  • As mentioned in the original post, the Nomad clients already appear to be ACL-governed simply by enabling ACL on the Nomad servers. For example, Nomad CLI commands executed on Nomad clients (which don't have `acl.enabled = true`) are already gated with 403 (Permission Denied). What additional security comes with setting `acl.enabled = true` for Nomad clients? – Francis Mar 26 '21 at 20:49
  • Ah, sorry, yes, you definitely should enable acl.enabled = true on the clients as well. The reason is that the clients have their own API endpoints, and they also need to be secured. Per documentation: "To enforce client endpoints, you need to enable ACLs on clients as well." - https://learn.hashicorp.com/tutorials/nomad/access-control-bootstrap?in=nomad/access-control#enable-acls-on-nomad-clients – zie Mar 28 '21 at 18:23
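As an added illustration of the point made in the question and the answer (this is example configuration written for this page, not the poster's, the answerer's, or HashiCorp's own files), here is a minimal pair of Nomad agent configurations with the `acl` stanza set on both roles. The file names, datacenter, `data_dir`, server address and `bootstrap_expect` value are assumptions; the `server`, `client` and `acl` stanzas and their keys are standard Nomad agent configuration.

```hcl
# ---- server.hcl (assumed filename) ----
# Minimal Nomad server agent configuration. Added example, not from the page.
datacenter = "dc1"                 # assumed
data_dir   = "/opt/nomad/data"     # assumed

server {
  enabled          = true
  bootstrap_expect = 3             # assumed server count
}

# Enabling ACLs on the servers gates the server-side RPC/HTTP endpoints.
# This is why CLI commands that are forwarded to the servers already return
# 403 (Permission Denied) without a token, even from clients that have no
# acl stanza of their own.
acl {
  enabled = true
}

# ---- client.hcl (assumed filename) ----
# Minimal Nomad client agent configuration. Added example, not from the page.
datacenter = "dc1"                 # assumed
data_dir   = "/opt/nomad/data"     # assumed

client {
  enabled = true
  servers = ["nomad-server-1:4647"]  # assumed hostname; 4647 is Nomad's default RPC port
}

# Without this stanza the client agent's own HTTP endpoints (the "client
# endpoints" the docs refer to, served directly by the client process rather
# than forwarded to the servers) are not ACL-gated, even though the servers are.
acl {
  enabled = true
}
```

After restarting each client with the `acl` stanza in place, a quick defender-side check is to request a client-local endpoint such as `GET /v1/client/stats` on the client's HTTP port (4646 by default) without a `NOMAD_TOKEN`; with client-side enforcement on it should be refused with 403, which is the difference that the extra stanza makes. Managing that change across many clients is a configuration-management concern, not something the cluster can infer from the server setting.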