Introduction
Problem
Nomad ACLs are a great way to refine and administer a user's capabilities within Nomad based on their role (admin, developer, QA, etc.); ACLs are enforced whether the user interacts with Nomad using the CLI or the UI.
While the Nomad CLI is the preferred method for many who interact with Nomad, the Nomad UI offers a richer experience for end users.
It is possible that performing an action in the CLI (e.g. reading allocation logs) using a Nomad token works as expected, but performing the same action in the UI returns a "Not Authorized" message. This article covers the cause of this confusing behavior and how to resolve it.
Prerequisites (if applicable)
- Nomad
- ACLs enabled
Cause
- The richer UI experience requires calls to additional endpoints, which are unnecessary when using the CLI.
- Two API endpoints that the UI calls on most pages generate this message: '/v1/agent' and '/v1/node'. These requests can be seen in your browser's developer tools while navigating the Nomad UI.
Overview of possible solutions (if applicable)
Solution:
- Add the capabilities below to your ACL policy:
node {
  policy = "read"
}
agent {
  policy = "read"
}
Outcome
Once read capability has been added for node and agent in your ACL policy, the "Not Authorized" message will no longer display in the UI.
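To find which existing tokens will still hit this message, the policies attached to each token can be audited for the two blocks above. The script below is an added example, not part of the original article or of Nomad itself; the function names, policy names and token names are hypothetical, the sample data is constructed, and it assumes HCL-format rules scanned with a simplified regex (not a full HCL parser) and that "deny" takes precedence when a token's policies are merged.

```python
import re

UI_BLOCKS = ("node", "agent")     # blocks the article says the UI needs read on
RANK = ("deny", "write", "read")  # assumption: deny wins when policies merge

def block_level(rules, block):
    """Level set by a top-level `block { policy = "..." }` in HCL rules, or None."""
    text = re.sub(r"(#|//).*", "", rules)  # ignore commented-out blocks
    pattern = r"(?<![\w-])" + re.escape(block) + r'\s*\{[^}]*?\bpolicy\s*=\s*"(\w+)"'
    match = re.search(pattern, text)
    return match.group(1) if match else None

def effective_level(rule_texts, block):
    """Merge one block's level across all policies attached to a token."""
    levels = {block_level(rules, block) for rules in rule_texts}
    return next((lvl for lvl in RANK if lvl in levels), None)

def ui_gaps(tokens, policies):
    """Map token name -> UI blocks that lack read access (empty list means OK)."""
    report = {}
    for name, attached in tokens.items():
        texts = [policies[p] for p in attached]
        # "write" is accepted because it includes read access.
        report[name] = [b for b in UI_BLOCKS
                        if effective_level(texts, b) not in ("read", "write")]
    return report

# Constructed sample data: policy name -> HCL rules, token name -> policy names.
POLICIES = {
    "dev-logs": 'namespace "default" {\n  policy = "read"\n'
                '  capabilities = ["read-logs"]\n}\n',
    "ui-read": 'node {\n  policy = "read"\n}\nagent {\n  policy = "read"\n}\n',
    "no-agent": '# agent { policy = "read" }\nagent {\n  policy = "deny"\n}\n',
}
TOKENS = {
    "alice": ["dev-logs"],
    "bob": ["dev-logs", "ui-read"],
    "carol": ["dev-logs", "ui-read", "no-agent"],
}

if __name__ == "__main__":
    for token, missing in ui_gaps(TOKENS, POLICIES).items():
        status = "OK" if not missing else "missing read on: " + ", ".join(missing)
        print(token + ": " + status)
```

Granting only "read" on node and agent keeps the fix within least privilege; a token flagged here needs nothing broader than the two blocks shown in the solution.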