Merge pull request #3160 from hashicorp/f-acl

Initial ACL enforcement framework

acl/acl.go

+package acl
+
+import (
+	"fmt"
+
+	iradix "github.com/hashicorp/go-immutable-radix"
+)
+
+// ManagementACL is a singleton used for management tokens
+var ManagementACL *ACL
+
+func init() {
+	var err error
+	ManagementACL, err = NewACL(true, nil)
+	if err != nil {
+		panic(fmt.Errorf("failed to setup management ACL: %v", err))
+	}
+}
+
+// capabilitySet is a type wrapper to help managing a set of capabilities
+type capabilitySet map[string]struct{}
+
+func (c capabilitySet) Check(k string) bool {
+	_, ok := c[k]
+	return ok
+}
+
+func (c capabilitySet) Set(k string) {
+	c[k] = struct{}{}
+}
+
+func (c capabilitySet) Clear() {
+	for cap := range c {
+		delete(c, cap)
+	}
+}
+
+// ACL object is used to convert a set of policies into a structure that
+// can be efficiently evaluated to determine if an action is allowed.
+type ACL struct {
+	// management tokens are allowed to do anything
+	management bool
+
+	// namespaces maps a namespace to a capabilitySet
+	namespaces *iradix.Tree
+
+	agent    string
+	node     string
+	operator string
+}
+
+// maxPrivilege returns the policy which grants the most privilege
+// This handles the case of Deny always taking maximum precedence.
+func maxPrivilege(a, b string) string {
+	switch {
+	case a == PolicyDeny || b == PolicyDeny:
+		return PolicyDeny
+	case a == PolicyWrite || b == PolicyWrite:
+		return PolicyWrite
+	case a == PolicyRead || b == PolicyRead:
+		return PolicyRead
+	default:
+		return ""
+	}
+}
+
+// NewACL compiles a set of policies into an ACL object
+func NewACL(management bool, policies []*Policy) (*ACL, error) {
+	// Hot-path management tokens
+	if management {
+		return &ACL{management: true}, nil
+	}
+
+	// Create the ACL object
+	acl := &ACL{}
+	nsTxn := iradix.New().Txn()
+
+	for _, policy := range policies {
+	NAMESPACES:
+		for _, ns := range policy.Namespaces {
+			// Check for existing capabilities
+			var capabilities capabilitySet
+			raw, ok := nsTxn.Get([]byte(ns.Name))
+			if ok {
+				capabilities = raw.(capabilitySet)
+			} else {
+				capabilities = make(capabilitySet)
+				nsTxn.Insert([]byte(ns.Name), capabilities)
+			}
+
+			// Deny always takes precedence
+			if capabilities.Check(NamespaceCapabilityDeny) {
+				continue NAMESPACES
+			}
+
+			// Add in all the capabilities
+			for _, cap := range ns.Capabilities {
+				if cap == NamespaceCapabilityDeny {
+					// Overwrite any existing capabilities
+					capabilities.Clear()
+					capabilities.Set(NamespaceCapabilityDeny)
+					continue NAMESPACES
+				}
+				capabilities.Set(cap)
+			}
+		}
+
+		// Take the maximum privilege for agent, node, and operator
+		if policy.Agent != nil {
+			acl.agent = maxPrivilege(acl.agent, policy.Agent.Policy)
+		}
+		if policy.Node != nil {
+			acl.node = maxPrivilege(acl.node, policy.Node.Policy)
+		}
+		if policy.Operator != nil {
+			acl.operator = maxPrivilege(acl.operator, policy.Operator.Policy)
+		}
+	}
+
+	// Finalize the namespaces
+	acl.namespaces = nsTxn.Commit()
+	return acl, nil
+}
+
+// AllowNamespaceOperation checks if a given operation is allowed for a namespace
+func (a *ACL) AllowNamespaceOperation(ns string, op string) bool {
+	// Hot path management tokens
+	if a.management {
+		return true
+	}
+
+	// Check for a matching capability set
+	raw, ok := a.namespaces.Get([]byte(ns))
+	if !ok {
+		return false
+	}
+
+	// Check if the capability has been granted
+	capabilities := raw.(capabilitySet)
+	return capabilities.Check(op)
+}
+
+// AllowAgentRead checks if read operations are allowed for an agent
+func (a *ACL) AllowAgentRead() bool {
+	switch {
+	case a.management:
+		return true
+	case a.agent == PolicyWrite:
+		return true
+	case a.agent == PolicyRead:
+		return true
+	default:
+		return false
+	}
+}
+
+// AllowAgentWrite checks if write operations are allowed for an agent
+func (a *ACL) AllowAgentWrite() bool {
+	switch {
+	case a.management:
+		return true
+	case a.agent == PolicyWrite:
+		return true
+	default:
+		return false
+	}
+}
+
+// AllowNodeRead checks if read operations are allowed for a node
+func (a *ACL) AllowNodeRead() bool {
+	switch {
+	case a.management:
+		return true
+	case a.node == PolicyWrite:
+		return true
+	case a.node == PolicyRead:
+		return true
+	default:
+		return false
+	}
+}
+
+// AllowNodeWrite checks if write operations are allowed for a node
+func (a *ACL) AllowNodeWrite() bool {
+	switch {
+	case a.management:
+		return true
+	case a.node == PolicyWrite:
+		return true
+	default:
+		return false
+	}
+}
+
+// AllowOperatorRead checks if read operations are allowed for a operator
+func (a *ACL) AllowOperatorRead() bool {
+	switch {
+	case a.management:
+		return true
+	case a.operator == PolicyWrite:
+		return true
+	case a.operator == PolicyRead:
+		return true
+	default:
+		return false
+	}
+}
+
+// AllowOperatorWrite checks if write operations are allowed for a operator
+func (a *ACL) AllowOperatorWrite() bool {
+	switch {
+	case a.management:
+		return true
+	case a.operator == PolicyWrite:
+		return true
+	default:
+		return false
+	}
+}
+
+// IsManagement checks if this represents a management token
+func (a *ACL) IsManagement() bool {
+	return a.management
+}

acl/acl_test.go

+package acl
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCapabilitySet(t *testing.T) {
+	var cs capabilitySet = make(map[string]struct{})
+
+	// Check no capabilities by default
+	if cs.Check(PolicyDeny) {
+		t.Fatalf("unexpected check")
+	}
+
+	// Do a set and check
+	cs.Set(PolicyDeny)
+	if !cs.Check(PolicyDeny) {
+		t.Fatalf("missing check")
+	}
+
+	// Clear and check
+	cs.Clear()
+	if cs.Check(PolicyDeny) {
+		t.Fatalf("unexpected check")
+	}
+}
+
+func TestMaxPrivilege(t *testing.T) {
+	type tcase struct {
+		Privilege      string
+		PrecedenceOver []string
+	}
+	tcases := []tcase{
+		{
+			PolicyDeny,
+			[]string{PolicyDeny, PolicyWrite, PolicyRead, ""},
+		},
+		{
+			PolicyWrite,
+			[]string{PolicyWrite, PolicyRead, ""},
+		},
+		{
+			PolicyRead,
+			[]string{PolicyRead, ""},
+		},
+	}
+
+	for idx1, tc := range tcases {
+		for idx2, po := range tc.PrecedenceOver {
+			if maxPrivilege(tc.Privilege, po) != tc.Privilege {
+				t.Fatalf("failed %d %d", idx1, idx2)
+			}
+			if maxPrivilege(po, tc.Privilege) != tc.Privilege {
+				t.Fatalf("failed %d %d", idx1, idx2)
+			}
+		}
+	}
+}
+
+func TestACLManagement(t *testing.T) {
+	// Create management ACL
+	acl, err := NewACL(true, nil)
+	assert.Nil(t, err)
+
+	// Check default namespace rights
+	assert.Equal(t, true, acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
+	assert.Equal(t, true, acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
+
+	// Check non-specified namespace
+	assert.Equal(t, true, acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
+
+	// Check the other simpler operations
+	assert.Equal(t, true, acl.IsManagement())
+	assert.Equal(t, true, acl.AllowAgentRead())
+	assert.Equal(t, true, acl.AllowAgentWrite())
+	assert.Equal(t, true, acl.AllowNodeRead())
+	assert.Equal(t, true, acl.AllowNodeWrite())
+	assert.Equal(t, true, acl.AllowOperatorRead())
+	assert.Equal(t, true, acl.AllowOperatorWrite())
+}
+
+func TestACLMerge(t *testing.T) {
+	// Merge read + write policy
+	p1, err := Parse(readAll)
+	assert.Nil(t, err)
+	p2, err := Parse(writeAll)
+	assert.Nil(t, err)
+	acl, err := NewACL(false, []*Policy{p1, p2})
+	assert.Nil(t, err)
+
+	// Check default namespace rights
+	assert.Equal(t, true, acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
+	assert.Equal(t, true, acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
+
+	// Check non-specified namespace
+	assert.Equal(t, false, acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
+
+	// Check the other simpler operations
+	assert.Equal(t, false, acl.IsManagement())
+	assert.Equal(t, true, acl.AllowAgentRead())
+	assert.Equal(t, true, acl.AllowAgentWrite())
+	assert.Equal(t, true, acl.AllowNodeRead())
+	assert.Equal(t, true, acl.AllowNodeWrite())
+	assert.Equal(t, true, acl.AllowOperatorRead())
+	assert.Equal(t, true, acl.AllowOperatorWrite())
+
+	// Merge read + blank
+	p3, err := Parse("")
+	assert.Nil(t, err)
+	acl, err = NewACL(false, []*Policy{p1, p3})
+	assert.Nil(t, err)
+
+	// Check default namespace rights
+	assert.Equal(t, true, acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
+	assert.Equal(t, false, acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
+
+	// Check non-specified namespace
+	assert.Equal(t, false, acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
+
+	// Check the other simpler operations
+	assert.Equal(t, false, acl.IsManagement())
+	assert.Equal(t, true, acl.AllowAgentRead())
+	assert.Equal(t, false, acl.AllowAgentWrite())
+	assert.Equal(t, true, acl.AllowNodeRead())
+	assert.Equal(t, false, acl.AllowNodeWrite())
+	assert.Equal(t, true, acl.AllowOperatorRead())
+	assert.Equal(t, false, acl.AllowOperatorWrite())
+
+	// Merge read + deny
+	p4, err := Parse(denyAll)
+	assert.Nil(t, err)
+	acl, err = NewACL(false, []*Policy{p1, p4})
+	assert.Nil(t, err)
+
+	// Check default namespace rights
+	assert.Equal(t, false, acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs))
+	assert.Equal(t, false, acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob))
+
+	// Check non-specified namespace
+	assert.Equal(t, false, acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs))
+
+	// Check the other simpler operations
+	assert.Equal(t, false, acl.IsManagement())
+	assert.Equal(t, false, acl.AllowAgentRead())
+	assert.Equal(t, false, acl.AllowAgentWrite())
+	assert.Equal(t, false, acl.AllowNodeRead())
+	assert.Equal(t, false, acl.AllowNodeWrite())
+	assert.Equal(t, false, acl.AllowOperatorRead())
+	assert.Equal(t, false, acl.AllowOperatorWrite())
+}
+
+var readAll = `
+namespace "default" {
+	policy = "read"
+}
+agent {
+	policy = "read"
+}
+node {
+	policy = "read"
+}
+operator {
+	policy = "read"
+}
+`
+
+var writeAll = `
+namespace "default" {
+	policy = "write"
+}
+agent {
+	policy = "write"
+}
+node {
+	policy = "write"
+}
+operator {
+	policy = "write"
+}
+`
+
+var denyAll = `
+namespace "default" {
+	policy = "deny"
+}
+agent {
+	policy = "deny"
+}
+node {
+	policy = "deny"
+}
+operator {
+	policy = "deny"
+}
+`

acl/policy.go

+package acl
+
+import (
+	"fmt"
+	"regexp"
+
+	"github.com/hashicorp/hcl"
+)
+
+const (
+	// The following levels are the only valid values for the `policy = "read"` stanza.
+	// When policies are merged together, the most privilege is granted, except for deny
+	// which always takes precedence and supercedes.
+	PolicyDeny  = "deny"
+	PolicyRead  = "read"
+	PolicyWrite = "write"
+)
+
+const (
+	// The following are the fine-grained capabilities that can be granted within a namespace.
+	// The Policy stanza is a short hand for granting several of these. When capabilities are
+	// combined we take the union of all capabilities. If the deny capability is present, it
+	// takes precedence and overwrites all other capabilities.
+	NamespaceCapabilityDeny      = "deny"
+	NamespaceCapabilityListJobs  = "list-jobs"
+	NamespaceCapabilityReadJob   = "read-job"
+	NamespaceCapabilitySubmitJob = "submit-job"
+	NamespaceCapabilityReadLogs  = "read-logs"
+	NamespaceCapabilityReadFS    = "read-fs"
+)
+
+var (
+	validNamespace = regexp.MustCompile("^[a-zA-Z0-9-]{1,128}$")
+)
+
+// Policy represents a parsed HCL or JSON policy.
+type Policy struct {
+	Namespaces []*NamespacePolicy `hcl:"namespace,expand"`
+	Agent      *AgentPolicy       `hcl:"agent"`
+	Node       *NodePolicy        `hcl:"node"`
+	Operator   *OperatorPolicy    `hcl:"operator"`
+	Raw        string             `hcl:"-"`
+}
+
+// NamespacePolicy is the policy for a specific namespace
+type NamespacePolicy struct {
+	Name         string `hcl:",key"`
+	Policy       string
+	Capabilities []string
+}
+
+type AgentPolicy struct {
+	Policy string
+}
+
+type NodePolicy struct {
+	Policy string
+}
+
+type OperatorPolicy struct {
+	Policy string
+}
+
+// isPolicyValid makes sure the given string matches one of the valid policies.
+func isPolicyValid(policy string) bool {
+	switch policy {
+	case PolicyDeny, PolicyRead, PolicyWrite:
+		return true
+	default:
+		return false
+	}
+}
+
+// isNamespaceCapabilityValid ensures the given capability is valid for a namespace policy
+func isNamespaceCapabilityValid(cap string) bool {
+	switch cap {
+	case NamespaceCapabilityDeny, NamespaceCapabilityListJobs, NamespaceCapabilityReadJob,
+		NamespaceCapabilitySubmitJob, NamespaceCapabilityReadLogs, NamespaceCapabilityReadFS:
+		return true
+	default:
+		return false
+	}
+}
+
+// expandNamespacePolicy provides the equivalent set of capabilities for
+// a namespace policy
+func expandNamespacePolicy(policy string) []string {
+	switch policy {
+	case PolicyDeny:
+		return []string{NamespaceCapabilityDeny}
+	case PolicyRead:
+		return []string{
+			NamespaceCapabilityListJobs,
+			NamespaceCapabilityReadJob,
+		}
+	case PolicyWrite:
+		return []string{
+			NamespaceCapabilityListJobs,
+			NamespaceCapabilityReadJob,
+			NamespaceCapabilitySubmitJob,
+			NamespaceCapabilityReadLogs,
+			NamespaceCapabilityReadFS,
+		}
+	default:
+		return nil
+	}
+}
+
+// Parse is used to parse the specified ACL rules into an
+// intermediary set of policies, before being compiled into
+// the ACL
+func Parse(rules string) (*Policy, error) {
+	// Decode the rules
+	p := &Policy{Raw: rules}
+	if rules == "" {
+		// Hot path for empty rules
+		return p, nil
+	}
+
+	// Attempt to parse
+	if err := hcl.Decode(p, rules); err != nil {
+		return nil, fmt.Errorf("Failed to parse ACL Policy: %v", err)
+	}
+
+	// Validate the policy
+	for _, ns := range p.Namespaces {
+		if !validNamespace.MatchString(ns.Name) {
+			return nil, fmt.Errorf("Invalid namespace name: %#v", ns)
+		}
+		if ns.Policy != "" && !isPolicyValid(ns.Policy) {
+			return nil, fmt.Errorf("Invalid namespace policy: %#v", ns)
+		}
+		for _, cap := range ns.Capabilities {
+			if !isNamespaceCapabilityValid(cap) {
+				return nil, fmt.Errorf("Invalid namespace capability '%s': %#v", cap, ns)
+			}
+		}
+
+		// Expand the short hand policy to the capabilities and
+		// add to any existing capabilities
+		if ns.Policy != "" {
+			extraCap := expandNamespacePolicy(ns.Policy)
+			ns.Capabilities = append(ns.Capabilities, extraCap...)
+		}
+	}
+
+	if p.Agent != nil && !isPolicyValid(p.Agent.Policy) {
+		return nil, fmt.Errorf("Invalid agent policy: %#v", p.Agent)
+	}
+
+	if p.Node != nil && !isPolicyValid(p.Node.Policy) {
+		return nil, fmt.Errorf("Invalid node policy: %#v", p.Node)
+	}
+
+	if p.Operator != nil && !isPolicyValid(p.Operator.Policy) {
+		return nil, fmt.Errorf("Invalid operator policy: %#v", p.Operator)
+	}
+	return p, nil
+}

acl/policy_test.go

+package acl
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParse(t *testing.T) {
+	type tcase struct {
+		Raw    string
+		ErrStr string
+		Expect *Policy
+	}
+	tcases := []tcase{
+		{
+			`
+			namespace "default" {
+				policy = "read"
+			}
+			`,
+			"",
+			&Policy{
+				Namespaces: []*NamespacePolicy{
+					&NamespacePolicy{
+						Name:   "default",
+						Policy: PolicyRead,
+						Capabilities: []string{
+							NamespaceCapabilityListJobs,
+							NamespaceCapabilityReadJob,
+						},
+					},
+				},
+			},
+		},
+		{
+			`
+			namespace "default" {
+				policy = "read"
+			}
+			namespace "other" {
+				policy = "write"
+			}
+			namespace "secret" {
+				capabilities = ["deny", "read-logs"]
+			}
+			agent {
+				policy = "read"
+			}
+			node {
+				policy = "write"
+			}
+			operator {
+				policy = "deny"
+			}
+			`,
+			"",
+			&Policy{
+				Namespaces: []*NamespacePolicy{
+					&NamespacePolicy{
+						Name:   "default",
+						Policy: PolicyRead,
+						Capabilities: []string{
+							NamespaceCapabilityListJobs,
+							NamespaceCapabilityReadJob,
+						},
+					},
+					&NamespacePolicy{
+						Name:   "other",
+						Policy: PolicyWrite,
+						Capabilities: []string{
+							NamespaceCapabilityListJobs,
+							NamespaceCapabilityReadJob,
+							NamespaceCapabilitySubmitJob,
+							NamespaceCapabilityReadLogs,
+							NamespaceCapabilityReadFS,
+						},
+					},
+					&NamespacePolicy{
+						Name: "secret",
+						Capabilities: []string{
+							NamespaceCapabilityDeny,
+							NamespaceCapabilityReadLogs,
+						},
+					},
+				},
+				Agent: &AgentPolicy{
+					Policy: PolicyRead,
+				},
+				Node: &NodePolicy{
+					Policy: PolicyWrite,
+				},
+				Operator: &OperatorPolicy{
+					Policy: PolicyDeny,
+				},
+			},
+		},
+		{
+			`
+			namespace "default" {
+				policy = "foo"
+			}
+			`,
+			"Invalid namespace policy",
+			nil,
+		},
+		{
+			`
+			namespace "default" {
+				capabilities = ["deny", "foo"]
+			}
+			`,
+			"Invalid namespace capability",
+			nil,
+		},
+		{
+			`
+			agent {
+				policy = "foo"
+			}
+			`,
+			"Invalid agent policy",
+			nil,
+		},
+		{
+			`
+			node {
+				policy = "foo"
+			}
+			`,
+			"Invalid node policy",
+			nil,
+		},
+		{
+			`
+			operator {
+				policy = "foo"
+			}
+			`,
+			"Invalid operator policy",
+			nil,
+		},
+		{
+			`
+			namespace "has a space"{
+				policy = "read"
+			}
+			`,
+			"Invalid namespace name",
+			nil,
+		},
+	}
+
+	for idx, tc := range tcases {
+		t.Run(fmt.Sprintf("%d", idx), func(t *testing.T) {
+			p, err := Parse(tc.Raw)
+			if err != nil {
+				if tc.ErrStr == "" {
+					t.Fatalf("Unexpected err: %v", err)
+				}
+				if !strings.Contains(err.Error(), tc.ErrStr) {
+					t.Fatalf("Unexpected err: %v", err)
+				}
+				return
+			}
+			if err == nil && tc.ErrStr != "" {
+				t.Fatalf("Missing expected err")
+			}
+			tc.Expect.Raw = tc.Raw
+			assert.EqualValues(t, tc.Expect, p)
+		})
+	}
+}

api/acl.go

+package api
+
+import (
+	"fmt"
+	"time"
+)
+
+// ACLPolicies is used to query the ACL Policy endpoints.
+type ACLPolicies struct {
+	client *Client
+}
+
+// ACLPolicies returns a new handle on the ACL policies.
+func (c *Client) ACLPolicies() *ACLPolicies {
+	return &ACLPolicies{client: c}
+}
+
+// List is used to dump all of the policies.
+func (a *ACLPolicies) List(q *QueryOptions) ([]*ACLPolicyListStub, *QueryMeta, error) {
+	var resp []*ACLPolicyListStub
+	qm, err := a.client.query("/v1/acl/policies", &resp, q)
+	if err != nil {
+		return nil, nil, err
+	}
+	return resp, qm, nil
+}
+
+// Upsert is used to create or update a policy
+func (a *ACLPolicies) Upsert(policy *ACLPolicy, q *WriteOptions) (*WriteMeta, error) {
+	if policy == nil || policy.Name == "" {
+		return nil, fmt.Errorf("missing policy name")
+	}
+	wm, err := a.client.write("/v1/acl/policy/"+policy.Name, policy, nil, q)
+	if err != nil {
+		return nil, err
+	}
+	return wm, nil
+}
+
+// Delete is used to delete a policy
+func (a *ACLPolicies) Delete(policyName string, q *WriteOptions) (*WriteMeta, error) {
+	if policyName == "" {
+		return nil, fmt.Errorf("missing policy name")
+	}
+	wm, err := a.client.delete("/v1/acl/policy/"+policyName, nil, q)
+	if err != nil {
+		return nil, err
+	}
+	return wm, nil
+}
+
+// Info is used to query a specific policy
+func (a *ACLPolicies) Info(policyName string, q *QueryOptions) (*ACLPolicy, *QueryMeta, error) {
+	if policyName == "" {
+		return nil, nil, fmt.Errorf("missing policy name")
+	}
+	var resp ACLPolicy
+	wm, err := a.client.query("/v1/acl/policy/"+policyName, &resp, q)
+	if err != nil {
+		return nil, nil, err
+	}
+	return &resp, wm, nil
+}
+
+// ACLTokens is used to query the ACL token endpoints.
+type ACLTokens struct {
+	client *Client
+}
+
+// ACLTokens returns a new handle on the ACL tokens.
+func (c *Client) ACLTokens() *ACLTokens {
+	return &ACLTokens{client: c}
+}
+
+// Bootstrap is used to get the initial bootstrap token
+func (a *ACLTokens) Bootstrap(q *WriteOptions) (*ACLToken, *WriteMeta, error) {
+	var resp ACLToken
+	wm, err := a.client.write("/v1/acl/bootstrap", nil, &resp, q)
+	if err != nil {
+		return nil, nil, err
+	}
+	return &resp, wm, nil
+}
+
+// List is used to dump all of the tokens.
+func (a *ACLTokens) List(q *QueryOptions) ([]*ACLTokenListStub, *QueryMeta, error) {
+	var resp []*ACLTokenListStub
+	qm, err := a.client.query("/v1/acl/tokens", &resp, q)
+	if err != nil {
+		return nil, nil, err
+	}
+	return resp, qm, nil
+}
+
+// Create is used to create a token
+func (a *ACLTokens) Create(token *ACLToken, q *WriteOptions) (*ACLToken, *WriteMeta, error) {
+	if token.AccessorID != "" {
+		return nil, nil, fmt.Errorf("cannot specify Accessor ID")
+	}
+	var resp ACLToken
+	wm, err := a.client.write("/v1/acl/token", token, &resp, q)
+	if err != nil {
+		return nil, nil, err
+	}
+	return &resp, wm, nil
+}
+
+// Update is used to update an existing token
+func (a *ACLTokens) Update(token *ACLToken, q *WriteOptions) (*ACLToken, *WriteMeta, error) {
+	if token.AccessorID == "" {
+		return nil, nil, fmt.Errorf("missing accessor ID")
+	}
+	var resp ACLToken
+	wm, err := a.client.write("/v1/acl/token/"+token.AccessorID,
+		token, &resp, q)
+	if err != nil {
+		return nil, nil, err
+	}
+	return &resp, wm, nil
+}
+
+// Delete is used to delete a token
+func (a *ACLTokens) Delete(accessorID string, q *WriteOptions) (*WriteMeta, error) {
+	if accessorID == "" {
+		return nil, fmt.Errorf("missing accessor ID")
+	}
+	wm, err := a.client.delete("/v1/acl/token/"+accessorID, nil, q)
+	if err != nil {
+		return nil, err
+	}
+	return wm, nil
+}
+
+// Info is used to query a token
+func (a *ACLTokens) Info(accessorID string, q *QueryOptions) (*ACLToken, *QueryMeta, error) {
+	if accessorID == "" {
+		return nil, nil, fmt.Errorf("missing accessor ID")
+	}
+	var resp ACLToken
+	wm, err := a.client.query("/v1/acl/token/"+accessorID, &resp, q)
+	if err != nil {
+		return nil, nil, err
+	}
+	return &resp, wm, nil
+}
+
+// ACLPolicyListStub is used to for listing ACL policies
+type ACLPolicyListStub struct {
+	Name        string
+	Description string
+	CreateIndex uint64
+	ModifyIndex uint64
+}
+
+// ACLPolicy is used to represent an ACL policy
+type ACLPolicy struct {
+	Name        string
+	Description string
+	Rules       string
+	CreateIndex uint64
+	ModifyIndex uint64
+}
+
+// ACLToken represents a client token which is used to Authenticate
+type ACLToken struct {
+	AccessorID  string
+	SecretID    string
+	Name        string
+	Type        string
+	Policies    []string
+	Global      bool
+	CreateTime  time.Time
+	CreateIndex uint64
+	ModifyIndex uint64
+}
+
+type ACLTokenListStub struct {
+	AccessorID  string
+	Name        string
+	Type        string
+	Policies    []string
+	Global      bool
+	CreateTime  time.Time
+	CreateIndex uint64
+	ModifyIndex uint64
+}

api/acl_test.go

+package api
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestACLPolicies_ListUpsert(t *testing.T) {
+	t.Parallel()
+	c, s, _ := makeACLClient(t, nil, nil)
+	defer s.Stop()
+	ap := c.ACLPolicies()
+
+	// Listing when nothing exists returns empty
+	result, qm, err := ap.List(nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	if qm.LastIndex != 1 {
+		t.Fatalf("bad index: %d", qm.LastIndex)
+	}
+	if n := len(result); n != 0 {
+		t.Fatalf("expected 0 policies, got: %d", n)
+	}
+
+	// Register a policy
+	policy := &ACLPolicy{
+		Name:        "test",
+		Description: "test",
+		Rules: `namespace "default" {
+			policy = "read"
+		}
+		`,
+	}
+	wm, err := ap.Upsert(policy, nil)
+	assert.Nil(t, err)
+	assertWriteMeta(t, wm)
+
+	// Check the list again
+	result, qm, err = ap.List(nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	assertQueryMeta(t, qm)
+	if len(result) != 1 {
+		t.Fatalf("expected policy, got: %#v", result)
+	}
+}
+
+func TestACLPolicies_Delete(t *testing.T) {
+	t.Parallel()
+	c, s, _ := makeACLClient(t, nil, nil)
+	defer s.Stop()
+	ap := c.ACLPolicies()
+
+	// Register a policy
+	policy := &ACLPolicy{
+		Name:        "test",
+		Description: "test",
+		Rules: `namespace "default" {
+			policy = "read"
+		}
+		`,
+	}
+	wm, err := ap.Upsert(policy, nil)
+	assert.Nil(t, err)
+	assertWriteMeta(t, wm)
+
+	// Delete the policy
+	wm, err = ap.Delete(policy.Name, nil)
+	assert.Nil(t, err)
+	assertWriteMeta(t, wm)
+
+	// Check the list again
+	result, qm, err := ap.List(nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	assertQueryMeta(t, qm)
+	if len(result) != 0 {
+		t.Fatalf("unexpected policy, got: %#v", result)
+	}
+}
+
+func TestACLPolicies_Info(t *testing.T) {
+	t.Parallel()
+	c, s, _ := makeACLClient(t, nil, nil)
+	defer s.Stop()
+	ap := c.ACLPolicies()
+
+	// Register a policy
+	policy := &ACLPolicy{
+		Name:        "test",
+		Description: "test",
+		Rules: `namespace "default" {
+			policy = "read"
+		}
+		`,
+	}
+	wm, err := ap.Upsert(policy, nil)
+	assert.Nil(t, err)
+	assertWriteMeta(t, wm)
+
+	// Query the policy
+	out, qm, err := ap.Info(policy.Name, nil)
+	assert.Nil(t, err)
+	assertQueryMeta(t, qm)
+	assert.Equal(t, policy.Name, out.Name)
+}
+
+func TestACLTokens_List(t *testing.T) {
+	t.Parallel()
+	c, s, _ := makeACLClient(t, nil, nil)
+	defer s.Stop()
+	at := c.ACLTokens()
+
+	// Expect out bootstrap token
+	result, qm, err := at.List(nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	if qm.LastIndex == 0 {
+		t.Fatalf("bad index: %d", qm.LastIndex)
+	}
+	if n := len(result); n != 1 {
+		t.Fatalf("expected 1 token, got: %d", n)
+	}
+}
+
+func TestACLTokens_CreateUpdate(t *testing.T) {
+	t.Parallel()
+	c, s, _ := makeACLClient(t, nil, nil)
+	defer s.Stop()
+	at := c.ACLTokens()
+
+	token := &ACLToken{
+		Name:     "foo",
+		Type:     "client",
+		Policies: []string{"foo1"},
+	}
+
+	// Create the token
+	out, wm, err := at.Create(token, nil)
+	assert.Nil(t, err)
+	assertWriteMeta(t, wm)
+	assert.NotNil(t, out)
+
+	// Update the token
+	out.Name = "other"
+	out2, wm, err := at.Update(out, nil)
+	assert.Nil(t, err)
+	assertWriteMeta(t, wm)
+	assert.NotNil(t, out2)
+
+	// Verify the change took hold
+	assert.Equal(t, out.Name, out2.Name)
+}
+
+func TestACLTokens_Info(t *testing.T) {
+	t.Parallel()
+	c, s, _ := makeACLClient(t, nil, nil)
+	defer s.Stop()
+	at := c.ACLTokens()
+
+	token := &ACLToken{
+		Name:     "foo",
+		Type:     "client",
+		Policies: []string{"foo1"},
+	}
+
+	// Create the token
+	out, wm, err := at.Create(token, nil)
+	assert.Nil(t, err)
+	assertWriteMeta(t, wm)
+	assert.NotNil(t, out)
+
+	// Query the token
+	out2, qm, err := at.Info(out.AccessorID, nil)
+	assert.Nil(t, err)
+	assertQueryMeta(t, qm)
+	assert.Equal(t, out, out2)
+}
+
+func TestACLTokens_Delete(t *testing.T) {
+	t.Parallel()
+	c, s, _ := makeACLClient(t, nil, nil)
+	defer s.Stop()
+	at := c.ACLTokens()
+
+	token := &ACLToken{
+		Name:     "foo",
+		Type:     "client",
+		Policies: []string{"foo1"},
+	}
+
+	// Create the token
+	out, wm, err := at.Create(token, nil)
+	assert.Nil(t, err)
+	assertWriteMeta(t, wm)
+	assert.NotNil(t, out)
+
+	// Delete the token
+	wm, err = at.Delete(out.AccessorID, nil)
+	assert.Nil(t, err)
+	assertWriteMeta(t, wm)
+}

api/api.go

@@ -41,6 +41,9 @@ type QueryOptions struct {
 
 	// Set HTTP parameters on the query.
 	Params map[string]string
+
+	// SecretID is the secret ID of an ACL token
+	SecretID string
 }
 
 // WriteOptions are used to parameterize a write
@@ -48,6 +51,9 @@ type WriteOptions struct {
 	// Providing a datacenter overwrites the region provided
 	// by the Config
 	Region string
+
+	// SecretID is the secret ID of an ACL token
+	SecretID string
 }
 
 // QueryMeta is used to return meta data about a query
@@ -97,6 +103,9 @@ type Config struct {
 	// httpClient is the client to use. Default will be used if not provided.
 	httpClient *http.Client
 
+	// SecretID to use. This can be overwritten per request.
+	SecretID string
+
 	// HttpAuth is the auth info to use for http access.
 	HttpAuth *HttpBasicAuth
 
@@ -121,6 +130,7 @@ func (c *Config) ClientConfig(region, address string, tlsEnabled bool) *Config {
 		Address:    fmt.Sprintf("%s://%s", scheme, address),
 		Region:     region,
 		httpClient: defaultConfig.httpClient,
+		SecretID:   c.SecretID,
 		HttpAuth:   c.HttpAuth,
 		WaitTime:   c.WaitTime,
 		TLSConfig:  c.TLSConfig.Copy(),
@@ -217,7 +227,9 @@ func DefaultConfig() *Config {
 			config.TLSConfig.Insecure = insecure
 		}
 	}
-
+	if v := os.Getenv("NOMAD_TOKEN"); v != "" {
+		config.SecretID = v
+	}
 	return config
 }
 
@@ -345,12 +357,18 @@ func (c *Client) getNodeClientImpl(nodeID string, q *QueryOptions, lookup nodeLo
 	return NewClient(conf)
 }
 
+// SetSecretID sets the ACL token secret for API requests.
+func (c *Client) SetSecretID(secretID string) {
+	c.config.SecretID = secretID
+}
+
 // request is used to help build up a request
 type request struct {
 	config *Config
 	method string
 	url    *url.URL
 	params url.Values
+	token  string
 	body   io.Reader
 	obj    interface{}
 }
@@ -364,6 +382,9 @@ func (r *request) setQueryOptions(q *QueryOptions) {
 	if q.Region != "" {
 		r.params.Set("region", q.Region)
 	}
+	if q.SecretID != "" {
+		r.token = q.SecretID
+	}
 	if q.AllowStale {
 		r.params.Set("stale", "")
 	}
@@ -395,6 +416,9 @@ func (r *request) setWriteOptions(q *WriteOptions) {
 	if q.Region != "" {
 		r.params.Set("region", q.Region)
 	}
+	if q.SecretID != "" {
+		r.token = q.SecretID
+	}
 }
 
 // toHTTP converts the request to an HTTP request
@@ -427,6 +451,10 @@ func (r *request) toHTTP() (*http.Request, error) {
 	}
 
 	req.Header.Add("Accept-Encoding", "gzip")
+	if r.token != "" {
+		req.Header.Set("X-Nomad-Token", r.token)
+	}
+
 	req.URL.Host = r.url.Host
 	req.URL.Scheme = r.url.Scheme
 	req.Host = r.url.Host
@@ -457,6 +485,9 @@ func (c *Client) newRequest(method, path string) (*request, error) {
 	if c.config.WaitTime != 0 {
 		r.params.Set("wait", durToMsec(r.config.WaitTime))
 	}
+	if c.config.SecretID != "" {
+		r.token = r.config.SecretID
+	}
 
 	// Add in the query parameters, if any
 	for key, values := range u.Query() {

api/api_test.go

@@ -24,6 +24,24 @@ func init() {
 	seen = make(map[*testing.T]struct{})
 }
 
+func makeACLClient(t *testing.T, cb1 configCallback,
+	cb2 testutil.ServerConfigCallback) (*Client, *testutil.TestServer, *ACLToken) {
+	client, server := makeClient(t, cb1, func(c *testutil.TestServerConfig) {
+		c.ACL.Enabled = true
+		if cb2 != nil {
+			cb2(c)
+		}
+	})
+
+	// Get the root token
+	root, _, err := client.ACLTokens().Bootstrap(nil)
+	if err != nil {
+		t.Fatalf("failed to bootstrap ACLs: %v", err)
+	}
+	client.SetSecretID(root.SecretID)
+	return client, server, root
+}
+
 func makeClient(t *testing.T, cb1 configCallback,
 	cb2 testutil.ServerConfigCallback) (*Client, *testutil.TestServer) {
 	// Make client config
@@ -97,6 +115,7 @@ func TestDefaultConfig_env(t *testing.T) {
 	t.Parallel()
 	url := "http://1.2.3.4:5678"
 	auth := []string{"nomaduser", "12345"}
+	token := "foobar"
 
 	os.Setenv("NOMAD_ADDR", url)
 	defer os.Setenv("NOMAD_ADDR", "")
@@ -104,6 +123,9 @@ func TestDefaultConfig_env(t *testing.T) {
 	os.Setenv("NOMAD_HTTP_AUTH", strings.Join(auth, ":"))
 	defer os.Setenv("NOMAD_HTTP_AUTH", "")
 
+	os.Setenv("NOMAD_TOKEN", token)
+	defer os.Setenv("NOMAD_TOKEN", "")
+
 	config := DefaultConfig()
 
 	if config.Address != url {
@@ -117,6 +139,10 @@ func TestDefaultConfig_env(t *testing.T) {
 	if config.HttpAuth.Password != auth[1] {
 		t.Errorf("expected %q to be %q", config.HttpAuth.Password, auth[1])
 	}
+
+	if config.SecretID != token {
+		t.Errorf("Expected %q to be %q", config.SecretID, token)
+	}
 }
 
 func TestSetQueryOptions(t *testing.T) {
@@ -130,6 +156,7 @@ func TestSetQueryOptions(t *testing.T) {
 		AllowStale: true,
 		WaitIndex:  1000,
 		WaitTime:   100 * time.Second,
+		SecretID:   "foobar",
 	}
 	r.setQueryOptions(q)
 
@@ -145,6 +172,9 @@ func TestSetQueryOptions(t *testing.T) {
 	if r.params.Get("wait") != "100000ms" {
 		t.Fatalf("bad: %v", r.params)
 	}
+	if r.token != "foobar" {
+		t.Fatalf("bad: %v", r.token)
+	}
 }
 
 func TestSetWriteOptions(t *testing.T) {
@@ -154,13 +184,17 @@ func TestSetWriteOptions(t *testing.T) {
 
 	r, _ := c.newRequest("GET", "/v1/jobs")
 	q := &WriteOptions{
-		Region: "foo",
+		Region:   "foo",
+		SecretID: "foobar",
 	}
 	r.setWriteOptions(q)
 
 	if r.params.Get("region") != "foo" {
 		t.Fatalf("bad: %v", r.params)
 	}
+	if r.token != "foobar" {
+		t.Fatalf("bad: %v", r.token)
+	}
 }
 
 func TestRequestToHTTP(t *testing.T) {
@@ -170,7 +204,8 @@ func TestRequestToHTTP(t *testing.T) {
 
 	r, _ := c.newRequest("DELETE", "/v1/jobs/foo")
 	q := &QueryOptions{
-		Region: "foo",
+		Region:   "foo",
+		SecretID: "foobar",
 	}
 	r.setQueryOptions(q)
 	req, err := r.toHTTP()
@@ -184,6 +219,9 @@ func TestRequestToHTTP(t *testing.T) {
 	if req.URL.RequestURI() != "/v1/jobs/foo?region=foo" {
 		t.Fatalf("bad: %v", req)
 	}
+	if req.Header.Get("X-Nomad-Token") != "foobar" {
+		t.Fatalf("bad: %v", req)
+	}
 }
 
 func TestParseQueryMeta(t *testing.T) {

api/jobs.go

@@ -729,6 +729,9 @@ func (j *Job) AddPeriodicConfig(cfg *PeriodicConfig) *Job {
 type WriteRequest struct {
 	// The target region for this write
 	Region string
+
+	// SecretID is the secret ID of an ACL token
+	SecretID string
 }
 
 // JobValidateRequest is used to validate a job

client/acl.go

+package client
+
+import (
+	"time"
+
+	metrics "github.com/armon/go-metrics"
+	lru "github.com/hashicorp/golang-lru"
+	"github.com/hashicorp/nomad/acl"
+	"github.com/hashicorp/nomad/nomad/structs"
+)
+
+const (
+	// policyCacheSize is the number of ACL policies to keep cached. Policies have a fetching cost
+	// so we keep the hot policies cached to reduce the ACL token resolution time.
+	policyCacheSize = 64
+
+	// aclCacheSize is the number of ACL objects to keep cached. ACLs have a parsing and
+	// construction cost, so we keep the hot objects cached to reduce the ACL token resolution time.
+	aclCacheSize = 64
+
+	// tokenCacheSize is the number of ACL tokens to keep cached. Tokens have a fetching cost,
+	// so we keep the hot tokens cached to reduce the lookups.
+	tokenCacheSize = 64
+)
+
+// clientACLResolver holds the state required for client resolution
+// of ACLs
+type clientACLResolver struct {
+	// aclCache is used to maintain the parsed ACL objects
+	aclCache *lru.TwoQueueCache
+
+	// policyCache is used to maintain the fetched policy objects
+	policyCache *lru.TwoQueueCache
+
+	// tokenCache is used to maintain the fetched token objects
+	tokenCache *lru.TwoQueueCache
+}
+
+// init is used to setup the client resolver state
+func (c *clientACLResolver) init() error {
+	// Create the ACL object cache
+	var err error
+	c.aclCache, err = lru.New2Q(aclCacheSize)
+	if err != nil {
+		return err
+	}
+	c.policyCache, err = lru.New2Q(policyCacheSize)
+	if err != nil {
+		return err
+	}
+	c.tokenCache, err = lru.New2Q(tokenCacheSize)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// cachedACLValue is used to manage ACL Token or Policy TTLs
+type cachedACLValue struct {
+	Token     *structs.ACLToken
+	Policy    *structs.ACLPolicy
+	CacheTime time.Time
+}
+
+// Age is the time since the token was cached
+func (c *cachedACLValue) Age() time.Duration {
+	return time.Since(c.CacheTime)
+}
+
+// ResolveToken is used to translate an ACL Token Secret ID into
+// an ACL object, nil if ACLs are disabled, or an error.
+func (c *Client) ResolveToken(secretID string) (*acl.ACL, error) {
+	// Fast-path if ACLs are disabled
+	if !c.config.ACLEnabled {
+		return nil, nil
+	}
+	defer metrics.MeasureSince([]string{"client", "acl", "resolve_token"}, time.Now())
+
+	// Resolve the token value
+	token, err := c.resolveTokenValue(secretID)
+	if err != nil {
+		return nil, err
+	}
+	if token == nil {
+		return nil, structs.ErrTokenNotFound
+	}
+
+	// Check if this is a management token
+	if token.Type == structs.ACLManagementToken {
+		return acl.ManagementACL, nil
+	}
+
+	// Resolve the policies
+	policies, err := c.resolvePolicies(token.SecretID, token.Policies)
+	if err != nil {
+		return nil, err
+	}
+
+	// Resolve the ACL object
+	aclObj, err := structs.CompileACLObject(c.aclCache, policies)
+	if err != nil {
+		return nil, err
+	}
+	return aclObj, nil
+}
+
+// resolveTokenValue is used to translate a secret ID into an ACL token with caching
+// We use a local cache up to the TTL limit, and then resolve via a server. If we cannot
+// reach a server, but have a cached value we extend the TTL to gracefully handle outages.
+func (c *Client) resolveTokenValue(secretID string) (*structs.ACLToken, error) {
+	// Hot-path the anonymous token
+	if secretID == "" {
+		return structs.AnonymousACLToken, nil
+	}
+
+	// Lookup the token in the cache
+	raw, ok := c.tokenCache.Get(secretID)
+	if ok {
+		cached := raw.(*cachedACLValue)
+		if cached.Age() <= c.config.ACLTokenTTL {
+			return cached.Token, nil
+		}
+	}
+
+	// Lookup the token
+	req := structs.ResolveACLTokenRequest{
+		SecretID: secretID,
+		QueryOptions: structs.QueryOptions{
+			Region:     c.Region(),
+			AllowStale: true,
+		},
+	}
+	var resp structs.ResolveACLTokenResponse
+	if err := c.RPC("ACL.ResolveToken", &req, &resp); err != nil {
+		// If we encounter an error but have a cached value, mask the error and extend the cache
+		if ok {
+			c.logger.Printf("[WARN] client: failed to resolve token, using expired cached value: %v", err)
+			cached := raw.(*cachedACLValue)
+			return cached.Token, nil
+		}
+		return nil, err
+	}
+
+	// Cache the response (positive or negative)
+	c.tokenCache.Add(secretID, &cachedACLValue{
+		Token:     resp.Token,
+		CacheTime: time.Now(),
+	})
+	return resp.Token, nil
+}
+
+// resolvePolicies is used to translate a set of named ACL policies into the objects.
+// We cache the policies locally, and fault them from a server as necessary. Policies
+// are cached for a TTL, and then refreshed. If a server cannot be reached, the cache TTL
+// will be ignored to gracefully handle outages.
+func (c *Client) resolvePolicies(secretID string, policies []string) ([]*structs.ACLPolicy, error) {
+	var out []*structs.ACLPolicy
+	var expired []*structs.ACLPolicy
+	var missing []string
+
+	// Scan the cache for each policy
+	for _, policyName := range policies {
+		// Lookup the policy in the cache
+		raw, ok := c.policyCache.Get(policyName)
+		if !ok {
+			missing = append(missing, policyName)
+			continue
+		}
+
+		// Check if the cached value is valid or expired
+		cached := raw.(*cachedACLValue)
+		if cached.Age() <= c.config.ACLPolicyTTL {
+			out = append(out, cached.Policy)
+		} else {
+			expired = append(expired, cached.Policy)
+		}
+	}
+
+	// Hot-path if we have no missing or expired policies
+	if len(missing)+len(expired) == 0 {
+		return out, nil
+	}
+
+	// Lookup the missing and expired policies
+	fetch := missing
+	for _, p := range expired {
+		fetch = append(fetch, p.Name)
+	}
+	req := structs.ACLPolicySetRequest{
+		Names: fetch,
+		QueryOptions: structs.QueryOptions{
+			Region:     c.Region(),
+			SecretID:   secretID,
+			AllowStale: true,
+		},
+	}
+	var resp structs.ACLPolicySetResponse
+	if err := c.RPC("ACL.GetPolicies", &req, &resp); err != nil {
+		// If we encounter an error but have cached policies, mask the error and extend the cache
+		if len(missing) == 0 {
+			c.logger.Printf("[WARN] client: failed to resolve policies, using expired cached value: %v", err)
+			out = append(out, expired...)
+			return out, nil
+		}
+		return nil, err
+	}
+
+	// Handle each output
+	for _, policy := range resp.Policies {
+		c.policyCache.Add(policy.Name, &cachedACLValue{
+			Policy:    policy,
+			CacheTime: time.Now(),
+		})
+		out = append(out, policy)
+	}
+
+	// Return the valid policies
+	return out, nil
+}

client/acl_test.go

+package client
+
+import (
+	"testing"
+
+	"github.com/hashicorp/nomad/acl"
+	"github.com/hashicorp/nomad/client/config"
+	"github.com/hashicorp/nomad/nomad/mock"
+	"github.com/hashicorp/nomad/nomad/structs"
+	"github.com/hashicorp/nomad/testutil"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestClient_ACL_resolveTokenValue(t *testing.T) {
+	s1, _, _ := testACLServer(t, nil)
+	defer s1.Shutdown()
+	testutil.WaitForLeader(t, s1.RPC)
+
+	c1 := testClient(t, func(c *config.Config) {
+		c.RPCHandler = s1
+		c.ACLEnabled = true
+	})
+	defer c1.Shutdown()
+
+	// Create a policy / token
+	policy := mock.ACLPolicy()
+	policy2 := mock.ACLPolicy()
+	token := mock.ACLToken()
+	token.Policies = []string{policy.Name, policy2.Name}
+	token2 := mock.ACLToken()
+	token2.Type = structs.ACLManagementToken
+	token2.Policies = nil
+	err := s1.State().UpsertACLPolicies(100, []*structs.ACLPolicy{policy, policy2})
+	assert.Nil(t, err)
+	err = s1.State().UpsertACLTokens(110, []*structs.ACLToken{token, token2})
+	assert.Nil(t, err)
+
+	// Test the client resolution
+	out0, err := c1.resolveTokenValue("")
+	assert.Nil(t, err)
+	assert.NotNil(t, out0)
+	assert.Equal(t, structs.AnonymousACLToken, out0)
+
+	// Test the client resolution
+	out1, err := c1.resolveTokenValue(token.SecretID)
+	assert.Nil(t, err)
+	assert.NotNil(t, out1)
+	assert.Equal(t, token, out1)
+
+	out2, err := c1.resolveTokenValue(token2.SecretID)
+	assert.Nil(t, err)
+	assert.NotNil(t, out2)
+	assert.Equal(t, token2, out2)
+
+	out3, err := c1.resolveTokenValue(token.SecretID)
+	assert.Nil(t, err)
+	assert.NotNil(t, out3)
+	if out1 != out3 {
+		t.Fatalf("bad caching")
+	}
+}
+
+func TestClient_ACL_resolvePolicies(t *testing.T) {
+	s1, _, root := testACLServer(t, nil)
+	defer s1.Shutdown()
+	testutil.WaitForLeader(t, s1.RPC)
+
+	c1 := testClient(t, func(c *config.Config) {
+		c.RPCHandler = s1
+		c.ACLEnabled = true
+	})
+	defer c1.Shutdown()
+
+	// Create a policy / token
+	policy := mock.ACLPolicy()
+	policy2 := mock.ACLPolicy()
+	token := mock.ACLToken()
+	token.Policies = []string{policy.Name, policy2.Name}
+	token2 := mock.ACLToken()
+	token2.Type = structs.ACLManagementToken
+	token2.Policies = nil
+	err := s1.State().UpsertACLPolicies(100, []*structs.ACLPolicy{policy, policy2})
+	assert.Nil(t, err)
+	err = s1.State().UpsertACLTokens(110, []*structs.ACLToken{token, token2})
+	assert.Nil(t, err)
+
+	// Test the client resolution
+	out, err := c1.resolvePolicies(root.SecretID, []string{policy.Name, policy2.Name})
+	assert.Nil(t, err)
+	assert.Equal(t, 2, len(out))
+
+	// Test caching
+	out2, err := c1.resolvePolicies(root.SecretID, []string{policy.Name, policy2.Name})
+	assert.Nil(t, err)
+	assert.Equal(t, 2, len(out2))
+
+	// Check we get the same objects back (ignore ordering)
+	if out[0] != out2[0] && out[0] != out2[1] {
+		t.Fatalf("bad caching")
+	}
+}
+
+func TestClient_ACL_ResolveToken_Disabled(t *testing.T) {
+	s1, _ := testServer(t, nil)
+	defer s1.Shutdown()
+	testutil.WaitForLeader(t, s1.RPC)
+
+	c1 := testClient(t, func(c *config.Config) {
+		c.RPCHandler = s1
+	})
+	defer c1.Shutdown()
+
+	// Should always get nil when disabled
+	aclObj, err := c1.ResolveToken("blah")
+	assert.Nil(t, err)
+	assert.Nil(t, aclObj)
+}
+
+func TestClient_ACL_ResolveToken(t *testing.T) {
+	s1, _, _ := testACLServer(t, nil)
+	defer s1.Shutdown()
+	testutil.WaitForLeader(t, s1.RPC)
+
+	c1 := testClient(t, func(c *config.Config) {
+		c.RPCHandler = s1
+		c.ACLEnabled = true
+	})
+	defer c1.Shutdown()
+
+	// Create a policy / token
+	policy := mock.ACLPolicy()
+	policy2 := mock.ACLPolicy()
+	token := mock.ACLToken()
+	token.Policies = []string{policy.Name, policy2.Name}
+	token2 := mock.ACLToken()
+	token2.Type = structs.ACLManagementToken
+	token2.Policies = nil
+	err := s1.State().UpsertACLPolicies(100, []*structs.ACLPolicy{policy, policy2})
+	assert.Nil(t, err)
+	err = s1.State().UpsertACLTokens(110, []*structs.ACLToken{token, token2})
+	assert.Nil(t, err)
+
+	// Test the client resolution
+	out, err := c1.ResolveToken(token.SecretID)
+	assert.Nil(t, err)
+	assert.NotNil(t, out)
+
+	// Test caching
+	out2, err := c1.ResolveToken(token.SecretID)
+	assert.Nil(t, err)
+	if out != out2 {
+		t.Fatalf("should be cached")
+	}
+
+	// Test management token
+	out3, err := c1.ResolveToken(token2.SecretID)
+	assert.Nil(t, err)
+	if acl.ManagementACL != out3 {
+		t.Fatalf("should be management")
+	}
+
+	// Test bad token
+	out4, err := c1.ResolveToken(structs.GenerateUUID())
+	assert.Equal(t, structs.ErrTokenNotFound, err)
+	assert.Nil(t, out4)
+}

client/client.go

@@ -150,6 +150,9 @@ type Client struct {
 	// garbageCollector is used to garbage collect terminal allocations present
 	// in the node automatically
 	garbageCollector *AllocGarbageCollector
+
+	// clientACLResolver holds the ACL resolution state
+	clientACLResolver
 }
 
 var (
@@ -192,6 +195,11 @@ func NewClient(cfg *config.Config, consulCatalog consul.CatalogAPI, consulServic
 		return nil, fmt.Errorf("failed to initialize client: %v", err)
 	}
 
+	// Initialize the ACL state
+	if err := c.clientACLResolver.init(); err != nil {
+		return nil, fmt.Errorf("failed to initialize ACL state: %v", err)
+	}
+
 	// Add the stats collector
 	statsCollector := stats.NewHostStatsCollector(logger, c.config.AllocDir)
 	c.hostStatsCollector = statsCollector

client/client_test.go

@@ -30,6 +30,21 @@ func getPort() int {
 	return 1030 + int(rand.Int31n(6440))
 }
 
+func testACLServer(t *testing.T, cb func(*nomad.Config)) (*nomad.Server, string, *structs.ACLToken) {
+	server, addr := testServer(t, func(c *nomad.Config) {
+		c.ACLEnabled = true
+		if cb != nil {
+			cb(c)
+		}
+	})
+	token := mock.ACLManagementToken()
+	err := server.State().BootstrapACLTokens(1, token)
+	if err != nil {
+		t.Fatalf("failed to bootstrap ACL token: %v", err)
+	}
+	return server, addr, token
+}
+
 func testServer(t *testing.T, cb func(*nomad.Config)) (*nomad.Server, string) {
 	// Setup the default settings
 	config := nomad.DefaultConfig()

client/config/config.go

@@ -179,6 +179,15 @@ type Config struct {
 	// NoHostUUID disables using the host's UUID and will force generation of a
 	// random UUID.
 	NoHostUUID bool
+
+	// ACLEnabled controls if ACL enforcement and management is enabled.
+	ACLEnabled bool
+
+	// ACLTokenTTL is how long we cache token values for
+	ACLTokenTTL time.Duration
+
+	// ACLPolicyTTL is how long we cache policy values for
+	ACLPolicyTTL time.Duration
 }
 
 func (c *Config) Copy() *Config {

command/agent/acl_endpoint.go

+package agent
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/hashicorp/nomad/nomad/structs"
+)
+
+func (s *HTTPServer) ACLPoliciesRequest(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
+	if req.Method != "GET" {
+		return nil, CodedError(405, ErrInvalidMethod)
+	}
+
+	args := structs.ACLPolicyListRequest{}
+	if s.parse(resp, req, &args.Region, &args.QueryOptions) {
+		return nil, nil
+	}
+
+	var out structs.ACLPolicyListResponse
+	if err := s.agent.RPC("ACL.ListPolicies", &args, &out); err != nil {
+		return nil, err
+	}
+
+	setMeta(resp, &out.QueryMeta)
+	if out.Policies == nil {
+		out.Policies = make([]*structs.ACLPolicyListStub, 0)
+	}
+	return out.Policies, nil
+}
+
+func (s *HTTPServer) ACLPolicySpecificRequest(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
+	name := strings.TrimPrefix(req.URL.Path, "/v1/acl/policy/")
+	if len(name) == 0 {
+		return nil, CodedError(400, "Missing Policy Name")
+	}
+	switch req.Method {
+	case "GET":
+		return s.aclPolicyQuery(resp, req, name)
+	case "PUT", "POST":
+		return s.aclPolicyUpdate(resp, req, name)
+	case "DELETE":
+		return s.aclPolicyDelete(resp, req, name)
+	default:
+		return nil, CodedError(405, ErrInvalidMethod)
+	}
+}
+
+func (s *HTTPServer) aclPolicyQuery(resp http.ResponseWriter, req *http.Request,
+	policyName string) (interface{}, error) {
+	args := structs.ACLPolicySpecificRequest{
+		Name: policyName,
+	}
+	if s.parse(resp, req, &args.Region, &args.QueryOptions) {
+		return nil, nil
+	}
+
+	var out structs.SingleACLPolicyResponse
+	if err := s.agent.RPC("ACL.GetPolicy", &args, &out); err != nil {
+		return nil, err
+	}
+
+	setMeta(resp, &out.QueryMeta)
+	if out.Policy == nil {
+		return nil, CodedError(404, "ACL policy not found")
+	}
+	return out.Policy, nil
+}
+
+func (s *HTTPServer) aclPolicyUpdate(resp http.ResponseWriter, req *http.Request,
+	policyName string) (interface{}, error) {
+	// Parse the policy
+	var policy structs.ACLPolicy
+	if err := decodeBody(req, &policy); err != nil {
+		return nil, CodedError(500, err.Error())
+	}
+
+	// Ensure the policy name matches
+	if policy.Name != policyName {
+		return nil, CodedError(400, "ACL policy name does not match request path")
+	}
+
+	// Format the request
+	args := structs.ACLPolicyUpsertRequest{
+		Policies: []*structs.ACLPolicy{&policy},
+	}
+	s.parseWrite(req, &args.WriteRequest)
+
+	var out structs.GenericResponse
+	if err := s.agent.RPC("ACL.UpsertPolicies", &args, &out); err != nil {
+		return nil, err
+	}
+	setIndex(resp, out.Index)
+	return nil, nil
+}
+
+func (s *HTTPServer) aclPolicyDelete(resp http.ResponseWriter, req *http.Request,
+	policyName string) (interface{}, error) {
+
+	args := structs.ACLPolicyDeleteRequest{
+		Names: []string{policyName},
+	}
+	s.parseWrite(req, &args.WriteRequest)
+
+	var out structs.GenericResponse
+	if err := s.agent.RPC("ACL.DeletePolicies", &args, &out); err != nil {
+		return nil, err
+	}
+	setIndex(resp, out.Index)
+	return nil, nil
+}
+
+func (s *HTTPServer) ACLTokensRequest(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
+	if req.Method != "GET" {
+		return nil, CodedError(405, ErrInvalidMethod)
+	}
+
+	args := structs.ACLTokenListRequest{}
+	if s.parse(resp, req, &args.Region, &args.QueryOptions) {
+		return nil, nil
+	}
+
+	var out structs.ACLTokenListResponse
+	if err := s.agent.RPC("ACL.ListTokens", &args, &out); err != nil {
+		return nil, err
+	}
+
+	setMeta(resp, &out.QueryMeta)
+	if out.Tokens == nil {
+		out.Tokens = make([]*structs.ACLTokenListStub, 0)
+	}
+	return out.Tokens, nil
+}
+
+func (s *HTTPServer) ACLTokenBootstrap(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
+	// Ensure this is a PUT or POST
+	if !(req.Method == "PUT" || req.Method == "POST") {
+		return nil, CodedError(405, ErrInvalidMethod)
+	}
+
+	// Format the request
+	args := structs.ACLTokenBootstrapRequest{}
+	s.parseWrite(req, &args.WriteRequest)
+
+	var out structs.ACLTokenUpsertResponse
+	if err := s.agent.RPC("ACL.Bootstrap", &args, &out); err != nil {
+		return nil, err
+	}
+	setIndex(resp, out.Index)
+	if len(out.Tokens) > 0 {
+		return out.Tokens[0], nil
+	}
+	return nil, nil
+}
+
+func (s *HTTPServer) ACLTokenSpecificRequest(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
+	accessor := strings.TrimPrefix(req.URL.Path, "/v1/acl/token")
+
+	// If there is no accessor, this must be a create
+	if len(accessor) == 0 {
+		if !(req.Method == "PUT" || req.Method == "POST") {
+			return nil, CodedError(405, ErrInvalidMethod)
+		}
+		return s.aclTokenUpdate(resp, req, "")
+	}
+
+	// Check if no accessor is given past the slash
+	accessor = accessor[1:]
+	if accessor == "" {
+		return nil, CodedError(400, "Missing Token Accessor")
+	}
+
+	switch req.Method {
+	case "GET":
+		return s.aclTokenQuery(resp, req, accessor)
+	case "PUT", "POST":
+		return s.aclTokenUpdate(resp, req, accessor)
+	case "DELETE":
+		return s.aclTokenDelete(resp, req, accessor)
+	default:
+		return nil, CodedError(405, ErrInvalidMethod)
+	}
+}
+
+func (s *HTTPServer) aclTokenQuery(resp http.ResponseWriter, req *http.Request,
+	tokenAccessor string) (interface{}, error) {
+	args := structs.ACLTokenSpecificRequest{
+		AccessorID: tokenAccessor,
+	}
+	if s.parse(resp, req, &args.Region, &args.QueryOptions) {
+		return nil, nil
+	}
+
+	var out structs.SingleACLTokenResponse
+	if err := s.agent.RPC("ACL.GetToken", &args, &out); err != nil {
+		return nil, err
+	}
+
+	setMeta(resp, &out.QueryMeta)
+	if out.Token == nil {
+		return nil, CodedError(404, "ACL token not found")
+	}
+	return out.Token, nil
+}
+
+func (s *HTTPServer) aclTokenUpdate(resp http.ResponseWriter, req *http.Request,
+	tokenAccessor string) (interface{}, error) {
+	// Parse the token
+	var token structs.ACLToken
+	if err := decodeBody(req, &token); err != nil {
+		return nil, CodedError(500, err.Error())
+	}
+
+	// Ensure the token accessor matches
+	if tokenAccessor != "" && (token.AccessorID != tokenAccessor) {
+		return nil, CodedError(400, "ACL token accessor does not match request path")
+	}
+
+	// Format the request
+	args := structs.ACLTokenUpsertRequest{
+		Tokens: []*structs.ACLToken{&token},
+	}
+	s.parseWrite(req, &args.WriteRequest)
+
+	var out structs.ACLTokenUpsertResponse
+	if err := s.agent.RPC("ACL.UpsertTokens", &args, &out); err != nil {
+		return nil, err
+	}
+	setIndex(resp, out.Index)
+	if len(out.Tokens) > 0 {
+		return out.Tokens[0], nil
+	}
+	return nil, nil
+}
+
+func (s *HTTPServer) aclTokenDelete(resp http.ResponseWriter, req *http.Request,
+	tokenAccessor string) (interface{}, error) {
+
+	args := structs.ACLTokenDeleteRequest{
+		AccessorIDs: []string{tokenAccessor},
+	}
+	s.parseWrite(req, &args.WriteRequest)
+
+	var out structs.GenericResponse
+	if err := s.agent.RPC("ACL.DeleteTokens", &args, &out); err != nil {
+		return nil, err
+	}
+	setIndex(resp, out.Index)
+	return nil, nil
+}

command/agent/acl_endpoint_test.go

+package agent
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/hashicorp/nomad/nomad/mock"
+	"github.com/hashicorp/nomad/nomad/structs"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestHTTP_ACLPolicyList(t *testing.T) {
+	t.Parallel()
+	httpACLTest(t, nil, func(s *TestAgent) {
+		p1 := mock.ACLPolicy()
+		p2 := mock.ACLPolicy()
+		p3 := mock.ACLPolicy()
+		args := structs.ACLPolicyUpsertRequest{
+			Policies: []*structs.ACLPolicy{p1, p2, p3},
+			WriteRequest: structs.WriteRequest{
+				Region:   "global",
+				SecretID: s.Token.SecretID,
+			},
+		}
+		var resp structs.GenericResponse
+		if err := s.Agent.RPC("ACL.UpsertPolicies", &args, &resp); err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// Make the HTTP request
+		req, err := http.NewRequest("GET", "/v1/acl/policies", nil)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		respW := httptest.NewRecorder()
+		setToken(req, s.Token)
+
+		// Make the request
+		obj, err := s.Server.ACLPoliciesRequest(respW, req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// Check for the index
+		if respW.HeaderMap.Get("X-Nomad-Index") == "" {
+			t.Fatalf("missing index")
+		}
+		if respW.HeaderMap.Get("X-Nomad-KnownLeader") != "true" {
+			t.Fatalf("missing known leader")
+		}
+		if respW.HeaderMap.Get("X-Nomad-LastContact") == "" {
+			t.Fatalf("missing last contact")
+		}
+
+		// Check the output
+		n := obj.([]*structs.ACLPolicyListStub)
+		if len(n) != 3 {
+			t.Fatalf("bad: %#v", n)
+		}
+	})
+}
+
+func TestHTTP_ACLPolicyQuery(t *testing.T) {
+	t.Parallel()
+	httpACLTest(t, nil, func(s *TestAgent) {
+		p1 := mock.ACLPolicy()
+		args := structs.ACLPolicyUpsertRequest{
+			Policies: []*structs.ACLPolicy{p1},
+			WriteRequest: structs.WriteRequest{
+				Region:   "global",
+				SecretID: s.Token.SecretID,
+			},
+		}
+		var resp structs.GenericResponse
+		if err := s.Agent.RPC("ACL.UpsertPolicies", &args, &resp); err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// Make the HTTP request
+		req, err := http.NewRequest("GET", "/v1/acl/policy/"+p1.Name, nil)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		respW := httptest.NewRecorder()
+		setToken(req, s.Token)
+
+		// Make the request
+		obj, err := s.Server.ACLPolicySpecificRequest(respW, req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// Check for the index
+		if respW.HeaderMap.Get("X-Nomad-Index") == "" {
+			t.Fatalf("missing index")
+		}
+		if respW.HeaderMap.Get("X-Nomad-KnownLeader") != "true" {
+			t.Fatalf("missing known leader")
+		}
+		if respW.HeaderMap.Get("X-Nomad-LastContact") == "" {
+			t.Fatalf("missing last contact")
+		}
+
+		// Check the output
+		n := obj.(*structs.ACLPolicy)
+		if n.Name != p1.Name {
+			t.Fatalf("bad: %#v", n)
+		}
+	})
+}
+
+func TestHTTP_ACLPolicyCreate(t *testing.T) {
+	t.Parallel()
+	httpACLTest(t, nil, func(s *TestAgent) {
+		// Make the HTTP request
+		p1 := mock.ACLPolicy()
+		buf := encodeReq(p1)
+		req, err := http.NewRequest("PUT", "/v1/acl/policy/"+p1.Name, buf)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		respW := httptest.NewRecorder()
+		setToken(req, s.Token)
+
+		// Make the request
+		obj, err := s.Server.ACLPolicySpecificRequest(respW, req)
+		assert.Nil(t, err)
+		assert.Nil(t, obj)
+
+		// Check for the index
+		if respW.HeaderMap.Get("X-Nomad-Index") == "" {
+			t.Fatalf("missing index")
+		}
+
+		// Check policy was created
+		state := s.Agent.server.State()
+		out, err := state.ACLPolicyByName(nil, p1.Name)
+		assert.Nil(t, err)
+		assert.NotNil(t, out)
+
+		p1.CreateIndex, p1.ModifyIndex = out.CreateIndex, out.ModifyIndex
+		assert.Equal(t, p1.Name, out.Name)
+		assert.Equal(t, p1, out)
+	})
+}
+
+func TestHTTP_ACLPolicyDelete(t *testing.T) {
+	t.Parallel()
+	httpACLTest(t, nil, func(s *TestAgent) {
+		p1 := mock.ACLPolicy()
+		args := structs.ACLPolicyUpsertRequest{
+			Policies: []*structs.ACLPolicy{p1},
+			WriteRequest: structs.WriteRequest{
+				Region:   "global",
+				SecretID: s.Token.SecretID,
+			},
+		}
+		var resp structs.GenericResponse
+		if err := s.Agent.RPC("ACL.UpsertPolicies", &args, &resp); err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// Make the HTTP request
+		req, err := http.NewRequest("DELETE", "/v1/acl/policy/"+p1.Name, nil)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		respW := httptest.NewRecorder()
+		setToken(req, s.Token)
+
+		// Make the request
+		obj, err := s.Server.ACLPolicySpecificRequest(respW, req)
+		assert.Nil(t, err)
+		assert.Nil(t, obj)
+
+		// Check for the index
+		if respW.HeaderMap.Get("X-Nomad-Index") == "" {
+			t.Fatalf("missing index")
+		}
+
+		// Check policy was created
+		state := s.Agent.server.State()
+		out, err := state.ACLPolicyByName(nil, p1.Name)
+		assert.Nil(t, err)
+		assert.Nil(t, out)
+	})
+}
+
+func TestHTTP_ACLTokenBootstrap(t *testing.T) {
+	t.Parallel()
+	conf := func(c *Config) {
+		c.ACL.Enabled = true
+		c.ACL.PolicyTTL = 0 // Special flag to disable auto-bootstrap
+	}
+	httpTest(t, conf, func(s *TestAgent) {
+		// Make the HTTP request
+		req, err := http.NewRequest("PUT", "/v1/acl/bootstrap", nil)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		respW := httptest.NewRecorder()
+
+		// Make the request
+		obj, err := s.Server.ACLTokenBootstrap(respW, req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// Check for the index
+		if respW.HeaderMap.Get("X-Nomad-Index") == "" {
+			t.Fatalf("missing index")
+		}
+
+		// Check the output
+		n := obj.(*structs.ACLToken)
+		assert.NotNil(t, n)
+		assert.Equal(t, "Bootstrap Token", n.Name)
+	})
+}
+
+func TestHTTP_ACLTokenList(t *testing.T) {
+	t.Parallel()
+	httpACLTest(t, nil, func(s *TestAgent) {
+		p1 := mock.ACLToken()
+		p1.AccessorID = ""
+		p2 := mock.ACLToken()
+		p2.AccessorID = ""
+		p3 := mock.ACLToken()
+		p3.AccessorID = ""
+		args := structs.ACLTokenUpsertRequest{
+			Tokens: []*structs.ACLToken{p1, p2, p3},
+			WriteRequest: structs.WriteRequest{
+				Region:   "global",
+				SecretID: s.Token.SecretID,
+			},
+		}
+		var resp structs.ACLTokenUpsertResponse
+		if err := s.Agent.RPC("ACL.UpsertTokens", &args, &resp); err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// Make the HTTP request
+		req, err := http.NewRequest("GET", "/v1/acl/tokens", nil)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		respW := httptest.NewRecorder()
+		setToken(req, s.Token)
+
+		// Make the request
+		obj, err := s.Server.ACLTokensRequest(respW, req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// Check for the index
+		if respW.HeaderMap.Get("X-Nomad-Index") == "" {
+			t.Fatalf("missing index")
+		}
+		if respW.HeaderMap.Get("X-Nomad-KnownLeader") != "true" {
+			t.Fatalf("missing known leader")
+		}
+		if respW.HeaderMap.Get("X-Nomad-LastContact") == "" {
+			t.Fatalf("missing last contact")
+		}
+
+		// Check the output (includes boostrap token)
+		n := obj.([]*structs.ACLTokenListStub)
+		if len(n) != 4 {
+			t.Fatalf("bad: %#v", n)
+		}
+	})
+}
+
+func TestHTTP_ACLTokenQuery(t *testing.T) {
+	t.Parallel()
+	httpACLTest(t, nil, func(s *TestAgent) {
+		p1 := mock.ACLToken()
+		p1.AccessorID = ""
+		args := structs.ACLTokenUpsertRequest{
+			Tokens: []*structs.ACLToken{p1},
+			WriteRequest: structs.WriteRequest{
+				Region:   "global",
+				SecretID: s.Token.SecretID,
+			},
+		}
+		var resp structs.ACLTokenUpsertResponse
+		if err := s.Agent.RPC("ACL.UpsertTokens", &args, &resp); err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		out := resp.Tokens[0]
+
+		// Make the HTTP request
+		req, err := http.NewRequest("GET", "/v1/acl/token/"+out.AccessorID, nil)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		respW := httptest.NewRecorder()
+		setToken(req, s.Token)
+
+		// Make the request
+		obj, err := s.Server.ACLTokenSpecificRequest(respW, req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+
+		// Check for the index
+		if respW.HeaderMap.Get("X-Nomad-Index") == "" {
+			t.Fatalf("missing index")
+		}
+		if respW.HeaderMap.Get("X-Nomad-KnownLeader") != "true" {
+			t.Fatalf("missing known leader")
+		}
+		if respW.HeaderMap.Get("X-Nomad-LastContact") == "" {
+			t.Fatalf("missing last contact")
+		}
+
+		// Check the output
+		n := obj.(*structs.ACLToken)
+		assert.Equal(t, out, n)
+	})
+}
+
+func TestHTTP_ACLTokenCreate(t *testing.T) {
+	t.Parallel()
+	httpACLTest(t, nil, func(s *TestAgent) {
+		// Make the HTTP request
+		p1 := mock.ACLToken()
+		p1.AccessorID = ""
+		buf := encodeReq(p1)
+		req, err := http.NewRequest("PUT", "/v1/acl/token", buf)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		respW := httptest.NewRecorder()
+		setToken(req, s.Token)
+
+		// Make the request
+		obj, err := s.Server.ACLTokenSpecificRequest(respW, req)
+		assert.Nil(t, err)
+		assert.NotNil(t, obj)
+		outTK := obj.(*structs.ACLToken)
+
+		// Check for the index
+		if respW.HeaderMap.Get("X-Nomad-Index") == "" {
+			t.Fatalf("missing index")
+		}
+
+		// Check token was created
+		state := s.Agent.server.State()
+		out, err := state.ACLTokenByAccessorID(nil, outTK.AccessorID)
+		assert.Nil(t, err)
+		assert.NotNil(t, out)
+		assert.Equal(t, outTK, out)
+	})
+}
+
+func TestHTTP_ACLTokenDelete(t *testing.T) {
+	t.Parallel()
+	httpACLTest(t, nil, func(s *TestAgent) {
+		p1 := mock.ACLToken()
+		p1.AccessorID = ""
+		args := structs.ACLTokenUpsertRequest{
+			Tokens: []*structs.ACLToken{p1},
+			WriteRequest: structs.WriteRequest{
+				Region:   "global",
+				SecretID: s.Token.SecretID,
+			},
+		}
+		var resp structs.ACLTokenUpsertResponse
+		if err := s.Agent.RPC("ACL.UpsertTokens", &args, &resp); err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		ID := resp.Tokens[0].AccessorID
+
+		// Make the HTTP request
+		req, err := http.NewRequest("DELETE", "/v1/acl/token/"+ID, nil)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		respW := httptest.NewRecorder()
+		setToken(req, s.Token)
+
+		// Make the request
+		obj, err := s.Server.ACLTokenSpecificRequest(respW, req)
+		assert.Nil(t, err)
+		assert.Nil(t, obj)
+
+		// Check for the index
+		if respW.HeaderMap.Get("X-Nomad-Index") == "" {
+			t.Fatalf("missing index")
+		}
+
+		// Check token was created
+		state := s.Agent.server.State()
+		out, err := state.ACLTokenByAccessorID(nil, ID)
+		assert.Nil(t, err)
+		assert.Nil(t, out)
+	})
+}

command/agent/agent.go

@@ -106,6 +106,15 @@ func convertServerConfig(agentConfig *Config, logOutput io.Writer) (*nomad.Confi
 	if agentConfig.Region != "" {
 		conf.Region = agentConfig.Region
 	}
+
+	// Set the Authoritative Region if set, otherwise default to
+	// the same as the local region.
+	if agentConfig.Server.AuthoritativeRegion != "" {
+		conf.AuthoritativeRegion = agentConfig.Server.AuthoritativeRegion
+	} else if agentConfig.Region != "" {
+		conf.AuthoritativeRegion = agentConfig.Region
+	}
+
 	if agentConfig.Datacenter != "" {
 		conf.Datacenter = agentConfig.Datacenter
 	}
@@ -134,6 +143,12 @@ func convertServerConfig(agentConfig *Config, logOutput io.Writer) (*nomad.Confi
 	if len(agentConfig.Server.EnabledSchedulers) != 0 {
 		conf.EnabledSchedulers = agentConfig.Server.EnabledSchedulers
 	}
+	if agentConfig.ACL.Enabled {
+		conf.ACLEnabled = true
+	}
+	if agentConfig.ACL.ReplicationToken != "" {
+		conf.ReplicationToken = agentConfig.ACL.ReplicationToken
+	}
 
 	// Set up the bind addresses
 	rpcAddr, err := net.ResolveTCPAddr("tcp", agentConfig.normalizedAddrs.RPC)
@@ -337,6 +352,11 @@ func (a *Agent) clientConfig() (*clientconfig.Config, error) {
 		conf.NoHostUUID = true
 	}
 
+	// Setup the ACLs
+	conf.ACLEnabled = a.config.ACL.Enabled
+	conf.ACLTokenTTL = a.config.ACL.TokenTTL
+	conf.ACLPolicyTTL = a.config.ACL.PolicyTTL
+
 	return conf, nil
 }
 

command/agent/agent_test.go

@@ -57,6 +57,7 @@ func TestAgent_ServerConfig(t *testing.T) {
 	conf.AdvertiseAddrs.Serf = "127.0.0.1:4000"
 	conf.AdvertiseAddrs.RPC = "127.0.0.1:4001"
 	conf.AdvertiseAddrs.HTTP = "10.10.11.1:4005"
+	conf.ACL.Enabled = true
 
 	// Parses the advertise addrs correctly
 	if err := conf.normalizeAddrs(); err != nil {
@@ -74,6 +75,12 @@ func TestAgent_ServerConfig(t *testing.T) {
 	if serfPort != 4000 {
 		t.Fatalf("expected 4000, got: %d", serfPort)
 	}
+	if out.AuthoritativeRegion != "global" {
+		t.Fatalf("bad: %#v", out.AuthoritativeRegion)
+	}
+	if !out.ACLEnabled {
+		t.Fatalf("ACL not enabled")
+	}
 
 	// Assert addresses weren't changed
 	if addr := conf.AdvertiseAddrs.RPC; addr != "127.0.0.1:4001" {

command/agent/config-test-fixtures/basic.hcl

@@ -63,6 +63,7 @@ client {
 }
 server {
 	enabled = true
+	authoritative_region = "foobar"
 	bootstrap_expect = 5
 	data_dir = "/tmp/data"
 	protocol_version = 3
@@ -82,6 +83,12 @@ server {
 	rejoin_after_leave = true
     encrypt = "abc"
 }
+acl {
+    enabled = true
+    token_ttl = "60s"
+    policy_ttl = "60s"
+    replication_token = "foobar"
+}
 telemetry {
 	statsite_address = "127.0.0.1:1234"
 	statsd_address = "127.0.0.1:2345"

command/agent/config.go

@@ -67,6 +67,9 @@ type Config struct {
 	// Server has our server related settings
 	Server *ServerConfig `mapstructure:"server"`
 
+	// ACL has our acl related settings
+	ACL *ACLConfig `mapstructure:"acl"`
+
 	// Telemetry is used to configure sending telemetry
 	Telemetry *Telemetry `mapstructure:"telemetry"`
 
@@ -228,11 +231,38 @@ type ClientConfig struct {
 	NoHostUUID *bool `mapstructure:"no_host_uuid"`
 }
 
+// ACLConfig is configuration specific to the ACL system
+type ACLConfig struct {
+	// Enabled controls if we are enforce and manage ACLs
+	Enabled bool `mapstructure:"enabled"`
+
+	// TokenTTL controls how long we cache ACL tokens. This controls
+	// how stale they can be when we are enforcing policies. Defaults
+	// to "30s". Reducing this impacts performance by forcing more
+	// frequent resolution.
+	TokenTTL time.Duration `mapstructure:"token_ttl"`
+
+	// PolicyTTL controls how long we cache ACL policies. This controls
+	// how stale they can be when we are enforcing policies. Defaults
+	// to "30s". Reducing this impacts performance by forcing more
+	// frequent resolution.
+	PolicyTTL time.Duration `mapstructure:"policy_ttl"`
+
+	// ReplicationToken is used by servers to replicate tokens and policies
+	// from the authoritative region. This must be a valid management token
+	// within the authoritative region.
+	ReplicationToken string `mapstructure:"replication_token"`
+}
+
 // ServerConfig is configuration specific to the server mode
 type ServerConfig struct {
 	// Enabled controls if we are a server
 	Enabled bool `mapstructure:"enabled"`
 
+	// AuthoritativeRegion is used to control which region is treated as
+	// the source of truth for global tokens and ACL policies.
+	AuthoritativeRegion string `mapstructure:"authoritative_region"`
+
 	// BootstrapExpect tries to automatically bootstrap the Consul cluster,
 	// by withholding peers until enough servers join.
 	BootstrapExpect int `mapstructure:"bootstrap_expect"`
@@ -565,6 +595,11 @@ func DefaultConfig() *Config {
 			RetryInterval:    "30s",
 			RetryMaxAttempts: 0,
 		},
+		ACL: &ACLConfig{
+			Enabled:   false,
+			TokenTTL:  30 * time.Second,
+			PolicyTTL: 30 * time.Second,
+		},
 		SyslogFacility: "LOCAL0",
 		Telemetry: &Telemetry{
 			CollectionInterval: "1s",
@@ -676,6 +711,14 @@ func (c *Config) Merge(b *Config) *Config {
 		result.Server = result.Server.Merge(b.Server)
 	}
 
+	// Apply the acl config
+	if result.ACL == nil && b.ACL != nil {
+		server := *b.ACL
+		result.ACL = &server
+	} else if b.ACL != nil {
+		result.ACL = result.ACL.Merge(b.ACL)
+	}
+
 	// Apply the ports config
 	if result.Ports == nil && b.Ports != nil {
 		ports := *b.Ports
@@ -902,6 +945,25 @@ func isTooManyColons(err error) bool {
 	return err != nil && strings.Contains(err.Error(), tooManyColons)
 }
 
+// Merge is used to merge two ACL configs together. The settings from the input always take precedence.
+func (a *ACLConfig) Merge(b *ACLConfig) *ACLConfig {
+	result := *a
+
+	if b.Enabled {
+		result.Enabled = true
+	}
+	if b.TokenTTL != 0 {
+		result.TokenTTL = b.TokenTTL
+	}
+	if b.PolicyTTL != 0 {
+		result.PolicyTTL = b.PolicyTTL
+	}
+	if b.ReplicationToken != "" {
+		result.ReplicationToken = b.ReplicationToken
+	}
+	return &result
+}
+
 // Merge is used to merge two server configs together
 func (a *ServerConfig) Merge(b *ServerConfig) *ServerConfig {
 	result := *a
@@ -909,6 +971,9 @@ func (a *ServerConfig) Merge(b *ServerConfig) *ServerConfig {
 	if b.Enabled {
 		result.Enabled = true
 	}
+	if b.AuthoritativeRegion != "" {
+		result.AuthoritativeRegion = b.AuthoritativeRegion
+	}
 	if b.BootstrapExpect > 0 {
 		result.BootstrapExpect = b.BootstrapExpect
 	}