From 4259ecd8bc80d60fda0525a940c87c4d815bea04 Mon Sep 17 00:00:00 2001
From: James Phillips <slackpad@gmail.com>
Date: Wed, 29 Mar 2017 12:24:42 -0700
Subject: [PATCH] Disables agent-level enforcement on Consul agents unless
 acl_datacenter is set.

---
 command/agent/acl.go                            |  8 +++++++-
 website/source/docs/agent/options.html.markdown | 13 ++++++-------
 website/source/docs/internals/acl.html.markdown | 17 ++++++++++++-----
 3 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/command/agent/acl.go b/command/agent/acl.go
index ee1aeb620..38646809e 100644
--- a/command/agent/acl.go
+++ b/command/agent/acl.go
@@ -170,7 +170,7 @@ func (m *aclManager) lookupACL(agent *Agent, id string) (acl.ACL, error) {
 	// At this point we might have a stale cached ACL, or none at all, so
 	// try to contact the servers.
 	args := structs.ACLPolicyRequest{
-		Datacenter: agent.config.Datacenter,
+		Datacenter: agent.config.ACLDatacenter,
 		ACL:        id,
 	}
 	if cached != nil {
@@ -242,6 +242,12 @@ func (a *Agent) resolveToken(id string) (acl.ACL, error) {
 		return nil, nil
 	}
 
+	// Bail if there's no ACL datacenter configured. This means that agent
+	// enforcement isn't on.
+	if a.config.ACLDatacenter == "" {
+		return nil, nil
+	}
+
 	// Bail if the ACL manager is disabled. This happens if it gets feedback
 	// from the servers that ACLs are disabled.
 	if a.acls.isDisabled() {
diff --git a/website/source/docs/agent/options.html.markdown b/website/source/docs/agent/options.html.markdown
index 60920d09e..81029c85b 100644
--- a/website/source/docs/agent/options.html.markdown
+++ b/website/source/docs/agent/options.html.markdown
@@ -422,13 +422,12 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
 
 #### Configuration Key Reference
 
-* <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - Only
-  used by servers. This designates the datacenter which
-  is authoritative for ACL information. It must be provided to enable ACLs.
-  All servers and datacenters must agree on the ACL datacenter. Setting it on
-  the servers is all you need for enforcement, but for the APIs to forward properly
-  from the clients, it must be set on them too. Future changes may move
-  enforcement to the edges, so it's best to just set `acl_datacenter` on all nodes.
+* <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - This designates
+  the datacenter which is authoritative for ACL information. It must be provided to enable ACLs.
+  All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all
+  you need for cluster-level enforcement, but for the APIs to forward properly from the clients,
+  it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement
+  of ACLs. Please see the [ACL internals guide](/docs/internals/acl.html) for more details.
 
 * <a name="acl_default_policy"></a><a href="#acl_default_policy">`acl_default_policy`</a> - Either
   "allow" or "deny"; defaults to "allow". The default policy controls the behavior of a token when
diff --git a/website/source/docs/internals/acl.html.markdown b/website/source/docs/internals/acl.html.markdown
index d0231ef84..4159c26fa 100644
--- a/website/source/docs/internals/acl.html.markdown
+++ b/website/source/docs/internals/acl.html.markdown
@@ -579,11 +579,18 @@ Since clients now resolve ACLs locally, the [`acl_down_policy`](/docs/agent/opti
 now applies to Consul clients as well as Consul servers. This will determine what the
 client will do in the event that the servers are down.
 
-Consul clients *do not* need to have the [`acl_master_token`](/docs/agent/options.html#acl_agent_master_token)
-or the [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) configured. They will
-contact the Consul servers to determine if ACLs are enabled. If they detect that ACLs are
-not enabled, they will check at most every 2 minutes to see if they have become enabled, and
-will start enforcing ACLs automatically.
+Consul clients must have [`acl_datacenter`](/docs/agent/options.html#acl_datacenter) configured
+in order to enable agent-level ACL features. If this is set, the agents will contact the Consul
+servers to determine if ACLs are enabled at the cluster level. If they detect that ACLs are not
+enabled, they will check at most every 2 minutes to see if they have become enabled, and will
+start enforcing ACLs automatically. If an agent has an `acl_datacenter` defined, operators will
+need to use the [`acl_agent_master_token`](/docs/agent/options.html#acl_agent_master_token) to
+perform agent-level operations if the Consul servers aren't present (such as for a manual join
+to the cluster), unless the [`acl_down_policy`](/docs/agent/options.html#acl_down_policy) on the
+agent is set to "allow".
+
+Non-server agents do not need to have the [`acl_master_token`](/docs/agent/options.html#acl_agent_master_token)
+configured; it is not used by agents in any way.
 
 #### New ACL Policies