Fixes

2017-09-27 13:42:56 -07:00 · 2017-09-27 13:42:56 -07:00 · 765b030bec
parent 14e6026938
commit 765b030bec
2 changed files with 15 additions and 5 deletions
--- a/nomad/acl_endpoint.go
+++ b/nomad/acl_endpoint.go
@ -627,6 +627,11 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
 		return err
 	}

+	// Ensure ACLs are enabled and this call is made with one
+	if acl == nil {
+		return structs.ErrPermissionDenied
+	}
+
 	// Setup the blocking query
 	opts := blockingOptions{
 		queryOpts: &args.QueryOptions,
@ -638,12 +643,17 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
 				return err
 			}

-			// Check management level permissions or that the secret ID matches the
-			// accessor ID
-			if acl != nil && out != nil {
-				if !acl.IsManagement() && out.SecretID != args.SecretID {
+			if out == nil {
+				// If the token doesn't resolve, only allow management tokens to
+				// block.
+				if !acl.IsManagement() {
 					return structs.ErrPermissionDenied
 				}
+
+				// Check management level permissions or that the secret ID matches the
+				// accessor ID
+			} else if !acl.IsManagement() && out.SecretID != args.SecretID {
+				return structs.ErrPermissionDenied
 			}

 			// Setup the output
--- a/website/source/api/acl-tokens.html.md
+++ b/website/source/api/acl-tokens.html.md
@ -241,7 +241,7 @@ The table below shows this endpoint's support for

 | Blocking Queries | Consistency Modes | ACL Required |
 | ---------------- | ----------------- | ------------ |
-| `YES`            | `all`             | `management` for query other tokens<br>Matching SecretID to AccessorID for querying self |
+| `YES`            | `all`             | `management` or a SecretID matching the AccessorID |

 ### Sample Request