From 33c0de708d1d95d6a7bfb3409d14349f3054ca57 Mon Sep 17 00:00:00 2001 From: Laurent Raufaste Date: Thu, 30 Oct 2014 21:44:23 -0400 Subject: [PATCH] ACL doc clarification Fixes #443 --- website/source/docs/agent/options.html.markdown | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/website/source/docs/agent/options.html.markdown b/website/source/docs/agent/options.html.markdown index 98fa59be8f..b34c555e9e 100644 --- a/website/source/docs/agent/options.html.markdown +++ b/website/source/docs/agent/options.html.markdown @@ -178,7 +178,12 @@ definitions support being updated during a reload. * `acl_datacenter` - Only used by servers. This designates the datacenter which is authoritative for ACL information. It must be provided to enable ACLs. - All servers and datacenters must agree on the ACL datacenter. + All servers and datacenters must agree on the ACL datacenter. Setting it on + the servers is all you need for enforcement, but for the APIs to work on the + clients, it must be set (to forward properly). Also, if we want to enhance + the ACL support for other features like service discovery, enforcement + might move to the edges, so it's best to just set the acl_datacenter on all + the nodes. * `acl_default_policy` - Either "allow" or "deny", defaults to "allow". The default policy controls the behavior of a token when there is no matching
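Review bot: The unchanged context line "Only used by servers." at the top of the `acl_datacenter` entry now contradicts the added text, which says the option must also be set on clients for the APIs to forward properly and recommends setting it on all the nodes. Reword that opening sentence in the same change so it states that servers use the value for enforcement and clients use it for forwarding. Otherwise a reader who stops at the first sentence will still leave it off client agents. In the added sentence "it must be set (to forward properly)", say explicitly where it must be set (on the clients) and what is forwarded, since the parenthetical leaves both implicit. The sentence starting "Also, if we want to enhance the ACL support" describes a possible future design rather than current behavior. In an options reference, consider reducing it to the recommendation itself (set it on all nodes) and keeping the roadmap reasoning in the commit message or issue #443. Finally, the last added line writes acl_datacenter without backticks while the rest of the entry uses `acl_datacenter`; match the existing formatting.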