docs: describe required ACLs for all commands

command/acl_policy_apply.go

@@ -21,6 +21,8 @@ Usage: nomad acl policy apply [options] <name> <path>
   Apply is used to create or update an ACL policy. The policy is
   sourced from <path> or from stdin if path is "-".
 
+  This command requires a management ACL token.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault|usageOptsNoNamespace) + `

command/acl_policy_delete.go

@@ -17,6 +17,8 @@ Usage: nomad acl policy delete <name>
 
   Delete is used to delete an existing ACL policy.
 
+  This command requires a management ACL token.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault|usageOptsNoNamespace)

command/acl_policy_info.go

@@ -17,6 +17,9 @@ Usage: nomad acl policy info <name>
 
   Info is used to fetch information on an existing ACL policy.
 
+  This command requires a management ACL token or a token that has the
+  associated policy.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault|usageOptsNoNamespace)

command/acl_policy_list.go

@@ -18,6 +18,9 @@ Usage: nomad acl policy list
 
   List is used to list available ACL policies.
 
+  This command requires a management ACL token to view all policies. A
+  non-management token can query its own policies.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault|usageOptsNoNamespace) + `

command/agent_info.go

@@ -18,6 +18,9 @@ Usage: nomad agent-info [options]
 
   Display status information about the local agent.
 
+  When ACLs are enabled, this command requires a token with the 'agent:read'
+  capability.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault|usageOptsNoNamespace)

command/agent_monitor.go

@@ -27,6 +27,9 @@ Usage: nomad monitor [options]
   example your agent may only be logging at INFO level, but with the monitor
   command you can set -log-level DEBUG
 
+  When ACLs are enabled, this command requires a token with the 'agent:read'
+  capability.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault|usageOptsNoNamespace) + `

command/alloc_exec.go

@@ -32,6 +32,12 @@ Usage: nomad alloc exec [options] <allocation> <command>
 
   Run command inside the environment of the given allocation and task.
 
+  When ACLs are enabled, this command requires a token with the 'alloc-exec',
+  'read-job', and 'list-jobs' capabilities for the allocation's namespace. If
+  the task driver does not have file system isolation (as with 'raw_exec'),
+  this command requires the 'alloc-node-exec', 'read-job', and 'list-jobs'
+  capabilities for the allocation's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/alloc_fs.go

@@ -36,9 +36,12 @@ func (f *AllocFSCommand) Help() string {
 Usage: nomad alloc fs [options] <allocation> <path>
 Alias: nomad fs
 
-  fs displays either the contents of an allocation directory for the passed allocation,
-  or displays the file at the given path. The path is relative to the root of the alloc
-  dir and defaults to root if unspecified.
+  fs displays either the contents of an allocation directory for the passed
+  allocation, or displays the file at the given path. The path is relative to
+  the root of the alloc dir and defaults to root if unspecified.
+
+  When ACLs are enabled, this command requires a token with the 'read-fs',
+  'read-job', and 'list-jobs' capabilities for the allocation's namespace.
 
 General Options:
 

command/alloc_logs.go

@@ -26,6 +26,9 @@ Alias: nomad logs
 
   Streams the stdout/stderr of the given allocation and task.
 
+  When ACLs are enabled, this command requires a token with the 'read-logs',
+  'read-job', and 'list-jobs' capabilities for the allocation's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/alloc_restart.go

@@ -17,10 +17,14 @@ func (a *AllocRestartCommand) Help() string {
 	helpText := `
 Usage: nomad alloc restart [options] <allocation> <task>
 
-  restart an existing allocation. This command is used to restart a specific alloc
+  Restart an existing allocation. This command is used to restart a specific alloc
   and its tasks. If no task is provided then all of the allocation's tasks will
   be restarted.
 
+  When ACLs are enabled, this command requires a token with the
+  'alloc-lifecycle', 'read-job', and 'list-jobs' capabilities for the
+  allocation's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/alloc_signal.go

@@ -21,6 +21,10 @@ Usage: nomad alloc signal [options] <signal> <allocation> <task>
   and its subtasks. If no task is provided then all of the allocations subtasks
   will receive the signal.
 
+  When ACLs are enabled, this command requires a token with the
+  'alloc-lifecycle', 'read-job', and 'list-jobs' capabilities for the
+  allocation's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/alloc_status.go

@@ -29,6 +29,9 @@ Usage: nomad alloc status [options] <allocation>
   status, metadata, and verbose failure messages reported by internal
   subsystems.
 
+  When ACLs are enabled, this command requires a token with the 'read-job' and
+  'list-jobs' capabilities for the allocation's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/alloc_stop.go

@@ -16,12 +16,16 @@ func (a *AllocStopCommand) Help() string {
 Usage: nomad alloc stop [options] <allocation>
 Alias: nomad stop
 
-  stop an existing allocation. This command is used to signal a specific alloc
+  Stop an existing allocation. This command is used to signal a specific alloc
   to shut down. When the allocation has been shut down, it will then be
   rescheduled. An interactive monitoring session will display log lines as the
   allocation completes shutting down. It is safe to exit the monitor early with
   ctrl-c.
 
+  When ACLs are enabled, this command requires a token with the
+  'alloc-lifecycle', 'read-job', and 'list-jobs' capabilities for the
+  allocation's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/deployment_fail.go

@@ -21,6 +21,9 @@ Usage: nomad deployment fail [options] <deployment id>
   if the job is configured to auto revert, the job will attempt to roll back to a
   stable version.
 
+  When ACLs are enabled, this command requires a token with the 'submit-job'
+  and 'read-job' capabilities for the deployment's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/deployment_list.go

@@ -18,6 +18,9 @@ Usage: nomad deployment list [options]
 
   List is used to list the set of deployments tracked by Nomad.
 
+  When ACLs are enabled, this command requires a token with the 'read-job'
+  capability for the deployment's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/deployment_pause.go

@@ -19,6 +19,9 @@ Usage: nomad deployment pause [options] <deployment id>
   Pause is used to pause a deployment. Pausing a deployment will pause the
   placement of new allocations as part of rolling deployment.
 
+  When ACLs are enabled, this command requires a token with the 'submit-job'
+  and 'read-job' capabilities for the deployment's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/deployment_promote.go

@@ -26,6 +26,9 @@ Usage: nomad deployment promote [options] <deployment id>
   the job can be failed forward by submitting a new version or failed backwards by
   reverting to an older version using the "nomad job revert" command.
 
+  When ACLs are enabled, this command requires a token with the 'submit-job'
+  and 'read-job' capabilities for the deployment's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/deployment_resume.go

@@ -19,6 +19,9 @@ Usage: nomad deployment resume [options] <deployment id>
   Resume is used to unpause a paused deployment. Resuming a deployment will
   resume the placement of new allocations as part of rolling deployment.
 
+  When ACLs are enabled, this command requires a token with the 'submit-job'
+  and 'read-job' capabilities for the deployment's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/deployment_status.go

@@ -22,6 +22,9 @@ Usage: nomad deployment status [options] <deployment id>
   Status is used to display the status of a deployment. The status will display
   the number of desired changes as well as the currently applied changes.
 
+  When ACLs are enabled, this command requires a token with the 'read-job'
+  capability for the deployment's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/deployment_unblock.go

@@ -19,6 +19,9 @@ Usage: nomad deployment unblock [options] <deployment id>
   Unblock is used to unblock a multiregion deployment that's waiting for
   peer region deployments to complete.
 
+  When ACLs are enabled, this command requires a token with the 'submit-job'
+  and 'read-job' capabilities for the deployment's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/event_sink_deregister.go

@@ -12,7 +12,9 @@ func (c *EventSinkDeregisterCommand) Help() string {
 	helpText := `
 Usage: nomad event sink deregister <event sink id>
 
-   Deregister is used to deregister a registered event sink.
+  Deregister is used to deregister a registered event sink.
+
+  When ACLs are enabled, this command requires a management token.
 
 General Options:
 

command/event_sink_list.go

@@ -16,7 +16,10 @@ func (c *EventSinkListCommand) Help() string {
 	helpText := `
 Usage: nomad event sink list
 
-    List is used to list event sinks that have been registered.
+  List is used to list event sinks that have been registered.
+
+  When ACLs are enabled, this command requires a token with the
+  'operator:read' capability.
 
 General Options:
 

command/event_sink_register.go

@@ -20,8 +20,10 @@ func (c *EventSinkRegisterCommand) Help() string {
 	helpText := `
 Usage: nomad event sink register <path>
 
-   Register is used to register a new event sink. The event sink is
-   sourced from <path> or from stdin if path is "-".
+  Register is used to register a new event sink. The event sink is
+  sourced from <path> or from stdin if path is "-".
+
+  When ACLs are enabled, this command requires a management token.
 
 General Options:
 

command/job_deployments.go

@@ -19,6 +19,9 @@ Usage: nomad job deployments [options] <job>
 
   Deployments is used to display the deployments for a particular job.
 
+  When ACLs are enabled, this command requires a token with the 'read-job' and
+  'list-jobs' capabilities for the job's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/job_dispatch.go

@@ -28,6 +28,9 @@ Usage: nomad job dispatch [options] <parameterized job> [input source]
   triggered evaluation will be monitored. This can be disabled by supplying the
   detach flag.
 
+  When ACLs are enabled, this command requires a token with the 'dispatch-job'
+  capability for the job's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/job_eval.go

@@ -18,9 +18,13 @@ func (c *JobEvalCommand) Help() string {
 	helpText := `
 Usage: nomad job eval [options] <job_id>
 
-  Force an evaluation of the provided job ID. Forcing an evaluation will trigger the scheduler
-  to re-evaluate the job. The force flags allow operators to force the scheduler to create
-  new allocations under certain scenarios.
+  Force an evaluation of the provided job ID. Forcing an evaluation will
+  trigger the scheduler to re-evaluate the job. The force flags allow
+  operators to force the scheduler to create new allocations under certain
+  scenarios.
+
+  When ACLs are enabled, this command requires a token with the 'submit-job'
+  capability for the job's namespace.
 
 General Options:
 

command/job_history.go

@@ -26,6 +26,9 @@ Usage: nomad job history [options] <job>
   the changes that occurred to the job as well as deciding job versions to revert
   to.
 
+  When ACLs are enabled, this command requires a token with the 'read-job' and
+  'list-jobs' capabilities for the job's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/job_inspect.go

@@ -20,6 +20,9 @@ Alias: nomad inspect
 
   Inspect is used to see the specification of a submitted job.
 
+  When ACLs are enabled, this command requires a token with the 'read-job' and
+  'list-jobs' capabilities for the job's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/job_periodic_force.go

@@ -20,6 +20,9 @@ Usage: nomad job periodic force <job id>
   This is used to immediately run a periodic job, even if it violates the job's
   prohibit_overlap setting.
 
+  When ACLs are enabled, this command requires a token with the 'submit-job'
+  and 'list-jobs' capabilities for the job's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/job_plan.go

@@ -63,6 +63,9 @@ Alias: nomad plan
     * 1: Allocations created or destroyed.
     * 255: Error determining plan results.
 
+  When ACLs are enabled, this command requires a token with the 'submit-job'
+  capability for the job's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/job_promote.go

@@ -27,6 +27,9 @@ Usage: nomad job promote [options] <job id>
   a new version or failed backwards by reverting to an older version using the
   "nomad job revert" command.
 
+  When ACLs are enabled, this command requires a token with the 'submit-job',
+  'list-jobs', and 'read-job' capabilities for the job's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/job_revert.go

@@ -21,6 +21,9 @@ Usage: nomad job revert [options] <job> <version>
   Revert is used to revert a job to a prior version of the job. The available
   versions to revert to can be found using "nomad job history" command.
 
+  When ACLs are enabled, this command requires a token with the 'submit-job'
+  and 'list-jobs' capabilities for the job's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/job_run.go

@@ -61,6 +61,12 @@ Alias: nomad run
   precedence, going from highest to lowest: the -vault-token flag, the
   $VAULT_TOKEN environment variable and finally the value in the job file.
 
+  When ACLs are enabled, this command requires a token with the 'submit-job'
+  capability for the job's namespace. Jobs that mount CSI volumes require a
+  token with the 'csi-mount-volume' capability for the volume's
+  namespace. Jobs that mount host volumes require a token with the
+  'host_volume' capability for that volume.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/job_scale.go

@@ -32,6 +32,9 @@ Usage: nomad job scale [options] <job> [<group>] <count>
   onto nodes. The monitor will end once job placement is done. It
   is safe to exit the monitor early using ctrl+c.
 
+  When ACLs are enabled, this command requires a token with the 'scale-job'
+  capability for the job's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/job_scaling_events.go

@@ -27,6 +27,9 @@ Usage: nomad job scaling-events [options] <args>
 
   List the scaling events for the specified job.
 
+  When ACLs are enabled, this command requires a token with the
+  'read-job-scaling' capability for the job's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `

command/job_status.go

@@ -33,6 +33,9 @@ Usage: nomad status [options] <job>
   Display status information about a job. If no job ID is given, a list of all
   known jobs will be displayed.
 
+  When ACLs are enabled, this command requires a token with the 'read-job' and
+  'list-jobs' capabilities for the job's namespace.
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `