hashicorp · vky5 · Jun 11, 2026 · Jun 11, 2026
@@ -157,7 +157,7 @@ rules:
             return structs.ErrPermissionDenied
           }
           ...
-          if err := $A.$B.AuthorizeClientAllocation(aclObj, ..., ...); err != nil {
+          if err := $A.$B.AuthorizeClientAllocation(..., aclObj, ..., ...); err != nil {
             return err
           }
           ...

@@ -29,11 +29,12 @@ func (s *Server) ResolveAuthorizedClientNodePoolByNodeID(aclObj *acl.ACL, nodeID
 }
 
 func (s *Server) AuthorizeClientAllocation(
+	identity *structs.AuthenticatedIdentity,
 	aclObj *acl.ACL,
 	alloc *structs.Allocation,
 	allowNsOp func(*acl.ACL, string) bool,
 ) error {
-	return s.auth.AuthorizeClientAllocation(aclObj, alloc, allowNsOp)
+	return s.auth.AuthorizeClientAllocation(identity, aclObj, alloc, allowNsOp)
 }
 
 func (s *Server) ResolveAuthorizedClientNodePoolByServiceRegistrationID(

@@ -165,7 +165,7 @@ func (a *Alloc) GetAlloc(args *structs.AllocSpecificRequest,
 				reply.Alloc = out
 
 				// Re-check namespace in case it differs from request.
-				if err := a.srv.AuthorizeClientAllocation(aclObj, out, allowNsOp); err != nil {
+				if err := a.srv.AuthorizeClientAllocation(args.GetIdentity(), aclObj, out, allowNsOp); err != nil {
 					return structs.NewErrUnknownAllocation(args.AllocID)
 				}
 
@@ -231,7 +231,7 @@ func (a *Alloc) GetAllocs(args *structs.AllocsGetRequest,
 					continue
 				}
 
-				if err := a.srv.AuthorizeClientAllocation(aclObj, out, nil); err != nil {
+				if err := a.srv.AuthorizeClientAllocation(args.GetIdentity(), aclObj, out, nil); err != nil {
 					return err
 				}
 
@@ -492,7 +492,7 @@ func (a *Alloc) SignIdentities(args *structs.AllocIdentitiesRequest, reply *stru
 					continue
 				}
 
-				if err := a.srv.AuthorizeClientAllocation(aclObj, out, nil); err != nil {
+				if err := a.srv.AuthorizeClientAllocation(args.GetIdentity(), aclObj, out, nil); err != nil {
 					return err
 				}
 

@@ -665,6 +665,7 @@ func (s *Authenticator) ResolveAuthorizedClientNodePoolByNodeID(aclObj *acl.ACL,
 // fall back to namespace-based authorization when client-scoped authorization
 // does not apply.
 func (s *Authenticator) AuthorizeClientAllocation(
+	identity *structs.AuthenticatedIdentity,
 	aclObj *acl.ACL,
 	alloc *structs.Allocation,
 	allowNsOp func(*acl.ACL, string) bool,
@@ -673,6 +674,10 @@ func (s *Authenticator) AuthorizeClientAllocation(
 		return structs.ErrPermissionDenied
 	}
 
+	if identity != nil && AuthorizeSameNode(identity, alloc.NodeID) == nil {
+		return nil
+	}
+
 	if aclObj.AllowClientOp(alloc.Job.NodePool) {
 		return nil
 	}

@@ -1713,14 +1713,37 @@ func TestResolveAuthorizedClientNodePoolHelpers(t *testing.T) {
 	t.Run("authorize client allocation", func(t *testing.T) {
 		alloc := mock.Alloc()
 		alloc.Job.NodePool = node.NodePool
+		alloc.NodeID = node.ID
 
-		must.NoError(t, auth.AuthorizeClientAllocation(aclObj, alloc, nil))
-		must.ErrorIs(t, auth.AuthorizeClientAllocation(acl.NewClientACL("other-pool"), alloc, nil), structs.ErrPermissionDenied)
+		must.NoError(t, auth.AuthorizeClientAllocation(nil, aclObj, alloc, nil))
+		must.ErrorIs(t, auth.AuthorizeClientAllocation(nil, acl.NewClientACL("other-pool"), alloc, nil), structs.ErrPermissionDenied)
 		must.NoError(t, auth.AuthorizeClientAllocation(
+			nil,
 			acl.NewClientACL("other-pool"),
 			alloc,
 			func(_ *acl.ACL, ns string) bool { return ns == alloc.Namespace },
 		))
+
+		// Test identity-based authorization when node pool mismatches
+		matchingIdentity := &structs.AuthenticatedIdentity{
+			ClientID: node.ID,
+		}
+		must.NoError(t, auth.AuthorizeClientAllocation(
+			matchingIdentity,
+			acl.NewClientACL("other-pool"),
+			alloc,
+			nil,
+		))
+
+		mismatchIdentity := &structs.AuthenticatedIdentity{
+			ClientID: "other-node",
+		}
+		must.ErrorIs(t, auth.AuthorizeClientAllocation(
+			mismatchIdentity,
+			acl.NewClientACL("other-pool"),
+			alloc,
+			nil,
+		), structs.ErrPermissionDenied)
 	})
 
 	t.Run("resolve by service registration id", func(t *testing.T) {