Subscribing to an event topic without a filter using the Go SDK can fail #27063

@katiekloss

Nomad version

Nomad v1.10.5
BuildDate 2025-09-09T14:36:45Z
Revision a3b86c6

Operating system and Environment details

Go package github.com/hashicorp/nomad/api v0.0.0-20251104171905-3f42610f2ab1

Issue

The Go SDK client returns a 403 error when subscribing to events if no filter keys are provided for a topic and a client token is provided, even if the token has the correct capability for the requested topic.

Reproduction steps

Call api.NewClient to construct nomadClient as usual, provide a secret ID for a token which has the read-job capability on the * namespace, and then:

ev, err := nomadClient.EventStream().Stream(
	context.Background(),
	map[nomad.Topic][]string{
		nomad.TopicJob: {}},
	0,
	&nomad.QueryOptions{})

Expected Result

The client issues a request to /v1/event/stream?topic=Job&index=0 which returns 200 and begins streaming all Job events.

Actual Result

The request is issued to /v1/event/stream?index=0, which has no topic specified, so the API bypasses the ACL checks and instead requires a management token.

Additional Info

Per the API documentation:

A valid topic parameter includes a topic type and an optional filter_key separated by a colon :

I expected that providing an empty slice of filter keys to the Stream function would indicate that I want to subscribe to all jobs, since the filter key is optional in the API itself.

Instead, the SDK's request only contains the topic query parameter if I provide an explicit wildcard filter key, like so:

ev, err := nomadClient.EventStream().Stream(
	context.Background(),
	map[nomad.Topic][]string{
		nomad.TopicJob: {"*"}},
	0,
	&nomad.QueryOptions{})
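
The behaviour reported above and the wildcard workaround, as an added example that is not part of the original issue and is not the Nomad SDK's own code. `Topic`, `observedParams`, `withWildcards` and `streamQuery` are hypothetical names, and `observedParams` only models the request URLs described in the report (one `topic` parameter per filter key); normalizing the topic map before calling `Stream` keeps a `read-job` token usable without resorting to a management token.

```go
package main

import (
	"fmt"
	"net/url"
)

// Topic is a local stand-in for the SDK's string-typed topic name (assumption).
type Topic string

// observedParams models the behaviour described in the report: one
// topic=Type:key pair per filter key, so a topic with zero keys adds nothing.
func observedParams(topics map[Topic][]string) url.Values {
	v := url.Values{}
	for topic, keys := range topics {
		for _, k := range keys {
			v.Add("topic", fmt.Sprintf("%s:%s", topic, k))
		}
	}
	return v
}

// withWildcards returns a copy in which every topic that has no filter keys
// gets the explicit "*" key, the workaround shown in the issue. The caller's
// map and slices are left untouched.
func withWildcards(topics map[Topic][]string) map[Topic][]string {
	out := make(map[Topic][]string, len(topics))
	for topic, keys := range topics {
		if len(keys) == 0 {
			keys = []string{"*"}
		}
		out[topic] = append([]string(nil), keys...)
	}
	return out
}

// streamQuery renders the query string that would follow /v1/event/stream?
func streamQuery(v url.Values, index uint64) string {
	v.Set("index", fmt.Sprint(index))
	return v.Encode()
}

func main() {
	topics := map[Topic][]string{"Job": {}} // constructed input matching the report
	fmt.Println("as reported:   ", streamQuery(observedParams(topics), 0))
	fmt.Println("with wildcards:", streamQuery(observedParams(withWildcards(topics)), 0))
}
```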


Status: In Progress
