From e0a9dc1c58779bf6f5c712667bbdceb800ef8669 Mon Sep 17 00:00:00 2001
From: Alex Dadgar <alex.dadgar@gmail.com>
Date: Mon, 23 Oct 2017 15:11:13 -0700
Subject: [PATCH] clear the token

---
 nomad/acl.go    | 2 +-
 nomad/leader.go | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/nomad/acl.go b/nomad/acl.go
index 1743c85e4..902ef933c 100644
--- a/nomad/acl.go
+++ b/nomad/acl.go
@@ -21,7 +21,7 @@ func (s *Server) ResolveToken(secretID string) (*acl.ACL, error) {
 
 	// Check if the secret ID is the leader secret ID, in which case treat it as
 	// a management token.
-	if secretID == s.getLeaderAcl() {
+	if leaderAcl := s.getLeaderAcl(); leaderAcl != "" && secretID == leaderAcl {
 		return acl.ManagementACL, nil
 	}
 
diff --git a/nomad/leader.go b/nomad/leader.go
index bbc469e54..8a4d2dbab 100644
--- a/nomad/leader.go
+++ b/nomad/leader.go
@@ -522,6 +522,9 @@ func (s *Server) periodicUnblockFailedEvals(stopCh chan struct{}) {
 // revokeLeadership is invoked once we step down as leader.
 // This is used to cleanup any state that may be specific to a leader.
 func (s *Server) revokeLeadership() error {
+	// Clear the leader token since we are no longer the leader.
+	s.setLeaderAcl("")
+
 	// Disable the plan queue, since we are no longer leader
 	s.planQueue.SetEnabled(false)