hashicorp / nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
https://www.nomadproject.io/

Service identities from roles are ignored when checking Consul ACLs #18428

Open sorenisanerd opened 1 year ago

sorenisanerd commented 1 year ago

I think a bit of Terraform demonstrates the problem best:

# mysvc.tf

# The token carries no direct policies or service identities: everything it
# is allowed to do comes from the attached role.
resource "consul_acl_token" "mysvc" {
    roles = [consul_acl_role.mysvc.name]
}

# The role grants write on service "mysvc" through a service identity.
resource "consul_acl_role" "mysvc" {
    name = "mysvc"
    service_identities {
        service_name = "mysvc"
    }
}

# The job is submitted with that token as the job-submitter Consul token.
resource "nomad_job" "mysvc" {
    jobspec = file("${path.module}/mysvc.nomad")
    consul_token = data.consul_acl_token_secret_id.mysvc.secret_id
}

data "consul_acl_token_secret_id" "mysvc" {
    accessor_id = consul_acl_token.mysvc.id
}

# mysvc.nomad
job "mysvc" {
  group "mysvc" {
    network {
      mode = "bridge"
      port "http" {}
    }
    # Registering this service in Consul is what requires service:write.
    service {
      provider = "consul"
      name     = "mysvc"
      port     = "http"
    }

    task "mysvc" {
      [...]
    }
  }
}

Attempting to apply that Terraform code yields:

Error submitting job: Unexpected response code: 500 (rpc error: job-submitter consul token denied: insufficient Consul ACL permissions to write service "mysvc")

nomad.consulACLsAPI.canWriteService goes through:

Notably absent is a check for service identities in the roles assigned to the token.
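To make the gap concrete, here is an added Go example that is not Nomad's code and does not use the Consul API types: it models a token whose only grant is a role carrying a service identity, and resolves "may this token write service X" once without walking roles (the behaviour the report describes) and once with roles included. The ACL structs, the in-memory store, the toy policy-rule parser (only the `service "x" { policy = "write" }` form) and the `ExampleStore` data are all assumptions made for the example; which sources Nomad's real `canWriteService` consults is not shown on this page, only that role service identities are missing.

```go
package main

import (
	"fmt"
	"regexp"
)

// Simplified stand-ins for Consul ACL objects, constructed for this example
// (not the Consul API types).
type ServiceIdentity struct{ ServiceName string }
type Role struct {
	Policies          []string // names of policies attached to the role
	ServiceIdentities []ServiceIdentity
}
type Token struct {
	Policies          []string // policies attached directly to the token
	Roles             []string // names of roles attached to the token
	ServiceIdentities []ServiceIdentity
}

// ACLStore is an in-memory stand-in for the Consul server; Policies maps a
// policy name to its rules text.
type ACLStore struct {
	Policies map[string]string
	Roles    map[string]Role
	Tokens   map[string]Token
}

// writeRuleRE matches `service "x" { policy = "write" }`. service_prefix
// rules, nested blocks and "deny" precedence are deliberately not modelled.
var writeRuleRE = regexp.MustCompile(`\bservice\s+"([^"]*)"\s*\{\s*policy\s*=\s*"write"\s*\}`)

// addAttached records the services writable through a list of policies and a
// list of service identities. A service identity grants write on the service
// itself and on its sidecar proxy.
func (s *ACLStore) addAttached(writable map[string]bool, policies []string, sis []ServiceIdentity) error {
	for _, name := range policies {
		rules, ok := s.Policies[name]
		if !ok {
			return fmt.Errorf("unknown policy %q", name)
		}
		for _, m := range writeRuleRE.FindAllStringSubmatch(rules, -1) {
			writable[m[1]] = true
		}
	}
	for _, si := range sis {
		writable[si.ServiceName] = true
		writable[si.ServiceName+"-sidecar-proxy"] = true
	}
	return nil
}

// CanWriteService returns nil when the token may register service. With
// walkRoles false, roles attached to the token are never consulted, which
// reproduces the gap in the report; true is the corrected check.
// Unknown policy or role names fail closed.
func (s *ACLStore) CanWriteService(tok Token, service string, walkRoles bool) error {
	writable := map[string]bool{}
	if err := s.addAttached(writable, tok.Policies, tok.ServiceIdentities); err != nil {
		return err
	}
	if walkRoles {
		for _, name := range tok.Roles {
			r, ok := s.Roles[name]
			if !ok {
				return fmt.Errorf("unknown role %q", name)
			}
			if err := s.addAttached(writable, r.Policies, r.ServiceIdentities); err != nil {
				return err
			}
		}
	}
	if !writable[service] {
		return fmt.Errorf("insufficient Consul ACL permissions to write service %q", service)
	}
	return nil
}

// ExampleStore builds the report's scenario as constructed data: a role
// carrying a service identity for "mysvc", a token that has only that role,
// and a second token granted the same service through a direct policy.
func ExampleStore() *ACLStore {
	return &ACLStore{
		Policies: map[string]string{"mysvc-write": `service "mysvc" { policy = "write" }`},
		Roles:    map[string]Role{"mysvc": {ServiceIdentities: []ServiceIdentity{{ServiceName: "mysvc"}}}},
		Tokens: map[string]Token{
			"via-role":   {Roles: []string{"mysvc"}},
			"via-policy": {Policies: []string{"mysvc-write"}},
		},
	}
}

func main() {
	s := ExampleStore()
	tok := s.Tokens["via-role"]
	fmt.Println("ignoring roles:", s.CanWriteService(tok, "mysvc", false))
	fmt.Println("walking roles: ", s.CanWriteService(tok, "mysvc", true))
}
```

Run as-is, the first line reports the same denial as the error above for the role-only token, and the second succeeds. The practical check for anyone hitting this on an affected Nomad version is the one the example encodes: a token that reaches service:write only through a role's service identity will be rejected, while a token with the equivalent grant attached directly (policy or service identity on the token itself) is accepted.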

tgross commented 1 year ago

Hi @sorenisanerd I agree this seems straightforwardly a bug. We're also in the middle of deprecating this whole process for Nomad 1.7.0 so that we can use Workload Identity for jobs that need service identities, and this code will be removed outright in Nomad 1.9.0.

That being said, I don't love leaving a known bug around until 1.9.0. I'll mark this for roadmapping but it's also likely a small enough fix that we could take a community contribution, so I'll mark it as such for that as well.

sorenisanerd commented 7 months ago

I've moved entirely to the workload identity approach, so this does not affect me anymore. As such, I'm not investing more effort here.