Open ChefAustin opened 2 weeks ago
Hi @ChefAustin, thanks for raising this ticket — you're right that this is not great DX, we're probably overly tight on disabling that button based on namespace, and should take a more "If any namespace is allowed, make show the enabled button, and sort out the namespace on the subsequent page" approach. I believe we do exactly this in the /jobs creation flow.
I'll give this a look soon, otherwise, happy to accept PRs.
Nomad version
Operating system and Environment details
Issue
Nomad Operators with access limited to a singular namespace cannot click "+ Create Variable" button from Variables UI page when within the
/nomad/jobs/
path (/ui/variables/nomad/jobs/
) as it is greyed out but the button is able to be clicked from the main Nomad Variables UI page (/ui/variables/
) but that then requires them to typenomad/jobs/someJobName
in the "Path" field during creation.Conversely, one workaround for this is to explicitly add the respective namespace query parameter to the URL (i.e.
/ui/variables/path/nomad/jobs?namespace=<someNamespace>
) and then they are able to use the "+ Create Variable" button from that page view (whereby "Path" field is pre-populated). This is obscure as the page view already filters-out items from the Nomad Variables table which do not correspond to the authenticated user's permitted namespace.In our case have a internal team ("cpe" ) that acts as Nomad Operators within their own eponymous namespace. They authenticate to Nomad via OIDC and assume a role with the following ACL policy:
When they go to Nomad Variables UI page (
/ui/variables/
) they are able to create a variable from that view.When they then click into the
nomad/jobs/
path (/ui/variables/path/nomad/jobs
), they are unable to create a variable from that view.If they then modify the URL to explicitly include the namespace query param (
/ui/variables/path/nomad/jobs?namespace=cpe
), they are then able to create a variable from that view.In my eyes, this is undesirable behavior (but perhaps I'm just not understanding the underlying design decision behind this).