hashicorp / nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
https://www.nomadproject.io/

Operators with ACL-Limited Namespace Access Can't Easily Create Variable in `nomad/jobs` Path #23905

Open ChefAustin opened 2 weeks ago

ChefAustin commented 2 weeks ago

Nomad version

$ nomad version
Nomad v1.8.3+ent
BuildDate 2024-08-13T07:52:39Z
Revision 82fa712be0e7c1e07d6d630e0583c188347411ee

Operating system and Environment details

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.4 LTS"

Issue

Nomad Operators with access limited to a singular namespace cannot click the "+ Create Variable" button from the Variables UI page when within the /nomad/jobs/ path (/ui/variables/nomad/jobs/), as it is greyed out. The button can be clicked from the main Nomad Variables UI page (/ui/variables/), but that then requires them to type nomad/jobs/someJobName in the "Path" field during creation.

Conversely, one workaround for this is to explicitly add the respective namespace query parameter to the URL (i.e. /ui/variables/path/nomad/jobs?namespace=<someNamespace>); they are then able to use the "+ Create Variable" button from that page view (whereby the "Path" field is pre-populated). This is obscure, as the page view already filters out items from the Nomad Variables table which do not correspond to the authenticated user's permitted namespace.

In our case we have an internal team ("cpe") that acts as Nomad Operators within their own eponymous namespace. They authenticate to Nomad via OIDC and assume a role with the following ACL policy:

namespace "cpe" {
  policy = "read"
  capabilities = ["alloc-exec", "read-logs"]

  variables {
    path "*" {
      capabilities = ["write", "read", "destroy", "list"]
    }
  }
}

quota {
  policy = "read"
}

plugin {
  policy = "read"
}

node {
  policy = "read"
}

agent {
  policy = "read"
}

When they go to the Nomad Variables UI page (/ui/variables/) they are able to create a variable from that view.

When they then click into the nomad/jobs/ path (/ui/variables/path/nomad/jobs), they are unable to create a variable from that view.

If they then modify the URL to explicitly include the namespace query param (/ui/variables/path/nomad/jobs?namespace=cpe), they are then able to create a variable from that view.

In my eyes, this is undesirable behavior (but perhaps I'm just not understanding the underlying design decision behind this).

philrenaud commented 2 weeks ago

Hi @ChefAustin, thanks for raising this ticket — you're right that this is not great DX, we're probably overly tight on disabling that button based on namespace, and should take a more "If any namespace is allowed, show the enabled button, and sort out the namespace on the subsequent page" approach. I believe we do exactly this in the /jobs creation flow.

I'll give this a look soon, otherwise, happy to accept PRs.
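The following is an added illustration, not code from the Nomad project or from either participant in this thread. It models the two button-enabling rules discussed above (check the one namespace selected in the URL, versus "enable if any namespace the token can see grants the capability") against a simplified, constructed copy of the `cpe` policy from the issue. The policy dictionary shape and the use of shell-style glob matching for variable path rules are assumptions made for the example; Nomad's real ACL evaluation is more involved.

```python
from fnmatch import fnmatchcase

# Constructed, simplified rendering of the ACL policy quoted in the issue:
# namespace -> {"variables": {path_rule: set(capabilities)}}.
# This is not Nomad's ACL data model, just enough structure for the example.
CPE_POLICY = {
    "cpe": {
        "variables": {
            "*": {"write", "read", "destroy", "list"},
        }
    }
}


def variable_allowed(policies, namespace, path, capability):
    """Return True if `policies` grant `capability` on variable `path` in `namespace`.

    Path rules are matched as shell-style globs here (assumption for the
    example; Nomad's own path matching has its own rules for '*' and segments).
    A namespace with no block in the token's policies grants nothing.
    """
    ns_rules = policies.get(namespace)
    if ns_rules is None:
        return False
    for pattern, caps in ns_rules.get("variables", {}).items():
        if fnmatchcase(path, pattern) and capability in caps:
            return True
    return False


def create_button_enabled(policies, namespace, path, capability="write"):
    """Decide whether a 'Create Variable' control should be enabled.

    namespace given (the ?namespace=cpe workaround): evaluate that namespace only.
    namespace None (no namespace selected in the UI): follow the "if any namespace
    is allowed, enable the button" approach and let the user pick the namespace
    on the next page.
    """
    if namespace is not None:
        return variable_allowed(policies, namespace, path, capability)
    return any(variable_allowed(policies, ns, path, capability) for ns in policies)


if __name__ == "__main__":
    path = "nomad/jobs/someJobName"
    # Evaluating against a namespace the token cannot see reproduces the greyed-out button.
    print("default ns:", create_button_enabled(CPE_POLICY, "default", path))  # False
    # The explicit-namespace workaround from the issue.
    print("cpe ns:    ", create_button_enabled(CPE_POLICY, "cpe", path))      # True
    # The "any namespace" rule suggested in the reply.
    print("any ns:    ", create_button_enabled(CPE_POLICY, None, path))       # True
```

The `default` case is what a namespace-scoped token hits when the page evaluates the button against a namespace the token has no block for; the `None` case shows the behaviour the reply describes, deferring the namespace choice to the subsequent page rather than disabling the control up front.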