hashicorp / nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
https://www.nomadproject.io/

Read Only permissions allowed to stop a job from the UI #24044

Closed kkawatra09 closed 1 month ago

kkawatra09 commented 1 month ago

Nomad version

Output from nomad version: 1.6.1

Issue

namespace "*" {
  capabilities = ["list-jobs","read-job", "read-logs"]
  variables {
    path "*" {
      capabilities = ["list"]
    }
  }
}

Reproduction steps

Expected Result

Our goal is to allow users to list jobs, read individual jobs, and read logs.

Actual Result

Users are able to do the above plus stop a job from the UI

tgross commented 1 month ago

Hi @kkawatra09! I wasn't able to reproduce what you're seeing. I grabbed an old Nomad 1.6.1 binary and deployed a job to it using a root token. Then I took your ACL policy document and created both a policy and a token using that policy:

$ nomad acl policy apply test ./test.hcl
Successfully wrote "test" ACL policy!

$ nomad acl token create -type client -name test -policy test
Accessor ID  = c06be604-d085-c4ef-772c-6a2b5d5a18d4
Secret ID    = b2dcb567-c35f-4f33-3e66-ba3bee3168c0
Name         = test
Type         = client
Global       = false
Create Time  = 2024-09-23 18:21:41.933116489 +0000 UTC
Expiry Time  = <none>
Create Index = 34
Modify Index = 34
Policies     = [test]

Roles
<none>

Then I went to the UI, logged in with the token above, and tried to stop the job. I get the following warning:

[screenshot: no-repro]

And my job was left running:

$ nomad job status
ID       Type     Priority  Status   Submit Date
example  service  50        running  2024-09-23T14:20:30-04:00

You might be using the wrong token in the web UI.

Also, in the future if you see a potential security problem like this, we ask that you email security@hashicorp.com instead of posting it here in the public GitHub and dropping a 0-day on the entire Nomad community! :grin: Thanks!
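To make the decision in the reproduction above concrete, here is an added, constructed model of how a Nomad namespace ACL policy is evaluated against an operation. It is not Nomad's own acl package and not code from this thread; it only reproduces the point that matters here: the policy in the issue grants list-jobs, read-job and read-logs, while stopping a job (the UI Stop button and `nomad job stop` both deregister the job) requires the submit-job capability, so a token built from that policy is denied. The namespace matching rule (exact match first, then the most specific glob) and the operation-to-capability table are simplifications assumed for the example.

```python
"""Constructed, simplified model of Nomad namespace ACL evaluation.

Not Nomad's acl package. Assumed for this example:
  - a policy is a dict of namespace pattern -> list of capabilities
  - exact namespace match wins, else the most specific glob match
  - "deny" in the matched block denies everything (as in Nomad)
"""
from fnmatch import fnmatchcase

# Operation -> namespace capability that must be present.
# Stopping a job goes through the job deregister API, which needs submit-job.
REQUIRED_CAPABILITY = {
    "list-jobs": "list-jobs",
    "read-job": "read-job",
    "read-logs": "read-logs",
    "stop-job": "submit-job",
    "run-job": "submit-job",
}

# The namespace block from the issue's policy (the `variables` block is a
# separate resource and is not modelled here).
ISSUE_POLICY = {
    "*": ["list-jobs", "read-job", "read-logs"],
}


def matching_block(policy, namespace):
    """Return the capability list whose namespace pattern applies, or None.

    Exact match wins; otherwise the glob with the fewest wildcards and the
    longest pattern is treated as the most specific one.
    """
    if namespace in policy:
        return policy[namespace]
    candidates = [p for p in policy if fnmatchcase(namespace, p)]
    if not candidates:
        return None
    best = max(candidates, key=lambda p: (-p.count("*"), len(p)))
    return policy[best]


def allowed(policy, namespace, operation):
    """True if the policy grants the capability `operation` requires."""
    caps = matching_block(policy, namespace)
    if caps is None or "deny" in caps:
        return False
    return REQUIRED_CAPABILITY[operation] in caps


def audit(policy, namespace):
    """Map every known operation to its allow/deny result for a namespace."""
    return {op: allowed(policy, namespace, op) for op in REQUIRED_CAPABILITY}


if __name__ == "__main__":
    # Walk the issue's policy for the default namespace: reads allowed, stop denied.
    for op, ok in audit(ISSUE_POLICY, "default").items():
        print(f"{op:10s} {'allowed' if ok else 'denied'}")
```

Running the block prints each operation from the table with its result; `stop-job` and `run-job` come out denied for the issue's policy, matching the warning tgross saw in the UI. A quick way to use this when checking a real policy is to copy its namespace blocks into the dict and look at `audit()` for each namespace a token will touch.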

kkawatra09 commented 1 month ago

I'm sorry about not sending this as an email or asking the question on the community first. I had a different post on the community page and I wasn't getting much response, so I thought this might be a better way to get this looked at, since it looked like a potential security issue. Also, you're right, I had issues with my policy. Please mark this issue as resolved. Thank you for your prompt response and sorry for any inconvenience caused.