Closed kkawatra09 closed 1 month ago
Hi @kkawatra09! I wasn't able to reproduce what you're seeing. I grabbed an old Nomad 1.6.1 binary and deployed a job to it using a root token. Then I took your ACL policy document and created both a policy and a token using that policy:
$ nomad acl policy apply test ./test.hcl
Successfully wrote "test" ACL policy!
$ nomad acl token create -type client -name test -policy test
Accessor ID = c06be604-d085-c4ef-772c-6a2b5d5a18d4
Secret ID = b2dcb567-c35f-4f33-3e66-ba3bee3168c0
Name = test
Type = client
Global = false
Create Time = 2024-09-23 18:21:41.933116489 +0000 UTC
Expiry Time = <none>
Create Index = 34
Modify Index = 34
Policies = [test]
Roles
<none>
Then I went to the UI, logged in with the token above, and tried to stop the job. I get the following warning:
And my job was left running:
$ nomad job status
ID Type Priority Status Submit Date
example service 50 running 2024-09-23T14:20:30-04:00
You might be using the wrong token in the web UI.
Also, in the future if you see a potential security problem like this, we ask that you email security@hashicorp.com instead of posting it here in the public GitHub and dropping a 0-day on the entire Nomad community! :grin: Thanks!
I'm sorry about not sending this as an email or asking the question on the community first. I had a different post on the community page and I wasn't getting much response, so I thought this might be a better way to get this looked at, since it looked like a potential security issue. Also, you're right, I had issues with my policy. Please mark this issue as resolved. Thank you for your prompt response and sorry for any inconvenience caused.
Nomad version
Output from nomad version: 1.6.1
Issue
Reproduction steps
Expected Result
Our goal is to allow users to list jobs, read individual jobs, and read logs.
Actual Result
Users are able to do the above plus stop a job from the UI
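The policy that produces the reported behaviour is not shown on this page, so the following is an added illustration (not the reporter's file) of how an over-broad namespace policy differs from a least-privilege one for the stated goal. It assumes the standard Nomad ACL policy syntax for the "default" namespace, where the "write" policy and the "submit-job" capability both cover stopping a job, while "read-logs" is not included in "read" and has to be granted explicitly; check these against the ACL reference for your Nomad version.

```hcl
# Over-broad policy (assumed example of what leads to the "Actual Result"):
# "write" includes submit-job, and submit-job is what allows a job to be
# stopped/deregistered, so a token with this policy can stop jobs from the UI.
#
# namespace "default" {
#   policy = "write"
# }

# Least-privilege policy for the "Expected Result": list jobs, read
# individual jobs, and read logs, with no ability to submit or stop a job.
namespace "default" {
  # "read" covers list-jobs, read-job and the other read-only job actions.
  policy = "read"

  # read-logs is not part of "read"; grant it as a fine-grained capability
  # instead of widening the coarse policy to "write".
  capabilities = ["read-logs"]
}
```

Apply it with the same `nomad acl policy apply` and `nomad acl token create` steps shown above, then confirm with that token that the stop action is rejected before handing it to users.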