Nomad UI Exec namespace issues

hashicorp / nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.

https://www.nomadproject.io/

Other

14.93k stars 1.96k forks source link

Nomad UI Exec namespace issues #8135

Open gmichalec-pandora opened 4 years ago

gmichalec-pandora commented 4 years ago

For reporting security vulnerabilities please refer to the website.

If you have a question, prepend your issue with [question] or preferably use the nomad mailing list.

If filing a bug please include the following:

Nomad version

Output from nomad version 0.12.5+ent

Operating system and Environment details

Debian 9.12

Issue

It looks like the Nomad UI does not support the exec UI for namespaced jobs. When I browse to a job running in a namespace, then to a task or allocation for that job, clicking the 'Exec' button pops open a window saying "Not Found". Inspecting the JS console for this window, I see that it is attempting to fetch the job from the api, but without the namespace parameter. Note that if I use the exec button from the Job or task group UI, the namespace parameter is passed to the popup window and the exec UI works correctly

Reproduction steps

Launch a namespaced job
Browse to the allocation or task view for the job
Use the UI to try to exec to it

gmichalec-pandora commented 4 years ago

I take that back - the exec window launches fine! But the button is still disabled

gmichalec-pandora commented 4 years ago

Ok - it actually looks like the Exec button from the Job or Task Group views will launch the window with the namespace arg (if I remove 'disabled' from the button using devtools). But the exec button in the allocation view launches a window w/o the namespace arg

gmichalec-pandora commented 4 years ago

Hmm...upon further experimentation - If I provide a token only valid for a particular namespace, the exec UI seems to work fine. This may be related to the fact that we are generating tokens that include policies that do not yet exist, which results in a bunch of 404s on the policy lookups. This may be breaking something in the UI that manages namespace validation

gmichalec-pandora commented 4 years ago

We've updated the process we use to issue nomad tokens to only include valid nomad polices in the token. When using a token with no invalid policies, the exec button works as expected. I'd assume it's not a high priority to support tokens with invalid policies, but I'll leave this open in just in case. For our end, I think I'm satisfied with our solution to this.

gmichalec-pandora commented 4 years ago

I've tested this again on nomad 0.12.5-ent, and the issue does still exist, even with a token without invalid policies. To clarify, the exec button works fine for namespaced jobs if used from the job or task group views, however, if you click it from a task or allocation view, it does not send the namespace parameter to the popup window, and thus the allocation id can not be found.

backspace commented 3 years ago

Hey, thanks for the report, and sorry for not seeing this earlier. Can you try this out with 1.0.4, as this fix may have solved it for you.