Permission Check on Log Access via UI
Nomad version
Nomad v1.8.2 BuildDate 2024-07-16T08:50:09Z Revision 7f0822c1e4f25907d9f60e2d595411950dd1bd28
Operating system and Environment details
RHEL 8.6 - RHEL 8.8
Issue
When trying to access the Container Logs via "UI -> Jobname -> Taskgroup -> Allocation -> Task -> Logs" we get a "permission denied" error. But the current policy should allow access because of "namespace:write" policy:
namespace "playground" {
  policy = "write"
  variables {
    # give read access to all job templates related to this namespace
    path "nomad/job-templates/*" {
      capabilities = ["read","list"]
    }
  }
}
node {
  policy = "deny"
}
agent {
  policy = "deny"
}
We can prove this because log access via "UI -> Job -> View Logs (of the task)" is working as expected and if we change the policy to
node {
  policy = "read"
}
agent {
  policy = "deny"
}
access to logs is also working as expected. So it looks like the UI button is not checking correctly for the "namespace:read-logs" capability, but instead for a "node:read" policy.
Reproduction steps
Using Policy like:
namespace "playground" {
  policy = "write"
  variables {
    # give read access to all job templates related to this namespace
    path "nomad/job-templates/*" {
      capabilities = ["read","list"]
    }
  }
}
# used for UI access - not really?
node {
  policy = "deny"
}
agent {
  policy = "deny"
}
- trying to access logs of running container via "Jobs -> <Jobname> -> View Logs (in recent allocations tab)"
- trying to access logs of running container via "Jobs -> <Jobname> -> TaskGroup -> Allocation -> Task -> Logs (on top menu line)"
Expected Result
- Access to logs is possible (depending on namespace:read-logs capability)
- Access to logs is possible (depending on namespace:read-logs capability)
Actual Result
- Access works as expected
- Access is denied due to node-policy=deny
Job file (if appropriate)
Nomad Server logs (if appropriate)
Nomad Client logs (if appropriate)
thanks Mac
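
A way to separate what the HTTP API authorizes for the token from what the UI route shows, as an added example that is not part of the original report or of Nomad's own code. It assumes `NOMAD_ADDR` and `NOMAD_TOKEN` are set, that `ALLOC_ID` and `TASK` are placeholders you fill in, and that the two endpoints behave as documented in Nomad's HTTP API (task log reads need namespace `read-logs` or `read-fs`; listing nodes needs `node` read).

```shell
#!/bin/sh
# Added diagnostic example (not from the report). ALLOC_ID and TASK are
# placeholders supplied by the operator; NS defaults to the report's namespace.
NS="${NS:-playground}"

# Print only the HTTP status code of an authenticated GET against the API.
probe() {
  curl -s -o /dev/null -w '%{http_code}' \
    -H "X-Nomad-Token: ${NOMAD_TOKEN}" "${NOMAD_ADDR}$1" || true
}

# Map the two status codes to a verdict.
#   $1 = status of the task log read (namespace read-logs or read-fs)
#   $2 = status of the node list     (node read)
classify() {
  case "$1:$2" in
    200:403) echo "logs-allowed,node-denied" ;;   # the policy works as written
    200:200) echo "logs-allowed,node-allowed" ;;  # token also holds node read
    403:*)   echo "logs-denied" ;;                # the API itself refuses the log read
    *)       echo "inconclusive:$1:$2" ;;         # e.g. 404 (alloc gone), 000 (no connection)
  esac
}

# Run both probes with the same token and report the verdict.
check_token() {
  logs_status=$(probe "/v1/client/fs/logs/${ALLOC_ID}?namespace=${NS}&task=${TASK}&type=stdout&plain=true&origin=end&offset=256")
  node_status=$(probe "/v1/nodes")
  classify "$logs_status" "$node_status"
}

# Only contact the cluster when an allocation ID was supplied.
if [ -n "${ALLOC_ID:-}" ]; then
  check_token
fi
```

A result of `logs-allowed,node-denied` means the API grants the log read under the namespace rule alone, so a "permission denied" on the allocation's task Logs tab with the same token comes from something other than the log authorization itself.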