Operators with ACL-Limited Namespace Access Can't Easily Create Variable in `nomad/jobs` Path
Nomad version
```
$ nomad version
Nomad v1.8.3+ent
BuildDate 2024-08-13T07:52:39Z
Revision 82fa712be0e7c1e07d6d630e0583c188347411ee
```
Operating system and Environment details
```
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.4 LTS"
```
Issue
Nomad Operators with access limited to a singular namespace cannot click the "+ Create Variable" button from the Variables UI page when within the /nomad/jobs/ path (/ui/variables/nomad/jobs/), as it is greyed out. The button is able to be clicked from the main Nomad Variables UI page (/ui/variables/), but that then requires them to type nomad/jobs/someJobName in the "Path" field during creation.
Conversely, one workaround for this is to explicitly add the respective namespace query parameter to the URL (i.e. /ui/variables/path/nomad/jobs?namespace=<someNamespace>) and then they are able to use the "+ Create Variable" button from that page view (whereby the "Path" field is pre-populated). This is obscure as the page view already filters out items from the Nomad Variables table which do not correspond to the authenticated user's permitted namespace.
In our case, we have an internal team ("cpe") that acts as Nomad Operators within their own eponymous namespace. They authenticate to Nomad via OIDC and assume a role with the following ACL policy:
```hcl
namespace "cpe" {
  policy       = "read"
  capabilities = ["alloc-exec", "read-logs"]
  variables {
    path "*" {
      capabilities = ["write", "read", "destroy", "list"]
    }
  }
}
quota {
  policy = "read"
}
plugin {
  policy = "read"
}
node {
  policy = "read"
}
agent {
  policy = "read"
}
```
When they go to Nomad Variables UI page (/ui/variables/) they are able to create a variable from that view.
When they then click into the nomad/jobs/ path (/ui/variables/path/nomad/jobs), they are unable to create a variable from that view.
If they then modify the URL to explicitly include the namespace query param (/ui/variables/path/nomad/jobs?namespace=cpe), they are then able to create a variable from that view.
In my eyes, this is undesirable behavior (but perhaps I'm just not understanding the underlying design decision behind this).
Hi @ChefAustin, thanks for raising this ticket — you're right that this is not great DX, we're probably overly tight on disabling that button based on namespace, and should take a more "If any namespace is allowed, show the enabled button, and sort out the namespace on the subsequent page" approach. I believe we do exactly this in the /jobs creation flow.
I'll give this a look soon, otherwise, happy to accept PRs.
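The "any namespace is allowed" check described in the reply above, contrasted with a check pinned to one namespace, as an added sketch that is not Nomad's UI code. The rule objects, function names and the simplified glob matching are assumptions made for illustration; `default` stands in for any namespace other than the operator's.

```javascript
// Constructed model of the "cpe" policy's variables block from the issue above.
const cpeRules = [
  { namespace: "cpe",
    variables: [{ path: "*", capabilities: ["write", "read", "destroy", "list"] }] },
];

// Translate a glob with "*" wildcards into an anchored RegExp.
function globToRegExp(glob) {
  const parts = glob.split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$");
}

// True when a namespace rule has a variables path rule that matches `path`
// and lists "write". Simplification (assumption): any matching rule grants;
// no most-specific-rule resolution is modelled.
function ruleAllowsWrite(rule, path) {
  return rule.variables.some(
    (v) => globToRegExp(v.path).test(path) && v.capabilities.includes("write"));
}

// Check pinned to a single namespace: the button is enabled only if that
// one namespace grants write on the path.
function canWriteIn(rules, namespace, path) {
  return rules.some(
    (r) => globToRegExp(r.namespace).test(namespace) && ruleAllowsWrite(r, path));
}

// Any-namespace check: enable the button if at least one namespace grants
// write, and return the candidates so the create form can settle the namespace.
function createButtonState(rules, path) {
  const namespaces = rules.filter((r) => ruleAllowsWrite(r, path)).map((r) => r.namespace);
  return { enabled: namespaces.length > 0, namespaces };
}

const samplePath = "nomad/jobs/someJobName";
console.log(canWriteIn(cpeRules, "cpe", samplePath));     // namespace given explicitly
console.log(canWriteIn(cpeRules, "default", samplePath)); // pinned to another namespace
console.log(createButtonState(cpeRules, samplePath));     // any-namespace approach
```

Gating the button is only a UI hint; the Nomad API still evaluates the token's ACL policy when the variable is written.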
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.