dynamic host volumes: ACL policies

Open tgross opened this issue 3 months ago • 0 comments

This changeset implements the ACLs required for dynamic host volumes RPCs:

  • host-volume-register is the highest privilege because it potentially bypasses quotas.
  • host-volume-create is implicitly granted by host-volume-register.
  • host-volume-read is implicitly granted by policy = "read", host-volume-register, and host-volume-create.

These are namespaced operations, so the testing here is predominantly around parsing and granting of implicit capabilities rather than the well-tested AllowNamespaceOperation method.

This changeset does not include any changes to the host_volumes policy which we'll need for claiming volumes on job submit (if any). That'll be covered in a later PR.

Ref: https://hashicorp.atlassian.net/browse/NET-11549

tgross, Nov 01 '24 19:11
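The implicit grants listed in the description above, modelled as an added Go example (not code from the Nomad changeset): `NamespaceRule`, `Expand` and `Allows` are hypothetical names, and only the three host-volume rules from the PR text are modelled. It shows that the grants flow one way, so a reader or creator never gains the quota-bypassing `host-volume-register`.

```go
package main

import "fmt"

// implied lists what each capability directly grants, per the PR description.
var implied = map[string][]string{
	"host-volume-register": {"host-volume-create", "host-volume-read"},
	"host-volume-create":   {"host-volume-read"},
}

// NamespaceRule is a hypothetical, simplified stand-in for one namespace block.
type NamespaceRule struct {
	Policy       string   // coarse policy; only "read" is modelled here
	Capabilities []string // explicitly listed capabilities
}

// Expand returns the effective capability set: explicit grants plus implied ones.
// Only the host-volume rules from the PR text are modelled.
func Expand(r NamespaceRule) map[string]bool {
	queue := append([]string{}, r.Capabilities...)
	if r.Policy == "read" {
		queue = append(queue, "host-volume-read")
	}
	seen := map[string]bool{}
	for len(queue) > 0 {
		c := queue[0]
		queue = queue[1:]
		if !seen[c] {
			seen[c] = true
			queue = append(queue, implied[c]...)
		}
	}
	return seen
}

// Allows reports whether the rule grants the capability after expansion.
func Allows(r NamespaceRule, capability string) bool {
	return Expand(r)[capability]
}

func main() {
	// Constructed sample rules, one per grant path named in the PR text.
	rules := map[string]NamespaceRule{
		"reader":   {Policy: "read"},
		"creator":  {Capabilities: []string{"host-volume-create"}},
		"register": {Capabilities: []string{"host-volume-register"}},
	}
	for name, r := range rules {
		fmt.Println(name, "may register:", Allows(r, "host-volume-register"),
			"may create:", Allows(r, "host-volume-create"))
	}
}
```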