
With HashiCorp's Nomad, based on the documentation in the Namespace Rules section of the ACL Policy Specification documentation, I've configured a policy with these capabilities:

namespace "default" {
  policy       = "read"
  capabilities = ["alloc-lifecycle", "dispatch-job", "submit-job", "read-logs"]
}

node {
  policy = "read"
}

agent {
  policy = "read"
}

operator {
  policy = "read"
}

plugin {
  policy = "read"
}

I want the user token that was created with this policy to be able to do the following in the web UI:

  • Create (submit / run) a new job
  • Stop a job
  • Start a job
  • Stop an allocation
  • Start an allocation
  • Restart an allocation

Unfortunately, the user can only:

  • Stop a job
  • Stop an allocation
  • Restart an allocation

[screenshot: the error message the web UI displays when the user tries one of these actions]

What capabilities should be added in order for the user to also:

  • Create (submit / run) a new job
  • Start a job
  • Start an allocation
HeatZync

  • Did you read the docs? – KamilCuk Aug 14 '23 at 22:26
  • Yes, I did read the documentation. That's how I got to the policy as shown in the question. So I either don't understand something correctly or I'm doing something wrong or I discovered a bug. Hence this question. If it turns out to be a bug then I'll report it as an issue on the GitHub project page, but I don't want to create unnecessary noise over there. – HeatZync Aug 17 '23 at 06:44

2 Answers

I finally managed to figure out what the problem was. The job that I'm trying to submit or start makes use of a host volume on the client:

Nomad Agent client config:

client {
  enabled = true

  host_volume "foo-bar-storage" {
    path      = "/path/to/foo/bar"
    read_only = false
  }
}

Job:

job "example" {
  type = "service"

  group "example" {

    volume "foo-bar-storage" {
      type      = "host"
      source    = "foo-bar-storage"
      read_only = false
    }

    task "example" {
      driver = "docker"

      config {
        image   = "some/image:tag"
        volumes = ["/path/to/foo/bar:/mnt/foo/bar"]
      }
    }
  }
}

I therefore needed to add a block in the ACL policy that grants access to the host volume:

host_volume "foo-bar-storage" {
  policy = "write"
}

The lesson learnt here is that I need to ensure I've granted the necessary permissions as required by a specific job. For example, if the job makes use of host volume support, then the user's ACL policy needs to grant access to that host volume.

HeatZync
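To make the lesson in this answer checkable before a job is submitted, here is an added example (not from the question, the answer, or Nomad's own code base). It models the rule the answer describes: for every host volume a job mounts, the submitting token's policy must contain a matching host_volume block, and a read_only = false mount needs the write level. The policy and job are given as plain Python dicts rather than HCL so the script runs offline; the coarse-policy-to-capability table and the use of fnmatch for the glob names Nomad allows in host_volume blocks are assumptions taken from the ACL policy documentation, not Nomad's own matcher.

```python
"""Pre-flight check: does this ACL policy grant every host volume mount the job
needs?  Added example modelling the rule from the answer, not Nomad's code."""

from fnmatch import fnmatchcase

# Coarse host_volume policy -> fine-grained capabilities.
# Assumption based on the Nomad ACL policy docs ("deny" grants nothing).
HOST_VOLUME_POLICY_CAPS = {
    "deny": set(),
    "read": {"mount-readonly"},
    "write": {"mount-readonly", "mount-readwrite"},
}


def host_volume_caps(policy, volume_name):
    """Union of the capabilities every matching host_volume block grants.
    Block names may be globs such as "foo-*"; fnmatch stands in for Nomad's
    matcher here (assumption)."""
    caps = set()
    for block in policy.get("host_volume", []):
        if fnmatchcase(volume_name, block["name"]):
            caps |= HOST_VOLUME_POLICY_CAPS[block.get("policy", "deny")]
            caps |= set(block.get("capabilities", []))
    return caps


def required_host_volume_caps(job):
    """Map each host volume the job mounts to the capability it needs:
    a writable mount needs mount-readwrite, a read-only one mount-readonly."""
    required = {}
    for group in job["groups"]:
        for vol in group.get("volumes", []):
            if vol["type"] != "host":
                continue
            cap = "mount-readonly" if vol.get("read_only") else "mount-readwrite"
            required[vol["source"]] = cap
    return required


def missing_host_volume_caps(policy, job):
    """Return {volume_source: capability} for each mount the policy denies.
    An empty dict means the policy satisfies the job's host volume needs."""
    missing = {}
    for source, cap in required_host_volume_caps(job).items():
        if cap not in host_volume_caps(policy, source):
            missing[source] = cap
    return missing


# Constructed inputs mirroring the question: the job from the answer, and the
# original policy, which has namespace capabilities but no host_volume block.
EXAMPLE_JOB = {
    "id": "example",
    "groups": [
        {
            "name": "example",
            "volumes": [
                {"type": "host", "source": "foo-bar-storage", "read_only": False}
            ],
        }
    ],
}

ORIGINAL_POLICY = {
    "namespace": [
        {
            "name": "default",
            "policy": "read",
            "capabilities": ["alloc-lifecycle", "dispatch-job", "submit-job", "read-logs"],
        }
    ],
}

# The fix from the answer: host_volume "foo-bar-storage" { policy = "write" }
FIXED_POLICY = dict(
    ORIGINAL_POLICY,
    host_volume=[{"name": "foo-bar-storage", "policy": "write"}],
)


if __name__ == "__main__":
    for label, pol in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        gap = missing_host_volume_caps(pol, EXAMPLE_JOB)
        print(f"{label} policy: {'ok' if not gap else 'missing ' + str(gap)}")
```

Running it reports the original policy as missing mount-readwrite on foo-bar-storage, which is the permission the 403 on POST /v1/jobs was about, and the fixed policy as ok. A policy that only grants policy = "read" on the volume would still fail for this job because the group mounts it with read_only = false.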

From the link you posted, https://developer.hashicorp.com/nomad/docs/other-specifications/acl-policy:

submit-job - Allows jobs to be submitted, updated, or stopped.

alloc-lifecycle - Allows an operator to stop individual allocations manually.

There are also:

dispatch-job - Allows jobs to be dispatched.

scale-job - Allows scaling a job up or down.

"able to do the following in the web UI:"

All the actions like "stop a job", "post a new job", "start a job" are done by reading the job spec, modifying it, and posting it back. You can even see it in UI - when you "stop a job", a new version of the job is posted with "Stop": true in the json spec.

Except Stop an allocation and Restart an allocation - these are done via separate API calls. https://developer.hashicorp.com/nomad/api-docs/allocations#stop-allocation

It is not possible to "start an allocation". This is done automatically by the scheduler.

KamilCuk
  • Thanks @KamilCuk. Point taken about starting an allocation. The thing is, even though the policy assigned to the user token has the `dispatch-job` and `submit-job` capabilities, the user is not able to start a job that was stopped. I also have a management token that is able to do so. – HeatZync Aug 17 '23 at 06:35
  • How do you start a job that was stopped? You mean in the UI? `the policy assigned to the user token` You are using normal ACL not OIDC with vault? – KamilCuk Aug 17 '23 at 06:50
  • Yes, normal ACL. In the UI, the user clicks the "Stop job" button, and the next one to confirm. Then, when the user clicks the "Start job" button the error message is displayed as per the screenshot in the question. – HeatZync Aug 17 '23 at 07:28
  • Open debug window in the browser and go to network and get the API endpoint that returns an error. Then check documentation for that API endpoint. – KamilCuk Aug 17 '23 at 07:31
  • The response status code is HTTP 403 FORBIDDEN – HeatZync Aug 28 '23 at 12:01
  • Sure, but which url? – KamilCuk Aug 28 '23 at 12:14
  • `POST /v1/jobs` – HeatZync Aug 28 '23 at 12:27
  • Thanks for all your help @KamilCuk. I found the issue and added my own answer. – HeatZync Aug 28 '23 at 12:28