Deployment Status Command Does Not Respect -namespace Wildcard (#16792)

* func: add namespace support for list deployment * func: add wildcard to namespace filter for deployments * Update deployment_endpoint.go * style: use must instead of require or asseert * style: rename paginator to avoid clash with import * style: add changelog entry * fix: add missing parameter for upsert jobs
hashicorp · Apr 12, 2023 · 14520c4 · 14520c4
1 parent 01d083d
commit 14520c4
Show file tree

Hide file tree

Showing 5 changed files with 241 additions and 125 deletions.
diff --git a/.changelog/16792.txt b/.changelog/16792.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: the deployment's list endpoint now supports look up by prefix using the wildcard for namespace
+```
diff --git a/nomad/deployment_endpoint.go b/nomad/deployment_endpoint.go
@@ -396,20 +396,33 @@ func (d *Deployment) List(args *structs.DeploymentListRequest, reply *structs.De
 
 	// Check namespace read-job permissions against request namespace since
 	// results are filtered by request namespace.
-	if aclObj, err := d.srv.ResolveToken(args.AuthToken); err != nil {
+	aclObj, err := d.srv.ResolveToken(args.AuthToken)
+	if err != nil {
 		return err
-	} else if aclObj != nil && !aclObj.AllowNsOp(namespace, acl.NamespaceCapabilityReadJob) {
+	}
+
+	if aclObj != nil && !aclObj.AllowNsOp(namespace, acl.NamespaceCapabilityReadJob) {
 		return structs.ErrPermissionDenied
 	}
 
+	allow := aclObj.AllowNsOpFunc(acl.NamespaceCapabilityReadJob)
+
 	// Setup the blocking query
 	sort := state.SortOption(args.Reverse)
 	opts := blockingOptions{
 		queryOpts: &args.QueryOptions,
 		queryMeta: &reply.QueryMeta,
 		run: func(ws memdb.WatchSet, store *state.StateStore) error {
+			allowableNamespaces, err := allowedNSes(aclObj, store, allow)
+			if err != nil {
+				if err == structs.ErrPermissionDenied {
+					reply.Deployments = make([]*structs.Deployment, 0)
+					return nil
+				}
+				return err
+			}
+
 			// Capture all the deployments
-			var err error
 			var iter memdb.ResultIterator
 			var opts paginator.StructsTokenizerOptions
 
@@ -437,8 +450,14 @@ func (d *Deployment) List(args *structs.DeploymentListRequest, reply *structs.De
 
 			tokenizer := paginator.NewStructsTokenizer(iter, opts)
 
+			filters := []paginator.Filter{
+				paginator.NamespaceFilter{
+					AllowableNamespaces: allowableNamespaces,
+				},
+			}
+
 			var deploys []*structs.Deployment
-			paginator, err := paginator.NewPaginator(iter, tokenizer, nil, args.QueryOptions,
+			pnator, err := paginator.NewPaginator(iter, tokenizer, filters, args.QueryOptions,
 				func(raw interface{}) error {
 					deploy := raw.(*structs.Deployment)
 					deploys = append(deploys, deploy)
@@ -449,7 +468,7 @@ func (d *Deployment) List(args *structs.DeploymentListRequest, reply *structs.De
 					http.StatusBadRequest, "failed to create result paginator: %v", err)
 			}
 
-			nextToken, err := paginator.Page()
+			nextToken, err := pnator.Page()
 			if err != nil {
 				return structs.NewErrRPCCodedf(
 					http.StatusBadRequest, "failed to read result page: %v", err)
@@ -468,7 +487,9 @@ func (d *Deployment) List(args *structs.DeploymentListRequest, reply *structs.De
 			// Set the query response
 			d.srv.setQueryMeta(&reply.QueryMeta)
 			return nil
-		}}
+		},
+	}
+
 	return d.srv.blockingRPC(&opts)
 }