Skip to content

Commit

Permalink
Backport of [bugfix, ui] Allow running jobs from a namespace-limited …
Browse files Browse the repository at this point in the history
…token into release/1.3.x (#13678)

This pull request was automerged via backport-assistant
  • Loading branch information
hc-github-team-nomad-core authored Jul 11, 2022
1 parent f35e8d0 commit 3bbd8a0
Show file tree
Hide file tree
Showing 7 changed files with 73 additions and 15 deletions.
32 changes: 29 additions & 3 deletions ui/app/abilities/job.js
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
import AbstractAbility from './abstract';
import { computed } from '@ember/object';
import { computed, get } from '@ember/object';
import { or } from '@ember/object/computed';

export default class Job extends AbstractAbility {
Expand All @@ -9,7 +9,7 @@ export default class Job extends AbstractAbility {
@or(
'bypassAuthorization',
'selfTokenIsManagement',
'policiesSupportRunning',
'specificNamespaceSupportsRunning',
'policiesSupportScaling'
)
canScale;
Expand All @@ -27,8 +27,34 @@ export default class Job extends AbstractAbility {
)
canDispatch;

@computed('[email protected]')
policyNamespacesIncludePermissions(policies = [], permissions = []) {
// For each policy record, extract all policies of all namespaces
const allNamespacePolicies = policies
.toArray()
.map((policy) => get(policy, 'rulesJSON.Namespaces'))
.flat()
.map((namespace = {}) => {
return namespace.Capabilities;
})
.flat()
.compact();

// Check for requested permissions
return allNamespacePolicies.some((policy) => {
return permissions.includes(policy);
});
}

@computed('token.selfTokenPolicies.[]')
get policiesSupportRunning() {
return this.policyNamespacesIncludePermissions(
this.token.selfTokenPolicies,
['submit-job']
);
}

@computed('[email protected]')
get specificNamespaceSupportsRunning() {
return this.namespaceIncludesCapability('submit-job');
}

Expand Down
2 changes: 1 addition & 1 deletion ui/app/adapters/job.js
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ export default class JobAdapter extends WatchableNamespaceIDs {
}

parse(spec) {
const url = addToPath(this.urlForFindAll('job'), '/parse');
const url = addToPath(this.urlForFindAll('job'), '/parse?namespace=*');
return this.ajax(url, 'POST', {
data: {
JobHCL: spec,
Expand Down
6 changes: 4 additions & 2 deletions ui/app/components/job-editor.js
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,8 @@ export default class JobEditor extends Component {
try {
yield this.job.parse();
} catch (err) {
const error = messageFromAdapterError(err) || 'Could not parse input';
const error =
messageFromAdapterError(err, 'parse jobs') || 'Could not parse input';
this.set('parseError', error);
this.scrollToError();
return;
Expand All @@ -72,7 +73,8 @@ export default class JobEditor extends Component {
const plan = yield this.job.plan();
this.set('planOutput', plan);
} catch (err) {
const error = messageFromAdapterError(err) || 'Could not plan job';
const error =
messageFromAdapterError(err, 'plan jobs') || 'Could not plan job';
this.set('planError', error);
this.scrollToError();
}
Expand Down
31 changes: 31 additions & 0 deletions ui/tests/acceptance/jobs-list-test.js
Original file line number Diff line number Diff line change
Expand Up @@ -468,6 +468,37 @@ module('Acceptance | jobs list', function (hooks) {
await JobsList.visit({ namespace: READ_AND_WRITE_NAMESPACE });
assert.notOk(JobsList.runJobButton.isDisabled);

await JobsList.visit({ namespace: READ_ONLY_NAMESPACE });
assert.notOk(JobsList.runJobButton.isDisabled);
});

test('when the user has no client tokens that allow them to run a job', async function (assert) {
const READ_AND_WRITE_NAMESPACE = 'read-and-write-namespace';
const READ_ONLY_NAMESPACE = 'read-only-namespace';

server.create('namespace', { id: READ_ONLY_NAMESPACE });

const policy = server.create('policy', {
id: 'something',
name: 'something',
rulesJSON: {
Namespaces: [
{
Name: READ_ONLY_NAMESPACE,
Capabilities: ['list-job'],
},
],
},
});

clientToken.policyIds = [policy.id];
clientToken.save();

window.localStorage.nomadTokenSecret = clientToken.secretId;

await JobsList.visit({ namespace: READ_AND_WRITE_NAMESPACE });
assert.ok(JobsList.runJobButton.isDisabled);

await JobsList.visit({ namespace: READ_ONLY_NAMESPACE });
assert.ok(JobsList.runJobButton.isDisabled);
});
Expand Down
2 changes: 1 addition & 1 deletion ui/tests/integration/components/job-editor-test.js
Original file line number Diff line number Diff line change
Expand Up @@ -177,7 +177,7 @@ module('Integration | Component | job-editor', function (hooks) {
await planJob(spec);
const requests = this.server.pretender.handledRequests.mapBy('url');
assert.ok(
requests.includes('/v1/jobs/parse'),
requests.includes('/v1/jobs/parse?namespace=*'),
'HCL job spec is parsed first'
);
assert.ok(
Expand Down
13 changes: 6 additions & 7 deletions ui/tests/unit/abilities/job-test.js
Original file line number Diff line number Diff line change
Expand Up @@ -251,19 +251,18 @@ module('Unit | Ability | job', function (hooks) {
this.owner.register('service:token', mockToken);

assert.ok(
this.can.cannot('run job', null, { namespace: 'production-web' })
this.can.can(
'run job',
null,
{ namespace: 'production-web' },
'The existence of a single namespace where a job can be run means that can run is enabled'
)
);
assert.ok(this.can.can('run job', null, { namespace: 'production-api' }));
assert.ok(this.can.can('run job', null, { namespace: 'production-other' }));
assert.ok(
this.can.can('run job', null, { namespace: 'something-suffixed' })
);
assert.ok(
this.can.cannot('run job', null, {
namespace: 'something-more-suffixed',
}),
'expected the namespace with the greatest number of matched characters to be chosen'
);
assert.ok(
this.can.can('run job', null, { namespace: '000-abc-999' }),
'expected to be able to match against more than one wildcard'
Expand Down
2 changes: 1 addition & 1 deletion ui/tests/unit/adapters/job-test.js
Original file line number Diff line number Diff line change
Expand Up @@ -522,7 +522,7 @@ module('Unit | Adapter | Job', function (hooks) {
await this.subject().parse('job "name-goes-here" {');

const request = this.server.pretender.handledRequests[0];
assert.equal(request.url, `/v1/jobs/parse?region=${region}`);
assert.equal(request.url, `/v1/jobs/parse?namespace=*&region=${region}`);
assert.equal(request.method, 'POST');
assert.deepEqual(JSON.parse(request.requestBody), {
JobHCL: 'job "name-goes-here" {',
Expand Down

0 comments on commit 3bbd8a0

Please sign in to comment.