store ACL Accessor ID from Job.Register with Job (#8204)
In multiregion deployments when ACLs are enabled, the deploymentwatcher needs
an appropriately scoped ACL token with the same `submit-job` rights as the
user who submitted the job. The token will already be replicated, so store the
accessor ID so that it can be retrieved by the leader.
tgross authored Jun 19, 2020
1 parent 8ce13f3 commit 8fc76f5
Showing 5 changed files with 27 additions and 0 deletions.
4 changes: 4 additions & 0 deletions api/jobs.go
@@ -787,6 +787,7 @@ type Job struct {
Meta map[string]string
ConsulToken *string `mapstructure:"consul_token"`
VaultToken *string `mapstructure:"vault_token"`
NomadTokenID *string `mapstructure:"nomad_token_id"`
Status *string
StatusDescription *string
Stable *bool
@@ -849,6 +850,9 @@ func (j *Job) Canonicalize() {
if j.VaultToken == nil {
j.VaultToken = stringToPtr("")
}
if j.NomadTokenID == nil {
j.NomadTokenID = stringToPtr("")
}
if j.Status == nil {
j.Status = stringToPtr("")
}
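Review bot: The new `NomadTokenID` field in `Job` has no doc comment, and its `mapstructure:"nomad_token_id"` tag places it beside `ConsulToken` and `VaultToken`, which reads as if callers are expected to supply it. According to the commit description the value is the accessor ID recorded by the server at Job.Register, so a comment such as `// NomadTokenID is the accessor ID of the ACL token used to register the job. It is set by the server; it is not a secret and clients need not set it.` would make that explicit. The struct continues outside the hunk.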
8 changes: 8 additions & 0 deletions api/jobs_test.go
@@ -243,6 +243,7 @@ func TestJobs_Canonicalize(t *testing.T) {
AllAtOnce: boolToPtr(false),
ConsulToken: stringToPtr(""),
VaultToken: stringToPtr(""),
NomadTokenID: stringToPtr(""),
Status: stringToPtr(""),
StatusDescription: stringToPtr(""),
Stop: boolToPtr(false),
@@ -332,6 +333,7 @@ func TestJobs_Canonicalize(t *testing.T) {
AllAtOnce: boolToPtr(false),
ConsulToken: stringToPtr(""),
VaultToken: stringToPtr(""),
NomadTokenID: stringToPtr(""),
Status: stringToPtr(""),
StatusDescription: stringToPtr(""),
Stop: boolToPtr(false),
@@ -404,6 +406,7 @@ func TestJobs_Canonicalize(t *testing.T) {
AllAtOnce: boolToPtr(false),
ConsulToken: stringToPtr(""),
VaultToken: stringToPtr(""),
NomadTokenID: stringToPtr(""),
Stop: boolToPtr(false),
Stable: boolToPtr(false),
Version: uint64ToPtr(0),
@@ -569,6 +572,7 @@ func TestJobs_Canonicalize(t *testing.T) {
AllAtOnce: boolToPtr(false),
ConsulToken: stringToPtr(""),
VaultToken: stringToPtr(""),
NomadTokenID: stringToPtr(""),
Stop: boolToPtr(false),
Stable: boolToPtr(false),
Version: uint64ToPtr(0),
@@ -726,6 +730,7 @@ func TestJobs_Canonicalize(t *testing.T) {
AllAtOnce: boolToPtr(false),
ConsulToken: stringToPtr(""),
VaultToken: stringToPtr(""),
NomadTokenID: stringToPtr(""),
Stop: boolToPtr(false),
Stable: boolToPtr(false),
Version: uint64ToPtr(0),
@@ -811,6 +816,7 @@ func TestJobs_Canonicalize(t *testing.T) {
AllAtOnce: boolToPtr(false),
ConsulToken: stringToPtr(""),
VaultToken: stringToPtr(""),
NomadTokenID: stringToPtr(""),
Stop: boolToPtr(false),
Stable: boolToPtr(false),
Version: uint64ToPtr(0),
@@ -975,6 +981,7 @@ func TestJobs_Canonicalize(t *testing.T) {
AllAtOnce: boolToPtr(false),
ConsulToken: stringToPtr(""),
VaultToken: stringToPtr(""),
NomadTokenID: stringToPtr(""),
Stop: boolToPtr(false),
Stable: boolToPtr(false),
Version: uint64ToPtr(0),
@@ -1137,6 +1144,7 @@ func TestJobs_Canonicalize(t *testing.T) {
AllAtOnce: boolToPtr(false),
ConsulToken: stringToPtr(""),
VaultToken: stringToPtr(""),
NomadTokenID: stringToPtr(""),
Stop: boolToPtr(false),
Stable: boolToPtr(false),
Version: uint64ToPtr(0),
10 changes: 10 additions & 0 deletions nomad/job_endpoint.go
@@ -96,6 +96,16 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis
}
args.Job = job

// Attach the Nomad token's accessor ID so that deploymentwatcher
// can reference the token later
tokenID, err := j.srv.ResolveSecretToken(args.AuthToken)
if err != nil {
return err
}
if tokenID != nil {
args.Job.NomadTokenID = tokenID.AccessorID
}

// Set the warning message
reply.Warnings = structs.MergeMultierrorWarnings(warnings...)

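Review bot: `args.Job.NomadTokenID` is only assigned when `tokenID != nil`, so whatever value arrived in the request is kept whenever `ResolveSecretToken` returns a nil token. Since deploymentwatcher is meant to use this accessor ID to look up a token with the submitter's rights, the field should never carry a caller-chosen value; clearing it first with `args.Job.NomadTokenID = ""` ahead of the `if tokenID != nil` check would close that gap. When a nil token can occur is decided inside `ResolveSecretToken`, which is not visible here (presumably when ACLs are disabled). None of the five files in this commit adds a test for the Register path. Register's body starts and ends outside the hunk.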
4 changes: 4 additions & 0 deletions nomad/structs/structs.go
@@ -3631,6 +3631,10 @@ type Job struct {
// transfer the token and is not stored after Job submission.
VaultToken string

// NomadTokenID is the Accessor ID of the ACL token (if any)
// used to register this version of the job. Used by deploymentwatcher.
NomadTokenID string

// Job status
Status string

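Review bot: `NomadTokenID` is added to the stored `Job` as ordinary job data, so any code that compares two job versions field by field will now see a difference when the same jobspec is re-registered with a different token. It is worth checking whether the comparison used to decide if a new job version is needed (`SpecChanged`, not visible in this hunk) should ignore this field. The comment could also say that, unlike `VaultToken` just above, this value is persisted with the job and is an accessor ID rather than a secret.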
1 change: 1 addition & 0 deletions vendor/github.com/hashicorp/nomad/api/jobs.go

