Skip to content

Commit

Permalink
Merge pull request #9205 from hashicorp/b-gh-7703
Browse files Browse the repository at this point in the history
Repurpose dispatch-job capability to dispatch periodic jobs
  • Loading branch information
Mahmood Ali authored Nov 2, 2020
2 parents e03ec7e + f04cd73 commit bdd4134
Show file tree
Hide file tree
Showing 4 changed files with 23 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ FEATURES:

IMPROVEMENTS:
* core: Improved job deregistration error logging. [[GH-8745](https://github.com/hashicorp/nomad/issues/8745)]
* acl: Allow operators with `namespace:dispatch-job` capability to force periodic job invocation [[GH-9205](https://github.com/hashicorp/nomad/issues/9205)]
* api: Added support for cancellation contexts to HTTP API. [[GH-8836](https://github.com/hashicorp/nomad/issues/8836)]
* api: Job Register API now permits non-zero initial Version to accommodate multi-region deployments. [[GH-9071](https://github.com/hashicorp/nomad/issues/9071)]
* api: Added ?resources=true query parameter to /v1/nodes and /v1/allocations to include resource allocations in listings. [[GH-9055](https://github.com/hashicorp/nomad/issues/9055)]
Expand Down
2 changes: 1 addition & 1 deletion nomad/periodic_endpoint.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ func (p *Periodic) Force(args *structs.PeriodicForceRequest, reply *structs.Peri
// Check for write-job permissions
if aclObj, err := p.srv.ResolveToken(args.AuthToken); err != nil {
return err
} else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) {
} else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityDispatchJob) && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) {
return structs.ErrPermissionDenied
}

Expand Down
18 changes: 18 additions & 0 deletions nomad/periodic_endpoint_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,24 @@ func TestPeriodicEndpoint_Force_ACL(t *testing.T) {
}
}

// Fetch the response with a valid token having dispatch permission
{
policy := mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityDispatchJob})
token := mock.CreatePolicyAndToken(t, state, 1005, "valid", policy)
req.AuthToken = token.SecretID
var resp structs.PeriodicForceResponse
assert.Nil(msgpackrpc.CallWithCodec(codec, "Periodic.Force", req, &resp))
assert.NotEqual(uint64(0), resp.Index)

// Lookup the evaluation
ws := memdb.NewWatchSet()
eval, err := state.EvalByID(ws, resp.EvalID)
assert.Nil(err)
if assert.NotNil(eval) {
assert.Equal(eval.CreateIndex, resp.EvalCreateIndex)
}
}

// Fetch the response with management token
{
req.AuthToken = root.SecretID
Expand Down
6 changes: 3 additions & 3 deletions website/pages/api-docs/jobs.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -1666,9 +1666,9 @@ The table below shows this endpoint's support for
[blocking queries](/api-docs#blocking-queries) and
[required ACLs](/api-docs#acls).

| Blocking Queries | ACL Required |
| ---------------- | ---------------------- |
| `NO` | `namespace:submit-job` |
| Blocking Queries | ACL Required |
| ---------------- | -------------------------------------------------- |
| `NO` | `namespace:dispatch-job` or `namespace:submit-job` |

### Parameters

Expand Down

0 comments on commit bdd4134

Please sign in to comment.