Cannot read a job in Nomad UI with ACL

[ptry2024]

Hi,
I running a nomad cluster with 3 nodes with version is Nomad v1.2.2 (78b8c171a211f967a8b297a88a7e844b3543f2b0
I have created Nomad ACL Client Token with below policy:

namespace "default" {
  capabilities = ["read-logs","list-jobs","read-job"]
}

I can use its token in command cli and view allocation status like below:

(uat-aws) root@uat-1:~$ nomad job status ui
ID            = ui
Name          = ui
Submit Date   = 2021-12-07T10:09:06Z
Type          = service
Priority      = 50
Datacenters   = uat
Namespace     = default
Status        = running
Periodic      = false
Parameterized = false

Summary
Task Group  Queued  Starting  Running  Failed  Complete  Lost
ui          0       0         1        0       0         0

Latest Deployment
ID          = e7e65770
Status      = successful
Description = Deployment completed successfully

Deployed
Task Group  Desired  Placed  Healthy  Unhealthy  Progress Deadline
ui          1        1       1        0          2021-12-07T10:39:33Z

Allocations
ID        Node ID   Task Group  Version  Desired  Status   Created    Modified
6118ba3d  f3d34ae3  ui          0        run      running  2d21h ago  2d20h ago
(uat-aws) root@uat-1:~$ omad alloc status 6118ba3d
bash: omad: command not found
(uat-aws) root@uat-1:~$ nomad alloc status 6118ba3d
ID                  = 6118ba3d-9997-15c4-680f-38133e4f6434
Eval ID             = 02dad60d
Name                = ui.ui[0]
Node ID             = f3d34ae3
Node Name           = uat-2
Job ID              = ui
Job Version         = 0
Client Status       = running
Client Description  = Tasks are running
Desired Status      = run
Desired Description = <none>
Created             = 2d21h ago
Modified            = 2d20h ago
Deployment ID       = e7e65770
Deployment Health   = healthy

Allocation Addresses (mode = "bridge")
Label              Dynamic  Address
*http              yes      xx.xxx.xx.xx:90 -> 443
*connect-proxy-ui  yes      xx.xxx.xx.xx:23437 -> 23437

Task "connect-proxy-ui" (prestart sidecar) is "running"
Task Resources
CPU        Memory          Disk     Addresses
4/250 MHz  22 MiB/128 MiB  300 MiB  

Task Events:
Started At     = 2021-12-07T10:09:32Z
Finished At    = N/A
Total Restarts = 0
Last Restart   = N/A

Recent Events:
Time                  Type        Description
2021-12-07T10:09:32Z  Started     Task started by client
2021-12-07T10:09:30Z  Task Setup  Building Task Directory
2021-12-07T10:09:06Z  Received    Task received by client

Task "ui" is "running"
Task Resources
CPU        Memory           Disk     Addresses
0/500 MHz  7.6 MiB/2.9 GiB  300 MiB  

Task Events:
Started At     = 2021-12-07T10:09:33Z
Finished At    = N/A
Total Restarts = 0
Last Restart   = N/A

Recent Events:
Time                  Type        Description
2021-12-07T10:09:33Z  Started     Task started by client
2021-12-07T10:09:32Z  Task Setup  Building Task Directory
2021-12-07T10:09:06Z  Received    Task received by client

but when I tried access nomad web portal that I used this token, I can see the job running

however, I clicked ui job it says Not Authorized

BTW, This ones not happen when I use nomad version 1.1.5
Could anyone please have a look and advise me?
Many thanks

[tgross]

Hi @hoangphuc1662! The UI provides richer data than the CLI does in some places, so I suspect what's happening there is that the ACL token is missing a permission for just one of the API calls that page makes. For example, if I bring up the page for my job example, I see all the following API endpoints get hit:

/v1/job/example/allocations
/v1/job/example/evaluations
/v1/jobs?namespace=default 
/v1/namespaces
/v1/nodes 
/v1/job/example/deployment?index=1 
/v1/job/example/summary?index=1 
/v1/job/example/deployment 
/v1/client/allocation/:alloc_id/stats
/v1/job/example/versions?diffs=true 

If you bring up your browser's development tools, you should be able to see which request gets a 403. I suspect your policy needs node-read as well:

node {
  policy = "read"
}

[ptry2024]

@tgross I added node policy, now I can view the jobs in Nomad UI. Thanks a lot.

namespace "default" {
  capabilities = ["read-logs","list-jobs","read-job"]
}

node {
  policy = "read"
}

[tgross]

Just FYI we've opened #11672 as a way to make sure this kind of thing doesn't blank out the whole page, so thanks again for bringing this to our attention!

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.