allow attaching ACL policy to entire namespace #17181

Open
michael-strigo opened this issue May 15, 2023 · 3 comments
Labels
hcc/jira stage/accepted Confirmed, and intend to work on. No timeline commitment though. theme/auth theme/workload-identity type/enhancement

michael-strigo commented May 15, 2023

Proposal

Having the ability to apply policy to the entire namespace.

Use-cases

We operate dev environments. Each env is a Nomad job. These jobs share the same set of variables under a unified variable path.
It would be nice if we could allow all of the jobs in the namespace to be able to access the variable path without having to manually apply a policy per job. Since policy apply requires a management token, this requires anyone that needs to deploy such an environment to have a root token.

Attempted Solutions

Right now we just have a job that monitors the nomad event stream and applies policies to jobs in the namespace.
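
The workaround described in this post, sketched as an added example (not the poster's code and not part of Nomad): a watcher that holds the management token reads the job event stream and emits one `nomad acl policy apply -job` call per new job in the namespace, so deployers never need that token. The policy file name, the `env-vars` prefix, the hashing scheme and the sample event lines are assumptions made for illustration.

```python
import hashlib
import json

def policy_name(job_id, prefix="env-vars"):
    # Job names have few restrictions, so the policy name is derived from a
    # hash of the job ID rather than the raw ID (assumption: policy names
    # must stay within letters, digits and dashes).
    return f"{prefix}-{hashlib.sha256(job_id.encode()).hexdigest()[:12]}"

def policy_commands(stream_lines, namespace, policy_file, seen=None):
    """Return one `nomad acl policy apply` argv per newly registered job."""
    seen = set() if seen is None else seen
    commands = []
    for line in stream_lines:
        line = line.strip()
        if not line:
            continue
        frame = json.loads(line)
        # Heartbeat frames are "{}" and carry no Events key.
        for event in frame.get("Events") or []:
            if event.get("Topic") != "Job" or event.get("Type") != "JobRegistered":
                continue
            if event.get("Namespace") != namespace:
                continue
            job_id = event.get("Key")  # for the Job topic, Key is the job ID
            if not job_id or job_id in seen:
                continue
            seen.add(job_id)
            # argv list, never a shell string: job IDs are untrusted input.
            commands.append(["nomad", "acl", "policy", "apply",
                             "-namespace", namespace, "-job", job_id,
                             policy_name(job_id), policy_file])
    return commands

# Constructed sample of newline-delimited frames from /v1/event/stream.
SAMPLE_STREAM = [
    '{}',
    '{"Index":10,"Events":[{"Topic":"Job","Type":"JobRegistered","Key":"env-alice","Namespace":"dev"}]}',
    '{"Index":11,"Events":[{"Topic":"Job","Type":"JobRegistered","Key":"env-bob","Namespace":"prod"}]}',
    '{"Index":12,"Events":[{"Topic":"Job","Type":"JobRegistered","Key":"env-alice","Namespace":"dev"},'
    '{"Topic":"Job","Type":"JobDeregistered","Key":"env-old","Namespace":"dev"}]}',
]

if __name__ == "__main__":
    for argv in policy_commands(SAMPLE_STREAM, "dev", "env-vars.policy.hcl"):
        print(" ".join(argv))
```

Each policy is attached to exactly one job, which is why the watcher needs a distinct policy name per job; passing the result to a process launcher as an argument list keeps unusual job names from being interpreted by a shell.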

tgross commented May 15, 2023

Hi @michael-strigo I took a look at the original design docs and PR #14140 for that and I think the reason we didn't do it that way originally was that it made the state store indexer (ref schema.go#L829-L891) weirdly ambiguous in some corner cases because there are very few restrictions on Job names. But it might be possible for us to come up with a reasonable workaround for it.

I'll mark this for roadmapping.

tgross changed the title from "Feature: applying policy to entire namespace" to "allow attaching ACL policy to entire namespace" May 15, 2023
tgross added the stage/accepted (Confirmed, and intend to work on. No timeline commitment though.) label May 15, 2023

@michael-strigo (Author)

A possible alternative would be to maybe allow wildcards in job names.

@msherman13

Coming in from duplicate issue #19803, expressing support for this feature. Job name wildcards seem like a good idea.

Projects
Status: Needs Roadmapping