Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ui] Read-based checks for viewing templates and write-based checks for saving them #23458

Merged
merged 1 commit into from
Jun 28, 2024
Merged

[ui] Read-based checks for viewing templates and write-based checks for saving them #23458

merged 1 commit into from
Jun 28, 2024

Conversation

philrenaud
Copy link
Contributor

This adds nuance to the ACL policy checks for a user to be able to see Job Templates (which are specifically-named Nomad Variables behind the scenes).

The way it works today has some specific checks in place:

  • to even get into the job templates section, you have to first click the "Run Job" button, which only exists if you have the submit-job ACL capability, or a general "write" policy.
  • Once there, we only show you a "Choose from template" button if you can write variables to *.

I think the original intent here was to do up-front checks for full CRUD access, but this PR moves that access check a little downstream. Here, you'll see that the check to see the "Choose from template" button requires specifically read variable access (and I could be convinced to make it list variables, but that would make the subsequent page pretty useless), and the write variable check is moved downstream to the "save as template" button, and to manually edit a given job template via the Management page.

Here is a sample ACL policy to test with:

namespace "default" {
  policy = "read"
  capabilities = ["submit-job"]
  variables {
    # give read access to all job templates related to this namespace
    path "nomad/job-templates/*" {
      capabilities = ["read","list","write"]
    }
    path "*" {
      capabilities = ["write","list"]
    }
  }
}

^--- the submit-job capability is in place, so the "Run Job" button will be present. Also, the nomad/job-templates/* rule has both read and write, which will show both a "Choose from template" and a "Save as template" button. Remove either read or write to see how buttons disappear accordingly.

User has read and write, but not delete, variable capability:

image

User has read variables for nomad/job-templates/*:

image

User has write variables for nomad/job-templates/*:

image

Resolves #23438

@philrenaud philrenaud self-assigned this Jun 27, 2024
@philrenaud philrenaud linked an issue Jun 27, 2024 that may be closed by this pull request
UI: wrong policy ACLs when access Job Templates/Nomad Variables #23438
Closed
@philrenaud philrenaud mentioned this pull request Jun 27, 2024
Closed
@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 27, 2024
edited
Loading

Ember Test Audit comparison

main e05c580 change
passes 1573 1573 0
failures 0 0 0
flaky 0 0 0
duration 11m 32s 421ms 11m 24s 155ms -08s 266ms

tgross
tgross approved these changes Jun 27, 2024
View reviewed changes
Copy link
Member

@tgross tgross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 👍

ui/app/templates/components/job-editor.hbs
@@ -16,7 +16,7 @@
Paste or author HCL or JSON to submit to your cluster, or select from a list of templates. A plan will be requested before the job is submitted. You can also attach a job spec by uploading a job file or dragging & dropping a file to the editor.
</p>

{{#if (can "write variable" path="*" namespace="*")}}
{{#if (can "read variable" path="nomad/job-templates/*" namespace="*")}}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At first glance I thought this would get us into trouble, but the write policy for Variables is a little different than it is for anything else:

Create or update Variables at this path. Includes the "list" capability but not the "read" or "destroy" capabilities.

👍

@philrenaud philrenaud added the backport/1.8.x backport to 1.8.x release line label Jun 28, 2024
@philrenaud philrenaud force-pushed the 23438-ui-wrong-policy-acls-when-access-job-templatesnomad-variables branch from 1d8936a to e05c580 Compare June 28, 2024 21:04
@philrenaud philrenaud merged commit bbd1bb3 into main Jun 28, 2024
15 checks passed
@philrenaud philrenaud deleted the 23438-ui-wrong-policy-acls-when-access-job-templatesnomad-variables branch June 28, 2024 21:30
@hc-github-team-nomad-core hc-github-team-nomad-core mentioned this pull request Jun 28, 2024
Merged
@github-actions GitHub Actions
Copy link

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 31, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@martisah martisah martisah approved these changes

@tgross tgross tgross approved these changes

@pkazmierczak pkazmierczak Awaiting requested review from pkazmierczak

Assignees

@philrenaud philrenaud

Labels
backport/1.8.x backport to 1.8.x release line
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

UI: wrong policy ACLs when access Job Templates/Nomad Variables
3 participants
@philrenaud @tgross @martisah