You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
These rules allow any user without a token to enter the UI and enter the "Storage" section and see there everything except making any actions like restart stop or exec.
The only reason I added the rules is because when a plugin tries to mount a volume to the task, it encounters a permission denied exception.
My wish is that the token request screen will appear at the "Storage" section and if possible, running the CSI-plugins without even using the anonymous policy.
Please let me know if this is a bug.
Looking forward to your reply
The text was updated successfully, but these errors were encountered:
Hi @mishel170! Unfortunately this looks like a bug. The ACL is getting checked when you submit the job as we'd expect but it looks like the plugin isn't being given the appropriate token to make the internal RPC. I'll get this on our list of work for CSI to go GA.
I'm going to change the title of the issue a bit to make it a little easier for us to get it assigned to the right folks
tgross
changed the title
Running nomad with ACL and volumes exposes the "Storage" section along with its allocation details to the anonymous user
CSI plugins don't get ACL tokens to send to RPCs
Jul 7, 2020
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Nomad version - 0.11.3
Hi,
When I use Nomad with ACL and volumes, I have to add to the anonymous policy the following rules:
These rules allow any user without a token to enter the UI and enter the "Storage" section and see there everything except making any actions like restart stop or exec.
The only reason I added the rules is because when a plugin tries to mount a volume to the task, it encounters a permission denied exception.
My wish is that the token request screen will appear at the "Storage" section and if possible, running the CSI-plugins without even using the anonymous policy.
Please let me know if this is a bug.
Looking forward to your reply
The text was updated successfully, but these errors were encountered: