
The allocations endpoint with namespace=* does not interact with ACLs as expected #9268

Closed
DingoEatingFuzz opened this issue Nov 4, 2020 · 6 comments · Fixed by #9278
Labels
stage/accepted Confirmed, and intend to work on. No timeline committment though. theme/allocation API theme/api HTTP API and SDK issues theme/auth type/bug
Milestone
1.0
Comments

@DingoEatingFuzz
Contributor

Nomad version

1.0.0-beta2

Issue

When ACLs are enabled and a token has permissions to namespaces individually but no permissions for *, requesting /v1/allocations?namespace=* results in a 403 Forbidden.

I expected to get all allocations across all namespaces I have permissions for.

Reproduction steps

  1. Create some namespaces
  2. Create policies that grant read access to namespaces individually
  3. Create a token using those policies
  4. Run http localhost:4646/v1/allocations?namespace=* -- X-Nomad-Token:<token> or similar
@DingoEatingFuzz
Contributor Author

Policy for reference.

namespace "default" {
  policy = "read"
}

namespace "other-ns" {
  policy = "read"
  capabilities = ["list-jobs", "read-job"]
}

agent {
  policy = "read"
}

node {
  policy = "read"
}

@cgbaker
Contributor

cgbaker commented Nov 4, 2020

I suspect it's a bad check early in the RPC call, which doesn't account for the sentinel:
https://github.com/hashicorp/nomad/blame/v1.0.0-beta2/nomad/alloc_endpoint.go#L36

This code should probably be updated to reflect the pattern in job listing:
https://github.com/hashicorp/nomad/blame/v1.0.0-beta2/nomad/job_endpoint.go#L1301

Also, while we're fixing bugs... it looks like the filtering on this line is backwards:
https://github.com/hashicorp/nomad/blob/master/nomad/state/state_store.go#L3356

And the allow check (in the latest version) is wrong as well (list-jobs instead of read-job):
https://github.com/hashicorp/nomad/blame/ba17e2191ba3a0dbf479b51430b9d4815a0bc112/nomad/alloc_endpoint.go#L41
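
The two patterns the comment above contrasts, as an added example that is not Nomad's own code: a toy ACL model in which the early per-namespace check is applied to the literal string "*" (the failure the issue reports), beside the job-listing style that recognises the sentinel and instead filters each allocation by read-job in its own namespace. The ACL type, `allowNsOp`, the capability strings, the expansion of `policy = "read"` into list-jobs plus read-job, the extra "list-only" and "secret" namespaces, and the allocations are all constructed for this illustration; returning an empty list rather than 403 when no namespace is readable is likewise a choice made here, not a statement about Nomad's behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Hypothetical model for this example, not Nomad's ACL implementation.
// Capability names follow the issue; "*" is the wildcard the request uses.
const (
	capListJobs           = "list-jobs"
	capReadJob            = "read-job"
	allNamespacesSentinel = "*"
)

// ACL maps a namespace to the set of capabilities the token holds there.
type ACL map[string]map[string]bool

func newACL(grants map[string][]string) ACL {
	a := ACL{}
	for ns, caps := range grants {
		a[ns] = map[string]bool{}
		for _, c := range caps {
			a[ns][c] = true
		}
	}
	return a
}

// allowNsOp reports whether the token may perform op in ns. A namespace with
// no policy (including a literal "*" when no wildcard policy exists) is false.
func (a ACL) allowNsOp(ns, op string) bool {
	return a[ns][op]
}

type Alloc struct {
	ID        string
	Namespace string
}

var errPermissionDenied = errors.New("Permission denied")

// listAllocsBuggy reproduces the failure the issue reports: the namespace
// check runs before the sentinel is considered, so namespace=* is treated as
// an ordinary namespace the token has no policy for and the call is rejected.
func listAllocsBuggy(a ACL, ns string, allocs []Alloc) ([]string, error) {
	if !a.allowNsOp(ns, capReadJob) {
		return nil, errPermissionDenied
	}
	ids := []string{}
	for _, al := range allocs {
		if al.Namespace == ns {
			ids = append(ids, al.ID)
		}
	}
	sort.Strings(ids)
	return ids, nil
}

// listAllocsFixed follows the job-listing pattern: a concrete namespace keeps
// the early check, while the sentinel skips it and filters each allocation by
// read-job in that allocation's own namespace. Allocations require read-job,
// not list-jobs, so a namespace granting only list-jobs contributes nothing.
func listAllocsFixed(a ACL, ns string, allocs []Alloc) ([]string, error) {
	if ns != allNamespacesSentinel {
		return listAllocsBuggy(a, ns, allocs)
	}
	ids := []string{}
	for _, al := range allocs {
		if a.allowNsOp(al.Namespace, capReadJob) {
			ids = append(ids, al.ID)
		}
	}
	sort.Strings(ids)
	return ids, nil
}

// issueToken models the policy posted in the issue (policy = "read" expanded
// to list-jobs and read-job is an assumption) plus a constructed "list-only"
// namespace to show the read-job/list-jobs distinction.
func issueToken() ACL {
	return newACL(map[string][]string{
		"default":   {capListJobs, capReadJob},
		"other-ns":  {capListJobs, capReadJob},
		"list-only": {capListJobs},
	})
}

// sampleAllocs is constructed data spread across namespaces, including one
// ("secret") the token has no policy for at all.
func sampleAllocs() []Alloc {
	return []Alloc{
		{ID: "a1", Namespace: "default"},
		{ID: "a2", Namespace: "other-ns"},
		{ID: "a3", Namespace: "list-only"},
		{ID: "a4", Namespace: "secret"},
	}
}

func main() {
	tok, allocs := issueToken(), sampleAllocs()
	_, err := listAllocsBuggy(tok, allNamespacesSentinel, allocs)
	fmt.Println("buggy namespace=*:", err)
	ids, _ := listAllocsFixed(tok, allNamespacesSentinel, allocs)
	fmt.Println("fixed namespace=*:", ids)
}
```

Running it shows the buggy path failing with Permission denied for namespace=* while the fixed path returns a1 and a2 only: a3 is excluded because list-jobs alone does not grant read-job, and a4 because the token has no policy for that namespace at all.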

@cgbaker cgbaker added stage/accepted Confirmed, and intend to work on. No timeline committment though. theme/allocation API type/bug and removed stage/needs-discussion labels Nov 4, 2020
@cgbaker cgbaker self-assigned this Nov 4, 2020
cgbaker added a commit that referenced this issue Nov 5, 2020
@cgbaker cgbaker added this to the 1.0 milestone Nov 5, 2020
@yitbarek123

@cgbaker, I'm also facing this issue with the latest Nomad version, 1.1.6.

Thanks.

@cgbaker cgbaker removed their assignment Nov 9, 2021
@cgbaker
Contributor

cgbaker commented Nov 9, 2021

Hi @yitbarek123, please file a new issue with the pertinent details and someone from Nomad will triage it. Thank you!

@yitbarek123

OK, @cgbaker. Thanks again.

@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 14, 2022