Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of [bugfix, ui] Allow running jobs from a namespace-limited token into release/1.2.x #13687

Merged
merged 1 commit into from
Jul 11, 2022
Merged

Backport of [bugfix, ui] Allow running jobs from a namespace-limited token into release/1.2.x #13687

merged 1 commit into from
Jul 11, 2022

Conversation

hc-github-team-nomad-core
Copy link
Contributor

Backport

This PR is auto-generated from #13659 to be assessed for backporting due to the inclusion of the label backport/1.2.x.

WARNING automatic cherry-pick of commits failed. Commits will require human attention.

The below text is copied from the body of the original PR.

Currently, there are a few things preventing a user from running a new job via the UI, in an environment where their ACL token has limited namespace abilities:

  1. We had previously tied the "Run job" button to an ability that depended on the current namespace. However, this means that your ability to run a job is dependent on filtering your jobs index table, which is pretty confusing to an end-user. Worse, if you don't have any jobs currently running, you don't get any option to set this namespace filter at all.
    • The abilities/job can run ability now looks at all abilities across all namespaces within your policy. This means there's a chance you submit a job for which you don't have write permissions, but good news: it gets caught at several steps along the way upon submission. It's better to not restrict access to this editor and this change reflects that.
  2. If you did somehow manage to make it to the /run page, ever since 1.2.6, Nomad job parsing requires an ACL token but namespaces have never been sent along with that request. Thus, if you had * { read } and myNamespace { write }, it would try to parse your job without a namespace and return a 403.
    • This is a pretty circular issue: the thing that let us determine the namespace of a job was the /parse request. But now that that parse request is conditional upon the namespace... you get where this is going.
    • So, we could try to move the parse() functionality into the browser, which comes with a lot of its own chance for error (Job HCL parsing within the Nomad UI doesn't sound like something we should be doing). Instead, this PR opts to include a Namespaces dropdown on the job/run UI. It uses this when passing the job to /parse.
      ^--- great news update: Turns out we don't need to parse the namespace, we just need a namespace. All other things being equal, a POST to /parse will 403 but /parse?namespace=* will 20x.

Side-effect: Includes better error messaging for ACL permission errors upon job submission.

image

@hashicorp-cla
Copy link

hashicorp-cla commented Jul 11, 2022
edited
Loading

CLA assistant check
All committers have signed the CLA.

@philrenaud @lgfa29
[bugfix, ui] Allow running jobs from a namespace-limited token (#13659)
fcd9b9f 
* Allow running jobs from a namespace-limited token

* qpNamespace cleanup

* Looks like parse can deal with a * namespace

* A little diff cleanup

* Defensive destructuring

* Removing accidental friendly-fire on can-scale

* Testfix: Job run buttons from jobs index

* Testfix: activeRegion job adapter string

* Testfix: unit tests for job abilities correctly reflect the any-namespace rule

* Testfix: job editor test looks for requests with namespace applied on plan
@lgfa29 lgfa29 force-pushed the backport/job-parse-with-namespaces-enabled/seemingly-polite-wren branch from 725c1a0 to fcd9b9f Compare July 11, 2022 19:21
@github-actions
Copy link

Ember Asset Size action

As of fcd9b9f

Files that got Bigger 🚨:

File raw gzip
nomad-ui.js +563 B +133 B

Files that stayed the same size 🤷‍:

File raw gzip
vendor.js 0 B 0 B
nomad-ui.css 0 B 0 B
vendor.css 0 B 0 B

@github-actions
Copy link

Ember Test Audit comparison

release/1.2.x fcd9b9f change
passes 1259 1260 +1
failures 0 0 0
flaky 0 0 0
duration 9m 43s 047ms 10m 00s 746ms +17s 699ms

@lgfa29 lgfa29 merged commit 2a9efef into release/1.2.x Jul 11, 2022
@lgfa29 lgfa29 deleted the backport/job-parse-with-namespaces-enabled/seemingly-polite-wren branch July 11, 2022 20:00
@github-actions
Copy link

github-actions bot commented Nov 9, 2022

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 9, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@philrenaud philrenaud Awaiting requested review from philrenaud

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hc-github-team-nomad-core @hashicorp-cla @lgfa29 @philrenaud