From b0ee4b4d7d467b7197242152da0dc3ce129c4825 Mon Sep 17 00:00:00 2001
From: Derek Strickland
Date: Wed, 17 Aug 2022 16:13:05 -0400
Subject: [PATCH 1/2] sentinel: add support for Nomad ACL Token and Namespace
---
 nomad/job_endpoint.go | 34 +++++++++++++++++++++++-----------
 nomad/job_endpoint_oss.go | 2 +-
 2 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/nomad/job_endpoint.go b/nomad/job_endpoint.go
index cf93971e69d..311857787c4 100644
--- a/nomad/job_endpoint.go
+++ b/nomad/job_endpoint.go
@@ -104,12 +104,12 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis
 // Attach the Nomad token's accessor ID so that deploymentwatcher
 // can reference the token later
- tokenID, err := j.srv.ResolveSecretToken(args.AuthToken)
+ nomadACLToken, err := j.srv.ResolveSecretToken(args.AuthToken)
 if err != nil {
 return err
 }
- if tokenID != nil {
- args.Job.NomadTokenID = tokenID.AccessorID
+ if nomadACLToken != nil {
+ args.Job.NomadTokenID = nomadACLToken.AccessorID
 }
 // Set the warning message
@@ -273,7 +273,11 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis
 // Enforce Sentinel policies. Pass a copy of the job to prevent
 // sentinel from altering it.
- policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job.Copy())
+ ns, err := snap.NamespaceByName(nil, args.RequestNamespace())
+ if err != nil {
+ return err
+ }
+ policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job.Copy(), nomadACLToken, ns)
 if err != nil {
 return err
 }
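Review bot: `ns` goes straight into enforceSubmitJob after `ns, err := snap.NamespaceByName(nil, args.RequestNamespace())` with only the error checked; if NamespaceByName follows the state store's usual not-found convention of returning a nil namespace with a nil error, a job submitted to an unknown namespace reaches the Sentinel hook with `ns == nil`. Either reject that case here, `if ns == nil { return fmt.Errorf("namespace %q not found", args.RequestNamespace()) }`, or make the nil case an explicit part of enforceSubmitJob's documented contract so the enterprise implementation is known to guard it. `snap` is taken earlier in Register, outside this hunk, so whether the namespace was already validated there cannot be seen from the patch; the same concern applies to the Plan hunk later in the patch. Register's body begins before and continues after this hunk.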
@@ -1623,8 +1627,22 @@ func (j *Job) Plan(args *structs.JobPlanRequest, reply *structs.JobPlanResponse)
 }
 }
+ // Acquire a snapshot of the state
+ snap, err := j.srv.fsm.State().Snapshot()
+ if err != nil {
+ return err
+ }
+
 // Enforce Sentinel policies
- policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job)
+ nomadACLToken, err := snap.ACLTokenBySecretID(nil, args.AuthToken)
+ if err != nil && !strings.Contains(err.Error(), "missing secret id") {
+ return err
+ }
+ ns, err := snap.NamespaceByName(nil, args.RequestNamespace())
+ if err != nil {
+ return err
+ }
+ policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job, nomadACLToken, ns)
 if err != nil {
 return err
 }
@@ -1633,12 +1651,6 @@ func (j *Job) Plan(args *structs.JobPlanRequest, reply *structs.JobPlanResponse)
 reply.Warnings = structs.MergeMultierrorWarnings(warnings...)
 }
- // Acquire a snapshot of the state
- snap, err := j.srv.fsm.State().Snapshot()
- if err != nil {
- return err
- }
-
 // Interpolate the job for this region
 err = j.interpolateMultiregionFields(args)
 if err != nil {
diff --git a/nomad/job_endpoint_oss.go b/nomad/job_endpoint_oss.go
index 7f2b56c788d..d80281a3bca 100644
--- a/nomad/job_endpoint_oss.go
+++ b/nomad/job_endpoint_oss.go
@@ -8,7 +8,7 @@ import (
 )
 // enforceSubmitJob is used to check any Sentinel policies for the submit-job scope
-func (j *Job) enforceSubmitJob(override bool, job *structs.Job) (error, error) {
+func (j *Job) enforceSubmitJob(override bool, job *structs.Job, nomadACLToken *structs.ACLToken, ns *structs.Namespace) (error, error) {
 return nil, nil
 }
From 047eff35f9451512a5f34429649b5297a383c20e Mon Sep 17 00:00:00 2001
From: Derek Strickland
Date: Thu, 18 Aug 2022 16:31:38 -0400
Subject: [PATCH 2/2] Add changelog entry
---
 .changelog/14171.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/14171.txt
diff --git a/.changelog/14171.txt b/.changelog/14171.txt
new file mode 100644
index 00000000000..ca84601d615
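Review bot: Plan resolves the caller's token with `snap.ACLTokenBySecretID(nil, args.AuthToken)` and then decides whether to ignore the lookup error by substring-matching `err.Error()` against "missing secret id", whereas Register in the first hunk of this file gets the same value from `j.srv.ResolveSecretToken(args.AuthToken)` with a plain error check. The string match is brittle in both directions — a reworded state-store message turns every token-less plan into a hard failure, and any other lookup error whose text happens to contain that phrase is silently treated as "no token" — and it leaves the two endpoints resolving identity through different paths before handing the result to the same policy hook. Replace the three lines with `nomadACLToken, err := j.srv.ResolveSecretToken(args.AuthToken)` followed by the usual `if err != nil { return err }`, after which this hunk no longer needs `strings`; the nil-namespace point raised on Register applies to `ns` here too. The following hunk only removes the snapshot acquisition that this one moves up, so it needs no separate note. Plan's body starts before and ends after this hunk.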
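Review bot: The doc comment above enforceSubmitJob is not updated for the two parameters the signature gains, and both callers in this patch can hand in nil — Register passes whatever ResolveSecretToken returns, Plan passes the ACLTokenBySecretID result after deliberately ignoring the no-token case, and neither checks the NamespaceByName result for nil. The comment should state that contract so the non-OSS implementation is written to guard it, e.g. `// enforceSubmitJob is used to check any Sentinel policies for the submit-job scope.` followed by `// nomadACLToken is the submitting caller's resolved token and may be nil when the request carries none; ns is the job's target namespace as read from the state snapshot and may also be nil if the lookup found nothing.` While here, the pre-existing `(error, error)` return is undocumented as well; one line naming which value is the policy warning and which the enforcement failure would spare callers a trip to the call sites. Leaving the parameters unused in the OSS body is fine, since Go does not flag unused parameters.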
--- /dev/null
+++ b/.changelog/14171.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+sentinel: add the ability to reference the namespace and Nomad acl token in policies
+```