Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: describe the default Workload Identity ACL policy #17245

Merged
merged 1 commit into from
May 19, 2023
Merged

docs: describe the default Workload Identity ACL policy #17245

merged 1 commit into from
May 19, 2023

Conversation

tgross
Copy link
Member

@tgross tgross commented May 18, 2023

Workload Identities have an implicit default policy. This policy can't currently be described via HCL because it includes task interpolation for Variables and access to the Services API (which doesn't exist as its own ACL capbility). Describe this in our WI documentation.

Fixes: #16277

@tgross
docs: describe the default Workload Identity ACL policy
63e761a 
Workload Identities have an implicit default policy. This policy can't currently
be described via HCL because it includes task interpolation for Variables and
access to the Services API (which doesn't exist as its own ACL
capbility). Describe this in our WI documentation.

Fixes: #16277
@tgross tgross requested review from schmichael and jrasell May 18, 2023 20:58
@tgross tgross mentioned this pull request May 18, 2023
Closed
jrasell
jrasell approved these changes May 19, 2023
View reviewed changes
Copy link
Member

@jrasell jrasell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, although which a clarifying suggestion around the service registration detail.

website/content/docs/concepts/workload-identity.mdx
Comment on lines +50 to +52
described in [Task Access to Variables][]. The implicit policy also allows
access to list or read any Nomad service registration as with the [List Services
API][] or [Read Service API][].
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
described in [Task Access to Variables][]. The implicit policy also allows
access to list or read any Nomad service registration as with the [List Services
API][] or [Read Service API][].
described in [Task Access to Variables][]. The implicit policy also allows
access to list or read any Nomad service registration in the same namespace
as the job, as with the [List Services API][] or [Read Service API][].

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the code I don't think that's the case? The template block uses the job's namespace but we don't enforce that as an ACL policy. So if a workload uses the Task API it can read services in another namespace.

The current code assumes that if you have a valid WI claim that we don't need to check the namespace (ref service_registration_endpoint.go#L220). Which seems like it could have been a regression in behavior. But if I look at the original auth code from 1.3.0 (ref service_registration_endpoint.go#L437-L477) where we only had a node secret and not a WI, that's always been the policy.

I don't think this is unintentional either, as we have #14177 open which is saying "hey let's make sure the template block can do that too!"

@tgross tgross merged commit 2275a83 into main May 19, 2023
@tgross tgross deleted the docs-default-workload-identity-policy branch May 19, 2023 15:38
@tgross tgross added backport/1.4.x backport to 1.4.x release line backport/1.5.x backport to 1.5.x release line labels May 19, 2023
This was referenced May 19, 2023
Merged
Merged
tgross added a commit that referenced this pull request May 19, 2023
@tgross
docs: describe the default Workload Identity ACL policy (#17245)
1178c9e 
Workload Identities have an implicit default policy. This policy can't currently
be described via HCL because it includes task interpolation for Variables and
access to the Services API (which doesn't exist as its own ACL
capbility). Describe this in our WI documentation.

Fixes: #16277
tgross added a commit that referenced this pull request May 19, 2023
@hc-github-team-nomad-core @tgross
docs: describe the default Workload Identity ACL policy (#17245) (#17259
eccd394 
)

Workload Identities have an implicit default policy. This policy can't currently
be described via HCL because it includes task interpolation for Variables and
access to the Services API (which doesn't exist as its own ACL
capbility). Describe this in our WI documentation.

Fixes: #16277

Co-authored-by: Tim Gross <[email protected]>
@msherman13 msherman13 mentioned this pull request Jan 23, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jrasell jrasell jrasell approved these changes

@schmichael schmichael Awaiting requested review from schmichael

Assignees
No one assigned
Labels
backport/1.4.x backport to 1.4.x release line backport/1.5.x backport to 1.5.x release line theme/auth theme/docs Documentation issues and enhancements theme/service-discovery/nomad theme/variables Variables feature theme/workload-identity
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Document default ACL policy for Workload
2 participants
@tgross @jrasell