From 77bb2c51b8e41bb853a4d46d93aee544e75623d7 Mon Sep 17 00:00:00 2001
From: Mahmood Ali
Date: Tue, 27 Oct 2020 16:33:01 -0400
Subject: [PATCH 1/2] dispatch-job capability to dispatch periodic jobs
---
 nomad/periodic_endpoint.go | 2 +-
 nomad/periodic_endpoint_test.go | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/nomad/periodic_endpoint.go b/nomad/periodic_endpoint.go
index 4864fdd6832..b8e4807cf2b 100644
--- a/nomad/periodic_endpoint.go
+++ b/nomad/periodic_endpoint.go
@@ -28,7 +28,7 @@ func (p *Periodic) Force(args *structs.PeriodicForceRequest, reply *structs.Peri
 // Check for write-job permissions
 if aclObj, err := p.srv.ResolveToken(args.AuthToken); err != nil {
 return err
- } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) {
+ } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityDispatchJob) && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) {
 return structs.ErrPermissionDenied
 }
 
diff --git a/nomad/periodic_endpoint_test.go b/nomad/periodic_endpoint_test.go
index b4dd8ec26e5..5f2a5ed8e9e 100644
--- a/nomad/periodic_endpoint_test.go
+++ b/nomad/periodic_endpoint_test.go
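Review bot: In `Periodic.Force` (nomad/periodic_endpoint.go) the context comment `// Check for write-job permissions` is left unchanged, yet the new condition denies only when the token holds neither `dispatch-job` nor `submit-job`, so the comment now understates who is authorized; I would change it to `// Check for dispatch-job or submit-job permissions`. Since the check is an either-of rule, any token that already carries `dispatch-job` for the namespace presumably gains the ability to force periodic launches as soon as this ships, without its policy being edited, which deserves a line in the upgrade notes beside the changelog entry. The two `AllowNsOp` calls also repeat `args.RequestNamespace()`; a local such as `ns := args.RequestNamespace()` before the `if` would make the rule easier to audit. The body of `Force` starts and ends outside the hunk.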
@@ -127,6 +127,24 @@ func TestPeriodicEndpoint_Force_ACL(t *testing.T) {
 }
 }
 
+ // Fetch the response with a valid token having dispatch permission
+ {
+ policy := mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityDispatchJob})
+ token := mock.CreatePolicyAndToken(t, state, 1005, "valid", policy)
+ req.AuthToken = token.SecretID
+ var resp structs.PeriodicForceResponse
+ assert.Nil(msgpackrpc.CallWithCodec(codec, "Periodic.Force", req, &resp))
+ assert.NotEqual(uint64(0), resp.Index)
+
+ // Lookup the evaluation
+ ws := memdb.NewWatchSet()
+ eval, err := state.EvalByID(ws, resp.EvalID)
+ assert.Nil(err)
+ if assert.NotNil(eval) {
+ assert.Equal(eval.CreateIndex, resp.EvalCreateIndex)
+ }
+ }
+
 // Fetch the response with management token
 {
 req.AuthToken = root.SecretID
From f04cd73997f8cf44f54d6ebdbb6851de3752f4d5 Mon Sep 17 00:00:00 2001
From: Mahmood Ali
Date: Mon, 2 Nov 2020 12:42:57 -0500
Subject: [PATCH 2/2] update docs and changelog
---
 CHANGELOG.md | 1 +
 website/pages/api-docs/jobs.mdx | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 318f2f9f3f6..54e6d7e3cb2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ FEATURES:
 
 IMPROVEMENTS:
 * core: Improved job deregistration error logging. [[GH-8745](https://github.com/hashicorp/nomad/issues/8745)]
+ * acl: Allow operators with `namespace:dispatch-job` capability to force periodic job invocation [[GH-9205](https://github.com/hashicorp/nomad/issues/9205)]
 * api: Added support for cancellation contexts to HTTP API. [[GH-8836](https://github.com/hashicorp/nomad/issues/8836)]
 * api: Job Register API now permits non-zero initial Version to accommodate multi-region deployments. [[GH-9071](https://github.com/hashicorp/nomad/issues/9071)]
 * api: Added ?resources=true query parameter to /v1/nodes and /v1/allocations to include resource allocations in listings. [[GH-9055](https://github.com/hashicorp/nomad/issues/9055)]
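Review bot: The new block in `TestPeriodicEndpoint_Force_ACL` (nomad/periodic_endpoint_test.go) proves only the allow path for a `dispatch-job` token on `structs.DefaultNamespace`; nothing in the hunk checks that the same capability granted on a different namespace is still refused, which is the case that pins the `args.RequestNamespace()` argument of the widened check. I would add a deny case next to it, as sketched below; the namespace name, index and policy name in the sketch are constructed placeholders, and the index must not collide with ones used elsewhere in the test. This assumes `req` targets the default namespace, which the hunk suggests but does not show. The test function starts and ends outside the hunk, so an equivalent case may already exist there.

```go
// … unchanged: dispatch-job allow case …

// A dispatch-job grant on another namespace must not authorize this request
{
	policy := mock.NamespacePolicy("other-namespace", "", []string{acl.NamespaceCapabilityDispatchJob})
	token := mock.CreatePolicyAndToken(t, state, 1007, "dispatch-other-ns", policy)
	req.AuthToken = token.SecretID
	var resp structs.PeriodicForceResponse
	err := msgpackrpc.CallWithCodec(codec, "Periodic.Force", req, &resp)
	assert.NotNil(err)
	assert.Equal(structs.ErrPermissionDenied.Error(), err.Error())
}
```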
diff --git a/website/pages/api-docs/jobs.mdx b/website/pages/api-docs/jobs.mdx
index be85fdb565b..1b64afd973b 100644
--- a/website/pages/api-docs/jobs.mdx
+++ b/website/pages/api-docs/jobs.mdx
@@ -1666,9 +1666,9 @@ The table below shows this endpoint's support for
 [blocking queries](/api-docs#blocking-queries) and
 [required ACLs](/api-docs#acls).
 
-| Blocking Queries | ACL Required |
-| ---------------- | ---------------------- |
-| `NO` | `namespace:submit-job` |
+| Blocking Queries | ACL Required |
+| ---------------- | -------------------------------------------------- |
+| `NO` | `namespace:dispatch-job` or `namespace:submit-job` |
 
 ### Parameters