From 5f467a84d3d03f247f120a6d6270531441b1ad8b Mon Sep 17 00:00:00 2001 From: Chelsea Holland Komlo Date: Tue, 26 Sep 2017 16:05:17 +0000 Subject: [PATCH 1/3] add read job permissions to evaluate endpoint --- nomad/job_endpoint.go | 7 ++++ nomad/job_endpoint_test.go | 70 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+) diff --git a/nomad/job_endpoint.go b/nomad/job_endpoint.go index a788f57aa..ab248c9ca 100644 --- a/nomad/job_endpoint.go +++ b/nomad/job_endpoint.go @@ -497,6 +497,13 @@ func (j *Job) Evaluate(args *structs.JobEvaluateRequest, reply *structs.JobRegis } defer metrics.MeasureSince([]string{"nomad", "job", "evaluate"}, time.Now()) + // Check for read-job permissions + if aclObj, err := j.srv.resolveToken(args.SecretID); err != nil { + return err + } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { + return structs.ErrPermissionDenied + } + // Validate the arguments if args.JobID == "" { return fmt.Errorf("missing job ID for evaluation") diff --git a/nomad/job_endpoint_test.go b/nomad/job_endpoint_test.go index 5cac4b670..00be4da2d 100644 --- a/nomad/job_endpoint_test.go +++ b/nomad/job_endpoint_test.go @@ -1230,6 +1230,76 @@ func TestJobEndpoint_Evaluate(t *testing.T) { } } +func TestJobEndpoint_Evaluate_ACL(t *testing.T) { + t.Parallel() + assert := assert.New(t) + + s1, root := testACLServer(t, func(c *Config) { + c.NumSchedulers = 0 // Prevent automatic dequeue + }) + defer s1.Shutdown() + codec := rpcClient(t, s1) + testutil.WaitForLeader(t, s1.RPC) + state := s1.fsm.State() + + // Create the job + job := mock.Job() + err := state.UpsertJob(300, job) + assert.Nil(err) + + // Force a re-evaluation + reEval := &structs.JobEvaluateRequest{ + JobID: job.ID, + WriteRequest: structs.WriteRequest{ + Region: "global", + Namespace: job.Namespace, + }, + } + + // Attempt to fetch the response without a token + var resp structs.JobRegisterResponse + err = msgpackrpc.CallWithCodec(codec, "Job.Evaluate", reEval, &resp) + assert.NotNil(err) + + // Attempt to fetch the response with an invalid token + invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", + NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + + reEval.SecretID = invalidToken.SecretID + var invalidResp structs.JobRegisterResponse + err = msgpackrpc.CallWithCodec(codec, "Job.Evaluate", reEval, &invalidResp) + assert.NotNil(err) + + // Fetch the response with a valid management token + reEval.SecretID = root.SecretID + var validResp structs.JobRegisterResponse + err = msgpackrpc.CallWithCodec(codec, "Job.Evaluate", reEval, &validResp) + assert.Nil(err) + + // Fetch the response with a valid token + validToken := CreatePolicyAndToken(t, state, 1005, "test-valid", + NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + + reEval.SecretID = validToken.SecretID + var validResp2 structs.JobRegisterResponse + err = msgpackrpc.CallWithCodec(codec, "Job.Evaluate", reEval, &validResp2) + assert.Nil(err) + + // Lookup the evaluation + ws := memdb.NewWatchSet() + eval, err := state.EvalByID(ws, validResp2.EvalID) + assert.Nil(err) + assert.NotNil(eval) + + assert.Equal(eval.CreateIndex, validResp2.EvalCreateIndex) + assert.Equal(eval.Priority, job.Priority) + assert.Equal(eval.Type, job.Type) + assert.Equal(eval.TriggeredBy, structs.EvalTriggerJobRegister) + assert.Equal(eval.JobID, job.ID) + assert.Equal(eval.JobModifyIndex, validResp2.JobModifyIndex) + assert.Equal(eval.Status, structs.EvalStatusPending) +} + func TestJobEndpoint_Evaluate_Periodic(t *testing.T) { t.Parallel() s1 := testServer(t, func(c *Config) { From 09cd8b2792e2d239ac143d13bc7a0ba01676eb01 Mon Sep 17 00:00:00 2001 From: Chelsea Holland Komlo Date: Wed, 27 Sep 2017 21:06:13 +0000 Subject: [PATCH 2/3] add documnetation --- website/source/api/jobs.html.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/source/api/jobs.html.md b/website/source/api/jobs.html.md index 89261fa97..e4be80837 100644 --- a/website/source/api/jobs.html.md +++ b/website/source/api/jobs.html.md @@ -1273,9 +1273,9 @@ The table below shows this endpoint's support for [blocking queries](/api/index.html#blocking-queries) and [required ACLs](/api/index.html#acls). -| Blocking Queries | ACL Required | -| ---------------- | ------------ | -| `NO` | `none` | +| Blocking Queries | ACL Required | +| ---------------- | -------------------------- | +| `NO` | `namespace:read-job` | ### Parameters From 90adc4dbc91e5aa5e6f5b20574f07b4d0c29c639 Mon Sep 17 00:00:00 2001 From: Chelsea Holland Komlo Date: Wed, 27 Sep 2017 21:35:03 +0000 Subject: [PATCH 3/3] add checks for error message --- nomad/job_endpoint_test.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nomad/job_endpoint_test.go b/nomad/job_endpoint_test.go index 00be4da2d..5b59957fd 100644 --- a/nomad/job_endpoint_test.go +++ b/nomad/job_endpoint_test.go @@ -1260,6 +1260,7 @@ func TestJobEndpoint_Evaluate_ACL(t *testing.T) { var resp structs.JobRegisterResponse err = msgpackrpc.CallWithCodec(codec, "Job.Evaluate", reEval, &resp) assert.NotNil(err) + assert.Contains(err.Error(), "Permission denied") // Attempt to fetch the response with an invalid token invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", @@ -1269,6 +1270,7 @@ func TestJobEndpoint_Evaluate_ACL(t *testing.T) { var invalidResp structs.JobRegisterResponse err = msgpackrpc.CallWithCodec(codec, "Job.Evaluate", reEval, &invalidResp) assert.NotNil(err) + assert.Contains(err.Error(), "Permission denied") // Fetch the response with a valid management token reEval.SecretID = root.SecretID