From 803e1a8b867e1bb3da843be0f7fc9f2e86ec45fa Mon Sep 17 00:00:00 2001 From: Danielle Tomlinson Date: Tue, 5 Mar 2019 10:39:06 +0100 Subject: [PATCH] acl: Add alloc-lifecycle namespace capability This capability will gate access to features that allow interacting with a running allocation, for example, signalling, stopping, and rescheduling specific allocations. --- acl/policy.go | 4 +++- acl/policy_test.go | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/acl/policy.go b/acl/policy.go index db45f1194..eba1204f2 100644 --- a/acl/policy.go +++ b/acl/policy.go @@ -28,6 +28,7 @@ const ( NamespaceCapabilityDispatchJob = "dispatch-job" NamespaceCapabilityReadLogs = "read-logs" NamespaceCapabilityReadFS = "read-fs" + NamespaceCapabilityAllocLifecycle = "alloc-lifecycle" NamespaceCapabilitySentinelOverride = "sentinel-override" ) @@ -93,7 +94,7 @@ func isNamespaceCapabilityValid(cap string) bool { switch cap { case NamespaceCapabilityDeny, NamespaceCapabilityListJobs, NamespaceCapabilityReadJob, NamespaceCapabilitySubmitJob, NamespaceCapabilityDispatchJob, NamespaceCapabilityReadLogs, - NamespaceCapabilityReadFS: + NamespaceCapabilityReadFS, NamespaceCapabilityAllocLifecycle: return true // Separate the enterprise-only capabilities case NamespaceCapabilitySentinelOverride: @@ -122,6 +123,7 @@ func expandNamespacePolicy(policy string) []string { NamespaceCapabilityDispatchJob, NamespaceCapabilityReadLogs, NamespaceCapabilityReadFS, + NamespaceCapabilityAllocLifecycle, } default: return nil diff --git a/acl/policy_test.go b/acl/policy_test.go index dece35067..3385370aa 100644 --- a/acl/policy_test.go +++ b/acl/policy_test.go @@ -80,6 +80,7 @@ func TestParse(t *testing.T) { NamespaceCapabilityDispatchJob, NamespaceCapabilityReadLogs, NamespaceCapabilityReadFS, + NamespaceCapabilityAllocLifecycle, }, }, {
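Review bot: The new constant `NamespaceCapabilityAllocLifecycle` in the first hunk of acl/policy.go has no comment saying what it authorizes. Going by the commit description, it gates signalling, stopping and rescheduling of specific allocations, which is a more disruptive scope than the read-style capabilities next to it. I would add `// NamespaceCapabilityAllocLifecycle gates signalling, stopping and rescheduling of individual allocations.` above it so policy authors can see what they are granting. The const block starts outside the hunk, so the file may already follow a different comment convention.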
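Review bot: Adding `NamespaceCapabilityAllocLifecycle` to this list in expandNamespacePolicy gives the capability to every existing token whose namespace rule uses that shorthand policy, as soon as the upgrade lands and without any policy edit. The `case` label for the list is outside the hunk. It is the last list before `default`, presumably the write-level policy, so confirm that the read-level list stays untouched. Because the capability gates actions that disrupt running workloads, I would record the implicit grant next to the entry, e.g. `// implied by this shorthand policy; list capabilities explicitly to withhold it`, and call it out in the upgrade notes. The endpoint checks that enforce the capability are not in this patch and cannot be reviewed here.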
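Review bot: The TestParse change in acl/policy_test.go only extends the expected list for one shorthand-policy case, so the new branch in isNamespaceCapabilityValid is not exercised directly by anything in this hunk. I would add a table entry whose rule sets `capabilities = ["alloc-lifecycle"]` explicitly. I would also assert that the read-level expansion does not contain `NamespaceCapabilityAllocLifecycle`, so a later accidental widening fails the test. The table starts and ends outside the hunk, so equivalent cases may already exist further down.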