api: apply new ACL check for wildcard namespace (#13608)

api: apply new ACL check for wildcard namespace

In #13606 the ACL check was refactored to better support the all
namespaces wildcard (`*`). This commit applies the changes to the jobs
and alloc list endpoints.
This commit is contained in:
Luiz Aoqui 2022-07-06 16:17:16 -04:00 committed by GitHub
parent 74c5578432
commit a9a66ad018
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 16 additions and 38 deletions

3
.changelog/13608.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:improvement
api: refactor ACL check when using the all namespaces wildcard in the job and alloc list endpoints
```

View File

@ -35,29 +35,16 @@ func (a *Alloc) List(args *structs.AllocListRequest, reply *structs.AllocListRes
defer metrics.MeasureSince([]string{"nomad", "alloc", "list"}, time.Now())
namespace := args.RequestNamespace()
var allow func(string) bool
// Check namespace read-job permissions
aclObj, err := a.srv.ResolveToken(args.AuthToken)
switch {
case err != nil:
if err != nil {
return err
case aclObj == nil:
allow = func(string) bool {
return true
}
case namespace == structs.AllNamespacesSentinel:
allow = func(ns string) bool {
return aclObj.AllowNsOp(ns, acl.NamespaceCapabilityReadJob)
}
case !aclObj.AllowNsOp(namespace, acl.NamespaceCapabilityReadJob):
if !aclObj.AllowNsOp(namespace, acl.NamespaceCapabilityReadJob) {
return structs.ErrPermissionDenied
default:
allow = func(string) bool {
return true
}
}
allow := aclObj.AllowNsOpFunc(acl.NamespaceCapabilityReadJob)
// Setup the blocking query
sort := state.SortOption(args.Reverse)

View File

@ -1284,8 +1284,9 @@ func TestAllocEndpoint_List_AllNamespaces_ACL_OSS(t *testing.T) {
{
Label: "all namespaces with insufficient token",
Namespace: "*",
Allocs: []*structs.Allocation{},
Token: ns1tokenInsufficient.SecretID,
Error: true,
Message: structs.ErrPermissionDenied.Error(),
},
{
Label: "ns1 with ns1 token",

View File

@ -1297,29 +1297,16 @@ func (j *Job) List(args *structs.JobListRequest, reply *structs.JobListResponse)
defer metrics.MeasureSince([]string{"nomad", "job", "list"}, time.Now())
namespace := args.RequestNamespace()
var allow func(string) bool
// Check for list-job permissions
aclObj, err := j.srv.ResolveToken(args.AuthToken)
switch {
case err != nil:
if err != nil {
return err
case aclObj == nil:
allow = func(string) bool {
return true
}
case namespace == structs.AllNamespacesSentinel:
allow = func(ns string) bool {
return aclObj.AllowNsOp(ns, acl.NamespaceCapabilityListJobs)
}
case !aclObj.AllowNsOp(namespace, acl.NamespaceCapabilityListJobs):
if !aclObj.AllowNsOp(namespace, acl.NamespaceCapabilityListJobs) {
return structs.ErrPermissionDenied
default:
allow = func(string) bool {
return true
}
}
allow := aclObj.AllowNsOpFunc(acl.NamespaceCapabilityListJobs)
// Setup the blocking query
opts := blockingOptions{
@ -1330,7 +1317,7 @@ func (j *Job) List(args *structs.JobListRequest, reply *structs.JobListResponse)
var err error
var iter memdb.ResultIterator
// check if user has permission to all namespaces
// Get the namespaces the user is allowed to access.
allowableNamespaces, err := allowedNSes(aclObj, state, allow)
if err == structs.ErrPermissionDenied {
// return empty jobs if token isn't authorized for any