api: apply new ACL check for wildcard namespace (#13608)
api: apply new ACL check for wildcard namespace In #13606 the ACL check was refactored to better support the all namespaces wildcard (`*`). This commit applies the changes to the jobs and alloc list endpoints.
This commit is contained in:
parent
74c5578432
commit
a9a66ad018
|
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
api: refactor ACL check when using the all namespaces wildcard in the job and alloc list endpoints
|
||||
```
|
|
@ -35,29 +35,16 @@ func (a *Alloc) List(args *structs.AllocListRequest, reply *structs.AllocListRes
|
|||
defer metrics.MeasureSince([]string{"nomad", "alloc", "list"}, time.Now())
|
||||
|
||||
namespace := args.RequestNamespace()
|
||||
var allow func(string) bool
|
||||
|
||||
// Check namespace read-job permissions
|
||||
aclObj, err := a.srv.ResolveToken(args.AuthToken)
|
||||
|
||||
switch {
|
||||
case err != nil:
|
||||
if err != nil {
|
||||
return err
|
||||
case aclObj == nil:
|
||||
allow = func(string) bool {
|
||||
return true
|
||||
}
|
||||
case namespace == structs.AllNamespacesSentinel:
|
||||
allow = func(ns string) bool {
|
||||
return aclObj.AllowNsOp(ns, acl.NamespaceCapabilityReadJob)
|
||||
}
|
||||
case !aclObj.AllowNsOp(namespace, acl.NamespaceCapabilityReadJob):
|
||||
if !aclObj.AllowNsOp(namespace, acl.NamespaceCapabilityReadJob) {
|
||||
return structs.ErrPermissionDenied
|
||||
default:
|
||||
allow = func(string) bool {
|
||||
return true
|
||||
}
|
||||
}
|
||||
allow := aclObj.AllowNsOpFunc(acl.NamespaceCapabilityReadJob)
|
||||
|
||||
// Setup the blocking query
|
||||
sort := state.SortOption(args.Reverse)
|
||||
|
|
|
@ -1284,8 +1284,9 @@ func TestAllocEndpoint_List_AllNamespaces_ACL_OSS(t *testing.T) {
|
|||
{
|
||||
Label: "all namespaces with insufficient token",
|
||||
Namespace: "*",
|
||||
Allocs: []*structs.Allocation{},
|
||||
Token: ns1tokenInsufficient.SecretID,
|
||||
Error: true,
|
||||
Message: structs.ErrPermissionDenied.Error(),
|
||||
},
|
||||
{
|
||||
Label: "ns1 with ns1 token",
|
||||
|
|
|
@ -1297,29 +1297,16 @@ func (j *Job) List(args *structs.JobListRequest, reply *structs.JobListResponse)
|
|||
defer metrics.MeasureSince([]string{"nomad", "job", "list"}, time.Now())
|
||||
|
||||
namespace := args.RequestNamespace()
|
||||
var allow func(string) bool
|
||||
|
||||
// Check for list-job permissions
|
||||
aclObj, err := j.srv.ResolveToken(args.AuthToken)
|
||||
|
||||
switch {
|
||||
case err != nil:
|
||||
if err != nil {
|
||||
return err
|
||||
case aclObj == nil:
|
||||
allow = func(string) bool {
|
||||
return true
|
||||
}
|
||||
case namespace == structs.AllNamespacesSentinel:
|
||||
allow = func(ns string) bool {
|
||||
return aclObj.AllowNsOp(ns, acl.NamespaceCapabilityListJobs)
|
||||
}
|
||||
case !aclObj.AllowNsOp(namespace, acl.NamespaceCapabilityListJobs):
|
||||
if !aclObj.AllowNsOp(namespace, acl.NamespaceCapabilityListJobs) {
|
||||
return structs.ErrPermissionDenied
|
||||
default:
|
||||
allow = func(string) bool {
|
||||
return true
|
||||
}
|
||||
}
|
||||
allow := aclObj.AllowNsOpFunc(acl.NamespaceCapabilityListJobs)
|
||||
|
||||
// Setup the blocking query
|
||||
opts := blockingOptions{
|
||||
|
@ -1330,7 +1317,7 @@ func (j *Job) List(args *structs.JobListRequest, reply *structs.JobListResponse)
|
|||
var err error
|
||||
var iter memdb.ResultIterator
|
||||
|
||||
// check if user has permission to all namespaces
|
||||
// Get the namespaces the user is allowed to access.
|
||||
allowableNamespaces, err := allowedNSes(aclObj, state, allow)
|
||||
if err == structs.ErrPermissionDenied {
|
||||
// return empty jobs if token isn't authorized for any
|
||||
|
|
Loading…
Reference in New Issue