job dispatch should have dispatch policy

2017-09-28 14:27:51 +00:00 · 2017-09-28 14:27:51 +00:00 · c242ac1431
parent 0db1367d43
commit c242ac1431
4 changed files with 9 additions and 6 deletions
--- a/acl/policy.go
+++ b/acl/policy.go
@ -25,6 +25,7 @@ const (
 	NamespaceCapabilityListJobs         = "list-jobs"
 	NamespaceCapabilityReadJob          = "read-job"
 	NamespaceCapabilitySubmitJob        = "submit-job"
+	NamespaceCapabilityDispatchJob      = "dispatch-job"
 	NamespaceCapabilityReadLogs         = "read-logs"
 	NamespaceCapabilityReadFS           = "read-fs"
 	NamespaceCapabilitySentinelOverride = "sentinel-override"
@ -76,7 +77,8 @@ func isPolicyValid(policy string) bool {
 func isNamespaceCapabilityValid(cap string) bool {
 	switch cap {
 	case NamespaceCapabilityDeny, NamespaceCapabilityListJobs, NamespaceCapabilityReadJob,
-		NamespaceCapabilitySubmitJob, NamespaceCapabilityReadLogs, NamespaceCapabilityReadFS:
+		NamespaceCapabilitySubmitJob, NamespaceCapabilityDispatchJob, NamespaceCapabilityReadLogs,
+		NamespaceCapabilityReadFS:
 		return true
 	// Seperate the enterprise-only capabilities
 	case NamespaceCapabilitySentinelOverride:
@ -102,6 +104,7 @@ func expandNamespacePolicy(policy string) []string {
 			NamespaceCapabilityListJobs,
 			NamespaceCapabilityReadJob,
 			NamespaceCapabilitySubmitJob,
+			NamespaceCapabilityDispatchJob,
 			NamespaceCapabilityReadLogs,
 			NamespaceCapabilityReadFS,
 		}
--- a/nomad/job_endpoint.go
+++ b/nomad/job_endpoint.go
@ -1176,7 +1176,7 @@ func (j *Job) Dispatch(args *structs.JobDispatchRequest, reply *structs.JobDispa
 	// Check for submit-job permissions
 	if aclObj, err := j.srv.resolveToken(args.SecretID); err != nil {
 		return err
-	} else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) {
+	} else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityDispatchJob) {
 		return structs.ErrPermissionDenied
 	}

--- a/nomad/job_endpoint_test.go
+++ b/nomad/job_endpoint_test.go
@ -3275,7 +3275,7 @@ func TestJobEndpoint_Dispatch_ACL(t *testing.T) {

 	// Dispatch with a valid token should succeed
 	validToken := CreatePolicyAndToken(t, state, 1003, "test-valid",
-		NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
+		NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityDispatchJob}))
 	req.SecretID = validToken.SecretID

 	var validResp2 structs.JobDispatchResponse
--- a/website/source/api/jobs.html.md
+++ b/website/source/api/jobs.html.md
@ -1103,9 +1103,9 @@ The table below shows this endpoint's support for
 [blocking queries](/api/index.html#blocking-queries) and
 [required ACLs](/api/index.html#acls).

-| Blocking Queries | ACL Required                 |
-| ---------------- | ---------------------------- |
-| `NO`             | `namespace:submit-job`       |
+| Blocking Queries | ACL Required                   |
+| ---------------- | ------------------------------ |
+| `NO`             | `namespace:dispatch-job`       |

 ### Parameters