Commit Graph

23 Commits

Author SHA1 Message Date
Danielle Lancashire 91bb67f713
acls: Break mount acl into mount-rw and mount-ro 2019-08-21 21:17:30 +02:00
Danielle Lancashire 5f734652f2
acl: Add HostVolume ACLs
This adds an initial implementation of ACLs for HostVolumes.

Because HostVolumes are a cluster-wide resource, they cannot be tied to
a namespace, thus here we allow similar wildcard definitions based on
their names, tied to a set of capabilities.

Initially, the only available capabilities are deny, or mount. These
may be extended in the future to allow read-fs, mount-readonly and
similar capabilities.
2019-08-12 15:39:09 +02:00
Mahmood Ali 40e62a6f17 Add ACL capabilities for nomad exec
This adds `alloc-exec` capability to allow operator to execute command into a
running task.  Furthermore, it adds `alloc-node-exec` capability, required when
the alloc task is raw_exec or a driver with no FSIsolation.
2019-04-30 14:02:16 -04:00
Danielle Tomlinson 803e1a8b86 acl: Add alloc-lifecycle namespace capability
This capability will gate access to features that allow interacting with
a running allocation, for example, signalling, stopping, and rescheduling
specific allocations.
2019-04-01 11:35:09 +02:00
Danielle Tomlinson cbfa1388db fixup: Code Review 2018-12-12 12:43:16 +01:00
Danielle Tomlinson 1ee0777521 fixup: Correctly sort based on distance, use iradix for ordering 2018-12-11 17:35:51 +01:00
Danielle Tomlinson 8d76d9c24b acl: Add support for globbing namespaces
This commit adds basic support for globbing namespaces in acl
definitions.

For concrete definitions, we merge all of the defined policies at load time, and
perform a simple lookup later on. If an exact match of a concrete
definition is found, we do not attempt to resolve globs.

For glob definitions, we merge definitions of exact replicas of a glob.

When loading a policy for a glob defintion, we choose the glob that has
the closest match to the namespace we are resolving for. We define the
closest match as the one with the _smallest character difference_
between the glob and the namespace we are matching.
2018-12-11 16:33:19 +01:00
Chelsea Holland Komlo 8574696bb3 fixup from code review 2017-10-17 17:34:06 -04:00
Chelsea Holland Komlo bcfebe032b update error message for invalid policy 2017-10-17 12:21:38 -04:00
Chelsea Holland Komlo a90205f16e policy must specify at least one namespace 2017-10-17 12:12:54 -04:00
Alex Dadgar c1cc51dbee sync 2017-10-13 14:36:02 -07:00
Chelsea Komlo 7c8a5228d4 Merge pull request #3290 from hashicorp/f-acl-job-dispatch
Add ACL for dispatch job
2017-10-06 13:33:21 -04:00
Chelsea Holland Komlo 10528b01ba fix up policy test 2017-09-29 21:22:36 +00:00
Chelsea Holland Komlo c242ac1431 job dispatch should have dispatch policy 2017-09-28 14:28:28 +00:00
Alex Dadgar 4173834231 Enable more linters 2017-09-26 15:26:33 -07:00
Alex Dadgar e5ec915ac3 sync 2017-09-19 10:08:23 -05:00
Alex Dadgar a2363e7583 sync acls 2017-09-13 11:38:29 -07:00
Armon Dadgar 99cea1ac23 Moving shared ACL objects 2017-09-04 13:04:45 -07:00
Armon Dadgar e5154d4499 acl: Adding IsManagement check 2017-09-04 13:04:45 -07:00
Armon Dadgar f147f25fe5 Addressing @dadgar review feedback 2017-09-04 13:03:15 -07:00
Armon Dadgar a0c3787a9e acl: adding validation to the namespace name 2017-09-04 13:03:14 -07:00
Armon Dadgar d06f15d910 acl: Adding compiled ACL object 2017-09-04 13:03:14 -07:00
Armon Dadgar 4c3373cdef acl: Adding policy parsing with tests 2017-09-04 13:03:14 -07:00