Commit Graph

36 Commits

Author SHA1 Message Date
Luiz Aoqui 15f9d54dea
api: prevent excessice CPU load on job parse
Add new namespace ACL requirement for the /v1/jobs/parse endpoint and
return early if HCLv2 parsing fails.

The endpoint now requires the new `parse-job` ACL capability or
`submit-job`.
2022-02-09 19:51:47 -05:00
James Rasell d4a333e9b5
lint: mark false positive or fix gocritic append lint errors. 2021-09-06 10:49:44 +02:00
Chris Baker 719077a26d added new policy capabilities for recommendations API
state store: call-out to generic update of job recommendations from job update method
recommendations API work, and http endpoint errors for OSS
support for scaling polices in task block of job spec
add query filters for ScalingPolicy list endpoint
command: nomad scaling policy list: added -job and -type
2020-10-28 14:32:16 +00:00
Mahmood Ali c6a7734ee7 fixup! handle when hcl parser panics 2020-08-25 11:28:55 -04:00
Mahmood Ali 1200c8185f handle when hcl parser panics
Apparently `\` followed by a digit number can cause hcl parser to panic!
Will fix in hcl library, but using a hammer to squash any similar issue
here.
2020-08-24 20:35:58 -04:00
Anthony Scalisi 9664c6b270
fix spelling errors (#6985) 2020-04-20 09:28:19 -04:00
Chris Baker 5979d6a81e more testing for ScalingPolicy, mainly around parsing and canonicalization for Min/Max 2020-03-24 19:43:50 +00:00
Chris Baker ca49563c94 added new ACL capabilities related to autoscaling:
- read-job-scaling
- scale-job
- list-scaling-policies
- read-scaling-policy

updated the read and right policy dispositions, added the new autoscaler disposition
2020-03-24 14:38:58 +00:00
Chris Baker 179ab68258 wip: added job.scale rpc endpoint, needs explicit test (tested via http now) 2020-03-24 13:57:09 +00:00
Lang Martin 6b6ae6c2bd csi: ACLs for plugin endpoints (#7380)
* acl/policy: add PolicyList for global ACLs

* acl/acl: plugin policy

* acl/acl: maxPrivilege is required to allow "list"

* nomad/csi_endpoint: enforce plugin access with PolicyPlugin

* nomad/csi_endpoint: check job ACL swapped params

* nomad/csi_endpoint_test: test alloc filtering

* acl/policy: add namespace csi-register-plugin

* nomad/job_endpoint: check csi-register-plugin ACL on registration

* nomad/job_endpoint_test: add plugin job cases
2020-03-23 13:59:25 -04:00
Lang Martin b596e67f47 csi: implement volume ACLs (#7339)
* acl/policy: add the volume ACL policies

* nomad/csi_endpoint: enforce ACLs for volume access

* nomad/search_endpoint_oss: volume acls

* acl/acl: add plugin read as a global policy

* acl/policy: add PluginPolicy global cap type

* nomad/csi_endpoint: check the global plugin ACL policy

* nomad/mock/acl: PluginPolicy

* nomad/csi_endpoint: fix list rebase

* nomad/core_sched_test: new test since #7358

* nomad/csi_endpoint_test: use correct permissions for list

* nomad/csi_endpoint: allowCSIMount keeps ACL checks together

* nomad/job_endpoint: check mount permission for jobs

* nomad/job_endpoint_test: need plugin read, too
2020-03-23 13:59:25 -04:00
Lang Martin 03817e16d4 acl: new NamespaceCapabilityCSIAccess, CSICreateVolume 2020-03-23 13:58:29 -04:00
Mahmood Ali 4b2ba62e35 acl: check ACL against object namespace
Fix a bug where a millicious user can access or manipulate an alloc in a
namespace they don't have access to.  The allocation endpoints perform
ACL checks against the request namespace, not the allocation namespace,
and performs the allocation lookup independently from namespaces.

Here, we check that the requested can access the alloc namespace
regardless of the declared request namespace.

Ideally, we'd enforce that the declared request namespace matches
the actual allocation namespace.  Unfortunately, we haven't documented
alloc endpoints as namespaced functions; we suspect starting to enforce
this will be very disruptive and inappropriate for a nomad point
release.  As such, we maintain current behavior that doesn't require
passing the proper namespace in request.  A future major release may
start enforcing checking declared namespace.
2019-10-08 12:59:22 -04:00
Danielle Lancashire 91bb67f713
acls: Break mount acl into mount-rw and mount-ro 2019-08-21 21:17:30 +02:00
Danielle Lancashire 5f734652f2
acl: Add HostVolume ACLs
This adds an initial implementation of ACLs for HostVolumes.

Because HostVolumes are a cluster-wide resource, they cannot be tied to
a namespace, thus here we allow similar wildcard definitions based on
their names, tied to a set of capabilities.

Initially, the only available capabilities are deny, or mount. These
may be extended in the future to allow read-fs, mount-readonly and
similar capabilities.
2019-08-12 15:39:09 +02:00
Mahmood Ali 40e62a6f17 Add ACL capabilities for nomad exec
This adds `alloc-exec` capability to allow operator to execute command into a
running task.  Furthermore, it adds `alloc-node-exec` capability, required when
the alloc task is raw_exec or a driver with no FSIsolation.
2019-04-30 14:02:16 -04:00
Danielle Tomlinson 803e1a8b86 acl: Add alloc-lifecycle namespace capability
This capability will gate access to features that allow interacting with
a running allocation, for example, signalling, stopping, and rescheduling
specific allocations.
2019-04-01 11:35:09 +02:00
Danielle Tomlinson cbfa1388db fixup: Code Review 2018-12-12 12:43:16 +01:00
Danielle Tomlinson 1ee0777521 fixup: Correctly sort based on distance, use iradix for ordering 2018-12-11 17:35:51 +01:00
Danielle Tomlinson 8d76d9c24b acl: Add support for globbing namespaces
This commit adds basic support for globbing namespaces in acl
definitions.

For concrete definitions, we merge all of the defined policies at load time, and
perform a simple lookup later on. If an exact match of a concrete
definition is found, we do not attempt to resolve globs.

For glob definitions, we merge definitions of exact replicas of a glob.

When loading a policy for a glob defintion, we choose the glob that has
the closest match to the namespace we are resolving for. We define the
closest match as the one with the _smallest character difference_
between the glob and the namespace we are matching.
2018-12-11 16:33:19 +01:00
Chelsea Holland Komlo 8574696bb3 fixup from code review 2017-10-17 17:34:06 -04:00
Chelsea Holland Komlo bcfebe032b update error message for invalid policy 2017-10-17 12:21:38 -04:00
Chelsea Holland Komlo a90205f16e policy must specify at least one namespace 2017-10-17 12:12:54 -04:00
Alex Dadgar c1cc51dbee sync 2017-10-13 14:36:02 -07:00
Chelsea Komlo 7c8a5228d4 Merge pull request #3290 from hashicorp/f-acl-job-dispatch
Add ACL for dispatch job
2017-10-06 13:33:21 -04:00
Chelsea Holland Komlo 10528b01ba fix up policy test 2017-09-29 21:22:36 +00:00
Chelsea Holland Komlo c242ac1431 job dispatch should have dispatch policy 2017-09-28 14:28:28 +00:00
Alex Dadgar 4173834231 Enable more linters 2017-09-26 15:26:33 -07:00
Alex Dadgar e5ec915ac3 sync 2017-09-19 10:08:23 -05:00
Alex Dadgar a2363e7583 sync acls 2017-09-13 11:38:29 -07:00
Armon Dadgar 99cea1ac23 Moving shared ACL objects 2017-09-04 13:04:45 -07:00
Armon Dadgar e5154d4499 acl: Adding IsManagement check 2017-09-04 13:04:45 -07:00
Armon Dadgar f147f25fe5 Addressing @dadgar review feedback 2017-09-04 13:03:15 -07:00
Armon Dadgar a0c3787a9e acl: adding validation to the namespace name 2017-09-04 13:03:14 -07:00
Armon Dadgar d06f15d910 acl: Adding compiled ACL object 2017-09-04 13:03:14 -07:00
Armon Dadgar 4c3373cdef acl: Adding policy parsing with tests 2017-09-04 13:03:14 -07:00