e8bfef8148
ACL permissions for the search endpoints are done in three passes. The first (the `sufficientSearchPerms` method) is for performance and coarsely rejects requests based on the passed-in context parameter if the user has no permissions to any object in that context. The second (the `filteredSearchContexts` method) filters out contexts based on whether the user has permissions either to the requested namespace or again by context (to catch the "all" context). Finally, when iterating over the objects available, we do the usual filtering in the iterator. Internal testing found several bugs in this filtering: * CSI plugins can be searched by any authenticated user. * Variables can be searched if the user has `job:read` permissions to the variable's namespace instead of `variable:list`. * Variables cannot be searched by wildcard namespace. This is an information leak of the plugin names and variable paths, which we don't consider to be privileged information but intended to protect anyways. This changeset fixes these bugs by ensuring CSI plugins are filtered in the 1st and 2nd pass ACL filters, and changes variables to check `variable:list` in the 2nd pass filter unless the wildcard namespace is passed (at which point we'll fallback to filtering in the iterator). Fixes: CVE-2023-3300 Fixes: #17906 |
||
|---|---|---|
| .changelog | ||
| .github | ||
| .release | ||
| .semgrep | ||
| .tours | ||
| acl | ||
| api | ||
| ci | ||
| client | ||
| command | ||
| contributing | ||
| demo | ||
| dev | ||
| drivers | ||
| e2e | ||
| helper | ||
| integrations | ||
| internal/testing/apitests | ||
| jobspec | ||
| jobspec2 | ||
| lib | ||
| nomad | ||
| plugins | ||
| scheduler | ||
| scripts | ||
| terraform | ||
| testutil | ||
| tools | ||
| ui | ||
| version | ||
| website | ||
| .copywrite.hcl | ||
| .git-blame-ignore-revs | ||
| .gitattributes | ||
| .gitignore | ||
| .go-version | ||
| .golangci.yml | ||
| .semgrepignore | ||
| build_linux_arm.go | ||
| CHANGELOG-unsupported.md | ||
| CHANGELOG.md | ||
| CODEOWNERS | ||
| Dockerfile | ||
| GNUmakefile | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| main.go | ||
| main_test.go | ||
| README.md | ||
| Vagrantfile | ||
Nomad
Nomad is a simple and flexible workload orchestrator to deploy and manage containers (docker, podman), non-containerized applications (executable, Java), and virtual machines (qemu) across on-prem and clouds at scale.
Nomad is supported on Linux, Windows, and macOS. A commercial version of Nomad, Nomad Enterprise, is also available.
- Website: https://nomadproject.io
- Tutorials: HashiCorp Learn
- Forum: Discuss
Nomad provides several key features:
-
Deploy Containers and Legacy Applications: Nomad’s flexibility as an orchestrator enables an organization to run containers, legacy, and batch applications together on the same infrastructure. Nomad brings core orchestration benefits to legacy applications without needing to containerize via pluggable task drivers.
-
Simple & Reliable: Nomad runs as a single binary and is entirely self contained - combining resource management and scheduling into a single system. Nomad does not require any external services for storage or coordination. Nomad automatically handles application, node, and driver failures. Nomad is distributed and resilient, using leader election and state replication to provide high availability in the event of failures.
-
Device Plugins & GPU Support: Nomad offers built-in support for GPU workloads such as machine learning (ML) and artificial intelligence (AI). Nomad uses device plugins to automatically detect and utilize resources from hardware devices such as GPU, FPGAs, and TPUs.
-
Federation for Multi-Region, Multi-Cloud: Nomad was designed to support infrastructure at a global scale. Nomad supports federation out-of-the-box and can deploy applications across multiple regions and clouds.
-
Proven Scalability: Nomad is optimistically concurrent, which increases throughput and reduces latency for workloads. Nomad has been proven to scale to clusters of 10K+ nodes in real-world production environments.
-
HashiCorp Ecosystem: Nomad integrates seamlessly with Terraform, Consul, Vault for provisioning, service discovery, and secrets management.
Quick Start
Testing
See Learn: Getting Started for instructions on setting up a local Nomad cluster for non-production use.
Optionally, find Terraform manifests for bringing up a development Nomad cluster on a public cloud in the terraform directory.
Production
See Learn: Nomad Reference Architecture for recommended practices and a reference architecture for production deployments.
Documentation
Full, comprehensive documentation is available on the Nomad website: https://www.nomadproject.io/docs
Guides are available on HashiCorp Learn.
Roadmap
A timeline of major features expected for the next release or two can be found in the Public Roadmap.
This roadmap is a best guess at any given point, and both release dates and projects in each release are subject to change. Do not take any of these items as commitments, especially ones later than one major release away.
Contributing
See the contributing directory for more developer documentation.