What capability does a policy need in order to start jobs in Nomad?
With Hashicorp's Nomad, based on the documentation in the Namespace Rules section of the ACL Policy Specification documentation, I've configured a policy with these capabilities:
namespace "default" {
policy = "read"
capabilities = ["alloc-lifecycle", "dispatch-job", "submit-job", "read-logs"]
}
node {
policy = "read"
}
agent {
policy = "read"
}
operator {
policy = "read"
}
plugin {
policy = "read"
}
I want the user token that was created with this policy to be able to do the following in the web UI:
- Create (submit / run) a new job
- Stop a job
- Start a job
- Stop an allocation
- Start an allocation
- Restart an allocation
Unfortunately, the user can only:
- Stop a job
- Stop an allocation
- Restart an allocation
What capabilities should be added in order for the user to also:
- Create (submit / run) a new job
- Start a job
- Start an allocation
I finally managed to figure out what the problem was. The job that I'm trying to submit or start makes use of a host volume on the client:
Nomad Agent client config:
client {
enabled = true
host_volume "foo-bar-storage" {
path = "/path/to/foo/bar"
read_only = false
}
}
Job:
job "example" {
type = "service"
group "example" {
volume "foo-bar-storage" {
type = "host"
source = "foo-bar-storage"
read_only = false
}
task "example" {
driver = "docker"
config {
image = "some/image:tag"
volumes = ["/path/to/foo/bar:/mnt/foo/bar"]
}
}
}
}
I therefore needed to add a block in the ACL policy that grants access to the host volume:
host_volume "foo-bar-storage" {
policy = "write"
}
The lesson learnt here is that I need to ensure I've granted the necessary permissions as required by a specific job. For example, if the job makes use of host volume support, then the user's ACL policy needs to grant access to that host volume.
- What is the purpose of a "Refresh Token"?
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
- Revoking a Github app's authorization 404 not found error
- The authorization grant type is not supported by the authorization server in laravel
- Getting 404 page when using NextResponse.next() in the Next.js 14 middleware
- Error APNS device token not set before retrieving FCM Token for Sender ID
- How to update a GitHub access token via command line
- Wrong Token on the send mail API on microsoft graph
- Google API Client "refresh token must be passed in or set as part of setAccessToken"
- Request an access token in Azure Active Directory B2C Error
- B2C authentication not returning access_token
- Why does my HttpOnly Flag Cookie not get saved?
- Session expired or invalid on using access token
- Do Google refresh tokens expire?
- How can i generate a dropbox api access token that doesnt expire?
- Azure access token generation from Postman
- Facebook Long-Lived Pages Access Token
- Is there a way to add roles to ID or Access Token as an optional claim in Entra ID / Azure Active Directory
- Can not create and use token to use ACS for a teams user: "CallAgent must be created only with ACS token."
- Run JMeter script in AzureDevOps - Bearer Access Token generation
- May an OAuth 2.0 access token be a JWT?
- 403 Forbidden when trying to call Graph API to add calendar event
- How to get new access token from refresh token in salesforce?
- How scopes are added to token in Azure Entra ID?
- "error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
- How to provide custom expiration for each access token in keycloak?
- A question around the access token frontend get after authentication
- Extract an access token from a Post request and use it in another post request in Postman
- Express.js with Azure Managed Identity not able to refresh access token after it expires
- Is there way to login automatically using access_token?