With HashiCorp's Nomad, based on the documentation in the Namespace Rules section of the ACL Policy Specification documentation, I've configured a policy with these capabilities:
    namespace "default" {
      policy       = "read"
      capabilities = ["alloc-lifecycle", "dispatch-job", "submit-job", "read-logs"]
    }
    node {
      policy = "read"
    }
    agent {
      policy = "read"
    }
    operator {
      policy = "read"
    }
    plugin {
      policy = "read"
    }
I want the user token that was created with this policy to be able to do the following in the web UI:
Unfortunately, the user can only:
What capabilities should be added in order for the user to also:
I finally managed to figure out what the problem was. The job that I'm trying to submit or start makes use of a host volume on the client:
Nomad Agent client config:
    client {
      enabled = true
      host_volume "foo-bar-storage" {
        path      = "/path/to/foo/bar"
        read_only = false
      }
    }
Job:
    job "example" {
      type = "service"
      group "example" {
        volume "foo-bar-storage" {
          type      = "host"
          source    = "foo-bar-storage"
          read_only = false
        }
        task "example" {
          driver = "docker"
          config {
            image   = "some/image:tag"
            volumes = ["/path/to/foo/bar:/mnt/foo/bar"]
          }
        }
      }
    }
I therefore needed to add a block in the ACL policy that grants access to the host volume:
    host_volume "foo-bar-storage" {
      policy = "write"
    }
The lesson learnt here is that I need to ensure I've granted the necessary permissions as required by a specific job. For example, if the job makes use of host volume support, then the user's ACL policy needs to grant access to that host volume.
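The mismatch described in this thread (a job that mounts a host volume while the submitting token's ACL policy has no `host_volume` rule for it) can be caught before submission. The following is an added example, not code from the question, the answer or the Nomad project: a small preflight check that reads a job spec and an ACL policy, lists every host volume the job mounts, and reports the ones the policy does not grant at the required level. The sample job and policies are constructed from the snippets above (plus an extra read-only `log-storage` volume to show the read/write distinction). The regular-expression extraction is a deliberate simplification rather than a real HCL parser, and it assumes the one-attribute-per-line layout used on the page; the mapping of `read_only = false` to a `write` grant follows the answer, while treating `read` as sufficient for a `read_only = true` mount, glob-style `host_volume` names and "exact rule beats wildcard" are assumptions about Nomad's ACL semantics made for this example.

```python
import fnmatch
import re

# Constructed sample inputs (not taken from any real cluster): the job from
# the answer, extended with a second, read-only host volume.
JOB_HCL = """
job "example" {
  group "example" {
    volume "foo-bar-storage" {
      type      = "host"
      source    = "foo-bar-storage"
      read_only = false
    }
    volume "logs" {
      type      = "host"
      source    = "log-storage"
      read_only = true
    }
  }
}
"""

# The policy as it was in the question: no host_volume rule at all.
QUESTION_POLICY_HCL = """
namespace "default" {
  policy       = "read"
  capabilities = ["alloc-lifecycle", "dispatch-job", "submit-job", "read-logs"]
}
"""

# The policy after applying the fix from the answer.
POLICY_HCL = QUESTION_POLICY_HCL + """
host_volume "foo-bar-storage" {
  policy = "write"
}
"""

# Simplified extraction: NOT a full HCL parser. Assumes blocks without nested
# braces and one `key = value` attribute per line, as on the page.
VOLUME_RE = re.compile(r'\bvolume\s+"[^"]+"\s*\{(.*?)\}', re.S)
HOST_VOLUME_RULE_RE = re.compile(r'\bhost_volume\s+"([^"]+)"\s*\{(.*?)\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)

LEVEL = {"deny": 0, "read": 1, "write": 2}
NAME = {value: key for key, value in LEVEL.items()}


def _attrs(body):
    """Turn the lines of a block body into a {key: value} dict (quotes stripped)."""
    return {key: value.strip('"') for key, value in ATTR_RE.findall(body)}


def job_host_volumes(job_hcl):
    """Return {source: needs_write} for every host volume the job mounts."""
    result = {}
    for body in VOLUME_RE.findall(job_hcl):
        attrs = _attrs(body)
        if attrs.get("type") != "host":
            continue  # CSI volumes are governed by other rules; skip them here
        needs_write = attrs.get("read_only", "false").lower() != "true"
        source = attrs["source"]
        result[source] = result.get(source, False) or needs_write
    return result


def policy_host_volume_grants(policy_hcl):
    """Return {rule_name: policy_level} for each host_volume rule in the policy."""
    return {name: _attrs(body).get("policy", "deny")
            for name, body in HOST_VOLUME_RULE_RE.findall(policy_hcl)}


def granted_level(source, grants):
    """Effective level for one volume: exact rule wins, else the most permissive
    glob match (assumed semantics, simplified for this example)."""
    if source in grants:
        return LEVEL.get(grants[source], 0)
    matches = [LEVEL.get(level, 0) for pattern, level in grants.items()
               if fnmatch.fnmatchcase(source, pattern)]
    return max(matches, default=0)


def missing_grants(job_hcl, policy_hcl):
    """List (source, required_level, granted_level) for every host volume the
    job needs that the policy does not cover at the required level."""
    grants = policy_host_volume_grants(policy_hcl)
    problems = []
    for source, needs_write in sorted(job_host_volumes(job_hcl).items()):
        required = LEVEL["write"] if needs_write else LEVEL["read"]
        have = granted_level(source, grants)
        if have < required:
            problems.append((source, NAME[required], NAME[have]))
    return problems


if __name__ == "__main__":
    for label, policy in (("question", QUESTION_POLICY_HCL), ("answer", POLICY_HCL)):
        for source, required, have in missing_grants(JOB_HCL, policy):
            print(f"[{label}] host_volume {source!r}: job needs {required}, policy grants {have}")
```

Run against the question's policy the check flags `foo-bar-storage` (needs `write`, policy grants `deny`), which is exactly the failure the answer diagnosed; against the fixed policy only the constructed `log-storage` volume remains, because no rule covers it. Using the lowest level that satisfies each mount (`read` for `read_only = true` volumes) keeps the token to least privilege rather than handing out `write` for every volume a job touches.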