What capability does a policy need in order to start jobs in Nomad?
With Hashicorp's Nomad, based on the documentation in the Namespace Rules section of the ACL Policy Specification documentation, I've configured a policy with these capabilities:
namespace "default" {
policy = "read"
capabilities = ["alloc-lifecycle", "dispatch-job", "submit-job", "read-logs"]
}
node {
policy = "read"
}
agent {
policy = "read"
}
operator {
policy = "read"
}
plugin {
policy = "read"
}
I want the user token that was created with this policy to be able to do the following in the web UI:
- Create (submit / run) a new job
- Stop a job
- Start a job
- Stop an allocation
- Start an allocation
- Restart an allocation
Unfortunately, the user can only:
- Stop a job
- Stop an allocation
- Restart an allocation
What capabilities should be added in order for the user to also:
- Create (submit / run) a new job
- Start a job
- Start an allocation
I finally managed to figure out what the problem was. The job that I'm trying to submit or start makes use of a host volume on the client:
Nomad Agent client config:
client {
enabled = true
host_volume "foo-bar-storage" {
path = "/path/to/foo/bar"
read_only = false
}
}
Job:
job "example" {
type = "service"
group "example" {
volume "foo-bar-storage" {
type = "host"
source = "foo-bar-storage"
read_only = false
}
task "example" {
driver = "docker"
config {
image = "some/image:tag"
volumes = ["/path/to/foo/bar:/mnt/foo/bar"]
}
}
}
}
I therefore needed to add a block in the ACL policy that grants access to the host volume:
host_volume "foo-bar-storage" {
policy = "write"
}
The lesson learnt here is that I need to ensure I've granted the necessary permissions as required by a specific job. For example, if the job makes use of host volume support, then the user's ACL policy needs to grant access to that host volume.
- Is there any way to hide the mapbox access token when initializing the map?
- How do I persist the the user with supabase using nextjs?
- Python Script Token Refresh Mechanism Problem for Spotify API
- Keycloak Account API returns Unauthorized 401 with token from user logged in via my spring client
- SvelteKit: Run function at route change (for access token, without doing it at a layout file)
- Why Does OAuth v2 Have Both Access and Refresh Tokens?
- Signature validation of my Azure access-token, Private-key?
- Azure generation token invalid signature
- Is is safe to store access token in session storage of client browser?
- AWS API Gateway Access vs Id Token
- What is the purpose of a "Refresh Token"?
- Microsoft App Registration - how to create meetings using OnlineMeetings.ReadWrite.All within an application context and not a user context?
- The type or namespace name "IRestResponse" could not be found (are you missing a using directive or an assembly reference?)
- Azure Synapse time out - Token expire
- Where to store my Git personal access token?
- Microsoft Azure: How to get the Auth Token after SAML authentication on a enterprise application
- Do Google refresh tokens expire?
- B2C authentication not returning access_token
- Python request with authentication (access_token)
- Getting AWS cognito attributes
- Retrieve an oidc access token from Nuxt 3 app
- How to update github token on linux?
- How handle refresh token and access token for auth system
- Using PHPMailer when already have an access token
- "error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
- Securely storing an access token
- Google API REST call return only user id and picture. How to get full user info with Google API REST requests?
- What is the purpose of the "access_token=" parameter when downloading a file from Google Drive?
- Device Code Flow - Microsoft Azure Authentication
- Should access tokens be refreshed automatically or manually?