hashicorpnomad

How can i deny users the capability to purge jobs from nomad ui?

I have set up my nomad cluster and my team of 20 uses the same UI to check the status of our production jobs. Someone can delete a critical job from our UI and we don't have control over it.

How can we deny users the ability to purge jobs from the Nomad UI?

I have checked out: https://developer.hashicorp.com/nomad/docs/other-specifications/acl-policy

I have tried some policies like this one but it didn't work:

namespace "*" {
  policy = "write"
  capabilities = [
    "list-jobs",
    "parse-job",
    "read-job",
    "submit-job",
    "dispatch-job",
    "read-logs",
    "read-fs",
    "alloc-exec",
    "alloc-lifecycle",
    "csi-write-volume",
    "csi-mount-volume",
    "list-scaling-policies",
    "read-scaling-policy",
    "read-job-scaling",
    "scale-job"
  ]
}

host_volume "*" {
  policy = "write"
}

agent {
  policy = "write"
}

node {
  policy = "write"
}

quota {
  policy = "write"
}

operator {
  policy = "write"
}

I could not find any relevant capability that I could deny in order to prevent purging of our nomad jobs.

For our usecase, our users should be able to perform all the tasks from our UI except the ability to purge the job from UI after stopping it. How can I achieve this?

Solution

  • There is no such option. Purge is an option when stopping a job. If a user can stop, it can purge. User can stop a job, when he can submit-job.

    Nomad does not keep history of jobs. It is garbage collected. Depending on a stopped job not being purged is error-prone - the job can disappear any time.

    How can I achieve this?

    I am not 100% sure it can be done with sentinel policies https://developer.hashicorp.com/nomad/docs/enterprise/sentinel . You would have to reach to Nomad and ask them. You could ask a feature request on Nomad on github.

    The simplest on your side would be to run your own HTTP proxy server and check if the request to Nomad has stop?purge=true url and deny when such. Some time ago I started an experiment with nginx lua plugin to do that https://gitlab.com/Kamcuk/nomad-proxy/-/blob/master/lua/access.lua?ref_type=heads . It was left as an experiment.

    If instead, you want history of jobs, then instead nomad operator /v1/event/stream > logfile.json and then parse logfile.json with your favourite langauge like python.