Permission denied to plan and run a job with namespace using client type token #364

Closed
APCS0 opened this issue Jun 20, 2023 · 2 comments · Fixed by #366
APCS0 commented Jun 20, 2023

Nomad version

Nomad v1.5.6

Nomad-pack version

Nomad Pack v0.0.1-techpreview.4 (50d84d0)

Issue

Nomad-pack fails to plan and run a job with a namespace when it uses a client type token; using the same token with nomad, it is possible to execute plan and run.

Reproduction steps

Create a policy with the following capabilities; in this example the namespace is testns.

test-policy.hcl

namespace "testns" {
  capabilities = [
    "list-jobs",
    "parse-job",
    "read-job",
    "submit-job",
    "read-logs",
    "alloc-exec",
    "alloc-lifecycle"
  ]
}

nomad acl policy apply test-policy test-policy.hcl

Create a token and associate the previous policy

nomad acl token create -name 'test-token' -policy test-policy

Load the newly created token

export NOMAD_TOKEN=xxxxxxxxx

Plan or run a job with nomad-pack

/tmp/nomad-pack plan hello_world --var register_consul_service=false --var count=1

Expected Result

/tmp/nomad-pack plan hello_world --var register_consul_service=false --var count=1

+ Job: "hello_world"
+ Task Group: "app" (1 create)
  + Task: "server" (forces create)

» Scheduler dry-run:
- All tasks successfully allocated.
Plan succeeded

Actual Result

$ nomad-pack plan hello_world --var register_consul_service=false --var count=1
! Failed To Parse Job Specification

	Error:   Permission denied
	Type:    *v1.APIError
	Context:
	         - Template Name: hello_world/templates/hello_world.nomad.tpl
	         - Registry Name: default
	         - Pack Name: hello_world
	         - Pack Ref: latest
	         - Deployment Name: hello_world@latest

Job file

$ /tmp/nomad-pack render hello_world --var register_consul_service=false --var count=1
hello_world/hello_world.nomad:

job "hello_world" {
  datacenters = ["<redacted>"]
  namespace   = "testns"
  type        = "service"

  group "app" {
    count = 1

    network {
      port "http" {
        to = 8000
      }
    }

    restart {
      attempts = 2
      interval = "30m"
      delay    = "15s"
      mode     = "fail"
    }

    task "server" {
      driver = "docker"

      config {
        image = "mnomitch/hello_world_server"
        ports = ["http"]
      }

      env {
        MESSAGE = "Hello World!"
      }
    }
  }
}

Nomad Server logs

[DEBUG] http: request failed: method=POST path=/v1/jobs/parse error="Permission denied" code=403
[DEBUG] http: request complete: method=POST path=/v1/jobs/parse duration=1.501077ms

@pkazmierczak

Hi @APCS0, thanks for reporting this issue. There's indeed a bug in the template parser that causes this; have a look at the linked PR for context.

@gbolo

gbolo commented Sep 5, 2023

Actually, the reason for this is that unless you specify --namespace or set NOMAD_NAMESPACE, nomad-pack will make API calls to PUT /v1/jobs/parse and GET /v1/job/<job-name> without specifying a namespace (which defaults to "default").
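An added illustration, not code from nomad, nomad-pack, or anyone in this thread: a small Python model of why the token is refused. The policy mirrors test-policy.hcl above, the namespace fallback mirrors the explanation in this comment, and the endpoint-to-capability mapping and function names are assumptions made for the example.

```python
from typing import Optional

# Constructed model of test-policy.hcl from the report: namespace -> capabilities.
TEST_POLICY = {
    "testns": {
        "list-jobs", "parse-job", "read-job", "submit-job",
        "read-logs", "alloc-exec", "alloc-lifecycle",
    },
}

# Constructed mapping (an assumption for this example) of the two endpoints
# named in the thread to the capability each one requires.
ENDPOINT_CAPABILITY = {
    ("PUT", "/v1/jobs/parse"): "parse-job",
    ("GET", "/v1/job/hello_world"): "read-job",
}


def resolve_namespace(flag_ns: Optional[str], env: dict) -> str:
    """Namespace the client attaches to its API calls: an explicit
    --namespace flag wins, then NOMAD_NAMESPACE, otherwise "default"."""
    if flag_ns:
        return flag_ns
    return env.get("NOMAD_NAMESPACE") or "default"


def policy_allows(policy: dict, namespace: str, capability: str) -> bool:
    """A capability is granted only inside a namespace block that lists it."""
    return capability in policy.get(namespace, set())


def call(policy: dict, method: str, path: str,
         flag_ns: Optional[str] = None, env: Optional[dict] = None) -> int:
    """HTTP-style status for one API call. The ACL check runs against the
    namespace the request was made in, not the namespace written inside the
    rendered job body, so a token scoped to "testns" is refused with 403 when
    the client silently falls back to "default"."""
    namespace = resolve_namespace(flag_ns, env or {})
    capability = ENDPOINT_CAPABILITY[(method, path)]
    return 200 if policy_allows(policy, namespace, capability) else 403


if __name__ == "__main__":
    # Reproduces the report: no flag, no env var -> 403 on parse.
    print(call(TEST_POLICY, "PUT", "/v1/jobs/parse"))
    # The workaround described above: set NOMAD_NAMESPACE -> 200.
    print(call(TEST_POLICY, "PUT", "/v1/jobs/parse",
               env={"NOMAD_NAMESPACE": "testns"}))
```

The same check against the server log above confirms the diagnosis: the 403 on /v1/jobs/parse carries no namespace, so the request was evaluated in "default".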
