Authentication and authorization #227

Closed
F21 opened this issue Oct 7, 2015 · 16 comments

@F21

F21 commented Oct 7, 2015

For production use, authentication so that we can restrict who has access to administrate the cluster is important.

It would be nice to also have some sort of authorization, for example:

  • Users can only manage their own jobs.
  • Users can only use x amount of resources in the cluster.
  • etc

@dadgar
Contributor

dadgar commented Oct 7, 2015

This is something we will do; however, we are not focusing on it currently.

@ghost

ghost commented Oct 9, 2015

For the authentication/encryption bits, an interim solution could be to give nomad cli an option to set simple auth, and then stick nginx or something in front of the endpoint doing ssl and authentication (like how private docker registry works).

@cdrage
Contributor

cdrage commented Nov 5, 2015

@rvm2015 @dadgar
Would the plan be perhaps to go a similar route as Consul with its encryption? https://www.consul.io/docs/agent/encryption.html

@davidpelaez

@dadgar I understand that this, at the level of expressiveness suggested by @F21, is not a priority. How about encryption of gossip and raft traffic? I think that would be within the scope of an issue with this title but I want to confirm if it should have its own issue.

@dadgar
Contributor

dadgar commented Nov 19, 2015

@davidpelaez: Yep that should be its own issue!

@mortaliorchard

For companies which are trying to add authentication (or at least a system that would restrict using specific features), what would you recommend? Many thanks!

@dadgar
Contributor

dadgar commented Apr 13, 2016

@mortaliorchard without Nomad enforcing it you would essentially need the HTTP API to be behind a proxy that enforces your ACLs.
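
Added example, not part of the original thread and not Nomad code: a minimal Go reverse proxy of the kind described above, placed in front of the Nomad HTTP API and enforcing per-token rules. The tokens, the `rule` type, the job-name prefix policy, the listen address and the certificate file names are assumptions for illustration; it presumes Nomad itself is bound to 127.0.0.1:4646.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// rule (hypothetical): any listed token may read (GET); a non-empty
// jobPrefix additionally allows writes under /v1/job/<jobPrefix>*.
type rule struct{ token, jobPrefix string }

var rules = []rule{ // constructed sample tokens; load real ones from a secret store
	{token: "example-web", jobPrefix: "web-"},
	{token: "example-ro"},
}

// authorize reports whether a request may be forwarded to Nomad.
func authorize(token, method, p string) bool {
	for _, r := range rules {
		if subtle.ConstantTimeCompare([]byte(token), []byte(r.token)) != 1 {
			continue
		}
		if path.Clean(p) != p { // reject "..", "//" and similar path tricks
			return false
		}
		job := strings.TrimPrefix(p, "/v1/job/")
		write := r.jobPrefix != "" && job != p && strings.HasPrefix(job, r.jobPrefix)
		return method == http.MethodGet || write
	}
	return false // unknown or missing token
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:4646") // Nomad's default HTTP port
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if !authorize(token, r.Method, r.URL.Path) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, r)
	})
	log.Fatal(http.ListenAndServeTLS(":8443", "proxy.crt", "proxy.key", h))
}
```

The proxy only protects the API if nothing else can reach Nomad's own listener, which is the limitation raised later in the thread for containers started with `--net=host`.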

@mortaliorchard

Thanks @dadgar.

@sheerun
Contributor

sheerun commented Jan 3, 2017

@dadgar Ideally nomad would use the same simple authorization scheme as docker or kubernetes - being able to provide a single token that is used to deterministically generate both https certificates and the key encrypting gossip traffic, and is used for authentication. Currently setting up secure nomad is a chore..

@rokka-n

rokka-n commented Jan 24, 2017

I like it as well: having token-based auth for the client would make job scheduling and cluster management a breeze.

@cl0udgeek

how has this not been prioritized yet??? Need auth for prod....

@pznamensky

This is the critical issue for me.
Yes, I can tell nomad to bind on 127.0.0.1 and set up a proxy in front of nomad. But the solution with HTTP basic auth breaks several commands: #2773
Besides, this doesn't let you start at least docker with --net=host, because nomad's API would be reachable inside docker at localhost.

@dadgar
Contributor

dadgar commented Jul 28, 2017

This will be a focus of Nomad 0.7.0!

@hauleth

hauleth commented Aug 17, 2017

@dadgar I have found a small project, Open Policy Agent, which seems like a nice idea to manage policies in Nomad. I am not saying that this should be a project integrated into Nomad/Hashistack (however that also wouldn't be a bad idea), but some ideas are nice.

@dadgar
Contributor

dadgar commented Nov 3, 2017

Hey all! This has landed in Nomad 0.7! https://www.nomadproject.io/guides/acl.html

@dadgar dadgar closed this as completed Nov 3, 2017
benbuzbee pushed a commit to benbuzbee/nomad that referenced this issue Jul 21, 2022
@github-actions

github-actions bot commented Dec 6, 2022

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 6, 2022