UI: wrong policy ACLs when access Job Templates/Nomad Variables

[Mac2]

Nomad version

Nomad v1.8.1
BuildDate 2024-06-19T06:43:57Z
Revision 5022543

Operating system and Environment details

RHEL 8.6 - RHEL 8.8

Issue

We try to give users access to some Job Templates via UI.
As I understand the templates (beside the default ones) are stored as Nomad Variables. So I added the following ACLs to the user policy:

namespace "default" {
  policy = "read"
  variables {
    # give read access to all job templates related to this namespace
    path "nomad/job-templates/*" {
      capabilities = ["read","list"]
    }
    # needed at least once specified to get access to "template" buttons in UI
    # but because of read/list above user cannot write/create new templates! (this has to be the second rule!!!)
    path "nomad/job-templates/notexisting" {
      capabilities = ["write"]
    }
  }
}

with this Policy read-only access works as expected. But without the second write-capability, the "choose template/upload template" Button when trying to "Run a Job" is gone.
As my policy suggest, the path of the write-capability is not existing. So it looks like the check for the Buttonvisibility only looks for the presence of any write-capability.
I've also checked with different namespaces ... I need the write-capability only once a namespace, and then it works as expected.

If I check the "Variables" page, I could see the "nomad/job-templates" path as expected, and also access the stored custom template values. So it might only be a problem with the ui-buttons, and not with the underlying permissions checks.

Reproduction steps

• Create a Nomad Policy with only read/list access to Nomad Variables (or one without any Variable permissions)
• Run a Job and try to load a job template

-> no Choose template button accessible

Expected Result

"Choose Template" Button should be available also with read-only permissions

And maybe access to default templates should be possible without access to nomad Variables?

Actual Result

Button is only useable if at least one write permission is granted

Job file (if appropriate)

---

Nomad Server logs (if appropriate)

---

Nomad Client logs (if appropriate)

---

thanks,
Mac

[tgross]

Hi @Mac2! This looks like it's probably an issue with the logic in the UI to hide the button, rather than the ACL policy itself being managed incorrectly. I'm going to flag this for @philrenaud to see if he has thoughts on it.

[philrenaud]

Hi @Mac2 — we chose to put job templates within the Run Job part of the UI because we figured that was their main purpose (to be used in order to run a new job), and as such the only way to get access in the UI is with the write job policy rule.

You can view these templates (and edit them, if you have write variable permissions) via the variables page in the UI at /nomad/job-templates/

If there's a good use-case for users who can manage/write job template variables but who don't themselves shouldn't have job run access, I'd consider moving template gallery page elsewhere in the UI, but my hope is that it's in the most appropriate place today.

[Mac2]

Hi @philrenaud ,
thanks for the explanation.
I totally aggree with you, that access to templates without permission to run any job is not really useful :-) So placing them behind "Run Job" is fine.

I've just noticed that I missed an importand fact ... in my test-policy there was also included a write-permission for another namespace (policy=write). So the user has access to "Run Job", but the "Choose Template" Button is only missing.

So it look for me that this button checks explicitly für "write variable", instead of "read variable".
I think changing this to "read", should be no problem, because inside the "template area", all write/create actions are checked again, right ?

So in my testcase mentioned above I was able to read the templates, but can not create new ones (except the "notexisting" dummy in default ns of course)

thanks,
Mac

[philrenaud]

Thank you so much for the detail, @Mac2 . I've put up a PR that should improve this situation generally:

• "Run Job" still requires a general submit-jobs or write policy, but now....
• You'll be able to see templates with variable read, and variable write checks have been moved to more appropriate conditional buttons (like "save as template" and links to edit a template)

I hope that you find this change addresses your need. I found your example ACL policy helpful to test with, and included my own in the PR description in case you wanted to check if the new change works for you.

[Mac2]

Sorry for the long delay, due to vacation ... many thanks for applying this code change so fast.
This is exactly the solution I had in mind!

thanks,
Mac