You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, the only Sentinel-related ACL permission is that of sentinel-override. Additionally, the only way to grant an ACL policy the ability to interact with the Sentinel Policy API is by way of a management token.
I would like to propose that new fine-grained ACL capabilities be added for each CRUD action invokable upon a Sentinel policy (i.e. create-sentinel-policy, read-sentinel-policy, update-sentinel-policy and destroy-sentinel-policy).
Use-cases
Recently, I created up a pipeline for syntactically validating and then deploying new/updated Sentinel policies upon being added to our Nomad repository. When I went to run that pipeline for the first time, I got hit with "Error writing Sentinel policy: Unexpected response code: 403 (Permission denied)" and then realize that any API actions pertaining to Sentinel policies requires a management token.
Ideally, I'd like to explicitly define the capabilities that can be invoked within our CI/CD pipelines (by way of the CI/CD pipeline's leveraged token ACL Policy).
For example, I want our pipeline be able to "read" all (as a blanket rule; via the coarse-grained permission), as well as "submit-job" and "sentinel-override" but I don't want the pipeline to have the ability to, say, "alloc-exec" or "csi-mount-volume".
Attempted Solutions
No solution or workaround discovered outside of giving CI/CD pipeline a management token.
The text was updated successfully, but these errors were encountered:
Proposal
Currently, the only Sentinel-related ACL permission is that of
sentinel-override
. Additionally, the only way to grant an ACL policy the ability to interact with the Sentinel Policy API is by way of amanagement
token.I would like to propose that new fine-grained ACL capabilities be added for each CRUD action invokable upon a Sentinel policy (i.e.
create-sentinel-policy
,read-sentinel-policy
,update-sentinel-policy
anddestroy-sentinel-policy
).Use-cases
Recently, I created up a pipeline for syntactically validating and then deploying new/updated Sentinel policies upon being added to our Nomad repository. When I went to run that pipeline for the first time, I got hit with
"Error writing Sentinel policy: Unexpected response code: 403 (Permission denied)"
and then realize that any API actions pertaining to Sentinel policies requires amanagement
token.Ideally, I'd like to explicitly define the capabilities that can be invoked within our CI/CD pipelines (by way of the CI/CD pipeline's leveraged token ACL Policy).
For example, I want our pipeline be able to
"read"
all (as a blanket rule; via the coarse-grained permission), as well as"submit-job"
and"sentinel-override"
but I don't want the pipeline to have the ability to, say,"alloc-exec"
or"csi-mount-volume"
.Attempted Solutions
No solution or workaround discovered outside of giving CI/CD pipeline a
management
token.The text was updated successfully, but these errors were encountered: