Access control on job registration #589

Closed
calvn opened this issue Dec 15, 2015 · 13 comments

@calvn

calvn commented Dec 15, 2015

Is there a best practice/recommendation for implementing access control on running jobs? Consul, for example, has ACLs to control who can register KVs and services. We can use Consul's ACLs to restrict service registration from Nomad jobs, but those jobs would still run on the Nomad clients (just not easily accessible without service discovery).

If ACLs or something similar is outside the scope of Nomad, what is the recommended way to control who can run jobs and how many jobs or resources a user can request? Thanks in advance!

@dadgar
Contributor

dadgar commented Dec 15, 2015

This is something that we will be tackling in Nomad 0.4. For now there are no ACL policies or enforcement in Nomad.

@calvn
Author

calvn commented Dec 15, 2015

Cool to know that this is on the roadmap, thanks for the quick response!

@doherty

doherty commented Jul 24, 2016

I take it this didn't make it into 0.4.0, which was released recently. Is this still on the near-term roadmap?

@diptanu
Contributor

diptanu commented Jul 25, 2016

@doherty Yes, this is very much on the roadmap.

@kyhavlov
Contributor

Any chance this will go into an 0.4.x release soon? I'm looking into using Nomad for deploying apps and this would be a really useful feature, even in very basic form.

@dadgar
Contributor

dadgar commented Aug 12, 2016

@kyhavlov It will not be in a 0.4.x release.

@kyhavlov
Contributor

kyhavlov commented Aug 13, 2016

Just to lay out the things I'd be looking for in an ACL system for Nomad:

  • Tokens used for authentication, similar to Consul with management and client type tokens for administrating ACL policies (and the ability to set policies on the default/anonymous token)
  • Policies on tokens to limit tasks deployed by the token on total cpu/memory/disk/network usage, on a per-region/datacenter basis.
  • Non-management tokens should probably be prohibited from affecting tasks run by other tokens
  • Management tokens get access to all tasks

Does that align with what you guys were already planning for an ACL system in the future? I'd be interested in helping make it happen if that's the case.

@vrenjith
Contributor

Is this feature planned in any release?

@dadgar
Contributor

dadgar commented Sep 20, 2016

It will most likely be in Nomad 0.7.

Thanks,
Alex Dadgar

On Tue, Sep 20, 2016 at 9:32 AM, vrenjith wrote:

> Is this feature planned in any release?

@jhmartin

Without ACLs it looks like a single subverted Nomad 'agent' node effectively subverts the entire cluster; that makes for a very difficult security story.

@mkuzmin

mkuzmin commented Jul 3, 2017

Related issue: #227

@dadgar
Contributor

dadgar commented Nov 3, 2017

Hey all! This has landed in Nomad 0.7! https://www.nomadproject.io/guides/acl.html

dadgar closed this as completed Nov 3, 2017

@github-actions

github-actions bot commented Dec 6, 2022

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions bot locked as resolved and limited conversation to collaborators Dec 6, 2022