Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of [ui] Read-based checks for viewing templates and write-based checks for saving them into release/1.8.x #23469

Merged
merged 1 commit into from
Jul 2, 2024
Merged

Backport of [ui] Read-based checks for viewing templates and write-based checks for saving them into release/1.8.x #23469

merged 1 commit into from
Jul 2, 2024

Conversation

hc-github-team-nomad-core
Copy link
Contributor

Backport

This PR is auto-generated from #23458 to be assessed for backporting due to the inclusion of the label backport/1.8.x.

The below text is copied from the body of the original PR.

This adds nuance to the ACL policy checks for a user to be able to see Job Templates (which are specifically-named Nomad Variables behind the scenes).

The way it works today has some specific checks in place:

  • to even get into the job templates section, you have to first click the "Run Job" button, which only exists if you have the submit-job ACL capability, or a general "write" policy.
  • Once there, we only show you a "Choose from template" button if you can write variables to *.

I think the original intent here was to do up-front checks for full CRUD access, but this PR moves that access check a little downstream. Here, you'll see that the check to see the "Choose from template" button requires specifically read variable access (and I could be convinced to make it list variables, but that would make the subsequent page pretty useless), and the write variable check is moved downstream to the "save as template" button, and to manually edit a given job template via the Management page.

Here is a sample ACL policy to test with:

namespace "default" {
  policy = "read"
  capabilities = ["submit-job"]
  variables {
    # give read access to all job templates related to this namespace
    path "nomad/job-templates/*" {
      capabilities = ["read","list","write"]
    }
    path "*" {
      capabilities = ["write","list"]
    }
  }
}

^--- the submit-job capability is in place, so the "Run Job" button will be present. Also, the nomad/job-templates/* rule has both read and write, which will show both a "Choose from template" and a "Save as template" button. Remove either read or write to see how buttons disappear accordingly.

User has read and write, but not delete, variable capability:

image

User has read variables for nomad/job-templates/*:

image

User has write variables for nomad/job-templates/*:

image

Resolves #23438

Overview of commits

@hc-github-team-nomad-core hc-github-team-nomad-core force-pushed the backport/23438-ui-wrong-policy-acls-when-access-job-templatesnomad-variables/nominally-polite-lark branch from eaedc61 to 2c61a7e Compare June 28, 2024 21:31
@vercel vercel bot temporarily deployed to Preview – nomad-ui June 28, 2024 21:35 Inactive
@vercel vercel bot temporarily deployed to Preview – nomad June 28, 2024 21:37 Inactive
@github-actions GitHub Actions
Copy link

Ember Test Audit comparison

release/1.8.x 2c61a7e change
passes 1564 1564 0
failures 2 2 0
flaky 0 0 0
duration 000ms 000ms -000ms

@philrenaud philrenaud merged commit 7e985ac into release/1.8.x Jul 2, 2024
13 of 16 checks passed
@philrenaud philrenaud deleted the backport/23438-ui-wrong-policy-acls-when-access-job-templatesnomad-variables/nominally-polite-lark branch July 2, 2024 19:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@philrenaud philrenaud philrenaud approved these changes

Assignees

@philrenaud philrenaud

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hc-github-team-nomad-core @philrenaud