Revert "Backport of sentinel: add support for Nomad ACL Token and Nam…

…espace into release/1.1.x (#14237)" (#14246) This reverts commit 18f8510.
hashicorp · Aug 23, 2022 · 6da33f1 · 6da33f1
1 parent 18f8510
commit 6da33f1
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 27 deletions.
diff --git a/.changelog/14171.txt b/.changelog/14171.txt
diff --git a/nomad/job_endpoint.go b/nomad/job_endpoint.go
@@ -102,12 +102,12 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis
 
 	// Attach the Nomad token's accessor ID so that deploymentwatcher
 	// can reference the token later
-	nomadACLToken, err := j.srv.ResolveSecretToken(args.AuthToken)
+	tokenID, err := j.srv.ResolveSecretToken(args.AuthToken)
 	if err != nil {
 		return err
 	}
-	if nomadACLToken != nil {
-		args.Job.NomadTokenID = nomadACLToken.AccessorID
+	if tokenID != nil {
+		args.Job.NomadTokenID = tokenID.AccessorID
 	}
 
 	// Set the warning message
@@ -309,11 +309,7 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis
 
 	// Enforce Sentinel policies. Pass a copy of the job to prevent
 	// sentinel from altering it.
-	ns, err := snap.NamespaceByName(nil, args.RequestNamespace())
-	if err != nil {
-		return err
-	}
-	policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job.Copy(), nomadACLToken, ns)
+	policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job.Copy())
 	if err != nil {
 		return err
 	}
@@ -1694,22 +1690,8 @@ func (j *Job) Plan(args *structs.JobPlanRequest, reply *structs.JobPlanResponse)
 		}
 	}
 
-	// Acquire a snapshot of the state
-	snap, err := j.srv.fsm.State().Snapshot()
-	if err != nil {
-		return err
-	}
-
 	// Enforce Sentinel policies
-	nomadACLToken, err := snap.ACLTokenBySecretID(nil, args.AuthToken)
-	if err != nil && !strings.Contains(err.Error(), "missing secret id") {
-		return err
-	}
-	ns, err := snap.NamespaceByName(nil, args.RequestNamespace())
-	if err != nil {
-		return err
-	}
-	policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job, nomadACLToken, ns)
+	policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job)
 	if err != nil {
 		return err
 	}
@@ -1718,6 +1700,12 @@ func (j *Job) Plan(args *structs.JobPlanRequest, reply *structs.JobPlanResponse)
 		reply.Warnings = structs.MergeMultierrorWarnings(warnings...)
 	}
 
+	// Acquire a snapshot of the state
+	snap, err := j.srv.fsm.State().Snapshot()
+	if err != nil {
+		return err
+	}
+
 	// Interpolate the job for this region
 	err = j.interpolateMultiregionFields(args)
 	if err != nil {

diff --git a/nomad/job_endpoint_oss.go b/nomad/job_endpoint_oss.go
@@ -11,7 +11,7 @@ import (
 )
 
 // enforceSubmitJob is used to check any Sentinel policies for the submit-job scope
-func (j *Job) enforceSubmitJob(override bool, job *structs.Job, nomadACLToken *structs.ACLToken, ns *structs.Namespace) (error, error) {
+func (j *Job) enforceSubmitJob(override bool, job *structs.Job) (error, error) {
 	return nil, nil
 }