Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to submit Connect jobs when disabling allow_unauthenticated #10718

Closed
shoenig opened this issue Jun 7, 2021 · 1 comment · Fixed by #10720
Closed

Unable to submit Connect jobs when disabling allow_unauthenticated #10718

shoenig opened this issue Jun 7, 2021 · 1 comment · Fixed by #10720
Assignees
@shoenig
Labels
stage/accepted Confirmed, and intend to work on. No timeline committment though. theme/consul type/bug
Milestone
1.1.1

Comments

@shoenig
Copy link
Member

shoenig commented Jun 7, 2021

Nomad v1.1.0 introduced consul namespaces support when using Nomad Enterprise + Consul Enterprise, however we broke functionality around ACL validation in the OSS use case.

Jobs are incorrectly being blocked when following conditions are true

  • Submitting a Consul Connect job
  • Consul is OSS
  • Consul ACLs are enabled
  • Nomad's allow_unauthenticated is set to false

The error looks like,

$ nomad job run -consul-token 76221243-1631-e241-9b34-ffbcb6c36025 api.nomad 
Error submitting job: Unexpected response code: 500 (job-submitter consul token denied: consul ACL token cannot use namespace "default")

Which is nonsensical, since Namespaces do not exist in Consul OSS.
@shoenig shoenig self-assigned this Jun 7, 2021
@shoenig shoenig added this to the 1.1.1 milestone Jun 7, 2021
@shoenig shoenig added the stage/accepted Confirmed, and intend to work on. No timeline committment though. label Jun 7, 2021
shoenig added a commit that referenced this issue Jun 7, 2021
@shoenig
consul: correctly check consul acl token namespace when using consul oss
bdf2227 
This PR fixes the Nomad Object Namespace <-> Consul ACL Token relationship
check when using Consul OSS (or Consul ENT without namespace support).

Nomad v1.1.0 introduced a regression where Nomad would fail the validation
when submitting Connect jobs and allow_unauthenticated set to true, with
Consul OSS - because it would do the namespace check against the Consul ACL
token assuming the "default" namespace, which does not work because Consul OSS
does not have namespaces.

Instead of making the bad assumption, expand the namespace check to handle
each special case explicitly.

Fixes #10718
@shoenig shoenig mentioned this issue Jun 7, 2021
Merged
shoenig added a commit that referenced this issue Jun 8, 2021
@shoenig
consul: correctly check consul acl token namespace when using consul oss
af9d1d4 
This PR fixes the Nomad Object Namespace <-> Consul ACL Token relationship
check when using Consul OSS (or Consul ENT without namespace support).

Nomad v1.1.0 introduced a regression where Nomad would fail the validation
when submitting Connect jobs and allow_unauthenticated set to true, with
Consul OSS - because it would do the namespace check against the Consul ACL
token assuming the "default" namespace, which does not work because Consul OSS
does not have namespaces.

Instead of making the bad assumption, expand the namespace check to handle
each special case explicitly.

Fixes #10718
shoenig added a commit that referenced this issue Jun 8, 2021
@shoenig
consul: correctly check consul acl token namespace when using consul oss
a5f908f 
This PR fixes the Nomad Object Namespace <-> Consul ACL Token relationship
check when using Consul OSS (or Consul ENT without namespace support).

Nomad v1.1.0 introduced a regression where Nomad would fail the validation
when submitting Connect jobs and allow_unauthenticated set to true, with
Consul OSS - because it would do the namespace check against the Consul ACL
token assuming the "default" namespace, which does not work because Consul OSS
does not have namespaces.

Instead of making the bad assumption, expand the namespace check to handle
each special case explicitly.

Fixes #10718
shoenig added a commit that referenced this issue Jun 8, 2021
@shoenig
consul: correctly check consul acl token namespace when using consul oss
09c9a17 
This PR fixes the Nomad Object Namespace <-> Consul ACL Token relationship
check when using Consul OSS (or Consul ENT without namespace support).

Nomad v1.1.0 introduced a regression where Nomad would fail the validation
when submitting Connect jobs and allow_unauthenticated set to true, with
Consul OSS - because it would do the namespace check against the Consul ACL
token assuming the "default" namespace, which does not work because Consul OSS
does not have namespaces.

Instead of making the bad assumption, expand the namespace check to handle
each special case explicitly.

Fixes #10718
@shoenig shoenig mentioned this issue Jun 14, 2021
Merged
@github-actions
Copy link

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 18, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@shoenig shoenig

Labels
stage/accepted Confirmed, and intend to work on. No timeline committment though. theme/consul type/bug
Projects
None yet
Milestone
1.1.1
Development

Successfully merging a pull request may close this issue.

consul: correctly check consul acl token namespace when using consul oss hashicorp/nomad
1 participant
@shoenig