parse-job access is missing from ACL write defaults #12254

Closed
idrennanvmware opened this issue Mar 10, 2022 · 6 comments
Labels: stage/waiting-on-upstream (This issue is waiting on an upstream PR review), theme/auth, theme/docs (Documentation issues and enhancements)

Comments

@idrennanvmware
Contributor

When upgrading to Nomad 1.2.6 we noticed a functional regression in our tests. This was caused by a test that was using the "write" ACL (documented here: https://learn.hashicorp.com/tutorials/nomad/access-control-policies?in=nomad/access-control#write), which is missing the 'parse-job' granular item; it is only present in "read" currently.

Request is to add this to the "write" as well.

Thanks!
Ian


@tgross tgross added theme/docs, theme/auth, stage/waiting-reply labels Mar 10, 2022
@tgross
Member

tgross commented Mar 10, 2022

Hi @idrennanvmware! I took a look at the code and also tried to test the behavior and I think this is a documentation issue.

With a policy like:

namespace "*" {
  policy = "write"
}

I was able to validate a jobspec.

If you look at the ACLs code you can see that the new parse-job capability is found in the coarse-grained read ACL, as documented (ref policy.go#L170). But the read capabilities are copied into the write capabilities (on line 180).

All that being said, you mentioned that there was a failed regression test. Can you share the policy file and error you saw? Maybe there's something we missed.

That documentation page is in a closed repo. I'll open up a PR over there shortly to fix the docs as well.

@tgross tgross self-assigned this Mar 10, 2022
@lgfa29
Contributor

lgfa29 commented Mar 10, 2022

@idrennanvmware another documentation piece that is missing is that the namespace in your request must match a namespace that is allowed by your policy.

I opened #12258 to describe this.
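
The two points made in the replies above (the coarse-grained write policy starts from a copy of the read capabilities, and the request's namespace must match a namespace the policy covers), as an added example that is not Nomad's own code. It is a simplified model: the capability list is a subset, `rule`, `expand` and `allowed` are hypothetical names, and Go's `path.Match` stands in for Nomad's namespace matching.

```go
package main

import (
	"fmt"
	"path"
)

// Subset of namespace capabilities, enough to model the thread's point.
var readCaps = []string{"list-jobs", "parse-job", "read-job"}

// expand turns a coarse-grained policy into capabilities. "write" starts
// from a copy of the read set, so parse-job comes along with it.
func expand(policy string) []string {
	switch policy {
	case "read":
		return append([]string{}, readCaps...)
	case "write":
		return append(append([]string{}, readCaps...), "submit-job", "dispatch-job")
	}
	return nil // "deny" and unknown values grant nothing
}

// rule models one `namespace "<glob>" { policy = "<policy>" }` block (hypothetical type).
type rule struct{ Glob, Policy string }

// allowed reports whether r grants capability for a request made in ns.
// The request namespace must match the rule's namespace before any
// capability is considered.
func allowed(r rule, ns, capability string) bool {
	if ok, err := path.Match(r.Glob, ns); err != nil || !ok {
		return false
	}
	for _, c := range expand(r.Policy) {
		if c == capability {
			return true
		}
	}
	return false
}

func main() {
	all := rule{Glob: "*", Policy: "write"}
	prod := rule{Glob: "prod-*", Policy: "write"} // constructed sample policy
	fmt.Println(allowed(all, "default", "parse-job"))   // write includes parse-job
	fmt.Println(allowed(prod, "prod-web", "parse-job")) // namespace matches
	fmt.Println(allowed(prod, "default", "parse-job"))  // namespace not covered
}
```
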

@idrennanvmware
Contributor Author

@tgross and @lgfa29

Apologies for not getting back sooner - was OOO.

You are right - our test failures weren't related to the policy and the "fix" was just a timing issue that gave us the red herring. I believe you are both right and it's just missing from documentation and the 'write' section needs to be updated.

Functionally the root cause of our problem was actually latency from the time a token was issued from Nomad until it was valid for use. Interestingly we haven't encountered this in the past so the latency seems new (we were creating and immediately using a token) - we just ensure the token is valid now in our tests and move on. Not sure why it's more latent than before or if there are external factors contributing - but please feel free to close this issue when you're ready.

Thanks for the help and time - apologies for the misdirection.

@tgross
Member

tgross commented Mar 15, 2022

I've got the PR for Learn open and once that gets merged for deployment, I'll close this issue.

@tgross tgross added stage/waiting-on-upstream and removed stage/waiting-reply, type/bug labels Mar 15, 2022
@tgross
Member

tgross commented Mar 15, 2022

Ok, fixed on https://learn.hashicorp.com/tutorials/nomad/access-control-policies?in=nomad/access-control#write. Thanks @idrennanvmware !

@tgross tgross closed this as completed Mar 15, 2022
@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 10, 2022