-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
secure vars implicit ACL policy expects invalid name #13995
Comments
Includes concept docs for secure variables, concept docs for workload identity, and an operations docs for keyring management.
@schmichael I'm going to revisit this when I get back after next week but do you know if there's a hidden reason for this regex other than maybe CLI/UI ergonomics? It seems like it could be safe to allow |
tl;dr - Naming things is impossible. Lifting the restriction seems ok with caveats. Context
The digital record seems to be lacking in explanation, and my fuzzy memory isn't dredging up anything... ...however I'm guessing this is around the time we were feeling regret in Nomad and Consul about our lack of identifier validation early on. Consul obviously needs DNS-friendly identifiers in a number of places. Nomad had also just run face first into the issue of So it seems likely this was an attempt to start with the minimum-viable-allowable-characters as it's far easier to expand allowed characters over time than restrict them further. Problems with proposalsBoth proposed naming schemes run afoul of the
A single path would match both regardless of whether Normally I'd be open to saying "well people just shouldn't name things in confusing ways without expecting negative consequences," but this I don't feel comfortable here for 2 reasons:
Alternative Approach: Secondary IndexI think the only way to address all naming issues is by adding fields to ACLPolicy and requiring explicitly linking policies to jobs: type ACLPolicy struct {
Rules string // HCL or JSON format
RulesJSON *acl.Policy // Generated from Rules on read
Hash []byte
+ JobID string
+ Group string
+ Task string
CreateIndex uint64
ModifyIndex uint64
} We could either add an index on JobID and treat empty Group and Task fields as wildcards to apply to the whole job, or we could add a compound index on all 3 and require explicitness. Unfortunately this also means a bunch of new command line options:
Compromise Approach: No slashes in jobs that use this featureThe above is a lot of work for no real functional benefit. Error messages on typos wouldn't even be possible because you have to create the policy before the job (although allowing jobspecs to just include policy blocks and adding a new atomic raft message could be interesting). So what if we just started warning on jobspecs with If we ever add a sub-path to ACL policy API endpoints we even special case the I think we'd also want to drop the Dispatched JobsAs if the I think it's safe to match Job's to a policy based on their ParentID if one is set. Apologies if you've already implemented or dismissed this, and I missed it. I'm not sure we can switch our use of |
Given the use in API endpoints it seems to be better to forbid Coming from CPP I can recommend |
Yeah, this is why the notion of having a name that couldn't possibly match an existing policy was ideal, but the I really like the secondary index approach, as it gives us a lot of future flexibility for applying policies. It has a tiny bit of friction at the time of creation, but it's not likely to be a very frequent operation either (and has to be done with a management token which implies someone in the org who knows what they're doing). I also think we should probably start warning about |
Thinking about this loud (very loud). What if we were to fast-track this deprecation. What about "hiding" secure variables behind a feature flag and one would have to put a setting (like with the SchedulerAlgorithm in https://www.nomadproject.io/api-docs/operator/scheduler) to enable them. Enabling them would also enforce job names without slashes. This way we could still keep the hierarchical structure in the policy names and wouldn't need the secondary index. New clusters could have this feature flag enabled by default and operators could opt into it for new clusters. |
I've opened #14140 with the secondary index approach and I'm pretty happy with how it turns out.
I think where I'm coming down on this is that using the name of the policy is way too "magic" to be safe for operators. It's a little gross to have to add the flags to new policies, but that's an infrequent operation so I think it's worth the tiny added friction. |
Yeah security wise it certainly makes sense to use the secondary index. Too bad, the other syntax looked really nice 🙂
…On Tue, Aug 16, 2022, at 20:20, Tim Gross wrote:
I've opened #14140 <#14140> with
the secondary index approach and I'm pretty happy with how it turns out.
> Enabling them would also enforce job names without slashes. This way we could still keep the hierarchical structure in the policy names and wouldn't need the secondary index.
>
I think where I'm coming down on this is that using the *name* of the
policy is way too "magic" to be safe for operators. It's a little gross
to have to add the flags to new policies, but that's an infrequent
operation so I think it's worth the tiny added friction.
—
Reply to this email directly, view it on GitHub
<#13995 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAT5CZNLCYBANA6ETYGTLDVZPLYXANCNFSM55P45G5A>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues. |
The ACL policy parsing we added for secure variables (scheduled to ship in Nomad 1.4.0) allows workload identities to gain new privileges when an appropriately named policy is created. As noted in a conversation with @apollo13 9384ba1#r80061480, the name template for this policy is the rather ugly
_:$job_id/$group/$task
.As it turns out, this isn't just ugly it's actually an invalid ACL policy name! We use this regex to check the policy name. I'm going to have to circle back to fix this later in the week but wanted to write it down so we don't forget to fix it. A proposed naming convention:
nomadjob-$job-$group-$task
The text was updated successfully, but these errors were encountered: