ACL disabled does not equal all features being available #14392

Closed
rikhuijzer opened this issue Aug 30, 2022 · 5 comments

@rikhuijzer

Nomad version

1.3.4

Operating system and Environment details

Ubuntu 22.04

Issue

The CPU and Memory Resource Utilization graphs in the UI are empty as well as the logs. When looking through the errors in the browser's console (errors listed below), one error points to /v1/acl/policy/anonymous. When the Nomad front end tries to load this endpoint, the endpoint returns a 400 with the text "ACL support disabled". This is correct, I have not enabled ACL. However, according to https://learn.hashicorp.com/tutorials/nomad/web-ui-considerations, "Nomad starts with ACLs disabled by default, which means all features—read and write—are available to all users of the Web UI out of the box". So, this is a contradiction.

Reproduction steps

I have a pretty basic setup where the Nomad UI is set up behind a reverse proxy.

Click here to see the task definition

    task "caddy" {
        driver = "docker"
        volume_mount {
            volume = "caddy"
            destination = "/data"
            read_only = false
        }

        config {
            network_mode = "host"
            image = "library/caddy:2-alpine"
            ports = ["http", "https"]
            mount {
                type = "bind"
                source = "html"
                target = "/var/www/html"
            }
            mount {
                type = "bind"
                source = "local"
                target = "/templates"
            }
            args = [
                "caddy",
                "run",
                "--config=/templates/Caddyfile",
                "--adapter=caddyfile"
            ]
        }

        resources {
            cpu = 500
            memory = 500
        }

        template {
            destination = "html/index.html"
            data = <<EOH
                <center>
                    <h1>Error 1003</h1>
                    Direct IP access not allowed.<br>
                    <br>
                    A valid Host header must be supplied to reach the website.
                </center>
            EOH
        }

        env {
            ACME = var.ACME
        }

        template {
            destination = "local/Caddyfile"
            data = <<-EOF
                {
                    email <REMOVED>
                    acme_ca https://acme-v02.api.letsencrypt.org/directory
                }

                nomad.example.com nomad.localhost {
                    reverse_proxy 127.0.0.1:4646
                }

                git.example.com git.localhost {
                    reverse_proxy 127.0.0.1:3000
                }

                :80 {
                    root * /var/www/html
                    file_server
                }
            EOF
        }
    }

Nomad Client logs

This is the error that is shown in the browser developer tools:

vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8418 Uncaught Error: TypeError: Cannot read properties of null (reading 'then')
    at d.<anonymous> (nomad-ui-2337cfef252f8cd23727e6c21be6e3d8.js:2470:102)
    at Generator.next (<anonymous>)
    at e.GeneratorState.step (vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8426:155)
    at e.TaskInstanceExecutor.generatorStep (vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8544:27)
    at e.TaskInstanceExecutor.handleResolvedContinueValue (vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8537:1198)
    at e.TaskInstanceExecutor.proceedSync (vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8537:1107)
    at e.TaskInstanceExecutor.start (vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8537:283)
    at i.start (vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8513:322)
    at vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8466:107
    at Array.forEach (<anonymous>)

This error is shown when a page for an allocation is open.

/v1/acl/policy/anonymous:1          Failed to load resource: the server responded with a status of 400 ()
vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8418 Uncaught Error: TypeError: Cannot read properties of null (reading 'then')
    at d.<anonymous> (nomad-ui-2337cfef252f8cd23727e6c21be6e3d8.js:2470:102)
    at Generator.next (<anonymous>)
    at e.GeneratorState.step (vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8426:155)
    at e.TaskInstanceExecutor.generatorStep (vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8544:27)
    at e.TaskInstanceExecutor.handleResolvedContinueValue (vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8537:1198)
    at e.TaskInstanceExecutor.proceedSync (vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8537:1107)
    at e.TaskInstanceExecutor.start (vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8537:283)
    at i.start (vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8513:322)
    at vendor-eb07b60f7e1f309e783749d1ba18f9d7.js:8466:107
    at Array.forEach (<anonymous>)

I've checked the /v1/acl/policy/anonymous link by browsing to the page manually and it responds with

ACL support disabled

@Great-Stone

similar issues - #14359

@lszmit-nm

This exact error scenario also applies to the "Exec" functionality, including when the workaround in #14359 is used.
The exec box appears empty, with an error in console after a call to /v1/acl/token/self

Uncaught (in promise) TypeError: Cannot read properties of null (reading 'name')
    at we (vendor-dad7c3199ebc24844bbd15f61df17122.js:1897:40)
    at _e (vendor-dad7c3199ebc24844bbd15f61df17122.js:1896:39)
    at vendor-dad7c3199ebc24844bbd15f61df17122.js:3008:175
    at Array.sort (<anonymous>)
    at vendor-dad7c3199ebc24844bbd15f61df17122.js:3008:94
    at P.<anonymous> (vendor-dad7c3199ebc24844bbd15f61df17122.js:3009:47)
    at vendor-dad7c3199ebc24844bbd15f61df17122.js:1930:50
    at e.track (vendor-dad7c3199ebc24844bbd15f61df17122.js:3975:5)
    at Me.get (vendor-dad7c3199ebc24844bbd15f61df17122.js:1930:39)
    at P.sortedTaskGroups (vendor-dad7c3199ebc24844bbd15f61df17122.js:1881:250)

@tgross
Member

tgross commented Aug 30, 2022

Hi folks. This is indeed a dupe of #14359 and has been fixed on main with #14381. That'll be shipped as a patch shortly.

@rikhuijzer
Author

My apologies for missing that issue and thanks for all the work!

@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 29, 2022
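
The failure reported in this thread is a client that receives the 400 "ACL support disabled" response from `/v1/acl/policy/anonymous` and then dereferences a null result. The sketch below is an added example, not Nomad's UI code and not the fix from #14381: it maps that response to an explicit "ACLs off, every caller unrestricted" state and fails closed on anything else. The names `interpretAclProbe` and `probeAcl`, the shape of the returned object, and the sample responses are assumptions made for illustration.

```javascript
// Added example; function and field names here are hypothetical.
const ACL_DISABLED_TEXT = "ACL support disabled"; // body text quoted in the issue

// Map one response from an ACL endpoint to an explicit state object.
// Never returns null, so callers can always read .state and .unrestricted.
function interpretAclProbe(status, bodyText) {
  const body = String(bodyText ?? "").trim();
  if (status === 400 && body.includes(ACL_DISABLED_TEXT)) {
    // ACLs are off: there is no policy to load and every caller is unrestricted.
    return { state: "acl-disabled", policy: null, unrestricted: true };
  }
  if (status === 200) {
    try {
      return { state: "acl-enabled", policy: JSON.parse(body), unrestricted: false };
    } catch (err) {
      return { state: "unknown", policy: null, unrestricted: false, detail: "body is not JSON" };
    }
  }
  // Anything else (other 4xx, 5xx from the reverse proxy, ...) fails closed.
  return { state: "unknown", policy: null, unrestricted: false, detail: `HTTP ${status}` };
}

// Fetch wrapper: always resolves to a state object, including on network errors.
// fetchImpl is injectable so the logic can be exercised without a server.
async function probeAcl(baseUrl, fetchImpl = globalThis.fetch) {
  try {
    const res = await fetchImpl(`${baseUrl}/v1/acl/policy/anonymous`);
    return interpretAclProbe(res.status, await res.text());
  } catch (err) {
    return { state: "unknown", policy: null, unrestricted: false, detail: String(err) };
  }
}

// Constructed sample responses (not captured from a real cluster).
const samples = [
  [400, "ACL support disabled"],
  [200, '{"Name":"anonymous","Rules":""}'],
  [502, "Bad Gateway"],
];
for (const [status, body] of samples) {
  console.log(status, interpretAclProbe(status, body).state);
}
```

An `acl-disabled` result on a hostname served through a reverse proxy, as in the setup described in the first post, means anyone who can reach that hostname has the full read and write access the quoted documentation describes.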