Nomad ACL roles with dangling policies cause permission evaluation issues #18619

Closed · the-nando opened this issue Sep 29, 2023 · 2 comments · Fixed by #18972
Labels: stage/accepted, theme/allocation API, theme/security, type/bug

Comments

the-nando (Contributor) commented Sep 29, 2023

Nomad version

Nomad v1.6.2

Issue

#17201 addressed the issue of roles with overlapping policies but there's another issue I stumbled upon related to a role containing one or more policies which have been deleted, which causes the list of allowed permissions to be erroneously computed; ultimately this results in allowed actions being denied to the user.
The involved code path is the same as for #17201, ACL.GetPolicies.

Reproduction steps

1. Create two namespaces, monitoring and system, and deploy a simple job in the system one.
2. Create two policies:

cat > policy1.hcl << EOF
operator {
  policy = "read"
}

namespace "monitoring" {
  policy = "write"
}
EOF

cat > policy2.hcl << EOF
operator {
  policy = "read"
}

namespace "system" {
  policy = "write"
}
EOF

nomad acl policy apply monitoring-admin policy1.hcl
nomad acl policy apply system-admin policy2.hcl

3. Create a role and get a token:

nomad acl role create -name test-role -policy system-admin -policy monitoring-admin
export NOMAD_TOKEN=$(nomad acl token create -ttl=10m -name=test-token -role-name=test-role -t '{{ .SecretID }}')

4. Exec in the test container:

~ nomad alloc exec -namespace='system' -job my-test-job echo foo
foo
~

5. With another token, delete the monitoring-admin policy:

nomad acl policy delete monitoring-admin

6. Re-try to exec:

~ nomad alloc exec -namespace='system' -job my-test-job echo foo
failed to exec into task: rpc error: Permission denied
~

Expected Result

~ nomad alloc exec -namespace='system' -job my-test-job echo foo
foo
~

Actual Result

~ nomad alloc exec -namespace='system' -job my-test-job echo foo
failed to exec into task: rpc error: Permission denied
~
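To make the reported failure mode concrete, the following is an added Go example, not Nomad's code and not the actual logic of ACL.GetPolicies; it models the behaviour the report describes against an in-memory stand-in for the ACL state store (Policy, Store, resolve, allowed and DanglingLinks are all assumed names). `resolve` with `strict=true` shows how a single dangling policy link can cause a role's surviving policies (here system-admin) to be denied; `strict=false` shows the tolerant alternative, which merges what still exists and returns the dangling names. `DanglingLinks` is the audit an operator could run after deleting a policy to find roles that still reference it.

```go
package main

import (
	"fmt"
	"sort"
)

// Types below are constructed for this example; they are not Nomad's own.
// Policy maps namespace -> "read" | "write".
type Policy struct {
	Namespaces map[string]string
}

// Store is an in-memory stand-in for the ACL state store. Roles link policies
// by name, so deleting a policy leaves a dangling link in every role using it.
type Store struct {
	Policies map[string]*Policy
	Roles    map[string][]string // role name -> linked policy names
}

// lookup fetches policies by name and reports the names that no longer exist.
func (s *Store) lookup(names []string) (found []*Policy, missing []string) {
	for _, n := range names {
		if p, ok := s.Policies[n]; ok {
			found = append(found, p)
		} else {
			missing = append(missing, n)
		}
	}
	return found, missing
}

// merge unions namespace capabilities, keeping the stronger level.
func merge(ps []*Policy) map[string]string {
	out := map[string]string{}
	for _, p := range ps {
		for ns, lvl := range p.Namespaces {
			if out[ns] != "write" {
				out[ns] = lvl
			}
		}
	}
	return out
}

// resolve computes a role's capabilities. strict=true models the failure mode in
// the issue: one dangling link fails the whole resolution, so the token is denied
// what its surviving policies grant. strict=false skips dangling links instead.
func resolve(s *Store, role string, strict bool) (caps map[string]string, dangling []string, err error) {
	links, ok := s.Roles[role]
	if !ok {
		return nil, nil, fmt.Errorf("role %q not found", role)
	}
	found, missing := s.lookup(links)
	if strict && len(missing) > 0 {
		return nil, missing, fmt.Errorf("role %q references missing policies %v", role, missing)
	}
	return merge(found), missing, nil
}

// allowed is the handler-side check: does the set grant at least `want` on ns?
func allowed(caps map[string]string, ns, want string) bool {
	got := caps[ns]
	return got == "write" || (want == "read" && got == "read")
}

// DanglingLinks audits every role and maps role name -> missing policy names.
func DanglingLinks(s *Store) map[string][]string {
	out := map[string][]string{}
	for name, links := range s.Roles {
		if _, missing := s.lookup(links); len(missing) > 0 {
			sort.Strings(missing)
			out[name] = missing
		}
	}
	return out
}

// scenario builds the issue's setup in memory: two policies, one role linking both.
func scenario() *Store {
	return &Store{
		Policies: map[string]*Policy{
			"monitoring-admin": {Namespaces: map[string]string{"monitoring": "write"}},
			"system-admin":     {Namespaces: map[string]string{"system": "write"}},
		},
		Roles: map[string][]string{"test-role": {"system-admin", "monitoring-admin"}},
	}
}

func main() {
	s := scenario()
	delete(s.Policies, "monitoring-admin") // the "nomad acl policy delete" step
	_, _, err := resolve(s, "test-role", true)
	caps, dangling, _ := resolve(s, "test-role", false)
	fmt.Println("strict:", err)
	fmt.Println("lenient: system write =", allowed(caps, "system", "write"), "dangling =", dangling, "audit =", DanglingLinks(s))
}
```

Running it prints a strict-mode error for test-role and, in lenient mode, that a write on the system namespace is still allowed with monitoring-admin reported as the dangling link; the audit map is what to check (and clean up) after any policy deletion so that tokens do not silently lose the permissions of the policies that remain.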
jrasell self-assigned this Sep 29, 2023

jrasell (Member) commented Sep 29, 2023

Hi @the-nando and thanks for raising this issue with some great information. I'll take a look into reproducing this locally next week and report back with any findings.

jrasell added the theme/security, theme/allocation API and stage/accepted labels Oct 2, 2023

jrasell (Member) commented Oct 2, 2023

Hi @the-nando; I have been able to reproduce this locally. The setup I am using can be found at: https://github.com/jrasell/dev-mess/tree/main/nomad/development/gh18619

I'll try and find some time to look into what is causing this and report back what I find.
