Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSI plugins don't get ACL tokens to send to RPCs #8373

Closed
mishel170 opened this issue Jul 7, 2020 · 2 comments · Fixed by #8626
Closed

CSI plugins don't get ACL tokens to send to RPCs #8373

mishel170 opened this issue Jul 7, 2020 · 2 comments · Fixed by #8626
Assignees
@langmartin
Labels
theme/auth theme/storage type/bug
Milestone
0.12.2

Comments

@mishel170
Copy link

Nomad version - 0.11.3

Hi,
When I use Nomad with ACL and volumes, I have to add to the anonymous policy the following rules:

namespace "default" {
  capabilities = ["csi-mount-volume"]
}

plugin {
  policy = "read"
}

These rules allow any user without a token to enter the UI and enter the "Storage" section and see there everything except making any actions like restart stop or exec.
The only reason I added the rules is because when a plugin tries to mount a volume to the task, it encounters a permission denied exception.
My wish is that the token request screen will appear at the "Storage" section and if possible, running the CSI-plugins without even using the anonymous policy.
Please let me know if this is a bug.

Looking forward to your reply
@tgross
Copy link
Member

tgross commented Jul 7, 2020
edited
Loading

Hi @mishel170! Unfortunately this looks like a bug. The ACL is getting checked when you submit the job as we'd expect but it looks like the plugin isn't being given the appropriate token to make the internal RPC. I'll get this on our list of work for CSI to go GA.

I'm going to change the title of the issue a bit to make it a little easier for us to get it assigned to the right folks

@tgross tgross changed the title Running nomad with ACL and volumes exposes the "Storage" section along with its allocation details to the anonymous user CSI plugins don't get ACL tokens to send to RPCs Jul 7, 2020
@langmartin langmartin self-assigned this Aug 5, 2020
@tgross tgross mentioned this issue Aug 7, 2020
Merged
@langmartin langmartin mentioned this issue Aug 10, 2020
Merged
@tgross tgross added this to the 0.12.2 milestone Oct 9, 2020
@github-actions
Copy link

github-actions bot commented Nov 1, 2022

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 1, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@langmartin langmartin

Labels
theme/auth theme/storage type/bug
Projects
None yet
Milestone
0.12.2
Development

Successfully merging a pull request may close this issue.

CSI RPC Token hashicorp/nomad
3 participants
@langmartin @tgross @mishel170