hashicorp · lgfa29 · Jan 13, 2022 · Dec 13, 2021 · Dec 13, 2021 · Dec 14, 2021
diff --git a/.changelog/11672.txt b/.changelog/11672.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fix the ACL requirements for displaying the job details page
+```
diff --git a/ui/app/abilities/client.js b/ui/app/abilities/client.js
@@ -7,18 +7,30 @@ import classic from 'ember-classic-decorator';
 export default class Client extends AbstractAbility {
   // Map abilities to policy options (which are coarse for nodes)
   // instead of specific behaviors.
+  @or('bypassAuthorization', 'selfTokenIsManagement', 'policiesIncludeNodeRead')
+  canRead;
+
   @or('bypassAuthorization', 'selfTokenIsManagement', 'policiesIncludeNodeWrite')
   canWrite;
 
   @computed('token.selfTokenPolicies.[]')
-  get policiesIncludeNodeWrite() {
-    // For each policy record, extract the Node policy
-    const policies = (this.get('token.selfTokenPolicies') || [])
-      .toArray()
-      .map(policy => get(policy, 'rulesJSON.Node.Policy'))
-      .compact();
+  get policiesIncludeNodeRead() {
+    return policiesIncludePermissions(this.get('token.selfTokenPolicies'), ['read', 'write']);
+  }
 
-    // Node write is allowed if any policy allows it
-    return policies.some(policy => policy === 'write');
+  @computed('token.selfTokenPolicies.[]')
+  get policiesIncludeNodeWrite() {
+    return policiesIncludePermissions(this.get('token.selfTokenPolicies'), ['write']);
   }
 }
+
+function policiesIncludePermissions(policies = [], permissions = []) {
+  // For each policy record, extract the Node policy
+  const nodePolicies = policies
+    .toArray()
+    .map(policy => get(policy, 'rulesJSON.Node.Policy'))
+    .compact();
+
+  // Check for requested permissions
+  return nodePolicies.some(policy => permissions.includes(policy));
+}
diff --git a/ui/app/components/job-page/parameterized-child.js b/ui/app/components/job-page/parameterized-child.js
@@ -8,6 +8,7 @@ import jobClientStatus from 'nomad-ui/utils/properties/job-client-status';
 @classic
 export default class ParameterizedChild extends PeriodicChildJobPage {
   @alias('job.decodedPayload') payload;
+  @service can;
   @service store;
 
   @computed('payload')
@@ -26,4 +27,8 @@ export default class ParameterizedChild extends PeriodicChildJobPage {
   get nodes() {
     return this.store.peekAll('node');
   }
+
+  get shouldDisplayClientInformation() {
+    return this.can.can('read client') && this.job.hasClientStatus;
+  }
 }
diff --git a/ui/app/components/job-page/parts/job-client-status-summary.js b/ui/app/components/job-page/parts/job-client-status-summary.js
@@ -8,10 +8,13 @@ import classic from 'ember-classic-decorator';
 export default class JobClientStatusSummary extends Component {
   job = null;
   jobClientStatus = null;
+  forceCollapsed = false;
   gotoClients() {}
 
-  @computed
+  @computed('forceCollapsed')
   get isExpanded() {
+    if (this.forceCollapsed) return false;
+
     const storageValue = window.localStorage.nomadExpandJobClientStatusSummary;
     return storageValue != null ? JSON.parse(storageValue) : true;
   }

diff --git a/ui/app/components/job-page/periodic-child.js b/ui/app/components/job-page/periodic-child.js
@@ -6,6 +6,7 @@ import jobClientStatus from 'nomad-ui/utils/properties/job-client-status';
 
 @classic
 export default class PeriodicChild extends AbstractJobPage {
+  @service can;
   @service store;
 
   @computed('job.{name,id}', 'job.parent.{name,id}')
@@ -31,4 +32,8 @@ export default class PeriodicChild extends AbstractJobPage {
   get nodes() {
     return this.store.peekAll('node');
   }
+
+  get shouldDisplayClientInformation() {
+    return this.can.can('read client') && this.job.hasClientStatus;
+  }
 }
diff --git a/ui/app/routes/jobs/job/index.js b/ui/app/routes/jobs/job/index.js
@@ -1,4 +1,5 @@
 import Route from '@ember/routing/route';
+import { inject as service } from '@ember/service';
 import { collect } from '@ember/object/computed';
 import {
   watchRecord,
@@ -9,12 +10,20 @@ import {
 import WithWatchers from 'nomad-ui/mixins/with-watchers';
 
 export default class IndexRoute extends Route.extend(WithWatchers) {
+  @service can;
+
   async model() {
-    // Optimizing future node look ups by preemptively loading everything
-    await this.store.findAll('node');
     return this.modelFor('jobs.job');
   }
 
+  async afterModel(model) {
+    // Optimizing future node look ups by preemptively loading all nodes if
+    // necessary and allowed.
+    if (model.get('hasClientStatus') && this.can.can('read client')) {
+      await this.store.findAll('node');
+    }
+  }
+
   startWatchers(controller, model) {
     if (!model) {
       return;
@@ -29,7 +38,8 @@ export default class IndexRoute extends Route.extend(WithWatchers) {
       list:
         model.get('hasChildren') &&
         this.watchAllJobs.perform({ namespace: model.namespace.get('name') }),
-      nodes: model.get('hasClientStatus') && this.watchNodes.perform(),
+      nodes:
+        this.can.can('read client') && model.get('hasClientStatus') && this.watchNodes.perform(),
     });
   }
 

diff --git a/ui/app/templates/components/allocation-row.hbs b/ui/app/templates/components/allocation-row.hbs
@@ -1,8 +1,10 @@
 <td data-test-indicators class="is-narrow">
-  {{#if this.allocation.unhealthyDrivers.length}}
-    <span data-test-icon="unhealthy-driver" class="tooltip text-center" role="tooltip" aria-label="Allocation depends on unhealthy drivers">
-      {{x-icon "alert-triangle" class="is-warning"}}
-    </span>
+  {{#if (can "read client")}}
+    {{#if this.allocation.unhealthyDrivers.length}}
+      <span data-test-icon="unhealthy-driver" class="tooltip text-center" role="tooltip" aria-label="Allocation depends on unhealthy drivers">
+        {{x-icon "alert-triangle" class="is-warning"}}
+      </span>
+    {{/if}}
   {{/if}}
   {{#if this.allocation.nextAllocation}}
     <span data-test-icon="reschedule" class="tooltip text-center" role="tooltip" aria-label="Allocation was rescheduled">
@@ -38,21 +40,25 @@
 </td>
 {{#if (eq this.context "volume")}}
   <td data-test-client>
-    <Tooltip @text={{this.allocation.node.name}}>
-      <LinkTo @route="clients.client" @model={{this.allocation.node}}>
-        {{this.allocation.node.shortId}}
-      </LinkTo>
-    </Tooltip>
+    {{#if (can "read client")}}
+      <Tooltip @text={{this.allocation.node.name}}>
+        <LinkTo @route="clients.client" @model={{this.allocation.node}}>
+          {{this.allocation.node.shortId}}
+        </LinkTo>
+      </Tooltip>
+    {{/if}}
   </td>
 {{/if}}
 {{#if (or (eq this.context "taskGroup") (eq this.context "job"))}}
   <td data-test-job-version>{{this.allocation.jobVersion}}</td>
   <td data-test-client>
-    <Tooltip @text={{this.allocation.node.name}}>
-      <LinkTo @route="clients.client" @model={{this.allocation.node}}>
-        {{this.allocation.node.shortId}}
-      </LinkTo>
-    </Tooltip>
+    {{#if (can "read client")}}
+      <Tooltip @text={{this.allocation.node.name}}>
+        <LinkTo @route="clients.client" @model={{this.allocation.node}}>
+          {{this.allocation.node.shortId}}
+        </LinkTo>
+      </Tooltip>
+    {{/if}}
   </td>
 {{else if (or (eq this.context "node") (eq this.context "volume"))}}
   <td>

diff --git a/ui/app/templates/components/job-page/parameterized-child.hbs b/ui/app/templates/components/job-page/parameterized-child.hbs
@@ -14,15 +14,17 @@
     </:before-namespace>
   </JobPage::Parts::StatsBox>
 
-  {{#if this.job.hasClientStatus}}
+  {{#if this.shouldDisplayClientInformation}}
     <JobPage::Parts::JobClientStatusSummary
       @gotoClients={{this.gotoClients}}
       @job={{this.job}}
       @jobClientStatus={{this.jobClientStatus}}
     />
+  {{else}}
+    <JobPage::Parts::JobClientStatusSummary @job={{this.job}} @forceCollapsed="true" />
   {{/if}}
 
-  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed={{this.job.hasClientStatus}} />
+  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed={{this.shouldDisplayClientInformation}} />
 
   <JobPage::Parts::PlacementFailures @job={{this.job}} />
 

diff --git a/ui/app/templates/components/job-page/parts/job-client-status-summary.hbs b/ui/app/templates/components/job-page/parts/job-client-status-summary.hbs
@@ -1,5 +1,5 @@
 <ListAccordion
-  data-test-job-summary
+  data-test-job-client-summary
   @source={{array this.job}}
   @key="id"
   @startExpanded={{this.isExpanded}}
@@ -9,14 +9,16 @@
     <div class="columns">
       <div class="column is-minimum nowrap">
         Job Status in Client
-        <span class="badge {{if a.isOpen "is-white" "is-light"}}">
-          {{this.jobClientStatus.totalNodes}}
-        </span>
+        {{#if this.jobClientStatus}}
+          <span class="badge {{if a.isOpen "is-white" "is-light"}}">
+            {{this.jobClientStatus.totalNodes}}
+          </span>
+        {{/if}}
         <span class="tooltip multiline" aria-label="Aggreate status of job's allocations in each client.">
           {{x-icon "info-circle-outline" class="is-faded"}}
         </span>
       </div>
-      {{#unless a.isOpen}}
+      {{#if (and this.jobClientStatus (not a.isOpen))}}
         <div class="column">
           <div class="inline-chart bumper-left">
             <JobClientStatusBar
@@ -27,29 +29,38 @@
             />
           </div>
         </div>
-      {{/unless}}
+      {{/if}}
     </div>
   </a.head>
   <a.body>
-    <JobClientStatusBar
-      @onSliceClick={{action this.onSliceClick}}
-      @job={{this.job}}
-      @jobClientStatus={{this.jobClientStatus}}
-      class="split-view" as |chart|
-    >
-      <ol data-test-legend class="legend">
-        {{#each chart.data as |datum index|}}
-          <li data-test-legent-label="{{datum.className}}" class="{{datum.className}} {{if (eq datum.label chart.activeDatum.label) "is-active"}} {{if (eq datum.value 0) "is-empty" "is-clickable"}}">
-            {{#if (gt datum.value 0)}}
-              <LinkTo @route="jobs.job.clients" @model={{this.job}} @query={{datum.legendLink.queryParams}}>
+    {{#if this.jobClientStatus}}
+      <JobClientStatusBar
+        @onSliceClick={{action this.onSliceClick}}
+        @job={{this.job}}
+        @jobClientStatus={{this.jobClientStatus}}
+        class="split-view" as |chart|
+      >
+        <ol data-test-legend class="legend">
+          {{#each chart.data as |datum index|}}
+            <li data-test-legent-label="{{datum.className}}" class="{{datum.className}} {{if (eq datum.label chart.activeDatum.label) "is-active"}} {{if (eq datum.value 0) "is-empty" "is-clickable"}}">
+              {{#if (gt datum.value 0)}}
+                <LinkTo @route="jobs.job.clients" @model={{this.job}} @query={{datum.legendLink.queryParams}}>
+                  <JobPage::Parts::SummaryLegendItem @datum={{datum}} @index={{index}} />
+                </LinkTo>
+              {{else}}
                 <JobPage::Parts::SummaryLegendItem @datum={{datum}} @index={{index}} />
-              </LinkTo>
-            {{else}}
-              <JobPage::Parts::SummaryLegendItem @datum={{datum}} @index={{index}} />
-            {{/if}}
-          </li>
-        {{/each}}
-      </ol>
-    </JobClientStatusBar>
+              {{/if}}
+            </li>
+          {{/each}}
+        </ol>
+      </JobClientStatusBar>
+    {{else if (cannot "read clients") }}
+      <div data-test-not-authorized-message class="empty-message">
+        <h3 class="empty-message-headline">Not Authorized</h3>
+        <p class="empty-message-body">
+          Your <LinkTo @route="settings.tokens">ACL token</LinkTo> does not provide <code>node:read</code> permission.
+        </p>
+      </div>
+    {{/if}}
   </a.body>
 </ListAccordion>
diff --git a/ui/app/templates/components/job-page/periodic-child.hbs b/ui/app/templates/components/job-page/periodic-child.hbs
@@ -14,15 +14,17 @@
     </:before-namespace>
   </JobPage::Parts::StatsBox>
 
-  {{#if this.job.hasClientStatus}}
+  {{#if this.shouldDisplayClientInformation}}
     <JobPage::Parts::JobClientStatusSummary
       @gotoClients={{this.gotoClients}}
       @job={{this.job}}
       @jobClientStatus={{this.jobClientStatus}}
     />
+  {{else}}
+    <JobPage::Parts::JobClientStatusSummary @job={{this.job}} @forceCollapsed="true" />
   {{/if}}
 
-  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed={{this.job.hasClientStatus}} />
+  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed={{this.shouldDisplayClientInformation}} />
 
   <JobPage::Parts::PlacementFailures @job={{this.job}} />
 

diff --git a/ui/app/templates/components/job-page/sysbatch.hbs b/ui/app/templates/components/job-page/sysbatch.hbs
@@ -5,12 +5,16 @@
 
   <JobPage::Parts::StatsBox @job={{this.job}} />
 
-  <JobPage::Parts::JobClientStatusSummary
-    @job={{this.job}}
-    @jobClientStatus={{this.jobClientStatus}}
-    @gotoClients={{this.gotoClients}} />
-
-  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed="true" />
+  {{#if (can "read client")}}
+    <JobPage::Parts::JobClientStatusSummary
+      @job={{this.job}}
+      @jobClientStatus={{this.jobClientStatus}}
+      @gotoClients={{this.gotoClients}} />
+  {{else}}
+    <JobPage::Parts::JobClientStatusSummary @job={{this.job}} @forceCollapsed="true" />
+  {{/if}}
+
+  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed={{if (can "read client") true false}} />
 
   <JobPage::Parts::PlacementFailures @job={{this.job}} />
 

diff --git a/ui/app/templates/components/job-page/system.hbs b/ui/app/templates/components/job-page/system.hbs
@@ -11,12 +11,16 @@
     {{/each}}
   {{/if}}
 
-  <JobPage::Parts::JobClientStatusSummary
-    @job={{this.job}}
-    @jobClientStatus={{this.jobClientStatus}}
-    @gotoClients={{this.gotoClients}} />
+  {{#if (can "read client")}}
+    <JobPage::Parts::JobClientStatusSummary
+      @job={{this.job}}
+      @jobClientStatus={{this.jobClientStatus}}
+      @gotoClients={{this.gotoClients}} />
+  {{else}}
+    <JobPage::Parts::JobClientStatusSummary @job={{this.job}} @forceCollapsed="true" />
+  {{/if}}
 
-  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed="true" />
+  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed={{if (can "read client") true false}} />
 
   <JobPage::Parts::PlacementFailures @job={{this.job}} />
 

diff --git a/ui/app/templates/components/job-subnav.hbs b/ui/app/templates/components/job-subnav.hbs
@@ -8,7 +8,7 @@
     {{/if}}
     <li data-test-tab="allocations"><LinkTo @route="jobs.job.allocations" @query={{hash namespace=this.job.namespace.id}} @model={{@job}} @activeClass="is-active">Allocations</LinkTo></li>
     <li data-test-tab="evaluations"><LinkTo @route="jobs.job.evaluations" @query={{hash namespace=this.job.namespace.id}} @model={{@job}} @activeClass="is-active">Evaluations</LinkTo></li>
-    {{#if (and this.job.hasClientStatus (not this.job.hasChildren))}}
+    {{#if (and (can "read client") (and this.job.hasClientStatus (not this.job.hasChildren)))}}
       <li data-test-tab="clients"><LinkTo @route="jobs.job.clients" @query={{hash namespace=this.job.namespace.id}} @model={{@job}} @activeClass="is-active">Clients</LinkTo></li>
     {{/if}}
   </ul>

diff --git a/ui/app/templates/components/task-row.hbs b/ui/app/templates/components/task-row.hbs
@@ -1,9 +1,11 @@
 <td class="is-narrow">
-  {{#unless this.task.driverStatus.healthy}}
-    <span data-test-icon="unhealthy-driver" class="tooltip text-center" aria-label="{{this.task.driver}} is unhealthy">
-      {{x-icon "alert-triangle" class="is-warning"}}
-    </span>
-  {{/unless}}
+  {{#if (can "read client")}}
+    {{#unless this.task.driverStatus.healthy}}
+      <span data-test-icon="unhealthy-driver" class="tooltip text-center" aria-label="{{this.task.driver}} is unhealthy">
+        {{x-icon "alert-triangle" class="is-warning"}}
+      </span>
+    {{/unless}}
+  {{/if}}
 </td>
 <td data-test-name class="nowrap">
   <LinkTo @route="allocations.allocation.task" @models={{array this.task.allocation this.task}} class="is-primary">