downscope `AllowClientOp` ACL to specific node pool #23925

tgross · 2024-09-06T13:53:16Z

As of Nomad 1.8.1 and even more so in 1.9.0, we've reduced the permissions of the node secret to a limited set of RPCs necessary for the client (see #23304 #23838 #23910).

Although it seems like many of the remaining RPCs could be scoped to a specific nodes, in practice nodes sometimes need to get data about allocs running on other nodes in the cluster (ex. to do migrations). But we could probably tight up the AllowClientOp operation to allow access only to other nodes in the same node pool.

The text was updated successfully, but these errors were encountered:

tgross added type/enhancement theme/auth labels Sep 6, 2024

tgross added this to Nomad - Community Issues Triage Sep 6, 2024

github-project-automation bot moved this to Needs Triage in Nomad - Community Issues Triage Sep 6, 2024

tgross moved this from Needs Triage to Needs Roadmapping in Nomad - Community Issues Triage Sep 6, 2024

tgross removed this from Nomad - Community Issues Triage Sep 6, 2024

tgross added hcc/jira theme/security labels Sep 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

downscope `AllowClientOp` ACL to specific node pool #23925

downscope `AllowClientOp` ACL to specific node pool #23925

tgross commented Sep 6, 2024

downscope AllowClientOp ACL to specific node pool #23925

downscope AllowClientOp ACL to specific node pool #23925

Comments

tgross commented Sep 6, 2024

downscope `AllowClientOp` ACL to specific node pool #23925

downscope `AllowClientOp` ACL to specific node pool #23925