From 4f7bd68f5ca9f330a894bfb4375b87f786e1e7a3 Mon Sep 17 00:00:00 2001
From: Mahmood Ali
Date: Sun, 28 Apr 2019 16:45:15 -0400
Subject: [PATCH] Add ACL capabilities for nomad exec
This adds `alloc-exec` capability to allow operator to execute command into a running task. Furthermore, it adds `alloc-node-exec` capability, required when the alloc task is raw_exec or a driver with no FSIsolation.
---
 acl/policy.go | 6 +++++-
 acl/policy_test.go | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/acl/policy.go b/acl/policy.go
index eba1204f2..b6efaa642 100644
--- a/acl/policy.go
+++ b/acl/policy.go
@@ -28,6 +28,8 @@ const (
 NamespaceCapabilityDispatchJob = "dispatch-job"
 NamespaceCapabilityReadLogs = "read-logs"
 NamespaceCapabilityReadFS = "read-fs"
+ NamespaceCapabilityAllocExec = "alloc-exec"
+ NamespaceCapabilityAllocNodeExec = "alloc-node-exec"
 NamespaceCapabilityAllocLifecycle = "alloc-lifecycle"
 NamespaceCapabilitySentinelOverride = "sentinel-override"
 )
@@ -94,7 +96,8 @@ func isNamespaceCapabilityValid(cap string) bool {
 switch cap {
 case NamespaceCapabilityDeny, NamespaceCapabilityListJobs, NamespaceCapabilityReadJob,
 NamespaceCapabilitySubmitJob, NamespaceCapabilityDispatchJob, NamespaceCapabilityReadLogs,
- NamespaceCapabilityReadFS, NamespaceCapabilityAllocLifecycle:
+ NamespaceCapabilityReadFS, NamespaceCapabilityAllocLifecycle,
+ NamespaceCapabilityAllocExec, NamespaceCapabilityAllocNodeExec:
 return true
 // Separate the enterprise-only capabilities
 case NamespaceCapabilitySentinelOverride:
@@ -123,6 +126,7 @@ func expandNamespacePolicy(policy string) []string {
 NamespaceCapabilityDispatchJob,
 NamespaceCapabilityReadLogs,
 NamespaceCapabilityReadFS,
+ NamespaceCapabilityAllocExec,
 NamespaceCapabilityAllocLifecycle,
 }
 default:
diff --git a/acl/policy_test.go b/acl/policy_test.go
index 3385370aa..4665d0d45 100644
--- a/acl/policy_test.go
+++ b/acl/policy_test.go
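Review bot: The write-policy expansion in expandNamespacePolicy (third hunk) adds NamespaceCapabilityAllocExec but not NamespaceCapabilityAllocNodeExec, and nothing in the code records whether that asymmetry is intended; given the commit message describes alloc-node-exec as the extra gate for raw_exec and drivers without FSIsolation, it appears to be a deliberate least-privilege choice that a later maintainer could easily "fix" by adding it to the list. Add a comment on that branch, e.g. `// NamespaceCapabilityAllocNodeExec is deliberately not implied by "write":` / `// exec into a task without filesystem isolation must be granted explicitly.` The same applies to the const block in the first hunk, where a one-line comment above `NamespaceCapabilityAllocNodeExec` would make its distinction from `NamespaceCapabilityAllocExec` visible at the definition. expandNamespacePolicy starts and ends outside the hunk, so the surrounding switch arms are not visible here.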
@@ -80,6 +80,7 @@ func TestParse(t *testing.T) {
 NamespaceCapabilityDispatchJob,
 NamespaceCapabilityReadLogs,
 NamespaceCapabilityReadFS,
+ NamespaceCapabilityAllocExec,
 NamespaceCapabilityAllocLifecycle,
 },
 },