From 77bb2c51b8e41bb853a4d46d93aee544e75623d7 Mon Sep 17 00:00:00 2001
From: Mahmood Ali
Date: Tue, 27 Oct 2020 16:33:01 -0400
Subject: [PATCH] dispatch-job capability to dispatch periodic jobs
---
 nomad/periodic_endpoint.go | 2 +-
 nomad/periodic_endpoint_test.go | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/nomad/periodic_endpoint.go b/nomad/periodic_endpoint.go
index 4864fdd68..b8e4807cf 100644
--- a/nomad/periodic_endpoint.go
+++ b/nomad/periodic_endpoint.go
@@ -28,7 +28,7 @@ func (p *Periodic) Force(args *structs.PeriodicForceRequest, reply *structs.Peri
 // Check for write-job permissions
 if aclObj, err := p.srv.ResolveToken(args.AuthToken); err != nil {
 return err
- } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) {
+ } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityDispatchJob) && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) {
 return structs.ErrPermissionDenied
 }
 
diff --git a/nomad/periodic_endpoint_test.go b/nomad/periodic_endpoint_test.go
index b4dd8ec26..5f2a5ed8e 100644
--- a/nomad/periodic_endpoint_test.go
+++ b/nomad/periodic_endpoint_test.go
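Review bot: The comment `// Check for write-job permissions` directly above the changed `else if` no longer describes the check, which now passes when the token holds either dispatch-job or submit-job in the request namespace; update it to something like `// Check for submit-job or dispatch-job permissions`. Because this widens authorization, tokens that were granted dispatch-job (presumably for parameterized dispatch only) can force periodic launches once this ships, so the ACL capability documentation and changelog should state that. The condition also calls `args.RequestNamespace()` twice on one very long line; hoisting `ns := args.RequestNamespace()` and putting each `AllowNsOp` call on its own line would make the deny logic easier to audit. Force's body starts and ends outside the hunk.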
@@ -127,6 +127,24 @@ func TestPeriodicEndpoint_Force_ACL(t *testing.T) {
 }
 }
 
+ // Fetch the response with a valid token having dispatch permission
+ {
+ policy := mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityDispatchJob})
+ token := mock.CreatePolicyAndToken(t, state, 1005, "valid", policy)
+ req.AuthToken = token.SecretID
+ var resp structs.PeriodicForceResponse
+ assert.Nil(msgpackrpc.CallWithCodec(codec, "Periodic.Force", req, &resp))
+ assert.NotEqual(uint64(0), resp.Index)
+
+ // Lookup the evaluation
+ ws := memdb.NewWatchSet()
+ eval, err := state.EvalByID(ws, resp.EvalID)
+ assert.Nil(err)
+ if assert.NotNil(eval) {
+ assert.Equal(eval.CreateIndex, resp.EvalCreateIndex)
+ }
+ }
+
 // Fetch the response with management token
 {
 req.AuthToken = root.SecretID