diff --git a/api/api.go b/api/api.go
index 3a346267b..03ede6e5f 100644
--- a/api/api.go
+++ b/api/api.go
@@ -26,7 +26,7 @@ var (
 ClientConnTimeout = 1 * time.Second
 )
-// QueryOptions are used to parameterize a query
+// QueryOptions are used to parametrize a query
 type QueryOptions struct {
 // Providing a datacenter overwrites the region provided
 // by the Config
@@ -57,7 +57,7 @@ type QueryOptions struct {
 AuthToken string
 }
-// WriteOptions are used to parameterize a write
+// WriteOptions are used to parametrize a write
 type WriteOptions struct {
 // Providing a datacenter overwrites the region provided
 // by the Config
diff --git a/api/jobs.go b/api/jobs.go
index 60e78a5ca..e22dcd25c 100644
--- a/api/jobs.go
+++ b/api/jobs.go
@@ -321,13 +321,14 @@ func (j *Jobs) Dispatch(jobID string, meta map[string]string,
 // enforceVersion is set, the job is only reverted if the current version is at
 // the passed version.
 func (j *Jobs) Revert(jobID string, version uint64, enforcePriorVersion *uint64,
- q *WriteOptions) (*JobRegisterResponse, *WriteMeta, error) {
+ q *WriteOptions, vaultToken string) (*JobRegisterResponse, *WriteMeta, error) {
 var resp JobRegisterResponse
 req := &JobRevertRequest{
 JobID: jobID,
 JobVersion: version,
 EnforcePriorVersion: enforcePriorVersion,
+ VaultToken: vaultToken,
 }
 wm, err := j.client.write("/v1/job/"+jobID+"/revert", req, &resp, q)
 if err != nil {
@@ -930,6 +931,12 @@ type JobRevertRequest struct {
 // version before reverting.
 EnforcePriorVersion *uint64
+ // VaultToken is the Vault token that proves the submitter of the job revert
+ // has access to any Vault policies specified in the targeted job version. This
+ // field is only used to transfer the token and is not stored after the Job
+ // revert.
+ VaultToken string `json:",omitempty"`
+
 WriteRequest
 }
diff --git a/api/jobs_test.go b/api/jobs_test.go
index ee0ebfabb..e131d49dc 100644
--- a/api/jobs_test.go
+++ b/api/jobs_test.go
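Review bot: The doc comment above `Revert` still describes only the version arguments and does not mention the new `vaultToken` parameter in the signature. I would add a line such as `// vaultToken, if non-empty, is sent with the request so the server can check access to the Vault policies of the target version.` Adding a positional parameter to an exported method also breaks every external caller of the api package at compile time, so it deserves a changelog entry. The comment starts and the function body ends outside this hunk.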
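Review bot: The comment on `VaultToken` covers storage after the revert but not the client side, where the token now sits in a plain exported string field of `JobRevertRequest` and is serialized into the request body. The token is therefore protected in transit only when the API address uses TLS, and anything that prints the request with `%+v` would include it. I would extend the comment with `// It is sent in the request body; use a TLS API address and do not log this struct.`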
@@ -716,13 +716,13 @@ func TestJobs_Revert(t *testing.T) {
 assertWriteMeta(t, wm)
 // Fail revert at incorrect enforce
- _, _, err = jobs.Revert(*job.ID, 0, uint64ToPtr(10), nil)
+ _, _, err = jobs.Revert(*job.ID, 0, uint64ToPtr(10), nil, "")
 if err == nil || !strings.Contains(err.Error(), "enforcing version") {
 t.Fatalf("expected enforcement error: %v", err)
 }
 // Works at correct index
- revertResp, wm, err := jobs.Revert(*job.ID, 0, uint64ToPtr(1), nil)
+ revertResp, wm, err := jobs.Revert(*job.ID, 0, uint64ToPtr(1), nil, "")
 if err != nil {
 t.Fatalf("err: %s", err)
 }
diff --git a/command/job_revert.go b/command/job_revert.go
index 9893333bf..618873b59 100644
--- a/command/job_revert.go
+++ b/command/job_revert.go
@@ -2,6 +2,7 @@ package command
 import (
 "fmt"
+ "os"
 "strings"
 "github.com/hashicorp/nomad/api/contexts"
@@ -32,6 +33,10 @@ Revert Options:
 -verbose
 Display full information.
+
+ -vault-token
+ The Vault token used to verify that the caller has access to the Vault
+ policies i the targeted version of the job.
 `
 return strings.TrimSpace(helpText)
 }
@@ -67,11 +72,13 @@ func (c *JobRevertCommand) Name() string { return "job revert" }
 func (c *JobRevertCommand) Run(args []string) int {
 var detach, verbose bool
+ var vaultToken string
 flags := c.Meta.FlagSet(c.Name(), FlagSetClient)
 flags.Usage = func() { c.Ui.Output(c.Help()) }
 flags.BoolVar(&detach, "detach", false, "")
 flags.BoolVar(&verbose, "verbose", false, "")
+ flags.StringVar(&vaultToken, "vault-token", "", "")
 if err := flags.Parse(args); err != nil {
 return 1
@@ -98,6 +105,12 @@ func (c *JobRevertCommand) Run(args []string) int {
 return 1
 }
+ // Parse the Vault token
+ if vaultToken == "" {
+ // Check the environment variable
+ vaultToken = os.Getenv("VAULT_TOKEN")
+ }
+
 jobID := args[0]
 revertVersion, ok, err := parseVersion(args[1])
 if !ok {
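Review bot: Both updated `Revert` calls pass `""`, so nothing in this hunk sends a non-empty token and the new `VaultToken` request field is never exercised through the client. A case that passes a token and asserts on the outcome would cover the parameter. Server-side validation may be tested elsewhere, outside this diff. `TestJobs_Revert` starts and ends outside the hunk.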
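Review bot: The help entry for `-vault-token` has a typo (`policies i the` should read `policies in the`) and does not say that the command falls back to the `VAULT_TOKEN` environment variable, which a later hunk in this file adds. A token passed as a flag value is visible in the process list and in shell history, so the text should steer users to the environment variable. I would append `If not set, the VAULT_TOKEN environment variable is used; prefer it so the token stays off the command line.`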
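Review bot: The fallback at `vaultToken = os.Getenv("VAULT_TOKEN")` forwards whatever token is in the operator's environment to the Nomad server on every revert, including when the target job version uses no Vault policies. That sends a credential the user did not explicitly choose to send, possibly one with broader privileges than the job needs. I would at least record this in the comment, `// An ambient VAULT_TOKEN is sent to the server even if the job uses no Vault policies.`, and state it in the help text. `Run` starts and ends outside the hunk.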
@@ -125,7 +138,7 @@ func (c *JobRevertCommand) Run(args []string) int {
 }
 // Prefix lookup matched a single job
- resp, _, err := client.Jobs().Revert(jobs[0].ID, revertVersion, nil, nil)
+ resp, _, err := client.Jobs().Revert(jobs[0].ID, revertVersion, nil, nil, vaultToken)
 if err != nil {
 c.Ui.Error(fmt.Sprintf("Error retrieving job versions: %s", err))
 return 1
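Review bot: A failed `Revert` is reported as `Error retrieving job versions`, and with `vaultToken` now passed on this call that message would also be shown if the server rejects the token. The message is an unchanged context line, but it is worth correcting in the same commit: `c.Ui.Error(fmt.Sprintf("Error reverting job: %s", err))`. That the server can reject the token is inferred from the `VaultToken` field comment and is not visible here. `Run` continues outside the hunk.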