job endpoint: reorder check for disabled job registrations (#18523)

When job registrations are disabled, there's no reason to do the potentially
expensive job mutation and admission hooks. Move the ACL resolution and this
check before those hooks.
Tim Gross
2023-09-18 09:15:02 -04:00
committed by GitHub
parent 5bd8b89c19
commit b105e41265
2 changed files with 11 additions and 10 deletions


@@ -102,6 +102,15 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis
}
defer metrics.MeasureSince([]string{"nomad", "job", "register"}, time.Now())
aclObj, err := j.srv.ResolveACL(args)
if err != nil {
return err
}
if ok, err := registrationsAreAllowed(aclObj, j.srv.State()); !ok || err != nil {
j.logger.Warn("job registration is currently disabled for non-management ACL")
return structs.ErrJobRegistrationDisabled
}
// Validate the arguments
if args.Job == nil {
return fmt.Errorf("missing job for registration")
@@ -136,10 +145,7 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis
reply.Warnings = helper.MergeMultierrorWarnings(warnings...)
// Check job submission permissions
aclObj, err := j.srv.ResolveACL(args)
if err != nil {
return err
} else if aclObj != nil {
if aclObj != nil {
if !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) {
return structs.ErrPermissionDenied
}
@@ -198,11 +204,6 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis
}
}
if ok, err := registrationsAreAllowed(aclObj, j.srv.State()); !ok || err != nil {
j.logger.Warn("job registration is currently disabled for non-management ACL")
return structs.ErrJobRegistrationDisabled
}
// Lookup the job
snap, err := j.srv.State().Snapshot()
if err != nil {
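Review bot: With `registrationsAreAllowed` now evaluated in the first hunk, ahead of the `AllowNsOp(..., NamespaceCapabilitySubmitJob)` check in the second, a caller with no token or without submit-job capability gets `ErrJobRegistrationDisabled` instead of `ErrPermissionDenied`. Each such request also emits the Warn line before any permission decision. That reveals the scheduler's registration setting to unauthorized callers and lets them drive log volume. If the trade-off is intended, record it above the check, e.g. `// Checked before the namespace ACL on purpose: skips the mutation/admission hooks, but unauthorized callers can observe that registrations are disabled.` The condition also drops `err`, so a failed lookup is logged as "disabled"; assuming the logger accepts key/value pairs, `j.logger.Warn("job registration is currently disabled for non-management ACL", "error", err)` would keep the two cases apart. Register's body starts and ends outside these hunks.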


@@ -2416,7 +2416,7 @@ func TestJobRegister_ACL_RejectedBySchedulerConfig(t *testing.T) {
name: "reject enabled, without a token",
token: "",
rejectEnabled: true,
errExpected: structs.ErrPermissionDenied.Error(),
errExpected: structs.ErrJobRegistrationDisabled.Error(),
},
{
name: "reject enabled, with a management token",
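Review bot: The new expectation for the "reject enabled, without a token" case pins a caller-visible change, but nothing in the case says why an anonymous request no longer gets permission denied. A one-line comment on the case would stop a later reader from reverting it: `// registrations-disabled is checked before the namespace ACL, so anonymous callers see this error`. If the table has no case for a token that lacks submit-job capability, adding one would pin the same ordering for authenticated but unauthorized callers. The test function and its table start and end outside this hunk.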