diff --git a/nomad/job_endpoint.go b/nomad/job_endpoint.go index c5a20d3c3..6830a1402 100644 --- a/nomad/job_endpoint.go +++ b/nomad/job_endpoint.go @@ -102,6 +102,15 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis } defer metrics.MeasureSince([]string{"nomad", "job", "register"}, time.Now()) + aclObj, err := j.srv.ResolveACL(args) + if err != nil { + return err + } + if ok, err := registrationsAreAllowed(aclObj, j.srv.State()); !ok || err != nil { + j.logger.Warn("job registration is currently disabled for non-management ACL") + return structs.ErrJobRegistrationDisabled + } + // Validate the arguments if args.Job == nil { return fmt.Errorf("missing job for registration") @@ -136,10 +145,7 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis reply.Warnings = helper.MergeMultierrorWarnings(warnings...) // Check job submission permissions - aclObj, err := j.srv.ResolveACL(args) - if err != nil { - return err - } else if aclObj != nil { + if aclObj != nil { if !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) { return structs.ErrPermissionDenied } @@ -198,11 +204,6 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis } } - if ok, err := registrationsAreAllowed(aclObj, j.srv.State()); !ok || err != nil { - j.logger.Warn("job registration is currently disabled for non-management ACL") - return structs.ErrJobRegistrationDisabled - } - // Lookup the job snap, err := j.srv.State().Snapshot() if err != nil { diff --git a/nomad/job_endpoint_test.go b/nomad/job_endpoint_test.go index 2c1e2c539..01608f050 100644 --- a/nomad/job_endpoint_test.go +++ b/nomad/job_endpoint_test.go @@ -2416,7 +2416,7 @@ func TestJobRegister_ACL_RejectedBySchedulerConfig(t *testing.T) { name: "reject enabled, without a token", token: "", rejectEnabled: true, - errExpected: structs.ErrPermissionDenied.Error(), + errExpected: structs.ErrJobRegistrationDisabled.Error(), }, { name: "reject enabled, with a management token",