diff --git a/website/content/api-docs/search.mdx b/website/content/api-docs/search.mdx index 290fc2abd..247ed3945 100644 --- a/website/content/api-docs/search.mdx +++ b/website/content/api-docs/search.mdx @@ -22,14 +22,15 @@ The table below shows this endpoint's support for [blocking queries](/nomad/api-docs#blocking-queries) and [required ACLs](/nomad/api-docs#acls). -| Blocking Queries | ACL Required | -| ---------------- | ------------------------------------------------ | -| `NO` | `node:read, node_pool:read, namespace:read-jobs` | +| Blocking Queries | ACL Required | +|------------------|--------------| +| `NO` | see below | -When ACLs are enabled, requests must have a token valid for `node:read`, -`node_pool:read`, or `namespace:read-jobs` roles. If the token is only valid -for a portion of these capabilities, then results will include results -including only data readable with the given token. +When ACLs are enabled, requests must have a token that grants access to "list" +or "read" capabilities for the objects in the search context. For example, +`node:read`, `node_pool:read`, `plugin:read`, or `namespace:read-jobs` roles. If +the token is only valid for a portion of these capabilities, then results will +include results including only data readable with the given token. ### Parameters @@ -141,14 +142,15 @@ The table below shows this endpoint's support for [blocking queries](/nomad/api-docs#blocking-queries) and [required ACLs](/nomad/api-docs#acls). -| Blocking Queries | ACL Required | -| ---------------- | --------------------------------------------------------------------------- | -| `NO` | `node:read, node_pool:read, namespace:read-jobs, namespace:csi-list-plugin` | +| Blocking Queries | ACL Required | +|------------------|--------------| +| `NO` | see below | -When ACLs are enabled, requests must have a token valid for `node:read`, -`node_pool:read`, `plugin:read`, or `namespace:read-jobs` roles. If the token -is only valid for a portion of these capabilities, then results will include -results including only data readable with the given token. +When ACLs are enabled, requests must have a token that grants access to "list" +or "read" capabilities for the objects in the search context. For example, +`node:read`, `node_pool:read`, `plugin:read`, or `namespace:read-jobs` roles. If +the token is only valid for a portion of these capabilities, then results will +include results including only data readable with the given token. ### Parameters diff --git a/website/content/api-docs/volumes.mdx b/website/content/api-docs/volumes.mdx index 2aa54e5de..9b56c16e8 100644 --- a/website/content/api-docs/volumes.mdx +++ b/website/content/api-docs/volumes.mdx @@ -546,7 +546,7 @@ The table below shows this endpoint's support for | Blocking Queries | ACL Required | | ---------------- | ---------------------------- | -| `YES` | `namespace:csi-write-volume` | +| `YES` | `namespace:csi-list-volume` | ### Parameters diff --git a/website/content/docs/other-specifications/acl-policy.mdx b/website/content/docs/other-specifications/acl-policy.mdx index 8e1a46a65..fe3df647f 100644 --- a/website/content/docs/other-specifications/acl-policy.mdx +++ b/website/content/docs/other-specifications/acl-policy.mdx @@ -120,13 +120,16 @@ of `capabilities`. This includes: - `deny` - When multiple policies are associated with a token, deny will take precedence and prevent any capabilities. -- `list-jobs` - Allows listing the jobs and seeing coarse grain status. +- `list-jobs` - Allows listing the jobs and seeing coarse grain status. This + implicitly grants `csi-list-volume`. - `parse-job` - Allows parsing a job from HCL to JSON. -- `read-job` - Allows inspecting a job and seeing fine grain status. +- `read-job` - Allows inspecting a job and seeing fine grain status. This + implicitly grants `csi-read-volume`. - `submit-job` - Allows jobs to be submitted, updated, or stopped. - `dispatch-job` - Allows jobs to be dispatched - `read-logs` - Allows the logs associated with a job to be viewed. -- `read-fs` - Allows the filesystem of allocations associated to be viewed. +- `read-fs` - Allows the filesystem of allocations associated to be + viewed. Implicitly grants `read-logs`. - `alloc-exec` - Allows an operator to connect and run commands in running allocations. - `alloc-node-exec` - Allows an operator to connect and run commands in @@ -135,11 +138,15 @@ of `capabilities`. This includes: manually. - `csi-register-plugin` - Allows jobs to be submitted that register themselves as CSI plugins. -- `csi-write-volume` - Allows CSI volumes to be registered or deregistered. -- `csi-read-volume` - Allows inspecting a CSI volume and seeing fine grain - status. -- `csi-list-volume` - Allows listing CSI volumes and seeing coarse grain status. -- `csi-mount-volume` - Allows jobs to be submitted that claim a CSI volume. +- `csi-write-volume` - Allows CSI volumes to be registered or deregistered. This + implicitly grants `csi-read-volume`. +- `csi-read-volume` - Allows inspecting a CSI volume, seeing fine grain status, + and listing external volumes and snapshots. This implicitly grants + `csi-list-volume`. +- `csi-list-volume` - Allows listing CSI volumes, seeing coarse grain status, + and listing external volumes and snapshots. +- `csi-mount-volume` - Allows jobs to be submitted that claim a CSI volume. This + implicitly grants `csi-read-volume`. - `list-scaling-policies` - Allows listing scaling policies. - `read-scaling-policy` - Allows inspecting a scaling policy. - `read-job-scaling` - Allows inspecting the current scaling of a job.