acls: reduce permissions of client agent virtual policy (#23304)

Nomad client agents run as privileged processes and require access to much of
the cluster state, secrets, etc. to operate. But we can improve upon this by
tightening up the virtual policy that we use for RPC requests authenticated by the
node secret ID. This changeset removes the `node:read`, `plugin:read`, and
`plugin:list` policy, as well as namespace operations. In return, we add a
an `AllowClientOp` check to the RPCs the client uses that would otherwise need
those policies.

Where possible, the update RPCs have also been changed to match on node ID so
that a client can only make the RPC that impacts itself. In future work, we may
be able to downscope further by adding node pool filtering to `AllowClientOp`.

Ref: https://github.com/hashicorp/nomad-enterprise/issues/1528
Ref: https://github.com/hashicorp/nomad-enterprise/pull/1529
Ref: https://hashicorp.atlassian.net/browse/NET-9925
This commit is contained in:
Tim Gross
2024-06-12 11:32:22 -04:00
committed by GitHub
parent 830297bcf0
commit ce04fe4a4e
7 changed files with 29 additions and 36 deletions
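The scoping the commit message describes (authenticate with the node secret, require `AllowClientOp`, then match the caller's node ID so a client can only affect itself), as an added, self-contained Go illustration that is not Nomad's code; `NodeUpdateArgs`, `nodeSecrets` and `authenticateClientOnly` are hypothetical simplifications of the real RPC types and helpers:

```go
package main

import "fmt"

// Constructed stand-ins, not Nomad's code: NodeUpdateArgs, nodeSecrets and
// authenticateClientOnly are hypothetical simplifications of the real ones.

var ErrPermissionDenied = fmt.Errorf("Permission denied") // role of structs.ErrPermissionDenied

// ACL is the object a server builds after authenticating an RPC; clientOp is
// set only when the caller presented a node secret ID (client virtual policy).
type ACL struct{ clientOp bool }

func (a *ACL) AllowClientOp() bool { return a != nil && a.clientOp }

type NodeUpdateArgs struct {
	NodeID   string // node the caller wants to update
	SecretID string // node secret presented for authentication
}

// nodeSecrets maps node ID -> node secret ID (constructed sample data).
var nodeSecrets = map[string]string{"node-a": "secret-a", "node-b": "secret-b"}

// authenticateClientOnly returns the ACL object and the node ID that the
// presented secret actually belongs to; an unknown secret yields no rights.
func authenticateClientOnly(args *NodeUpdateArgs) (*ACL, string) {
	for nodeID, secret := range nodeSecrets {
		if secret == args.SecretID {
			return &ACL{clientOp: true}, nodeID
		}
	}
	return &ACL{}, ""
}

// UpdateStatus uses the hardened pattern: the condition opens with
// AllowClientOp and is "left open" so node-ID scoping can be appended with ||,
// which is why the semgrep pattern in this commit drops the trailing "{".
func UpdateStatus(args *NodeUpdateArgs) error {
	aclObj, callerNode := authenticateClientOnly(args)
	if !aclObj.AllowClientOp() || callerNode != args.NodeID {
		return ErrPermissionDenied
	}
	return nil
}

func main() {
	fmt.Println(UpdateStatus(&NodeUpdateArgs{NodeID: "node-a", SecretID: "secret-a"}))
	fmt.Println(UpdateStatus(&NodeUpdateArgs{NodeID: "node-b", SecretID: "secret-a"}))
}
```

The second call is denied even though the secret is valid, because node-a may only update node-a.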


@@ -40,7 +40,8 @@ rules:
# Pattern used by endpoints that are used only for client-to-server.
# Authorization can be done after forwarding, but must check the
# AllowClientOp policy
# AllowClientOp policy; the AllowClientOp condition is left open so that
# additional ACL checks can be made (ex. to scope to a given node/pool).
- pattern-not-inside: |
aclObj, err := $A.$B.AuthenticateClientOnly($A.ctx, args)
...
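Review bot: the new comment says the AllowClientOp condition is "left open" but does not say what that means for the rule; state that the `pattern-not-inside` match now ends at `if !aclObj.AllowClientOp()` (the brace is dropped in the hunk below), so a handler that appends a narrowing term such as a node ID comparison with `||` is still recognised as guarded. Minor: "ex." should be "e.g.".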
@@ -48,7 +49,7 @@ rules:
return err
}
...
if !aclObj.AllowClientOp() {
if !aclObj.AllowClientOp()
return structs.ErrPermissionDenied
}
...
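Review bot: dropping the `{` after `if !aclObj.AllowClientOp()` makes the exclusion match any condition that merely begins with that call, so a handler that weakens the check by appending `&& <other term>` (denying only when a second condition also holds) would be excluded from the finding just like the intended `|| <node scoping>` form. Add a positive and a negative fixture for the rule (one with an appended `||` term, one with `&&`) so the intended direction of narrowing is pinned down, or at least say in the comment that only `||` additions are expected.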