kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-01 16:05:42 +03:00
Code Issues Packages Projects Releases Wiki Activity

acl: Check for duplicate or invalid keys when writing new policies (#26836)

Browse Source 
ACL policies are parsed when creating, updating, or compiling the
resulting ACL object when used. This parsing was silently ignoring
duplicate singleton keys, or invalid keys which does not grant any
additional access, but is a poor UX and can be unexpected.

This change parses all new policy writes and updates, so that
duplicate or invalid keys return an error to the caller. This is
called strict parsing. In order to correctly handle upgrades of
clusters which have existing policies that would fall foul of the
change, a lenient parsing mode is also available. This allows
the policy to continue to be parsed and compiled after an upgrade
without the need for an operator to correct the policy document
prior to further use.

Co-authored-by: Tim Gross <tgross@hashicorp.com>
This commit is contained in:
James Rasell
2025-09-30 08:16:59 +01:00
committed by GitHub
parent 250b8f9d07
commit e6a04e06d1
9 changed files with 220 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
website/content/docs/upgrade/upgrade-specific.mdx
View File

@@ -30,6 +30,24 @@ metrics refers to the parent job ID for dispatch and periodic jobs. The
running high volume dispatch workloads, this change significantly reduces
metrics cardinality and memory usage on the leader.
#### ACL policies no longer silently ignore duplicate or invalid keys
Nomad 1.11.0 introduces stricter validation for ACL policies. Policy writes that
include duplicate or invalid keys will be rejected with an error instead of
being silently ignored. Any existing policies with duplicate or invalid keys
will continue to work, but the source policy document will need to be updated
to be valid before it can be written to Nomad.
## Nomad 1.10.6
#### ACL policies no longer silently ignore duplicate or invalid keys
Nomad 1.10.6 introduces stricter validation for ACL policies. Policy writes that
include duplicate or invalid keys will be rejected with an error instead of
being silently ignored. Any existing policies with duplicate or invalid keys
will continue to work, but the source policy document will need to be updated
to be valid before it can be written to Nomad.
## Nomad 1.10.2
#### Clients respect `telemetry.publish_allocation_metrics`
@@ -188,6 +206,16 @@ labels = [
]
```
## Nomad 1.8.18
#### ACL policies no longer silently ignore duplicate or invalid keys
Nomad 1.8.18 introduces stricter validation for ACL policies. Policy writes that
include duplicate or invalid keys will be rejected with an error instead of
being silently ignored. Any existing policies with duplicate or invalid keys
will continue to work, but the source policy document will need to be updated
to be valid before it can be written to Nomad.
## Nomad 1.8.4
#### Default Docker `infra_image` changed