diff --git a/nomad/job_endpoint.go b/nomad/job_endpoint.go index a788f57aa..cc2eeceec 100644 --- a/nomad/job_endpoint.go +++ b/nomad/job_endpoint.go @@ -783,6 +783,13 @@ func (j *Job) Allocations(args *structs.JobSpecificRequest, } defer metrics.MeasureSince([]string{"nomad", "job", "allocations"}, time.Now()) + // Check for read-job permissions + if aclObj, err := j.srv.resolveToken(args.SecretID); err != nil { + return err + } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { + return structs.ErrPermissionDenied + } + // Setup the blocking query opts := blockingOptions{ queryOpts: &args.QueryOptions, diff --git a/nomad/job_endpoint_test.go b/nomad/job_endpoint_test.go index 5cac4b670..0c5f6fb6e 100644 --- a/nomad/job_endpoint_test.go +++ b/nomad/job_endpoint_test.go @@ -2517,6 +2517,67 @@ func TestJobEndpoint_Allocations(t *testing.T) { } } +func TestJobEndpoint_Allocations_ACL(t *testing.T) { + t.Parallel() + assert := assert.New(t) + + s1, root := testACLServer(t, nil) + defer s1.Shutdown() + codec := rpcClient(t, s1) + testutil.WaitForLeader(t, s1.RPC) + + // Create the register request + alloc1 := mock.Alloc() + alloc2 := mock.Alloc() + alloc2.JobID = alloc1.JobID + state := s1.fsm.State() + state.UpsertJobSummary(998, mock.JobSummary(alloc1.JobID)) + state.UpsertJobSummary(999, mock.JobSummary(alloc2.JobID)) + err := state.UpsertAllocs(1000, + []*structs.Allocation{alloc1, alloc2}) + assert.Nil(err) + + // Lookup the jobs + get := &structs.JobSpecificRequest{ + JobID: alloc1.JobID, + QueryOptions: structs.QueryOptions{ + Region: "global", + Namespace: alloc1.Job.Namespace, + }, + } + + // Attempt to fetch the response without a token should fail + var resp structs.JobAllocationsResponse + err = msgpackrpc.CallWithCodec(codec, "Job.Allocations", get, &resp) + assert.NotNil(err) + + // Attempt to fetch the response with an invalid token should fail + invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid", + NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + + get.SecretID = invalidToken.SecretID + var invalidResp structs.JobAllocationsResponse + err = msgpackrpc.CallWithCodec(codec, "Job.Allocations", get, &invalidResp) + assert.NotNil(err) + + // Attempt to fetch the response with valid management token should succeed + get.SecretID = root.SecretID + var validResp structs.JobAllocationsResponse + err = msgpackrpc.CallWithCodec(codec, "Job.Allocations", get, &validResp) + assert.Nil(err) + + // Attempt to fetch the response with valid management token should succeed + validToken := CreatePolicyAndToken(t, state, 1005, "test-valid", + NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + + get.SecretID = validToken.SecretID + var validResp2 structs.JobAllocationsResponse + err = msgpackrpc.CallWithCodec(codec, "Job.Allocations", get, &validResp2) + assert.Nil(err) + + assert.Equal(2, len(validResp2.Allocations)) +} + func TestJobEndpoint_Allocations_Blocking(t *testing.T) { t.Parallel() s1 := testServer(t, nil) diff --git a/website/source/api/jobs.html.md b/website/source/api/jobs.html.md index 89261fa97..d106cb44d 100644 --- a/website/source/api/jobs.html.md +++ b/website/source/api/jobs.html.md @@ -622,9 +622,9 @@ The table below shows this endpoint's support for [blocking queries](/api/index.html#blocking-queries) and [required ACLs](/api/index.html#acls). -| Blocking Queries | ACL Required | -| ---------------- | ------------ | -| `YES` | `none` | +| Blocking Queries | ACL Required | +| ---------------- | -------------------------- | +| `YES` | `namespace:read-job` | ### Parameters