ACL to allow global variables access

Hi,

we are currently setting up our Nomad Cluster.

We had the whole cluster running fine in testing mode (no tls, no acl) now we wanted to switch to the production env with tls and acl enabled.

We have “short lived” batch jobs as workload.

Each individual job is only run once and for each “work request” a new job is created by using the Nomad REST api /jobs endpoint.

The jobs (template render engine) needs a way to access variables from the Nomad variable store.

Without acl we created the following paths in the variables space:

  • /dev/*
  • /test/*
  • /prod/*

Which path to use is set in the job template before posting it to the /jobs api endpoint.

With acl enabled this fails now because there is no policy available to grant the job access to the above paths.

Since each job is created “on the fly” via the REST API, using the “nomad acl policy apply” command is not really a solution.

Is there a way to set up a policy that just allows all jobs “global” access to the paths above, or any other solution to work around this?

Hello. As far as I understand: create 3 Nomad namespaces - dev, test and prod. Create a variables access policy for each namespace, so jobs in namespace dev are allowed to access dev/* variables, test can access test/ and prod can access prod/. Then the ACL of the job is controlled by the job namespace.

Hi @Kamilcuk

Thank you for the suggestion. I created namespaces “dev, test, prod” now as well as ACLs for the three namespaces allowing access to the path “my_vars/*”.

The jobs are also placed in the corresponding namespaces but still can't access the my_vars path without explicit assignment of the ACL to the job.

Seems like the ACLs are not automatically assigned just by using the namespace.

But what worked as a workaround for now is using the “nomad/jobs” path in combination with namespaces to have different globally accessible key value pairs for each environment.

But the downside is still that I can only use the “nomad/jobs” path, so all key value pairs have to be in one path to be globally accessible without ACL assignment. (It does not allow simply grouping key value pairs.)
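The two approaches discussed in this thread side by side, as an added example that is not code from the thread: a variables ACL policy scoped to the dev namespace for the explicit `my_vars/*` path, and a batch job template that reads both that path and the implicitly readable `nomad/jobs` path. The policy name `dev-vars`, the file name, the job name `render` and the variable keys are assumptions.

```hcl
# dev-vars.policy.hcl (added example): read access to my_vars/* for
# workloads in namespace "dev". Bind it to a job with the command the
# thread mentions (policy and file names are assumptions):
#   nomad acl policy apply -namespace dev -job render dev-vars dev-vars.policy.hcl
namespace "dev" {
  variables {
    path "my_vars/*" {
      capabilities = ["read"]
    }
  }
}

# render.nomad.hcl (added example): job spec posted to the /jobs endpoint.
# The nomad/jobs path needs no policy binding (workload identity grants it
# within the job's namespace); my_vars/db requires the policy above.
job "render" {
  namespace = "dev"
  type      = "batch"

  group "render" {
    task "render" {
      driver = "docker"
      config {
        image = "alpine:3"
      }
      template {
        destination = "local/render.env"
        env         = true
        data        = <<EOT
{{ with nomadVar "nomad/jobs" }}DB_HOST={{ .db_host }}{{ end }}
{{ with nomadVar "my_vars/db" }}DB_PASS={{ .password }}{{ end }}
EOT
      }
    }
  }
}
```

If the policy is not bound to the job, the second `nomadVar` lookup fails at render time while the `nomad/jobs` lookup still succeeds, which is the behaviour the follow-up post describes.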