Anonymous token - ACL capabilities list-jobs

campbell · February 13, 2022, 4:52am

Hi,
I have anonymous token ACL policy on a Nomad cluster as follows:

namespace "default" {
  policy       = "read"
  capabilities = ["list-jobs"]
}
...

With this policy, I can still inspect the job anonymously (which seems rather granular rather than coarse?)

nomad job inspect blah
{
    "Job": {
        "Affinities": null,
        "AllAtOnce": false,
        "Constraints": null,
....

Is this the expected behaviour?

How could I configure the policy so that:

~% nomad job status

shows me the list of jobs, but it’s not possible to inspect them.

Same behaviour happens in the UI - under the definition tab for the job.

Topic		Replies	Views
Access control for Nomad clients Nomad	2	583	January 24, 2022
What capability does a policy need in order to start jobs in Nomad UI? Nomad acl , jobs	0	234	July 25, 2023
Getting 'Not Authorized' when trying to view files via UI Nomad	1	350	March 4, 2022
Nomad ACL returning 403 even with submit-job policy permission Nomad nomad-release	5	2704	September 17, 2024
A reliable way to tell if Nomad client/server has joined a cluster without ACL? Nomad acl	2	292	April 29, 2023