How to define strict access to specific job on default namespace?

I want to grant access to developers so they can view and work with their specific job, but I don't want them to be able to view the definition of that job. Is it possible to define such restricted access?

Here is my read policy for my developers; unfortunately, I couldn't restrict developers' access to deny them access to the apisix or nginx config in the job definition.

namespace "default" {
  policy = "read"
  capabilities = ["read-logs"]
}
node {
  policy = "read"
}

Another user asked such a question and didn't get an answer.

Hello!

so they can view and work with their specific job, but I don’t like them able to view definition

What do you mean by "view a job but not be able to view it"? If they can view the job, they can view it; how can they not be able to view it and yet be able to view it?

“Work on a job” in what way?

You can put your service "config definition" into Nomad variables, Vault or Consul and keep it protected separately from your job definition.

Looking at Nomad ACL policy concepts | Nomad | HashiCorp Developer, do not give developers the "read-job" permission.

I am sorry for my bad explanation, let me try again with screenshots.
Here are my Nomad jobs; because I have a read policy, developers are able to view all jobs.

But I don't want them to be able to view/check other jobs like nginx or apisix. As shown below, I log in with the developers' token and I can see the nginx definition,

and if I click on view=full-definition I am able to see/copy secrets and certificate files. I want to prevent developers from doing so.

Thank you for your quick response.

Hi. If you want to restrict specific developers from specific jobs, move the jobs to a different namespace and do not give them tokens with access to that namespace.

If you do not want developers to see the job definition, do not give them the "read-job" capability. See Nomad ACL policy concepts | Nomad | HashiCorp Developer.

You can also provision Docker access from the Nomad agent definition, not in jobs; see Docker task driver | Nomad | HashiCorp Developer.

If you would want developers to work on part of the job… I would set up a git repository with parts of the job and give them access to it, then set up another repository to deploy the job after templating, for example like it's done with Ansible variables in one repo and playbooks in another.

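To make the "separate namespace" advice above concrete, here is an added example policy (written for this thread, not taken from the Nomad docs or from any poster). It assumes the shared infrastructure jobs (nginx, apisix) are redeployed into a namespace named "platform" and that the developer policy is named "developers"; both names are placeholders. Two caveats a practitioner should know: the coarse preset policy = "read" already expands to read-job (plus list-jobs and other read capabilities), so a capabilities list alongside it cannot take read-job away, and the UI has to read a job's allocations (which needs read-job) before read-logs ever applies, so "logs but no definition" is not achievable inside a single namespace. Keeping the sensitive jobs in a namespace the developer token cannot reach is what actually closes the gap.

```hcl
# developers.hcl (added example, not from the original thread)
#
# Assumptions (placeholders): the nginx/apisix jobs live in namespace
# "platform"; this policy is saved as "developers".

namespace "default" {
  # Fine-grained list instead of policy = "read". Developers can list jobs,
  # read job definitions/allocations and stream allocation logs here.
  # read-logs alone is not enough for the UI: reaching an allocation
  # requires read-job, which is why this namespace grants both.
  capabilities = ["list-jobs", "read-job", "read-logs"]

  # Optional: serve application config from Nomad variables (Nomad 1.4+)
  # instead of embedding it in the job file, as suggested in the thread.
  variables {
    path "nomad/jobs/*" {
      capabilities = ["read"]
    }
  }
}

# Explicitly deny the namespace holding nginx and apisix. Leaving the block
# out has the same effect (no grant means no access), but an explicit deny
# keeps winning if someone later adds a broader rule such as namespace "*",
# because Nomad applies the most specific matching namespace rule.
namespace "platform" {
  capabilities = ["deny"]
}

node {
  policy = "read"
}

# Rollout steps (run with a management token):
#   nomad namespace apply -description "shared infra, ops only" platform
#   # redeploy nginx/apisix with namespace = "platform" in their job files
#   nomad job run -namespace=platform nginx.nomad.hcl
#   nomad acl policy apply developers developers.hcl
#   nomad acl token create -name="dev" -type=client -policy=developers
#
# Verification with the developer token (secret ID shown as a placeholder):
#   NOMAD_TOKEN=<dev-secret-id> nomad job inspect -namespace=platform nginx
#     -> "Permission denied": the definition and its secrets are not visible
#   NOMAD_TOKEN=<dev-secret-id> nomad alloc logs -namespace=default <alloc-id>
#     -> works: developers still get logs for their own jobs
```

The job definition of anything in "platform" (including the certificate and secret values the screenshots showed) is simply unreadable with this token, while the developers' own jobs in "default" keep the full read/logs experience they wanted from the Nomad UI. If nginx and apisix still need to be listed for discovery, do not reach for "list-jobs" on "platform": the UI will then lead straight to the definition page.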

Thanks again. I would create another namespace for apisix and nginx. For the other services, they want to see logs in Nomad (even though I gave them Graylog to read logs, they like the Nomad UI the most) and that's why I gave them the read-job capability.

For clarification, does Nomad support such a capability so I can grant my users access to a specific container, for example like Portainer or K8s?
I searched and asked AI a lot about this but didn't find any solution.