Based on the documentation in the Namespace Rules section of the ACL Policy Specification documentation, I’ve configured a policy with these capabilities:
```hcl
namespace "default" {
  policy = "read"
  capabilities = ["alloc-lifecycle", "dispatch-job", "submit-job", "read-logs"]
}

node {
  policy = "read"
}

agent {
  policy = "read"
}

operator {
  policy = "read"
}

plugin {
  policy = "read"
}
```
I want the user token that was created with this policy to be able to do the following in the web UI:
- Run (create) a new job
- Stop a job
- Start a job
- Stop an allocation
- Start an allocation
- Restart an allocation
Unfortunately, the user can only:
- Run (create) a new job
- Stop a job
- Stop an allocation
- Restart an allocation
What capabilities should be added in order for the user to also:
- Start a job
- Start an allocation
The same is true of the following policy, used for a different type of user which basically has “write” access across the board:
```hcl
namespace "*" {
  policy = "write"
}

node {
  policy = "write"
}

agent {
  policy = "write"
}

operator {
  policy = "write"
}

plugin {
  policy = "read"
}
```
In other words, even this user with write access is unable to start a job that was previously stopped.
I’ve only been able to start a job using a user with a management token.