a4026229
Commit
a4026229
authored
7 years ago
by
Michael Schurter
/v1/client/allocation/./{stats,gc} ACL enforcement
parent
0144b513
Showing
3 changed files
command/agent/alloc_endpoint.go
+26
-0
command/agent/alloc_endpoint.go
command/agent/alloc_endpoint_test.go
+110
-0
command/agent/alloc_endpoint_test.go
website/source/api/client.html.md
+3
-3
website/source/api/client.html.md
with
139 additions
and
3 deletions
+139
-3
command/agent/alloc_endpoint.go
+
26
-
0
...
...
@@ -6,6 +6,7 @@ import (
"strings"
"github.com/golang/snappy"
"github.com/hashicorp/nomad/acl"
"github.com/hashicorp/nomad/nomad/structs"
)
...
...
@@ -118,6 +119,18 @@ func (s *HTTPServer) ClientGCRequest(resp http.ResponseWriter, req *http.Request
}
func
(
s
*
HTTPServer
)
allocGC
(
allocID
string
,
resp
http
.
ResponseWriter
,
req
*
http
.
Request
)
(
interface
{},
error
)
{
var
secret
string
s
.
parseToken
(
req
,
&
secret
)
var
namespace
string
parseNamespace
(
req
,
&
namespace
)
// Check namespace submit-job permissions
if
aclObj
,
err
:=
s
.
agent
.
Client
()
.
ResolveToken
(
secret
);
err
!=
nil
{
return
nil
,
err
}
else
if
aclObj
!=
nil
&&
!
aclObj
.
AllowNsOp
(
namespace
,
acl
.
NamespaceCapabilitySubmitJob
)
{
return
nil
,
structs
.
ErrPermissionDenied
}
return
nil
,
s
.
agent
.
Client
()
.
CollectAllocation
(
allocID
)
}
...
...
@@ -133,6 +146,19 @@ func (s *HTTPServer) allocSnapshot(allocID string, resp http.ResponseWriter, req
}
func
(
s
*
HTTPServer
)
allocStats
(
allocID
string
,
resp
http
.
ResponseWriter
,
req
*
http
.
Request
)
(
interface
{},
error
)
{
var
secret
string
s
.
parseToken
(
req
,
&
secret
)
var
namespace
string
parseNamespace
(
req
,
&
namespace
)
// Check namespace read-job permissions
if
aclObj
,
err
:=
s
.
agent
.
Client
()
.
ResolveToken
(
secret
);
err
!=
nil
{
return
nil
,
err
}
else
if
aclObj
!=
nil
&&
!
aclObj
.
AllowNsOp
(
namespace
,
acl
.
NamespaceCapabilityReadJob
)
{
return
nil
,
structs
.
ErrPermissionDenied
}
clientStats
:=
s
.
agent
.
client
.
StatsReporter
()
aStats
,
err
:=
clientStats
.
GetAllocStats
(
allocID
)
if
err
!=
nil
{
...
...
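Review bot: In both `allocGC` and `allocStats` the capability check runs against the namespace read from the request (`parseNamespace(req, &namespace)`) rather than the namespace of the allocation identified by `allocID`, and nothing in these hunks ties the two together; unless `CollectAllocation` / `GetAllocStats` enforce it downstream (not visible here), a token holding the capability in one namespace passes the check for an allocation that lives in another. Consider looking up the allocation by `allocID` first and calling `aclObj.AllowNsOp(alloc.Namespace, ...)`, or, if downstream enforcement is relied upon, say so above the check, e.g. `// Namespace is caller-supplied; the alloc's own namespace is not verified here`. The `// Check namespace submit-job permissions` comment in `allocGC` would also read better if it named why GC needs submit-job rather than read-job. Separately, `allocStats` resolves the token through `s.agent.Client()` but fetches stats through `s.agent.client.StatsReporter()` two lines later — pick one accessor. The body of `allocStats` continues past the end of the hunk.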
command/agent/alloc_endpoint_test.go
+
110
-
0
...
...
@@ -243,6 +243,61 @@ func TestHTTP_AllocStats(t *testing.T) {
})
}
func
TestHTTP_AllocStats_ACL
(
t
*
testing
.
T
)
{
t
.
Parallel
()
assert
:=
assert
.
New
(
t
)
httpACLTest
(
t
,
nil
,
func
(
s
*
TestAgent
)
{
state
:=
s
.
Agent
.
server
.
State
()
// Make the HTTP request
req
,
err
:=
http
.
NewRequest
(
"GET"
,
"/v1/client/allocation/123/stats"
,
nil
)
if
err
!=
nil
{
t
.
Fatalf
(
"err: %v"
,
err
)
}
// Try request without a token and expect failure
{
respW
:=
httptest
.
NewRecorder
()
_
,
err
:=
s
.
Server
.
ClientAllocRequest
(
respW
,
req
)
assert
.
NotNil
(
err
)
assert
.
Equal
(
err
.
Error
(),
structs
.
ErrPermissionDenied
.
Error
())
}
// Try request with an invalid token and expect failure
{
respW
:=
httptest
.
NewRecorder
()
token
:=
mock
.
CreatePolicyAndToken
(
t
,
state
,
1005
,
"invalid"
,
mock
.
NodePolicy
(
acl
.
PolicyWrite
))
setToken
(
req
,
token
)
_
,
err
:=
s
.
Server
.
ClientAllocRequest
(
respW
,
req
)
assert
.
NotNil
(
err
)
assert
.
Equal
(
err
.
Error
(),
structs
.
ErrPermissionDenied
.
Error
())
}
// Try request with a valid token
// Still returns an error because the alloc does not exist
{
respW
:=
httptest
.
NewRecorder
()
policy
:=
mock
.
NamespacePolicy
(
structs
.
DefaultNamespace
,
""
,
[]
string
{
acl
.
NamespaceCapabilityReadJob
})
token
:=
mock
.
CreatePolicyAndToken
(
t
,
state
,
1007
,
"valid"
,
policy
)
setToken
(
req
,
token
)
_
,
err
:=
s
.
Server
.
ClientAllocRequest
(
respW
,
req
)
assert
.
NotNil
(
err
)
assert
.
Contains
(
err
.
Error
(),
"unknown allocation ID"
)
}
// Try request with a management token
// Still returns an error because the alloc does not exist
{
respW
:=
httptest
.
NewRecorder
()
setToken
(
req
,
s
.
RootToken
)
_
,
err
:=
s
.
Server
.
ClientAllocRequest
(
respW
,
req
)
assert
.
NotNil
(
err
)
assert
.
Contains
(
err
.
Error
(),
"unknown allocation ID"
)
}
})
}
func
TestHTTP_AllocSnapshot
(
t
*
testing
.
T
)
{
t
.
Parallel
()
httpTest
(
t
,
nil
,
func
(
s
*
TestAgent
)
{
...
...
@@ -279,6 +334,61 @@ func TestHTTP_AllocGC(t *testing.T) {
})
}
func
TestHTTP_AllocGC_ACL
(
t
*
testing
.
T
)
{
t
.
Parallel
()
assert
:=
assert
.
New
(
t
)
httpACLTest
(
t
,
nil
,
func
(
s
*
TestAgent
)
{
state
:=
s
.
Agent
.
server
.
State
()
// Make the HTTP request
req
,
err
:=
http
.
NewRequest
(
"GET"
,
"/v1/client/allocation/123/gc"
,
nil
)
if
err
!=
nil
{
t
.
Fatalf
(
"err: %v"
,
err
)
}
// Try request without a token and expect failure
{
respW
:=
httptest
.
NewRecorder
()
_
,
err
:=
s
.
Server
.
ClientAllocRequest
(
respW
,
req
)
assert
.
NotNil
(
err
)
assert
.
Equal
(
err
.
Error
(),
structs
.
ErrPermissionDenied
.
Error
())
}
// Try request with an invalid token and expect failure
{
respW
:=
httptest
.
NewRecorder
()
token
:=
mock
.
CreatePolicyAndToken
(
t
,
state
,
1005
,
"invalid"
,
mock
.
NodePolicy
(
acl
.
PolicyWrite
))
setToken
(
req
,
token
)
_
,
err
:=
s
.
Server
.
ClientAllocRequest
(
respW
,
req
)
assert
.
NotNil
(
err
)
assert
.
Equal
(
err
.
Error
(),
structs
.
ErrPermissionDenied
.
Error
())
}
// Try request with a valid token
// Still returns an error because the alloc does not exist
{
respW
:=
httptest
.
NewRecorder
()
policy
:=
mock
.
NamespacePolicy
(
structs
.
DefaultNamespace
,
""
,
[]
string
{
acl
.
NamespaceCapabilitySubmitJob
})
token
:=
mock
.
CreatePolicyAndToken
(
t
,
state
,
1007
,
"valid"
,
policy
)
setToken
(
req
,
token
)
_
,
err
:=
s
.
Server
.
ClientAllocRequest
(
respW
,
req
)
assert
.
NotNil
(
err
)
assert
.
Contains
(
err
.
Error
(),
"not present"
)
}
// Try request with a management token
// Still returns an error because the alloc does not exist
{
respW
:=
httptest
.
NewRecorder
()
setToken
(
req
,
s
.
RootToken
)
_
,
err
:=
s
.
Server
.
ClientAllocRequest
(
respW
,
req
)
assert
.
NotNil
(
err
)
assert
.
Contains
(
err
.
Error
(),
"not present"
)
}
})
}
func
TestHTTP_AllocAllGC
(
t
*
testing
.
T
)
{
t
.
Parallel
()
httpTest
(
t
,
nil
,
func
(
s
*
TestAgent
)
{
...
...
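Review bot: `TestHTTP_AllocStats_ACL` and `TestHTTP_AllocGC_ACL` use only a node-policy token as the "invalid" case, so neither test shows that the handler distinguishes capabilities within a namespace policy or namespaces at all: the valid-token block proves a matching grant is accepted, but a wrong-capability grant is never shown to be rejected, and the same is true for the same capability granted on a different namespace. Each test could gain a block that builds `mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})` for the stats test (and `acl.NamespaceCapabilityReadJob` for the GC test), plus one using a constructed namespace such as `"other"`, and asserts `structs.ErrPermissionDenied` for both. Without these, a regression that relaxed the capability or dropped the namespace argument would still pass both tests. Both test functions are fully within their hunks, which end just after `TestHTTP_AllocSnapshot` and `TestHTTP_AllocAllGC` begin.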
website/source/api/client.html.md
+
3
-
3
...
...
@@ -147,9 +147,9 @@ The table below shows this endpoint's support for
[
blocking queries
](
/api/index.html#blocking-queries
)
and
[
required ACLs
](
/api/index.html#acls
)
.
| Blocking Queries | ACL Required |
| ---------------- | ------------ |
|
`NO`
|
`n
one`
|
| Blocking Queries | ACL Required
|
| ---------------- | ------------
--------
|
|
`NO`
|
`n
amespace:read-job`
|
### Parameters
...
...