check permissions

b85a7279 · Mahmood Ali · 8aaa7940 · b85a7279 · b85a7279 · b85a7279
Commit b85a7279 authored 6 years ago by Mahmood Ali
Hide whitespace changes
Inline Side-by-side

Showing

with 38 additions and 2 deletions
+38 -2
--- a/client/alloc_endpoint.go
+++ b/client/alloc_endpoint.go
@@ -110,7 +110,8 @@ func (a *Allocations) exec(conn io.ReadWriteCloser) {
 	a.c.logger.Info("received exec request", "req", fmt.Sprintf("%#v", req))

 	// Check read permissions
-	if aclObj, err := a.c.ResolveToken(req.QueryOptions.AuthToken); err != nil {
+	aclObj, err := a.c.ResolveToken(req.QueryOptions.AuthToken)
+	if err != nil {
 		handleStreamResultError(err, nil, encoder)
 		return
 	} else if aclObj != nil {
@@ -146,6 +147,26 @@ func (a *Allocations) exec(conn io.ReadWriteCloser) {
 		return
 	}

+	capabilities, err := ar.GetTaskDriverCapabilities(req.Task)
+	if err != nil {
+		code := helper.Int64ToPtr(500)
+		if structs.IsErrUnknownAllocation(err) {
+			code = helper.Int64ToPtr(404)
+		}
+
+		handleStreamResultError(err, code, encoder)
+		return
+	}
+
+	// check node access
+	if aclObj != nil && capabilities.FSIsolation == drivers.FSIsolationNone {
+		exec := aclObj.AllowNsOp(req.QueryOptions.Namespace, acl.NamespaceCapabilityAllocNodeExec)
+		if !exec {
+			handleStreamResultError(structs.ErrPermissionDenied, nil, encoder)
+			return
+		}
+	}
+
 	allocState, err := a.c.GetAllocState(req.AllocID)
 	if err != nil {
 		code := helper.Int64ToPtr(500)

--- a/client/allocrunner/alloc_runner.go
+++ b/client/allocrunner/alloc_runner.go
@@ -945,3 +945,12 @@ func (ar *allocRunner) GetTaskExecHandler(taskName string) drivermanager.TaskExe

 	return tr.TaskExecHandler()
 }
+
+func (ar *allocRunner) GetTaskDriverCapabilities(taskName string) (*drivers.Capabilities, error) {
+	tr, ok := ar.tasks[taskName]
+	if !ok {
+		return nil, fmt.Errorf("task not found")
+	}
+
+	return tr.DriverCapabilities()
+}
--- a/client/allocrunner/taskrunner/task_runner.go
+++ b/client/allocrunner/taskrunner/task_runner.go
@@ -1233,3 +1233,7 @@ func appendTaskEvent(state *structs.TaskState, event *structs.TaskEvent, capacit
 func (tr *TaskRunner) TaskExecHandler() drivermanager.TaskExecHandler {
 	return tr.getDriverHandle().ExecStreaming
 }
+
+func (tr *TaskRunner) DriverCapabilities() (*drivers.Capabilities, error) {
+	return tr.driver.Capabilities()
+}
--- a/client/client.go
+++ b/client/client.go
@@ -44,6 +44,7 @@ import (
 	"github.com/hashicorp/nomad/nomad/structs"
 	nconfig "github.com/hashicorp/nomad/nomad/structs/config"
 	"github.com/hashicorp/nomad/plugins/device"
+	"github.com/hashicorp/nomad/plugins/drivers"
 	vaultapi "github.com/hashicorp/vault/api"
 	"github.com/shirou/gopsutil/host"
 )
@@ -125,6 +126,7 @@ type AllocRunner interface {
 	ShutdownCh() <-chan struct{}
 	GetTaskEventHandler(taskName string) drivermanager.EventHandler
 	GetTaskExecHandler(taskName string) drivermanager.TaskExecHandler
+	GetTaskDriverCapabilities(taskName string) (*drivers.Capabilities, error)
 }

 // Client is used to implement the client interaction with Nomad. Clients

--- a/nomad/client_alloc_endpoint.go
+++ b/nomad/client_alloc_endpoint.go
@@ -212,7 +212,7 @@ func (a *ClientAllocations) exec(conn io.ReadWriteCloser) {
 		handleStreamResultError(err, nil, encoder)
 		return
 	} else if aclObj != nil {
-		// FIXME: check for AllocNodeExec if task is raw_exec
+		// client ultimately checks if AllocNodeExec is required
 		exec := aclObj.AllowNsOp(args.QueryOptions.Namespace, acl.NamespaceCapabilityAllocExec)
 		if !exec {
 			handleStreamResultError(structs.ErrPermissionDenied, nil, encoder)