Nomad Variables access control
Nomad's Access Control List (ACL) system controls access to data and APIs, including access to encrypted Nomad Variables. This tutorial will show how to configure ACL policies for variables.
Requirements
This tutorial extends the state of a Nomad cluster that has had both the Bootstrap Nomad ACL System tutorial and the Create Nomad ACL Policies tutorial performed on it. As part of completing the Bootstrap Nomad ACL System tutorial, you generated a management token during bootstrap. For this tutorial, you will need to have either that token or another management token set in the NOMAD_TOKEN environment variable. Replace BOOTSTRAP_SECRET_ID in the following command with a bootstrap or management token:
# Store our token secret ID
$ export NOMAD_TOKEN="BOOTSTRAP_SECRET_ID"
While completing the Create Nomad ACL Policies tutorial, you created policies for two user personas: an Application Developer persona and a Production Operations persona. In this tutorial, you'll extend these policies to control access to variables in namespaces.
Create tutorial namespaces
First, create two namespaces named prod and dev.
$ nomad namespace apply -description "production environment" prod
Successfully applied namespace "prod"!
$ nomad namespace apply -description "development environment" dev
Successfully applied namespace "dev"!
Create ACL policies
Create a policy file for Production Operations named prod-ops.policy.hcl:
namespace "*" {
  policy = "write"

  # this policy can write, read, or destroy any variable in any namespace
  variables {
    path "*" {
      capabilities = ["write", "read", "destroy"]
    }
  }
}
Create another policy file for the Application Developer named app-dev.policy.hcl:
namespace "default" {
  policy = "read"
}

namespace "prod" {
  policy = "read"

  # this policy can list any variable in this namespace but
  # cannot see the contents
  variables {
    path "*" {
      capabilities = ["list"]
    }
  }
}

namespace "dev" {
  policy = "write"

  variables {
    # this policy can read variables that are under the system/ prefix
    # but cannot edit or delete them
    path "system/*" {
      capabilities = ["read"]
    }

    # this policy can write, read, or destroy any other variables
    # in this namespace
    path "*" {
      capabilities = ["write", "read", "destroy"]
    }
  }
}
Use the nomad acl policy apply command to upload your policy specifications.
Upload the "Production Operations policy."
$ nomad acl policy apply -description "Production Operations policy" prod-ops prod-ops.policy.hcl
Successfully wrote "prod-ops" ACL policy!
Upload the "Application Developer policy."
$ nomad acl policy apply -description "Application Developer policy" app-dev app-dev.policy.hcl
Successfully wrote "app-dev" ACL policy!
Create tokens for the policies
To use these policies for variables, you will need to create tokens.
Create an app-dev token. For this tutorial, pipe your output into the awk command to save the secret ID as app-dev.token.
$ nomad acl token create -name="app-dev token" -policy=app-dev | \
    awk '/Secret ID/{print $4}' > app-dev.token
Next, create a prod-ops token, piping your output into the awk command to save the secret ID as prod-ops.token.
$ nomad acl token create -name="prod-ops token" -policy=prod-ops | \
    awk '/Secret ID/{print $4}' > prod-ops.token
View variables with restricted permissions
The ACL policies you've created can control access to the variables you created in the Storing Nomad Variables tutorial.
Switch to the app-dev token in your shell environment. You will create and view variables as app-dev.
$ export NOMAD_TOKEN="$(cat ./app-dev.token)"
Using a wildcard namespace, list all the variables. Note that you have list permission to all the variables because of the app-dev ACL policy.
$ nomad var list -namespace '*'
Namespace  Path                     Last Updated
dev        another-project/example  2022-09-19T11:29:54-04:00
dev        project/example          2022-09-19T11:29:54-04:00
dev        system/config            2022-09-19T11:29:54-04:00
prod       project/another-example  2022-09-19T11:21:56-04:00
prod       project/example          2022-09-19T11:29:03-04:00
Read a variable from the dev namespace. You have permission to read all the variables in that namespace.
$ nomad var get -namespace dev project/example
Namespace   = dev
Path        = project/example
Create Time = 2022-09-19T11:29:54-04:00
Check Index = 42

Items
foo = bar
Update a variable under the project prefix.
$ nomad var get -namespace dev project/example | \
    nomad var put -namespace dev -out json - foo=update
The command will return the updated variable in JSON format.
{
  "Namespace": "dev",
  "Path": "project/example",
  "CreateIndex": 42,
  "ModifyIndex": 53,
  "CreateTime": 1663601394642568835,
  "ModifyTime": 1663601667627121554,
  "Items": {
    "foo": "update"
  }
}
Try to update a variable under the system prefix. This will return a permission denied error because the app-dev policy only has read permission to that path.
$ nomad var get -namespace dev system/config | \
    nomad var put -namespace dev -out json - foo=update
As stated earlier, the app-dev policy doesn't have permissions to perform the update, so the command returns an error message.
Error creating variable: Unexpected response code: 403 (Permission denied)
Try to read a variable under the prod namespace. This will return a "not found" error because the app-dev policy only has list permission to that namespace.
$ nomad var get -namespace prod project/example
Variable not found
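To check what a policy will allow before uploading it, the following added example (not Nomad's own ACL code) models the two policies above as Python dicts and reproduces the outcomes shown in this section. It assumes that path rules are glob patterns, that the most specific (longest) matching path rule wins, which is what makes system/* read override the * write rule, and that a read without the read capability surfaces as "not found".

```python
"""Toy evaluator for the Nomad Variables ACL policies in this tutorial.

Assumptions (not taken from Nomad source): path rules are globs, the longest
matching path rule wins, and a denied read is reported as "not found".
"""
from fnmatch import fnmatchcase

# Constructed dict form of app-dev.policy.hcl: namespace -> {path glob -> capabilities}
APP_DEV = {
    "default": {},
    "prod": {"*": {"list"}},
    "dev": {"system/*": {"read"}, "*": {"write", "read", "destroy"}},
}
# Constructed dict form of prod-ops.policy.hcl
PROD_OPS = {"*": {"*": {"write", "read", "destroy"}}}


def capabilities(policy, namespace, path):
    """Return the capability set that applies to one variable path."""
    # an explicit namespace block takes precedence over a namespace "*" block
    rules = policy[namespace] if namespace in policy else policy.get("*", {})
    matches = [pattern for pattern in rules if fnmatchcase(path, pattern)]
    if not matches:
        return set()
    # most specific rule wins: prefer the longest matching pattern
    return rules[max(matches, key=len)]


def check(policy, namespace, path, op):
    """Mimic the CLI outcome: 'ok', 'permission denied' or 'not found'."""
    if op in capabilities(policy, namespace, path):
        return "ok"
    # a read without the read capability is reported as a missing variable
    return "not found" if op == "read" else "permission denied"


def listable(policy, namespace, path):
    """Variables with list or read access appear in `nomad var list -namespace '*'`."""
    return bool({"list", "read"} & capabilities(policy, namespace, path))


if __name__ == "__main__":
    for ns, path, op in [("dev", "project/example", "write"),
                         ("dev", "system/config", "write"),
                         ("prod", "project/example", "read")]:
        print(f"app-dev {op} {ns}/{path}: {check(APP_DEV, ns, path, op)}")
```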
Next steps
Learn more about using Nomad Variables in tasks with the Accessing Variables From Tasks tutorial. Also, explore the Nomad Variables CLI commands with the Storing Nomad Variables tutorial.