Configure access control for Nomad Variables
Nomad's Access Control List (ACL) system controls access to data and APIs, including access to encrypted Nomad Variables. This tutorial will show how to configure ACL policies for variables.
Requirements
This tutorial extends the state of a Nomad cluster that has had both the
Bootstrap Nomad ACL System tutorial and the Create Nomad ACL Policies
tutorial performed on it. As part of completing the Bootstrap Nomad ACL
System tutorial, you generated a management token during bootstrap. For this
tutorial, you will need to have either that token or another management token
set in the NOMAD_TOKEN environment variable. Replace BOOTSTRAP_SECRET_ID
in
the following command with a bootstrap or management token:
While completing the Create Nomad ACL Policies tutorial, you created policies for two user personas: an Application Developer persona and a Production Operations persona. In this tutorial, you'll extend these policies to control access to variables in namespaces.
Create tutorial namespaces
First, create two namespaces named prod
and dev
.
Create ACL policies
Create a policy file for Production Operations named prod-ops.policy.hcl
Create another policy file for the Application Developer named app-dev.policy.hcl
Use the nomad acl policy apply
command to upload your policy specifications.
Upload the "Production Operations policy."
Upload the "Application Developer policy."
Create tokens for the policies
To use these policies for variables, you will need to create tokens.
Create an app-dev token. For this tutorial, pipe your output into the awk
command to save the secret ID it as app-dev.token
.
Next, create a prod-ops token, piping your output into the awk command to save
the secret ID as prod-ops.token
.
View variables with restricted permissions
The ACL policies you've created can control access to the variables you created in the Storing Nomad Variables tutorial.
Switch to the app-dev token in your shell environment. You will create and view variables as app-dev.
Using a wildcard namespace, list all the variables. Note that you have list permission to all the variables because of the app-dev ACL policy.
Read a variable from the dev
namespace. You have permission to read all the
variables in that namespace.
Update a variable under the project
prefix.
The command will return the updated variable in JSON format.
Try to update a variable under the system
prefix. This will return a
permission denied error because the app-dev policy only has read permission to
that path.
As stated earlier, the app-dev
policy doesn't have permissions to perform the
update, so the command returns an error message.
Try to read a variable under the prod
namespace. This will return a "not
found" error because the app-dev policy only has list permission to that
namespace.
Next steps
Learn more about using Nomad Variables in tasks with the Accessing Variables From Tasks tutorial. Also, explore the Nomad Variables CLI commands with the Storing Nomad Variables tutorial.