HashiCorp Developer AI Private beta now available Sign up today
Nomad
Nomad Variables

Nomad Variables access control

  • 5min
  • |
  • Nomad

Nomad's Access Control List (ACL) system controls access to data and APIs, including access to encrypted Nomad Variables. This tutorial will show how to configure ACL policies for variables.

Requirements

This tutorial extends the state of a Nomad cluster that has had both the Bootstrap Nomad ACL System tutorial and the Create Nomad ACL Policies tutorial performed on it. As part of completing the Bootstrap Nomad ACL System tutorial, you generated a management token during bootstrap. For this tutorial, you will need to have either that token or another management token set in the NOMAD_TOKEN environment variable. Replace BOOTSTRAP_SECRET_ID in the following command with a bootstrap or management token:

## Store our token secret ID
$ export NOMAD_TOKEN="BOOTSTRAP_SECRET_ID"

While completing the Create Nomad ACL Policies tutorial, you created policies for two user personas: an Application Developer persona and a Production Operations persona. In this tutorial, you'll extend these policies to control access to variables in namespaces.

Create tutorial namespaces

First, create two namespaces named prod and dev.

$ nomad namespace apply -description "production environment" prod
Successfully applied namespace "prod"!

$ nomad namespace apply -description "development environment" dev
Successfully applied namespace "dev"!

Create ACL policies

Create a policy file for Production Operations named prod-ops.policy.hcl

namespace "*" {
  policy = "write"

  # this policy can write, read, or destroy any variable in any namespace
  variables {
    path "*" {
      capabilities = ["write", "read", "destroy"]
    }
  }
}

Create another policy file for the Application Developer named app-dev.policy.hcl

namespace "default" {
  policy = "read"
}

namespace "prod" {
  policy = "read"

  # this policy can list any variable in this namespace but
  # cannot see the contents
  variables {
    path "*" {
      capabilities = ["list"]
    }
  }
}

namespace "dev" {
  policy = "write"

  variables {

    # this policy can read variables that are under the system/ prefix
    # but cannot edit or delete them
    path "system/*" {
      capabilities = ["read"]
    }

    # this policy can write, read, or destroy any other variables
    # in this namespace
    path "*" {
      capabilities = ["write", "read", "destroy"]
    }

  }
}

Use the nomad acl policy apply command to upload your policy specifications.

Upload the "Production Operations policy."

$ nomad acl policy apply -description "Production Operations policy" prod-ops prod-ops.policy.hcl
Successfully wrote "prod-ops" ACL policy!

Upload the "Application Developer policy."

$ nomad acl policy apply -description "Application Developer policy" app-dev app-dev.policy.hcl
Successfully wrote "app-dev" ACL policy!

Create tokens for the policies

To use these policies for variables, you will need to create tokens.

Create an app-dev token. For this tutorial, pipe your output into the awk command to save the secret ID it as app-dev.token.

$ nomad acl token create -name="app-dev token" -policy=app-dev | \
    awk '/Secret ID/{print $4}' > app-dev.token

Next, create a prod-ops token, piping your output into the awk command to save the secret ID as prod-ops.token.

$ nomad acl token create -name="prod-ops token" -policy=prod-ops | \
    awk '/Secret ID/{print $4}' > prod-ops.token

View variables with restricted permissions

The ACL policies you've created can control access to the variables you created in the Storing Nomad Variables tutorial.

Switch to the app-dev token in your shell environment. You will create and view variables as app-dev.

$ export NOMAD_TOKEN="$(cat ./app-dev.token)"

Using a wildcard namespace, list all the variables. Note that you have list permission to all the variables because of the app-dev ACL policy.

$ nomad var list -namespace '*'
Namespace  Path                     Last Updated
dev        another-project/example  2022-09-19T11:29:54-04:00
dev        project/example          2022-09-19T11:29:54-04:00
dev        system/config            2022-09-19T11:29:54-04:00
prod       project/another-example  2022-09-19T11:21:56-04:00
prod       project/example          2022-09-19T11:29:03-04:00

Read a variable from the dev namespace. You have permission to read all the variables in that namespace.

$ nomad var get -namespace dev project/example
Namespace   = dev
Path        = project/example
Create Time = 2022-09-19T11:29:54-04:00
Check Index = 42

Items
foo = bar

Update a variable under the project prefix.

$ nomad var get -namespace dev project/example | \
    nomad var put -namespace dev -out json - foo=update

The command will return the updated variable in JSON format.

{
  "Namespace": "dev",
  "Path": "project/example",
  "CreateIndex": 42,
  "ModifyIndex": 53,
  "CreateTime": 1663601394642568835,
  "ModifyTime": 1663601667627121554,
  "Items": {
    "foo": "update"
  }
}

Try to update a variable under the system prefix. This will return a permission denied error because the app-dev policy only has read permission to that path.

$ nomad var get -namespace dev system/config | \
    nomad var put -namespace dev -out json - foo=update

As stated earlier, the app-dev policy doesn't have permissions to perform the update, so the command returns an error message.

Error creating variable: Unexpected response code: 403 (Permission denied)

Try to read a variable under the prod namespace. This will return a "not found" error because the app-dev policy only has list permission to that namespace.

$ nomad var get -namespace prod project/example
Variable not found

Next steps

Learn more about using Nomad Variables in tasks with the Accessing Variables From Tasks tutorial. Also, explore the Nomad Variables CLI commands with the Storing Nomad Variables tutorial.

Previous

Store variables

 Next

Access variables