gitrgoliveira · December 3, 2024 12:25 · Oct 2, 2023 · Mar 25, 2023 · Mar 25, 2023 · Mar 25, 2023
diff --git a/.gitignore b/.gitignore
@@ -1,5 +0,0 @@
-
-test.sentinel
-*.json
-*.hcl
-nomad-server.log

diff --git a/nomad_sentinel_demo.sh b/nomad_sentinel_demo.sh
@@ -72,7 +72,7 @@ EOF
 nomad acl policy apply -description "Anonymous policy" anonymous anonymous.policy.hcl
 nomad acl policy apply -description "Application Developer policy" app-dev app-dev.policy.hcl
 
-nomad acl role create -name=app-developers -policy=app-dev
+nomad acl role create -name=app-developers -description "Role for Application Developers" -policy=app-dev
 nomad acl token create -json -name="Doug" -ttl=5m -role-name=app-developers > client_token.json
 
 

diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,4 @@
 test.sentinel
 *.json
 *.hcl
+nomad-server.log
diff --git a/nomad_sentinel_demo.sh b/nomad_sentinel_demo.sh
@@ -1,4 +1,4 @@
-nomad agent -dev -bind 0.0.0.0  -acl-enabled &
+nomad agent -dev -bind 0.0.0.0  -acl-enabled >nomad-server.log &
 sleep 5
 
 nomad acl bootstrap -json > bootstrap.json
@@ -29,13 +29,8 @@ nomad namespace apply namespace.hcl
 
 # creating policy and token
 cat << EOF > anonymous.policy.hcl
-# Allow read only access to the default namespace
-namespace "default" {
-  policy = "read"
-}
-
-# Allow writing to the `foo` namespace
-namespace "web-qa" {
+# Allow read only access to all namespaces
+namespace "*" {
   policy = "read"
 }
 
@@ -57,7 +52,7 @@ namespace "default" {
   policy = "read"
 }
 
-# Allow writing to the `foo` namespace
+# Allow writing to the web-qa namespace
 namespace "web-qa" {
   policy = "write"
 }
@@ -74,7 +69,7 @@ quota {
   policy = "read"
 }
 EOF
-nomad acl policy apply -description "Anonymous policy (full-access)" anonymous anonymous.policy.hcl
+nomad acl policy apply -description "Anonymous policy" anonymous anonymous.policy.hcl
 nomad acl policy apply -description "Application Developer policy" app-dev app-dev.policy.hcl
 
 nomad acl role create -name=app-developers -policy=app-dev
@@ -86,7 +81,7 @@ cat << EOF > test.sentinel
 
 # ACLToken fields from https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L12367-L12395
 print("Token information on AccessorID", nomad_acl_token.accessor_id)
-print("Token information on SecretID", nomad_acl_token.secret_id)
+# print("Token information on SecretID", nomad_acl_token.secret_id)
 print("Token information on Name", nomad_acl_token.name)
 print("Token information on Type", nomad_acl_token.type)
 print("Token information on Policies", nomad_acl_token.policies)

diff --git a/nomad_sentinel_demo.sh b/nomad_sentinel_demo.sh
@@ -4,6 +4,83 @@ sleep 5
 nomad acl bootstrap -json > bootstrap.json
 export NOMAD_TOKEN=$(jq -r .SecretID bootstrap.json)
 
+# creating a namespace and quota
+nomad namespace apply -description "QA instances of webservers" web-qa
+nomad quota init
+nomad quota apply spec.hcl
+
+cat << EOF > namespace.hcl
+name        = "web-qa"
+description = "Namespace for developers"
+quota       = "default-quota"
+
+capabilities {
+  enabled_task_drivers  = ["docker", "exec"]
+  disabled_task_drivers = ["raw_exec"]
+}
+
+meta {
+  owner        = "Doug"
+  contact_mail = "[email protected]"
+}
+EOF
+nomad namespace apply namespace.hcl
+
+
+# creating policy and token
+cat << EOF > anonymous.policy.hcl
+# Allow read only access to the default namespace
+namespace "default" {
+  policy = "read"
+}
+
+# Allow writing to the `foo` namespace
+namespace "web-qa" {
+  policy = "read"
+}
+
+agent {
+  policy = "read"
+}
+
+node {
+  policy = "read"
+}
+
+quota {
+  policy = "read"
+}
+EOF
+cat << EOF > app-dev.policy.hcl
+# Allow read only access to the default namespace
+namespace "default" {
+  policy = "read"
+}
+
+# Allow writing to the `foo` namespace
+namespace "web-qa" {
+  policy = "write"
+}
+
+agent {
+  policy = "read"
+}
+
+node {
+  policy = "read"
+}
+
+quota {
+  policy = "read"
+}
+EOF
+nomad acl policy apply -description "Anonymous policy (full-access)" anonymous anonymous.policy.hcl
+nomad acl policy apply -description "Application Developer policy" app-dev app-dev.policy.hcl
+
+nomad acl role create -name=app-developers -policy=app-dev
+nomad acl token create -json -name="Doug" -ttl=5m -role-name=app-developers > client_token.json
+
+
 cat << EOF > test.sentinel
 ## Test policy always fails for demonstration purposes
 
@@ -15,7 +92,7 @@ print("Token information on Type", nomad_acl_token.type)
 print("Token information on Policies", nomad_acl_token.policies)
 print("Token information on Roles", nomad_acl_token.roles)
 print("Token information on Global", nomad_acl_token.global)
-print("Token information on CreateTime", nomad_acl_token.create_time)
+print("Token information on ExpirationTTL (nanoseconds)", nomad_acl_token.expiration_ttl)
 
 # Namespace fields from https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5207-L5231
 print("Namespace information on Name", namespace.name)
@@ -71,4 +148,9 @@ nomad sentinel apply -level=advisory test-policy test.sentinel
 # nomad sentinel apply -level=soft-mandatory test-policy test.sentinel
 nomad job init -short
 
-nomad job run ./example.nomad.hcl
+export NOMAD_TOKEN=$(jq -r .SecretID client_token.json)
+export NOMAD_NAMESPACE=web-qa
+nomad job run -detach example.nomad.hcl
+
+# export NOMAD_TOKEN=$(jq -r .SecretID bootstrap.json)
+# nomad ui -authenticate
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,4 @@
 
-bootstrap.json
 test.sentinel
-example.nomad.hcl
+*.json
+*.hcl
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 
 bootstrap.json
 test.sentinel
+example.nomad.hcl
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,3 @@
+
+bootstrap.json
+test.sentinel
diff --git a/nomad_sentinel_demo.sh b/nomad_sentinel_demo.sh
@@ -15,23 +15,60 @@ print("Token information on Type", nomad_acl_token.type)
 print("Token information on Policies", nomad_acl_token.policies)
 print("Token information on Roles", nomad_acl_token.roles)
 print("Token information on Global", nomad_acl_token.global)
+print("Token information on CreateTime", nomad_acl_token.create_time)
 
 # Namespace fields from https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5207-L5231
 print("Namespace information on Name", namespace.name)
 print("Namespace information on Description", namespace.description)
 print("Namespace information on Quota", namespace.quota)
-print("Namespace information on Capabilities", namespace.capabilities.enabled_task_drivers)
-print("Namespace information on Capabilities", namespace.capabilities.disabled_task_drivers)
+print("Namespace information on Capabilities EnabledTaskDrivers", namespace.capabilities.enabled_task_drivers)
+print("Namespace information on Capabilities DisabledTaskDrivers", namespace.capabilities.disabled_task_drivers)
 print("Namespace information on Meta", namespace.meta)
 
 # Job information is from https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L4253-L4386
-print("Job information on AllAtOnce", job.all_at_once)
-print("Job information on ParentID", job.parent_id)
+print("Job information on Region", job.region)
+
+# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5194
+# print("Job information on MultiRegion Strategy (...)", job.multiregion.strategy)
+# print("Job information on MultiRegion Strategy OnFailure", job.multiregion.strategy)
+
+# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5199-L5204
+# print("Job information on MultiRegion Regions", job.multiregion.regions)
+
+print("Job information on Namespace", job.namespace)
+print("Job information on Name", job.name)
+print("Job information on Type", job.type)
+print("Job information on Priority", job.priority)
+print("Job information on Datacenters", job.datacenters)
+
+# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L9048-L9052
+# print("Job information on Constraints", job.constraints.)
+
+# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L9163-L9168
+# print("Job information on Affinities", job.affinities.)
+
+# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L9254-L9267
+# print("Job information on Spreads", job.spreads.)
+
+# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5039-L5079
+# print("Job information on Update Strategy", job.update.)
+
+# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5375-L5398
+# print("Job information on Periodic", job.periodic.)
+
+# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5543-L5552
+# print("Job information on Parameterized Job", job.parameterized_job.)
+
+print("Job information on SubmitTime", job.submit_time)
+print("Job information on Metadata", job.Meta)
+ 
 print("Job information on TaskGroups", job.task_groups)
 
 main = rule { false }
 EOF
 
 nomad sentinel apply -level=advisory test-policy test.sentinel
-nomad job init
-nomad job run example.nomad
+# nomad sentinel apply -level=soft-mandatory test-policy test.sentinel
+nomad job init -short
+
+nomad job run ./example.nomad.hcl
diff --git a/nomad_sentinel_demo.sh b/nomad_sentinel_demo.sh
@@ -6,6 +6,8 @@ export NOMAD_TOKEN=$(jq -r .SecretID bootstrap.json)
 
 cat << EOF > test.sentinel
 ## Test policy always fails for demonstration purposes
+
+# ACLToken fields from https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L12367-L12395
 print("Token information on AccessorID", nomad_acl_token.accessor_id)
 print("Token information on SecretID", nomad_acl_token.secret_id)
 print("Token information on Name", nomad_acl_token.name)
@@ -14,15 +16,15 @@ print("Token information on Policies", nomad_acl_token.policies)
 print("Token information on Roles", nomad_acl_token.roles)
 print("Token information on Global", nomad_acl_token.global)
 
-
+# Namespace fields from https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5207-L5231
 print("Namespace information on Name", namespace.name)
 print("Namespace information on Description", namespace.description)
 print("Namespace information on Quota", namespace.quota)
 print("Namespace information on Capabilities", namespace.capabilities.enabled_task_drivers)
 print("Namespace information on Capabilities", namespace.capabilities.disabled_task_drivers)
 print("Namespace information on Meta", namespace.meta)
 
-
+# Job information is from https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L4253-L4386
 print("Job information on AllAtOnce", job.all_at_once)
 print("Job information on ParentID", job.parent_id)
 print("Job information on TaskGroups", job.task_groups)

diff --git a/nomad_sentinel_demo.sh b/nomad_sentinel_demo.sh
@@ -0,0 +1,35 @@
+nomad agent -dev -bind 0.0.0.0  -acl-enabled &
+sleep 5
+
+nomad acl bootstrap -json > bootstrap.json
+export NOMAD_TOKEN=$(jq -r .SecretID bootstrap.json)
+
+cat << EOF > test.sentinel
+## Test policy always fails for demonstration purposes
+print("Token information on AccessorID", nomad_acl_token.accessor_id)
+print("Token information on SecretID", nomad_acl_token.secret_id)
+print("Token information on Name", nomad_acl_token.name)
+print("Token information on Type", nomad_acl_token.type)
+print("Token information on Policies", nomad_acl_token.policies)
+print("Token information on Roles", nomad_acl_token.roles)
+print("Token information on Global", nomad_acl_token.global)
+
+
+print("Namespace information on Name", namespace.name)
+print("Namespace information on Description", namespace.description)
+print("Namespace information on Quota", namespace.quota)
+print("Namespace information on Capabilities", namespace.capabilities.enabled_task_drivers)
+print("Namespace information on Capabilities", namespace.capabilities.disabled_task_drivers)
+print("Namespace information on Meta", namespace.meta)
+
+
+print("Job information on AllAtOnce", job.all_at_once)
+print("Job information on ParentID", job.parent_id)
+print("Job information on TaskGroups", job.task_groups)
+
+main = rule { false }
+EOF
+
+nomad sentinel apply -level=advisory test-policy test.sentinel
+nomad job init
+nomad job run example.nomad