-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Nomad ACL support for meta tag filtering. #24715
Comments
Hi @dkyanakiev, this is a cool idea! There are some interesting architectural challenges here. The ACL policies you write are turned into a set of in-memory immutable radix tries for fast lookups. There's two for each top-level type of policy, one for direct lookups and one for wildcard lookups. (Ex. there are 2 tries for all That being said, the transformation from the ACL policy document into the trie is itself fairly expensive already, and we amortize that cost by caching the ACL policy trie (with a bounded LRU cache). So in theory if we could figure out a way to transform the expressions you're talking about into an index represented as one of those immutable radix tries (or heck, some other data structure we can do cheap lookups in), we could do the expensive work up front and then the ACL policy checks would still be cheap. I'm going to tag this for further discussion and roadmapping. Would love to hear if you have implementation thoughts based on what I've written above as well. |
Thanks for the detailed explanation @tgross .. I'll definitely have to sit and think about this in a bit more detail and maybe look at the code.
The old/current lookups will still work as expected but simply add an addition lookup to see if the more "broad" lookup policies. For the sake of simplicity they could be prevented from working together in the same policy.. |
Another possible approach could be to evaluate the ACL policy |
Namespace creations shouldn't be too taxing but eventual meta changes on namespaces could be.. |
Proposal
Hi there 👋
Currently the ACLs for namespaces have to be created on a per namespace basis or if you use a wildcard.
The problem comes when you want to have a policy that is applied to X namespaces that for example don't follow name pattern, so the wildcard cant work. If they are a handful you can always duplicate the policy but this scales really poorly. Since namespaces already have meta tags, it makes sense to be able to create a policy applicable to many namespaces based on meta tags.
Use-cases
Example of a policy with a filter
This way in a scenario where namespaces and change ownerships and teams that interact with them, you could easily have a policy that would match all the namespaces with the correct meta.
This basically flips the filter from the name to inside the filter block, it would allow for combinations
Which would works as before, when you have a name with wildcard
or allow for a combination
Have something be applied on a specific name + meta tag match
Because meta changes on the namespace, do not impact the workloads, unlike the job changes to the meta, this would allow for generic policies controlled by the meta tags
Attempted Solutions
Could not any existing feature that solves this, right now the issue is to just have a namespace naming pattern tied to a team for example, but that is not ideal as teams can change and it causes lots of issues to move workloads to updates namespaces.
The text was updated successfully, but these errors were encountered: