
Permission Check on Log Access via UI #23786

Closed
Mac2 opened this issue Aug 9, 2024 · 1 comment · Fixed by #24973

Mac2 commented Aug 9, 2024

Nomad version

Nomad v1.8.2
BuildDate 2024-07-16T08:50:09Z
Revision 7f0822c

Operating system and Environment details

RHEL 8.6 - RHEL 8.8

Issue

When trying to access the Container Logs via "UI -> Jobname -> Taskgroup -> Allocation -> Task -> Logs" we get a "permission denied" error.
But the current policy should allow access because of "namespace:write" policy:

namespace "playground" {
  policy = "write"
  variables {
    # give read access to all job templates related to this namespace
    path "nomad/job-templates/*" {
      capabilities = ["read","list"]
    }
  }
}
node {
  policy = "deny"
}
agent {
  policy = "deny"
}

We can prove this because log access via "UI -> Job -> View Logs (of the task)" is working as expected and if we change the policy to

node {
  policy = "read"
}
agent {
  policy = "deny"
}

access to logs is working also as expected. So it looks like the UI-Button is not checking correctly for the "namespace:read-logs" capability, but instead for a "node:read" policy.

Reproduction steps

Using Policy like:

namespace "playground" {
  policy = "write"
  variables {
    # give read access to all job templates related to this namespace
    path "nomad/job-templates/*" {
      capabilities = ["read","list"]
    }
  }
}

# used for UI access - not really?
node {
  policy = "deny"
}
agent {
  policy = "deny"
}

  1. trying to access logs of running container via "Jobs -> -> View Logs (in recent allocations tab)"

  2. trying to access logs of running container via "Jobs -> -> TaskGroup -> Allocation -> Task -> Logs (on top menu line)"

Expected Result

  1. Access to logs is possible (depending on namespace:read-logs capability)
  2. Access to logs is possible (depending on namespace:read-logs capability)

Actual Result

  1. Access works as expected
  2. Access is denied due to node-policy=deny

Job file (if appropriate)

Nomad Server logs (if appropriate)

Nomad Client logs (if appropriate)

thanks
Mac

@Mac2 Mac2 added the type/bug label Aug 9, 2024
Member

tgross commented Aug 9, 2024

Hi @Mac2! Sometimes the UI needs a bit more permissions than the CLI does because it enriches the view from other sources. But I just checked myself and the only API request being sent is /v1/client/fs/logs/$alloc_id?follow=true&offset=50000&origin=end&task=task&type=stdout. But if I send that API request with a token that has a policy without node = "read" I do get the logs. So it looks like this issue is at the UI layer. I'll bring this to the attention of the folks focused on that.
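The mismatch the two comments describe, modelled as an added example (not code from the Nomad project or from either commenter): the log endpoint enforces the namespace's `read-logs` capability, while the UI gate the reporter observed is tied to the `node` policy. The capability expansions for the `read` and `write` namespace keywords are an abbreviated assumption taken from Nomad's ACL documentation; the page itself only establishes that `write` includes `read-logs` and that `node`/`agent` are separate rules. Namespace matching is simplified to exact name plus a `*` fallback.

```python
# Added example: a small model of the authorization decision for reading task
# logs, showing why the reporter's policy passes the API check but fails the
# UI gate described in the issue. Not the Nomad project's own code.

# Capabilities implied by the coarse namespace policy keywords. These
# expansions are an assumption (abbreviated from Nomad's ACL policy docs);
# the issue only establishes that "write" includes read-logs.
NAMESPACE_POLICY_CAPABILITIES = {
    "deny": set(),
    "read": {"list-jobs", "parse-job", "read-job", "read-job-scaling"},
    "write": {
        "list-jobs", "parse-job", "read-job", "read-job-scaling",
        "submit-job", "dispatch-job", "scale-job",
        "read-logs", "read-fs", "alloc-exec", "alloc-lifecycle",
    },
}

# The reporter's policy, transcribed from the HCL in the issue into a dict.
# Only the fields the decision needs; the variables block is irrelevant here.
REPORTER_POLICY = {
    "namespace": {"playground": {"policy": "write", "capabilities": set()}},
    "node": "deny",
    "agent": "deny",
}


def namespace_capabilities(policy, namespace):
    """Effective capability set for one namespace.

    Simplification: exact-name match with a "*" fallback. Nomad's real
    matcher applies glob rules and picks the closest match.
    """
    rules = policy.get("namespace", {})
    rule = rules.get(namespace) or rules.get("*")
    if rule is None:
        return set()
    caps = set(NAMESPACE_POLICY_CAPABILITIES[rule.get("policy", "deny")])
    caps |= set(rule.get("capabilities", ()))
    return caps


def api_allows_logs(policy, namespace):
    """What the log endpoint (/v1/client/fs/logs/<alloc_id>) enforces per the
    maintainer's comment: the namespace read-logs capability, nothing else."""
    return "read-logs" in namespace_capabilities(policy, namespace)


def ui_allows_logs_as_reported(policy, namespace):
    """The gate the reporter observed on the Task -> Logs button: access is
    tied to a node policy of at least read, regardless of read-logs."""
    return policy.get("node", "deny") in ("read", "write")


def ui_allows_logs_fixed(policy, namespace):
    """A UI gate that agrees with the API: check the same capability the
    endpoint will check, so the button and the request cannot disagree."""
    return api_allows_logs(policy, namespace)


def compare(policy, namespace):
    """Return every decision side by side; a difference between 'api' and
    'ui_reported' is exactly the bug in this issue."""
    return {
        "api": api_allows_logs(policy, namespace),
        "ui_reported": ui_allows_logs_as_reported(policy, namespace),
        "ui_fixed": ui_allows_logs_fixed(policy, namespace),
    }


if __name__ == "__main__":
    print("reporter policy, playground:", compare(REPORTER_POLICY, "playground"))
    with_node_read = dict(REPORTER_POLICY, node="read")
    print("with node = read:", compare(with_node_read, "playground"))
```

Running it reproduces the report: with the original policy the API decision is allow and the reported UI gate is deny; switching `node` to `read` makes both allow, which is the workaround the reporter found. The `ui_fixed` column shows the property a UI gate should have: it derives from the same capability the endpoint checks, so it can never be stricter or looser than the request it guards.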
