Skip to content

auth: allow nodes to sync their own allocations during node pool changes#28110

Open
vky5 wants to merge 2 commits into
hashicorp:mainfrom
vky5:bugfix/node-pool-alloc-sync
Open

auth: allow nodes to sync their own allocations during node pool changes#28110
vky5 wants to merge 2 commits into
hashicorp:mainfrom
vky5:bugfix/node-pool-alloc-sync

Conversation

@vky5

@vky5 vky5 commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Description

Fixes the server-side check so that when a node's node pool changes, the node can still fetch and sync allocations that are already assigned to it.

Right now, if the node pool names mismatch (because the old allocations are still on the old pool), the server blocks the node from syncing them.

How I fixed it:

  • Updated AuthorizeClientAllocation in nomad/auth/auth.go to take the node's AuthenticatedIdentity. Added a check at the top using AuthorizeSameNode to bypass node pool/namespace checks if the caller node matches the allocation's assigned NodeID.
  • Updated the Server wrapper method in nomad/acl.go to match the signature.
  • Passed args.GetIdentity() at call-sites in nomad/alloc_endpoint.go (inside GetAlloc, GetAllocs, and SignIdentities).

Testing & Reproduction steps

Added new test cases to TestResolveAuthorizedClientNodePoolHelpers in nomad/auth/auth_test.go:

  • Verified that if node pool mismatches but node ID matches, authorization passes.
  • Verified that if both node pool and node ID mismatch, it fails with permission denied.

To run:

GOTOOLCHAIN=auto go test -v ./nomad/auth -run TestResolveAuthorizedClientNodePoolHelpers

Links

Contributor Checklist

  • Changelog Entry If this PR changes user-facing behavior, please generate and add a
    changelog entry using the make cl command.
  • Testing Please add tests to cover any new functionality or to demonstrate bug fixes and
    ensure regressions will be caught.
  • Documentation If the change impacts user-facing functionality...

Reviewer Checklist

  • Backport Labels Please add the correct backport labels as described by the internal
    backporting document.
  • Commit Type Ensure the correct merge method is selected which should be "squash and merge"
    in the majority of situations.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Yes, modified AuthorizeClientAllocation in nomad/auth/auth.go to accept the caller's identity. If the caller is the same node the alloc is scheduled on, it bypasses the node pool check. This is safe since the node is already running that allocation.

@vky5 vky5 requested review from a team as code owners June 11, 2026 09:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Nomad - Community Issues Triage
Status: Needs Triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

nodes can't stop allocations if they've changed node pools

2 participants

@vky5 @jrasell