
event stream: fix wildcard namespace bypass #25089

Merged (3 commits) on Feb 11, 2025

Conversation

@mismithhisler (Member) commented Feb 11, 2025

Description

Fixes an issue where, when reading from the Event stream API, the wildcard namespace can be used to bypass ACL policy checks that would not otherwise permit access to a given namespace. Having policy = "read" for any namespace allows the equivalent of policy = "read" for all namespaces.

Testing & Reproduction steps

Create two namespaces:
$ nomad namespace apply dev
Successfully applied namespace "dev"!

$ nomad namespace apply prod
Successfully applied namespace "prod"!

Create the following ACL policy file:

namespace "dev" {
  policy = "read"
}

Apply that policy and create a token that uses that policy:

$ nomad acl policy apply developer ./developer.acl.hcl
Successfully wrote "developer" ACL policy!

$ nomad acl token create -type client -name dev -policy developer
Accessor ID  = 6a78c08a-df74-6f33-de84-ddceef9a0a6a
Secret ID    = 6dc3baba-e362-4c27-e6f7-db9ac0aec27e
Name         = dev
Type         = client
Global       = false
Create Time  = 2025-01-29 21:14:44.219254895 +0000 UTC
Expiry Time  = <none>
Create Index = 17
Modify Index = 17
Policies     = [developer]

Roles
<none>

In another terminal, set NOMAD_TOKEN to the new token secret:

export NOMAD_TOKEN=6dc3baba-e362-4c27-e6f7-db9ac0aec27e

In the original terminal, create this minimal jobspec:

job "example" {

  group "group" {

    task "task" {

      driver = "docker"

      config {
        image   = "busybox:1"
        command = "httpd"
        args    = ["-vv", "-f", "-p", "8001", "-h", "/local"]
      }

      resources {
        cpu    = 100
        memory = 100
      }

    }
  }
}

Run it and deploy it to the dev namespace:

$ nomad job run -namespace dev ./example.nomad.hcl

In the "dev" terminal, read the event stream for the Job topic in the "dev" namespace:

$ nomad operator api '/v1/event/stream?topic=Job&namespace=dev'

You'll see events for the job deployed to the dev namespace, as expected. Hit Ctrl-C and try again, this time using the wildcard namespace.

$ nomad operator api '/v1/event/stream?topic=Job&namespace=*'

You'll see the same set of events for the job deployed to the dev namespace. Leave this running.

Go back to the other terminal where you have the management token and run the job again, this time deploying to the prod namespace:

$ nomad job run -namespace prod ./example.nomad.hcl

Watch the other terminal, and you'll see events for the job in the prod namespace appear, in violation of the ACL policy. Note that if you hit Ctrl-C and try again, this time using the prod namespace, it will fail as expected:

$ nomad operator api '/v1/event/stream?topic=Job&namespace=prod'
Permission denied%

Links

Contributor Checklist

  • Changelog Entry If this PR changes user-facing behavior, please generate and add a
    changelog entry using the make cl command.
  • Testing Please add tests to cover any new functionality or to demonstrate bug fixes and
    ensure regressions will be caught.
  • Documentation If the change impacts user-facing functionality such as the CLI, API, UI,
    and job configuration, please update the Nomad website documentation to reflect this. Refer to
    the website README for docs guidelines. Please also consider whether the
    change requires notes within the upgrade guide.

Reviewer Checklist

  • Backport Labels Please add the correct backport labels as described by the internal
    backporting document.
  • Commit Type Ensure the correct merge method is selected which should be "squash and merge"
    in the majority of situations. The main exceptions are long-lived feature branches or merges where
    history should be preserved.
  • Enterprise PRs If this is an enterprise only PR, please add any required changelog entry
    within the public repository.
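The bypass described in the reproduction steps, modelled as an added Go example that is not Nomad's code: a hypothetical event filter whose vulnerable form authorizes only the requested namespace once up front (so "*" passes for any token with read on some namespace), beside a fixed form that authorizes every event against its own namespace. `Event`, `ReadACL` and both filter functions are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Event is a simplified event-stream record (constructed; not Nomad's type).
type Event struct{ Topic, Namespace string }
// ReadACL is a hypothetical token ACL: the namespaces with policy = "read".
type ReadACL map[string]bool
var ErrPermissionDenied = errors.New("Permission denied")

// filterVulnerable models the bug: "*" passes one up-front check whenever the
// token can read any namespace, and every event is then forwarded unchecked.
func filterVulnerable(acl ReadACL, requested string, events []Event) ([]Event, error) {
	if !(acl[requested] || (requested == "*" && len(acl) > 0)) {
		return nil, ErrPermissionDenied
	}
	var out []Event
	for _, e := range events {
		if requested == "*" || e.Namespace == requested {
			out = append(out, e)
		}
	}
	return out, nil
}

// filterFixed authorizes each event against its own namespace, so "*" only
// widens the subscription to namespaces the token may actually read.
func filterFixed(acl ReadACL, requested string, events []Event) ([]Event, error) {
	if requested != "*" && !acl[requested] {
		return nil, ErrPermissionDenied
	}
	var out []Event
	for _, e := range events {
		inScope := requested == "*" || e.Namespace == requested
		if inScope && acl[e.Namespace] { // per-event authorization is the fix
			out = append(out, e)
		}
	}
	return out, nil
}

func main() {
	acl, events := ReadACL{"dev": true}, []Event{{"Job", "dev"}, {"Job", "prod"}}
	leaked, _ := filterVulnerable(acl, "*", events)
	safe, _ := filterFixed(acl, "*", events)
	fmt.Printf("wildcard subscription: vulnerable=%d events, fixed=%d\n", len(leaked), len(safe))
}
```

With a token that has read only on "dev", the vulnerable filter forwards the prod job event on a wildcard subscription while the fixed filter drops it, and an explicit request for "prod" is denied by both.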

@mismithhisler mismithhisler added backport/ent/1.7.x+ent Changes are backported to 1.7.x+ent backport/ent/1.8.x+ent Changes are backported to 1.8.x+ent backport/1.9.x backport to 1.9.x release line labels Feb 11, 2025
@mismithhisler mismithhisler self-assigned this Feb 11, 2025
@mismithhisler mismithhisler requested review from a team as code owners February 11, 2025 15:18
@mismithhisler mismithhisler requested a review from tgross February 11, 2025 15:19
jrasell
jrasell previously approved these changes Feb 11, 2025
@mismithhisler mismithhisler merged commit c4f232f into main Feb 11, 2025
30 checks passed
@mismithhisler mismithhisler deleted the f-fix-wildcard-bypass-in-event-stream branch February 11, 2025 16:06