====== Creating ACLs on rundeck ======
^ Documentation ^|
^Name:| Creating ACLs on rundeck |
^Description:| Creating ACLs on rundeck |
^Modification date :| 10/10/2019|
^Owner:|dodger|
^Notify changes to:| dodger & zumi |
^Tags:| proftpd, rundeck|
^Escalate to:|The_fucking_bofh|
====== Official documentation ======
* [[https://docs.rundeck.com/docs/manual/document-format-reference/aclpolicy-v10.html]]
* [[https://docs.rundeck.com/docs/administration/security/authorization.html]]
* [[https://docs.rundeck.com/docs/manual/command-line-tools/rd-acl.html]]
====== Initial concepts ======
* By default everything is **DENIED**.\\
* Anything that is not explicitly allowed by a policy is rejected (the error shows ''REJECTED_NO_SUBJECT_OR_ENV_FOUND'').\\
* Rundeck permissions are extremely granular, take care!\\
Rundeck reloads ACL policies with a periodic refresh job, so a new ACL file created on the filesystem takes a few minutes to become active in the application; until then it will not work!
====== Basic rules ======
Variables to be replaced in the policies below:
* ''${PROJECTNAME}'' : the name of the project in rundeck
* ''${GROUPNAME}'' : the name of the group in Active Directory
===== Allow a domain group to access a project =====
This grants read access only; it does not allow running anything!\\
<code yaml>
context:
  application: rundeck
description: "normal users will only have read permissions"
for:
  project:
    - match:
        name: ${PROJECTNAME}
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: ${GROUPNAME}
---
context:
  project: ${PROJECTNAME}
description: "normal users will only have read permissions"
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  job:
    - match:
        name: '.*'
      allow: [read]
  node:
    - match:
        nodename: '.*'
      allow: [read,refresh]
by:
  group: ${GROUPNAME}
</code>
===== Allow a domain group to execute jobs from a project =====
<code yaml>
context:
  project: '.*'
description: "Allow ${GROUPNAME} to execute jobs on nodes"
for:
  job:
    - match:
        name: '.*'
      allow: [run]
  node:
    - match:
        nodename: '.*'
      allow: [run]
by:
  group: ${GROUPNAME}
</code>
===== Create a readonly group (on all projects) =====
<code yaml>
context:
  application: rundeck
description: "normal users will only have read permissions"
for:
  project:
    - match:
        name: '.*'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: ${GROUPNAME}
---
context:
  project: '.*'
description: "normal users will only have read permissions"
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  job:
    - match:
        name: '.*'
      allow: [read]
  node:
    - match:
        nodename: '.*'
      allow: [read,refresh]
by:
  group: ${GROUPNAME}
</code>
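The policies above only make sense once you internalise three rules: nothing is allowed unless a policy allows it, a ''deny'' in any matching rule wins over every ''allow'', and a policy only applies when both its ''by:'' subject and its ''context:'' match. The following Python evaluator is an added example, not part of this page or of Rundeck, that reproduces those rules over the page's own read-only and execute policies written as Python dicts. ''prod-sftp-config'' and ''mongui'' come from the page; the group name ''rundeck-readonly'', the job and node names, and the treatment of ''by:'' values as regular expressions are assumptions of the example. It also shows what happens when the execute policy is layered on top of the read-only pair.

```python
import re

# Constructed sample values standing in for ${PROJECTNAME} / ${GROUPNAME}.
PROJECT = "prod-sftp-config"
GROUP = "rundeck-readonly"
SUBJECT = {"username": "mongui", "groups": [GROUP]}

# The page's two read-only policies (application context + project context).
POLICIES = [
    {
        "context": {"application": "rundeck"},
        "for": {
            "project": [{"match": {"name": PROJECT}, "allow": ["read"]}],
            "system": [{"match": {"name": ".*"}, "allow": ["read"]}],
        },
        "by": {"group": GROUP},
    },
    {
        "context": {"project": PROJECT},
        "for": {
            "resource": [
                {"equals": {"kind": "node"}, "allow": ["read", "refresh"]},
                {"equals": {"kind": "job"}, "allow": ["read"]},
                {"equals": {"kind": "event"}, "allow": ["read"]},
            ],
            "job": [{"match": {"name": ".*"}, "allow": ["read"]}],
            "node": [{"match": {"nodename": ".*"}, "allow": ["read", "refresh"]}],
        },
        "by": {"group": GROUP},
    },
]

# The page's "execute jobs" policy; it applies to every project.
EXECUTE_POLICY = {
    "context": {"project": ".*"},
    "for": {
        "job": [{"match": {"name": ".*"}, "allow": ["run"]}],
        "node": [{"match": {"nodename": ".*"}, "allow": ["run"]}],
    },
    "by": {"group": GROUP},
}


def _rule_matches(rule, resource):
    """A rule applies when every attribute it names matches the resource:
    `match` is a regex, `equals` is exact, `contains` checks list membership."""
    for key, pattern in rule.get("match", {}).items():
        if not re.fullmatch(pattern, str(resource.get(key, ""))):
            return False
    for key, value in rule.get("equals", {}).items():
        if resource.get(key) != value:
            return False
    for key, value in rule.get("contains", {}).items():
        if value not in resource.get(key, []):
            return False
    return True


def _subject_matches(by, subject):
    """`by:` names a username or a group (a string or a list); both are
    treated as regular expressions here (assumption of this example)."""
    if "username" in by:
        pats = by["username"] if isinstance(by["username"], list) else [by["username"]]
        return any(re.fullmatch(p, subject["username"]) for p in pats)
    if "group" in by:
        pats = by["group"] if isinstance(by["group"], list) else [by["group"]]
        return any(re.fullmatch(p, g) for p in pats for g in subject["groups"])
    return False


def _context_matches(context, project):
    """Application-context policies apply to application-level checks
    (project is None); project-context policies apply when the regex matches."""
    if "application" in context:
        return project is None
    return project is not None and re.fullmatch(context["project"], project) is not None


def authorize(policies, subject, project, res_type, resource, action):
    """Return 'allow' or 'deny' for one access check, Rundeck-style:
    default deny, and any matching deny overrides every allow."""
    allowed = False
    for policy in policies:
        if not _subject_matches(policy["by"], subject):
            continue
        if not _context_matches(policy["context"], project):
            continue
        for rule in policy["for"].get(res_type, []):
            if not _rule_matches(rule, resource):
                continue
            deny = rule.get("deny", [])
            if "*" in deny or action in deny:
                return "deny"  # deny wins, whatever other rules allow
            allow = rule.get("allow", [])
            if "*" in allow or action in allow:
                allowed = True
    return "allow" if allowed else "deny"  # nothing allowed it: default deny


def check_expectations(policies, subject):
    """Table-driven self-check, the same idea as running `rd-acl test`
    on every expectation before loading a policy into production."""
    cases = [  # (project, resource type, resource, action, expected)
        (None, "project", {"name": PROJECT}, "read", "allow"),
        (None, "project", {"name": PROJECT}, "delete", "deny"),
        (None, "project", {"name": "other-project"}, "read", "deny"),
        (PROJECT, "job", {"name": "deploy-config"}, "read", "allow"),
        (PROJECT, "job", {"name": "deploy-config"}, "run", "deny"),
        (PROJECT, "node", {"nodename": "sftp01"}, "refresh", "allow"),
        (PROJECT, "node", {"nodename": "sftp01"}, "run", "deny"),
        ("other-project", "job", {"name": "deploy-config"}, "read", "deny"),
        (PROJECT, "resource", {"kind": "job"}, "create", "deny"),
    ]
    return [(c[0], c[1], c[3], c[4], authorize(policies, subject, *c[:4]))
            for c in cases]


if __name__ == "__main__":
    for project, rtype, action, expected, got in check_expectations(POLICIES, SUBJECT):
        print(f"{project or 'application':18} {rtype:9} {action:8} expected={expected} got={got}")
    print("run after adding execute policy:",
          authorize(POLICIES + [EXECUTE_POLICY], SUBJECT, PROJECT, "job",
                    {"name": "deploy-config"}, "run"))
```

The expectation table is the part worth copying into your own workflow: write down, per group, what must be allowed and what must stay denied (including the negative cases), and re-run it every time an ''.aclpolicy'' file changes. The real check is ''rd-acl test'' against the file; the evaluator here only illustrates why the read-only policies alone never grant ''run'' and why a wildcard ''project: '.*''' context in the execute policy reaches every project at once.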
====== Using rd-acl ======
''rd-acl'' is totally user-unfriendly, so get familiar with it first.\\
Read carefully the [[https://docs.rundeck.com/docs/manual/command-line-tools/rd-acl.html#description|1st paragraph]] of the ''rd-acl'' documentation page.
**Always** test your ACLs before loading them into production!!!
====== Creating ACLs ======
''rd-acl create'' prints the generated policy document to stdout; redirect it into a file with the ''.aclpolicy'' extension under ''/etc/rundeck/'' for Rundeck to pick it up.
===== Deny creation of projects to ALL =====
<code bash>
rd-acl create -c application -u '.*' -G project -D '*'
</code>
Note that the ''-D'' wildcard denies every action on the ''project'' resource kind in the application context, not only ''create''.
Test:
<code bash>
rd-acl test --file /etc/rundeck/rundeckusers.aclpolicy -c application -u mongui -G project -a create
</code>
===== Allow user to run jobs on project =====
Example:
<code bash>
rd-acl create -c project -p prod-sftp-config -u mongui -j '*' -a run
</code>
Test:
<code bash>
rd-acl test --file /etc/rundeck/rundeckusers.aclpolicy -c project -p prod-sftp-config -u mongui -j '*' -a run
</code>