| Documentation | |
|---|---|
| Name: | Creating ACLs on rundeck |
| Description: | Creating ACLs on rundeck |
| Modification date: | 10/10/2019 |
| Owner: | dodger |
| Notify changes to: | dodger & zumi |
| Tags: | proftpd, rundeck |
| Escalate to: | The_fucking_bofh |
Rundeck has a refresh job for the ACLs, so if you create a new ACL on the filesystem it will take some minutes to be picked up by the application; until then it will not work!
Variables to be replaced:

- `${PROJECTNAME}`: the name of the project in Rundeck
- `${GROUPNAME}`: the name of the group in the AD
This policy grants no execution (run) rights!
```yaml
context:
  application: rundeck
description: "normal users will only have read permissions"
for:
  project:
    - match:
        name: ${PROJECTNAME}
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: ${GROUPNAME}

---

context:
  project: ${PROJECTNAME}
description: "normal users will only have read permissions"
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  job:
    - match:
        name: '.*'
      allow: [read]
  node:
    - match:
        nodename: '.*'
      allow: [read,refresh]
by:
  group: ${GROUPNAME}
```

```yaml
context:
  project: '.*'
description: "Allow ${GROUPNAME} to execute jobs on nodes"
for:
  job:
    - match:
        name: '.*'
      allow: [run]
  node:
    - match:
        nodename: '.*'
      allow: [run]
by:
  group: ${GROUPNAME}
```

```yaml
context:
  application: rundeck
description: "normal users will only have read permissions"
for:
  project:
    - match:
        name: '.*'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: ${GROUPNAME}

---

context:
  project: '.*'
description: "normal users will only have read permissions"
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  job:
    - match:
        name: '.*'
      allow: [read]
  node:
    - match:
        nodename: '.*'
      allow: [read,refresh]
by:
  group: ${GROUPNAME}
```
`rd-acl` is totally user-unfriendly… So you must first get familiar with it. Read the first paragraph of the `rd-acl` documentation page carefully.
Always test your ACL's before loading into production!!!
```shell
rd-acl create -c application -u '.*' -G project -D '*'
```

Test:

```shell
rd-acl test --file /etc/rundeck/rundeckusers.aclpolicy -c application -u mongui -G project -a create
```

Example:

```shell
rd-acl create -c project -p prod-sftp-config -u mongui -j '*' -a run
```

Test:

```shell
rd-acl test --file /etc/rundeck/rundeckusers.aclpolicy -c project -p prod-sftp-config -u mongui -j '*' -a run
```
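The following script ties the two halves of this page together: it renders the single-project read-only template above for a concrete project and AD group, refuses the result if any `allow:` list would grant `run` (the property the "no execution rights" note promises), and, when `rd-acl` is installed, validates the file and runs the project-context `run` test so the operator can read the verdict before the file is copied into `/etc/rundeck`. This is an added example, not part of the original page or of Rundeck's own tooling. The `rd-acl validate -f` form, the `-g` group option for `rd-acl test` (the page only shows `-u` for a user), the output file name and the group name `ops-readers` are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): render the page's read-only
# ACL template for one project and AD group, refuse it if it would grant
# 'run', and, when rd-acl is on the PATH, validate and test it before it
# is copied into /etc/rundeck.
set -eu

# The read-only policy template from the page (two YAML documents).
# The quoted heredoc keeps ${PROJECTNAME} / ${GROUPNAME} literal.
read_only_template() {
  cat <<'EOF'
context:
  application: rundeck
description: "normal users will only have read permissions"
for:
  project:
    - match:
        name: ${PROJECTNAME}
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: ${GROUPNAME}

---

context:
  project: ${PROJECTNAME}
description: "normal users will only have read permissions"
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  job:
    - match:
        name: '.*'
      allow: [read]
  node:
    - match:
        nodename: '.*'
      allow: [read,refresh]
by:
  group: ${GROUPNAME}
EOF
}

# render_policy PROJECT GROUP -> rendered policy on stdout
render_policy() {
  local project=$1 group=$2 p g
  # Escape '/' and '&', which are special on the right side of a sed s///.
  p=$(printf '%s' "$project" | sed 's/[\/&]/\\&/g')
  g=$(printf '%s' "$group" | sed 's/[\/&]/\\&/g')
  read_only_template | sed -e "s/[\$]{PROJECTNAME}/$p/g" -e "s/[\$]{GROUPNAME}/$g/g"
}

# grants_run FILE -> exit 0 if any allow: list in FILE contains the run action
grants_run() {
  grep -Eq 'allow:.*[^a-z]run[^a-z]' "$1"
}

# stage_policy PROJECT GROUP OUTFILE -> writes the rendered policy to OUTFILE
stage_policy() {
  local project=$1 group=$2 out=$3
  render_policy "$project" "$group" > "$out"
  if grants_run "$out"; then
    echo "refusing: read-only policy $out grants 'run'" >&2
    return 1
  fi
  if command -v rd-acl >/dev/null 2>&1; then
    # Assumed flags: 'validate -f' and 'test -g' (the page shows 'test -u').
    rd-acl validate -f "$out"
    # Show the operator the verdict for 'run' on every job of the project;
    # for a read-only group this is expected to be rejected.
    rd-acl test --file "$out" -c project -p "$project" -g "$group" -j '*' -a run || true
  fi
  echo "staged $out: copy it to /etc/rundeck/ and wait for the ACL refresh"
}

# Usage (constructed sample values): stage_policy prod-sftp-config ops-readers ./ops-readers.aclpolicy
```

Only the rendered file goes to `/etc/rundeck`; the script never writes there itself, so a refused or invalid policy cannot reach the live directory, and after the copy the refresh job's delay described at the top of the page still applies.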