
Creating ACL's on rundeck

Documentation
Name: Creating ACL's on rundeck
Description: Creating ACL's on rundeck
Modification date : 10/10/2019
Owner: dodger
Notify changes to: dodger & zumi
Tags: proftpd, rundeck
Escalate to: The_fucking_bofh

Official documentation

Initial concepts

  • By default everything is DENIED.
  • So everything that is not specified in a whitelist is REJECTED (REJECTED_NO_SUBJECT_OR_ENV_FOUND).
  • Rundeck permissions are extremely granular (context, resource type, per-resource rule, per-action allow list), so take care!

Rundeck reloads ACL files with a periodic refresh job, so after you create a new ACL on the filesystem it takes some minutes before the application picks it up; in the meantime the new policy has no effect!

Basic rules

Variables to be replaced:

  • ${PROJECTNAME} : the name of the project in rundeck
  • ${GROUPNAME} : the name of the Group in the AD

Allow a domain group to access a project

This does not grant execution! The group only gets read access to the project and its nodes, jobs and events.

context:
  application: rundeck
description: "normal users will only have read permissions"
for:
  project:
    - match:
        name: ${PROJECTNAME}
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: ${GROUPNAME}
 
---

context:
  project: ${PROJECTNAME}
description: "normal users will only have read permissions"
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  job:
    - match:
        name: '.*'
      allow: [read]
  node:
    - match:
        nodename: '.*'
      allow: [read,refresh]
by:
  group: ${GROUPNAME}

Allow a domain group to execute jobs from a project

context:
  project: '.*'
description: "Allow ${GROUPNAME} to execute jobs on nodes"
for:
  job:
    - match:
        name: '.*'
      allow: [run]
  node:
    - match:
        nodename: '.*'
      allow: [run]
by:
  group: ${GROUPNAME}

Create a readonly group (on all projects)

context:
  application: rundeck
description: "normal users will only have read permissions"
for:
  project:
    - match:
        name: '.*'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: ${GROUPNAME}
 
---

context:
  project: '.*'
description: "normal users will only have read permissions"
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  job:
    - match:
        name: '.*'
      allow: [read]
  node:
    - match:
        nodename: '.*'
      allow: [read,refresh]
by:
  group: ${GROUPNAME}
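To make the "everything is DENIED unless whitelisted" rule from the initial concepts concrete, here is a small Python model of how the policies above are evaluated. It is an added example, not Rundeck's own evaluator, and it covers only the subset of the policy language used on this page (`context` with `application`/`project`, `for` sections with `match` and `equals` rules, `allow` lists, `by: group`); deny rules and other subject types are left out, so it is an aid to understanding, not a replacement for `rd-acl test`. The group names `sftp-readers` and `sftp-operators` are placeholders standing in for `${GROUPNAME}`, and `prod-sftp-config` is the example project name already used on the page. One caveat the model also illustrates: `match` compares with a regular expression, so a project name substituted into `name: ${PROJECTNAME}` should contain no regex metacharacters (a `.` in the name would match other projects too); the example escapes it, and `equals` is the literal alternative.

```python
"""Simplified model of Rundeck aclpolicy evaluation (added example; not Rundeck's code).

Assumptions: only the policy subset used on this page is modelled; `application`
context is compared literally, `project` context and `match` values are regular
expressions (the page's policies use '.*' for them), `equals` values are literal.
"""
import re

# Constructed policies equivalent to the page's "access a project" and
# "execute jobs" examples, with placeholder group names.
POLICIES = [
    {"context": {"application": "rundeck"},
     "for": {"project": [{"match": {"name": re.escape("prod-sftp-config")},
                          "allow": ["read"]}],
             "system": [{"match": {"name": ".*"}, "allow": ["read"]}]},
     "by": {"group": "sftp-readers"}},
    {"context": {"project": re.escape("prod-sftp-config")},
     "for": {"resource": [{"equals": {"kind": "node"}, "allow": ["read", "refresh"]},
                          {"equals": {"kind": "job"}, "allow": ["read"]},
                          {"equals": {"kind": "event"}, "allow": ["read"]}],
             "job": [{"match": {"name": ".*"}, "allow": ["read"]}],
             "node": [{"match": {"nodename": ".*"}, "allow": ["read", "refresh"]}]},
     "by": {"group": "sftp-readers"}},
    {"context": {"project": ".*"},
     "for": {"job": [{"match": {"name": ".*"}, "allow": ["run"]}],
             "node": [{"match": {"nodename": ".*"}, "allow": ["run"]}]},
     "by": {"group": "sftp-operators"}},
]


def _context_applies(policy_ctx, request_ctx):
    """A policy is considered only when its context matches the request's."""
    if "application" in policy_ctx:
        return request_ctx.get("application") == policy_ctx["application"]
    if "project" in policy_ctx and "project" in request_ctx:
        return re.fullmatch(policy_ctx["project"], request_ctx["project"]) is not None
    return False


def _rule_matches(rule, resource):
    """`equals` compares literally; every `match` value is a full-match regex."""
    for key, value in rule.get("equals", {}).items():
        if resource.get(key) != value:
            return False
    for key, pattern in rule.get("match", {}).items():
        if re.fullmatch(pattern, str(resource.get(key, ""))) is None:
            return False
    return True


def evaluate(policies, request_ctx, resource_type, resource, action, groups):
    """Return (allowed, reason). Nothing is allowed unless some policy for one of
    the subject's groups, in the right context, lists the action in `allow`."""
    subject_or_env_found = False
    for policy in policies:
        if policy["by"].get("group") not in groups:
            continue
        if not _context_applies(policy["context"], request_ctx):
            continue
        subject_or_env_found = True
        for rule in policy["for"].get(resource_type, []):
            if _rule_matches(rule, resource) and action in rule.get("allow", []):
                return True, "ALLOWED: %s %s by group %s" % (
                    action, resource_type, policy["by"]["group"])
    if not subject_or_env_found:
        # Same outcome the page describes for an unmatched subject/context.
        return False, "REJECTED_NO_SUBJECT_OR_ENV_FOUND"
    return False, "REJECTED: no allow rule matched %s on %s" % (action, resource_type)


if __name__ == "__main__":
    proj = {"project": "prod-sftp-config"}
    print(evaluate(POLICIES, {"application": "rundeck"}, "project",
                   {"name": "prod-sftp-config"}, "read", ["sftp-readers"]))
    print(evaluate(POLICIES, proj, "job", {"name": "deploy"}, "run", ["sftp-readers"]))
    print(evaluate(POLICIES, proj, "job", {"name": "deploy"}, "run", ["sftp-operators"]))
    print(evaluate(POLICIES, proj, "job", {"name": "deploy"}, "read", ["developers"]))
```

Running it shows the readers group reading the project but being rejected for `run`, the operators group allowed to run, and a group no policy names rejected with REJECTED_NO_SUBJECT_OR_ENV_FOUND. Note that the operators policy alone does not let that group see the project at all, which is why the page pairs it with the read policy.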

Using rd-acl

rd-acl is not user-friendly at all, so get familiar with it before relying on it.

Read the first paragraph of the rd-acl documentation page carefully.

Always test your ACL's before loading into production!!!

Creating ACL

Deny Creation of projects to ALL

rd-acl create -c application -u '.*' -G project -D '*'

Test:

rd-acl test --file /etc/rundeck/rundeckusers.aclpolicy -c application -u mongui -G project -a create

Allow user to run jobs on project

Example:

rd-acl create -c project -p prod-sftp-config -u mongui -j '*' -a run

Test:

rd-acl test --file /etc/rundeck/rundeckusers.aclpolicy -c project -p prod-sftp-config -u mongui -j '*' -a run
linux/rundeck/creating_acls.txt · Last modified: 2022/02/11 11:36 by 127.0.0.1