Creating ACLs on rundeck

| Documentation | |
|---|---|
| Name: | Creating ACLs on rundeck |
| Description: | Creating ACLs on rundeck |
| Modification date: | 10/10/2019 |
| Owner: | dodger |
| Notify changes to: | dodger & zumi |
| Tags: | proftpd, rundeck |
| Escalate to: | Thefuckingbofh |
Official documentation
Initial concepts
- By default everything is DENIED.
- Anything that is not explicitly allowed by a policy is REJECTED (the log shows `REJECTED_NO_SUBJECT_OR_ENV_FOUND`).
- Rundeck permissions are extremely granular; take care!
Rundeck reloads its ACL policies on a periodic refresh, so a new ACL file created on the filesystem takes a few minutes to be picked up by the application. Until then it has no effect.
Basic rules
Variables to be replaced:
- ${PROJECTNAME}: the name of the project in rundeck
- ${GROUPNAME}: the name of the group in the AD
Allow a domain group to access a project
This does not grant execution!
```yaml
context:
  application: rundeck
description: "normal users will only have read permissions"
for:
  project:
    - match:
        name: ${PROJECTNAME}
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: ${GROUPNAME}
---
context:
  project: ${PROJECTNAME}
description: "normal users will only have read permissions"
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  job:
    - match:
        name: '.*'
      allow: [read]
  node:
    - match:
        nodename: '.*'
      allow: [read,refresh]
by:
  group: ${GROUPNAME}
```
Allow a domain group to execute jobs from a project
```yaml
context:
  project: '.*'
description: "Allow ${GROUPNAME} to execute jobs on nodes"
for:
  job:
    - match:
        name: '.*'
      allow: [run]
  node:
    - match:
        nodename: '.*'
      allow: [run]
by:
  group: ${GROUPNAME}
```
Create a readonly group (on all projects)
```yaml
context:
  application: rundeck
description: "normal users will only have read permissions"
for:
  project:
    - match:
        name: '.*'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: ${GROUPNAME}
---
context:
  project: '.*'
description: "normal users will only have read permissions"
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  job:
    - match:
        name: '.*'
      allow: [read]
  node:
    - match:
        nodename: '.*'
      allow: [read,refresh]
by:
  group: ${GROUPNAME}
```
Using rd-acl
rd-acl is not user-friendly at all, so get familiar with it first.
Read the first paragraph of the rd-acl documentation page carefully.
Always test your ACLs before loading them into production!
Creating ACL
Deny creation of projects to ALL users
```bash
# prints the generated policy YAML to stdout; add it to your aclpolicy file
rd-acl create -c application -u '.*' -G project -D '*'
```
Test:
```bash
rd-acl test --file /etc/rundeck/rundeckusers.aclpolicy -c application -u mongui -G project -a create
```
Allow a user to run jobs on a project
Example:
```bash
rd-acl create -c project -p prod-sftp-config -u mongui -j '*' -a run
```
Test:
```bash
rd-acl test --file /etc/rundeck/rundeckusers.aclpolicy -c project -p prod-sftp-config -u mongui -j '*' -a run
```
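As an added illustration (not part of this page and not Rundeck's or rd-acl's own code), a small Python evaluator that applies the default-deny and deny-wins rules from the initial concepts above to policy documents shaped like the ones on this page, so a set of expectations can be checked offline before running `rd-acl test` against the real file. The POLICIES set, the group names rd-readers and rd-operators, and the reason labels are constructed for this example; real Rundeck reports its own REJECTED_* codes.

```python
import re

# Constructed policy set modelled on this page's documents, as the dicts that
# yaml.safe_load_all() would return; group names are placeholders.
POLICIES = [
    {"context": {"application": "rundeck"},        # page: rd-acl ... -G project -D '*'
     "for": {"project": [{"match": {"name": ".*"}, "deny": ["*"]}]},
     "by": {"username": ".*"}},
    {"context": {"project": "prod-sftp-config"},   # read-only group, one project
     "for": {"job": [{"match": {"name": ".*"}, "allow": ["read"]}],
             "node": [{"match": {"nodename": ".*"}, "allow": ["read", "refresh"]}]},
     "by": {"group": "rd-readers"}},
    {"context": {"project": ".*"},                 # execute jobs on every project
     "for": {"job": [{"match": {"name": ".*"}, "allow": ["run"]}]},
     "by": {"group": "rd-operators"}},
]

def _subject_matches(by, user, groups):
    if "username" in by and re.fullmatch(by["username"], user):
        return True
    return by.get("group") in groups

def _context_matches(ctx, project):
    if "application" in ctx:            # application-level document
        return project is None
    return project is not None and re.fullmatch(ctx["project"], project) is not None

def _rule_matches(rule, attrs):
    # 'match' values are regexes, 'equals' values are exact comparisons
    return (all(re.fullmatch(p, attrs.get(k, "")) for k, p in rule.get("match", {}).items())
            and all(attrs.get(k) == v for k, v in rule.get("equals", {}).items()))

def _lists(actions, action):
    return action in actions or "*" in actions

def evaluate(policies, user, groups, project, rtype, attrs, action):
    """Default deny: an explicit allow is required and any explicit deny wins;
    'REJECTED' stands in for Rundeck's REJECTED_* reason codes."""
    granted = False
    for pol in policies:
        if not (_subject_matches(pol["by"], user, groups)
                and _context_matches(pol["context"], project)):
            continue
        for rule in pol["for"].get(rtype, []):
            if not _rule_matches(rule, attrs):
                continue
            if _lists(rule.get("deny", []), action):
                return "REJECTED_DENIED"
            if _lists(rule.get("allow", []), action):
                granted = True
    return "GRANTED" if granted else "REJECTED"
```

Pass `project=None` to evaluate an application-context request such as project creation.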
linux/rundeck/creating_acls.txt · Last modified: 2022/02/11 11:36 by 127.0.0.1