ACL for disable schedule and execution


Tom De Blende

Feb 18, 2016, 9:53:26 AM
to rundeck-discuss
For a few months now it has been possible to Disable Schedule and Disable Execution for jobs. One can simply click the down arrow next to the job name and select the options.

I want one user to be able to do that: disable scheduled jobs. He already has the option to run jobs et cetera. What ACL does he need to achieve this?

This is what he currently has:

---

description: "x can launch jobs but not edit them"
context:
  application: rundeck
for:
  project:
    - match:
        name: 'Manage_EC2_Nodes'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: x

---

description: "x can launch jobs but not edit them"
context:
  project: 'Manage_EC2_Nodes'
for:
  resource:
    - equals:
        kind: 'job'
      allow: [read,run,kill]
    - equals:
        kind: 'adhoc'
      allow: [read,run,kill]
    - equals:
        kind: 'event'
      allow: [read,create]
  job:
    - match:
        name: '.*'
      allow: [read,run,kill]
  adhoc:
    - match:
        name: '.*'
      allow: [read,run,kill]
  node:
    - match:
        nodename: '.*'
      allow: [read,run,refresh]
by:
  group: x

I did some testing with trial and error, which is tedious as the daemon needs to get restarted each time, and I have noticed some inconsistencies in the GUI as well. So it's better just to ask what is required.

Alex Honor

Feb 18, 2016, 10:40:58 AM
to rundeck...@googlegroups.com
Hi Tom,

Here's a policy I generated using the rd-acl command:

🍔  rd-acl create -c project -p Manage_EC2_Nodes -g x -j g1/myjob -a toggle_schedule

---
by:
  group: x
context:
  project: Manage_EC2_Nodes
for:
  job:
  - allow: toggle_schedule
    equals:
      name: myjob
      group: g1
description: generated



--

Alex Honor

[SimplifyOps, Inc | a...@simplifyops.com ]

Be sure to comment and vote on Rundeck Feature Development!
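
Alex's generated policy above covers one job and one action. As an added example (not from the thread or the Rundeck project), here is the same grant folded into Tom's project-level policy for every job, assuming the companion `toggle_execution` action is wanted as well; Tom's final message in this thread reports that on his installation the toggle did not take effect until `update` was also allowed.

```yaml
# Added example, not part of the original thread.
# Group, project and the read/run/kill actions come from Tom's policy;
# applying the toggles to all jobs and including toggle_execution are assumptions.
description: "x can launch jobs and toggle schedule/execution, but not edit them"
context:
  project: 'Manage_EC2_Nodes'
for:
  job:
    - match:
        name: '.*'
      # 'update' is deliberately left out: granting it lets the user edit the job
      allow: [read,run,kill,toggle_schedule,toggle_execution]
by:
  group: x
```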

Tom De Blende

Feb 18, 2016, 11:44:41 AM
to rundeck-discuss
Perfect! Will try that out tomorrow at work. I didn't know this could be done. Is it documented somewhere?

Tom De Blende

Feb 18, 2016, 11:58:49 AM
to rundeck...@googlegroups.com
Skip that, just tried it and got it to work. I read here that the documentation is missing:


That's why I didn't find it. I was looking here:


But there is no mention of these toggles.

Thanks again!


Tom De Blende

Feb 18, 2016, 12:16:32 PM
to rundeck...@googlegroups.com
OK, despite the toggles indeed being visible, the user is not able to use it. You can press the toggle, the page will refresh, but still show the previous toggle state. 

I could solve this by adding the update right to the user. But then he can edit the job, which is what I would like to avoid. Is there any way around this?