Cannot create Webhook : Failed to create AuthToken


Xavier Humbert

Apr 29, 2021, 7:34:32 AM
to rundeck...@googlegroups.com

Hi,

It's me again :-)

Today, one of my users tried to create a Webhook. I granted access to those with the following ACL (probably some redundancies):

description: Allow group project-admins to list project PROJECT
context:
  application: 'rundeck'
for:
  project:
  - allow: read
    match:
      name: 'PROJECT'
by:
  group: project-admins
---
description: Global project admin permissions to role
context:
  project: 'PROJECT'
for:
  resource:
  - equals:
      kind: job
    allow: '*'
  - equals:
      kind: node
    allow: '*'
  - equals:
      kind: event
    allow: '*'
  - equals:
      kind: webhook
    allow: [read,create,update]
  - equals:
      kind: apitoken
    allow: [generate_user_token]
  adhoc:
    - allow: '*'
  job:
    - allow: '*'
  node:
    - allow: '*'
  project:
    - allow: '*'
by:
  group: project-admins
---
description: project-admins application scope permissions
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: '*'
    - equals:
        kind: webhook
      allow: [read,create,update]
    - equals:
        kind: apitoken
      allow: [generate_user_token]
  storage:
    - equals:
        name: 'keys'
        path: 'keys'
      allow: [read]
    - match:
        path: 'keys/PROJECT'
      allow: [read,create,update,delete]
    - match:
        path: 'keys/PROJECT.*'
      allow: [read,create,update,delete]
  project:
    - match:
        name: 'PROJECT'
      allow: '*'
by:
  group: project-admins

My user is able to go to Webhooks -> create Job Webhook, select a job, then clicking Create, he gets:

Failed to save! Failed to create associated Auth Token: Unauthorized: generate API token
Everything seems correct, especially:
  resource:
    - equals:
        kind: apitoken
      allow: [generate_user_token]
Any idea?

Many thanks in advance,

Cheers

Xavier

-- 
Xavier Humbert
CRT Supervision et Exploitation de Niveau 1
Rectorat de Nancy-Metz
03 83 86 27 39

Xavier Humbert

Apr 29, 2021, 7:46:31 AM
to rundeck...@googlegroups.com

Precision: nothing appears in rundeck.audit.log nor in any logfile.

Xavier


rac...@rundeck.com

Apr 29, 2021, 10:43:59 AM
to rundeck-discuss

Hi Xavier,

I tested with the following ACL and it works; could you try it? It seems that the first block causes some conflict with the third one.

description: project.
context:
  project: 'PROJECT'
for:
  resource:
  - equals:
      kind: job
    allow: '*'
  - equals:
      kind: node
    allow: '*'
  - equals:
      kind: event
    allow: '*'
  - equals:
      kind: webhook
    allow: [read,create,update]
  - equals:
      kind: apitoken
    allow: [generate_user_token]
  adhoc:
    - allow: '*'
  job:
    - allow: '*'
  node:
    - allow: '*'
  project:
    - allow: '*'
by:
  group: project-admins

---

description: app
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: '*'
    - equals:
        kind: webhook
      allow: [read,create,update]
    - equals:
        kind: apitoken
      allow: [generate_user_token]
  storage:
    - equals:
        name: 'keys'
        path: 'keys'
      allow: [read]
    - match:
        path: 'keys/PROJECT'
      allow: [read,create,update,delete]
    - match:
        path: 'keys/PROJECT.*'
      allow: [read,create,update,delete]
  project:
    - match:
        name: 'PROJECT'
      allow: '*'
by:
  group: project-admins

Regards!
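
Added example, not part of the thread and not Rundeck's own code: a Ruby script (standard library only) that splits a multi-document aclpolicy like the ones posted above and lists, per document, the context, group and allowed actions for one resource kind, so it is easy to see which documents grant `generate_user_token` on `apitoken` and in which scope. The helper name `grants_for_kind` and the trimmed sample policy are constructed for illustration.

```ruby
require 'yaml'

# Constructed sample, trimmed from the policies posted in this thread.
SAMPLE_POLICY = <<~POLICY
  description: project scope
  context:
    project: 'PROJECT'
  for:
    resource:
    - equals:
        kind: webhook
      allow: [read,create,update]
    - equals:
        kind: apitoken
      allow: [generate_user_token]
  by:
    group: project-admins
  ---
  description: application scope
  context:
    application: 'rundeck'
  for:
    resource:
      - equals:
          kind: apitoken
        allow: [generate_user_token]
  by:
    group: project-admins
POLICY

# Hypothetical helper: return every `equals: kind` allow rule for `kind`,
# one entry per matching rule, tagged with its document's context and group.
def grants_for_kind(policy_text, kind)
  YAML.load_stream(policy_text).compact.flat_map do |doc|
    scope, name = (doc['context'] || {}).first   # e.g. "project", "PROJECT"
    rules = Array(doc.dig('for', 'resource'))    # generic resource rules only
    rules.select { |r| r.dig('equals', 'kind') == kind }.map do |r|
      { description: doc['description'],
        context: "#{scope}:#{name}",
        groups: Array(doc.dig('by', 'group')),
        allow: Array(r['allow']) }               # '*' or a list of actions
    end
  end
end

grants_for_kind(SAMPLE_POLICY, 'apitoken').each { |g| puts g } if __FILE__ == $PROGRAM_NAME
```

To audit a real policy, pass the contents of the `.aclpolicy` file as `policy_text`.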
