rundeck PAM setup


lorenzo carleo

Apr 6, 2016, 10:18:12 AM
to rundeck-discuss
Hi guys,
any help on how to set up Rundeck with PAM?

I want to use the local users to authenticate to rundeck.

Sven Nebel

Apr 6, 2016, 10:55:59 AM
to rundeck-discuss
I never used it before, but there is a seemingly well-documented section in the Rundeck documentation about PAM authentication.

lorenzo carleo

Apr 7, 2016, 4:31:07 AM
to rundeck-discuss
Hi Sven,
the documentation is not very helpful. I'm struggling to set it up.

Sven Nebel

Apr 7, 2016, 4:38:01 AM
to rundeck-discuss
And what exactly are you doing? Could you paste the configuration that you are using? Any error?

Regards

lorenzo carleo

Apr 7, 2016, 5:51:05 AM
to rundeck-discuss
Thanks Sven

# /etc/rundeck/jaas-loginmodule.conf
RDpropertyfilelogin {
    org.rundeck.jaas.jetty.JettyPamLoginModule requisite
        debug="true"
        service="sshd"
        supplementalRoles="rundeck,readonly"
        storePass="true";

    org.eclipse.jetty.plus.jaas.spi.PropertyFileLoginModule required
        debug="true"
        useFirstPass="true"
        file="/etc/rundeck/realm.properties";
};

# cat  /var/log/rundeck/rundeck.access.log
[2016-04-07 11:43:26,841] "GET /user/error" 192.168.122.1 http admin form 10 ? [] (Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36)
[2016-04-07 11:45:10,690] "GET /user/error" 192.168.122.1 http admin form 30 ? [] (Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36)
[2016-04-07 11:46:39,891] "GET /user/error" 192.168.122.1 http admin form 6 ? [] (Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36)


# cat /etc/rundeck/realm.properties
#
# This file defines users passwords and roles for a HashUserRealm
#
# The format is
#  <username>: <password>[,<rolename> ...]
#
# Passwords may be clear text, obfuscated or checksummed.  The class
# org.mortbay.util.Password should be used to generate obfuscated
# passwords or password checksums
#
# If DIGEST Authentication is used, the password must be in a recoverable
# format, either plain text or OBF:.
#
#jetty: MD5:164c88b302622e17050af52c89945d44,user
#admin: CRYPT:ad1ks..kc.1Ug,server-administrator,content-administrator,admin
#other: OBF:1xmk1w261u9r1w1c1xmq
#plain: plain
#user: password
# This entry is for digest auth.  The credential is a MD5 hash of username:realmname:password
#digest: MD5:6e120743ad67abfbc385bc2bb754e297

#
# This sets the default user accounts for the Rundeck app
#
admin:admin,user,admin,architect,deploy,build
#@jetty.user.deploy.name@:@jetty.user.deploy.password@,user,deploy
#@jetty.user.build.name@:@jetty.user.build.password@,user,build




# cat /etc/rundeck/admin.aclpolicy

description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: admin

---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: admin

# cat /var/log/rundeck/service.log
Apr 07, 2016 11:45:08 AM org.rundeck.jaas.pam.AbstractPamLoginModule debug
INFO: PAM authentication trying (sshd) for: root
Apr 07, 2016 11:45:10 AM org.rundeck.jaas.pam.AbstractPamLoginModule debug
INFO: pam_authenticate failed : Authentication failure
org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
    at org.jvnet.libpam.PAM.check(PAM.java:106)
    at org.jvnet.libpam.PAM.authenticate(PAM.java:124)
    at org.rundeck.jaas.pam.AbstractPamLoginModule.authenticate(AbstractPamLoginModule.java:85)
    at org.rundeck.jaas.AbstractSharedLoginModule.login(AbstractSharedLoginModule.java:78)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
    at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:217)
    at org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:183)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1031)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:965)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
    at org.eclipse.jetty.server.Server.handle(Server.java:349)
    at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:449)
    at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:925)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:857)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:76)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:609)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:45)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:599)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:534)
    at java.lang.Thread.run(Thread.java:744)
2016-04-07 11:45:10.642:WARN:oejpj.JAASLoginService:
javax.security.auth.login.LoginException: Login Failure: all modules ignored
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:935)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
    at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:217)
    at org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:183)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1031)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:965)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
    at org.eclipse.jetty.server.Server.handle(Server.java:349)
    at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:449)
    at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:925)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:857)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:76)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:609)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:45)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:599)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:534)
    at java.lang.Thread.run(Thread.java:744)

Sven Nebel

Apr 7, 2016, 6:04:18 AM
to rundeck-discuss
Hi Lorenzo,
To clarify, do you want to authenticate using a local user created in realm.properties, or using local OS users?

The error you posted says authentication failure on the PAM module, is that user created correctly on the Operating System?

If what you really want is to authenticate using the local realm.properties file, you should use the following module instead:

Let me know,
Regards


lorenzo carleo

Apr 7, 2016, 6:10:08 AM
to rundeck-discuss
Sorry, I had a passwd issue on the user rundeck.

Now I get this error on the web page:

HTTP ERROR 403

Problem accessing /menu/home. Reason:

    !role


[root@rundeck ~]# tail -f /var/log/rundeck/service.log

at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:76)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:609)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:45)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:599)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:534)
at java.lang.Thread.run(Thread.java:744)
Apr 07, 2016 12:06:40 PM org.rundeck.jaas.pam.AbstractPamLoginModule debug
INFO: PAM authentication trying (sshd) for: rundeck
Apr 07, 2016 12:06:40 PM org.rundeck.jaas.pam.AbstractPamLoginModule debug
INFO: PAM authentication succeeded for: rundeck
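The two service.log excerpts in this thread show what the JettyPamLoginModule writes when `debug="true"` is set: a "trying" line for each login attempt, followed by either a "succeeded" line or a `pam_authenticate failed` line. As an added example (not code from the thread or from Rundeck), here is a small Python correlator that pairs each attempt with its outcome so that failed PAM logins, including the one for `root` posted above, can be counted per user from the log alone. The log text below is constructed and modelled on the posted lines; the line formats matched are exactly those visible in this thread and nothing else is assumed.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the service.log lines posted in this thread.
SERVICE_LOG = """\
Apr 07, 2016 11:45:08 AM org.rundeck.jaas.pam.AbstractPamLoginModule debug
INFO: PAM authentication trying (sshd) for: root
Apr 07, 2016 11:45:10 AM org.rundeck.jaas.pam.AbstractPamLoginModule debug
INFO: pam_authenticate failed : Authentication failure
org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
    at org.jvnet.libpam.PAM.check(PAM.java:106)
Apr 07, 2016 12:06:40 PM org.rundeck.jaas.pam.AbstractPamLoginModule debug
INFO: PAM authentication trying (sshd) for: rundeck
Apr 07, 2016 12:06:40 PM org.rundeck.jaas.pam.AbstractPamLoginModule debug
INFO: PAM authentication succeeded for: rundeck
"""

# Line shapes taken from the thread's own log excerpts.
TIMESTAMP = re.compile(r'^([A-Z][a-z]{2} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) ')
TRYING = re.compile(r'^INFO: PAM authentication trying \((\w+)\) for: (\S+)$')
SUCCEEDED = re.compile(r'^INFO: PAM authentication succeeded for: (\S+)$')
FAILED = re.compile(r'^INFO: pam_authenticate failed : (.+)$')


def summarize_pam_attempts(log_text):
    """Pair each 'trying' line with the next succeeded/failed line and return
    a list of (timestamp, pam_service, user, outcome) tuples.
    The timestamp is the one logged just before the 'trying' line."""
    attempts = []
    pending = None   # (timestamp, service, user) awaiting its outcome
    last_ts = None
    for line in log_text.splitlines():
        m = TIMESTAMP.match(line)
        if m:
            last_ts = m.group(1)
            continue
        m = TRYING.match(line)
        if m:
            pending = (last_ts, m.group(1), m.group(2))
            continue
        m = SUCCEEDED.match(line)
        if m and pending and pending[2] == m.group(1):
            attempts.append(pending + ('success',))
            pending = None
            continue
        m = FAILED.match(line)
        if m and pending:
            attempts.append(pending + ('failure: ' + m.group(1),))
            pending = None
    return attempts


def failures_by_user(attempts):
    """Count failed attempts per user, the figure you would alert on."""
    counts = defaultdict(int)
    for _, _, user, outcome in attempts:
        if outcome != 'success':
            counts[user] += 1
    return dict(counts)
```

Running `summarize_pam_attempts(SERVICE_LOG)` on the sample yields one failure for `root` and one success for `rundeck`; the stack-trace lines are ignored because only the `INFO:` lines carry the outcome.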


Sven Nebel

Apr 7, 2016, 6:15:28 AM
to rundeck-discuss
Cool, we're moving forward. The 403 is a well-known issue: basically you have to configure a general role which is allowed to log in to Rundeck within the web.xml file.

Regards

lorenzo carleo

Apr 7, 2016, 6:28:18 AM
to rundeck-discuss
:) cool

now I have


You have no authorized access to projects.

Contact your administrator. (User roles: rundeck, readonly)

Sven Nebel

Apr 7, 2016, 6:33:18 AM
to rundeck-discuss
Well, now you have to play with your aclpolicy files in order to get authorization to do whatever you want to do. Try adding the admin role to the user you're using to log in, try replacing "group: admin" in your admin.aclpolicy file with "user: admin", and so on...

Good luck!

lorenzo carleo

Apr 7, 2016, 6:46:44 AM
to rundeck-discuss
Thanks a lot for your time. Thank you so much! ;)

lorenzo carleo

Apr 7, 2016, 9:01:32 AM
to rundeck-discuss
Hi there,

I've tried to configure user and readonly,

but still the same error:
========================================================================================

You have no authorized access to projects.

Contact your administrator. (User roles: readonly, user)

========================================================================================

# cat /etc/rundeck/realm.properties
admin:admin,user,admin,architect,deploy,build
rundeck: user, readonly


# cat /var/lib/rundeck/exp/webapp/WEB-INF/web.xml
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
    <security-role>
        <role-name>readonly</role-name>
    </security-role>




cat /etc/rundeck/admin.aclpolicy
description: Admin project level access control. Applies to resources within a specific project.

context:
  project: '.*' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [create] # allow create jobs
    - equals:
        kind: node
      allow: [read,create,update,refresh] # allow refresh node sources
    - equals:
        kind: event
      allow: [read,create] # allow read/create events
  adhoc:
    - allow: [read,run,runAs,kill,killAs] # allow running/killing adhoc jobs
  job:
    - allow: [create,read,update,delete,run,runAs,kill,killAs] # allow create/read/write/delete/run/kill of all jobs
  node:
    - allow: [read,run] # allow read/run for nodes
by:
  group: admin

---

description: Admin Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.

context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [create] # allow create of projects
    - equals:
        kind: system
      allow: [read,enable_executions,disable_executions,admin] # allow read of system info, enable/disable all executions
    - equals:
        kind: system_acl
      allow: [read,create,update,delete,admin] # allow modifying system ACL files
    - equals:
        kind: user
      allow: [admin] # allow modify user profiles
  project:
    - match:
        name: '.*'
      allow: [read,import,export,configure,delete,admin] # allow full access of all projects or use 'admin'
  project_acl:
    - match:
        name: '.*'
      allow: [read,create,update,delete,admin] # allow modifying project-specific ACL files
  storage:
    - allow: [read,create,update,delete] # allow access for /ssh-key/* storage content

by:
  group: admin

---

description: "Normal users will only have read permissions"
context:
  project: .*
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'adhoc'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  job:
    - match:
        name: '.*'
      allow: [read]
  adhoc:
    - match:
        name: '.*'
      allow: [read]
  node:
    - match:
        nodename: '.*'
      allow: [read,refresh]
by:
  group: user

---

context:
  application: rundeck
description: "Normal users will only have read permissions"
for:
  project:
    - match:
        name: '.*'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: user

---

description: "Normal users will only have read permissions"
context:
  project: .*
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'adhoc'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  job:
    - match:
        name: '.*'
      allow: [read]
  adhoc:
    - match:
        name: '.*'
      allow: [read]
  node:
    - match:
        nodename: '.*'
      allow: [read,refresh]
by:
  group: readonly

---

context:
  application: rundeck
description: "Ops Engineers can read jobs but not launch them"
for:
  project:
    - match:
        name: '.*'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: readonly
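The two errors in this thread come from two different layers: the HTTP 403 `!role` comes from Jetty when none of the user's roles is declared in web.xml (Sven's point above), and "You have no authorized access to projects" comes from Rundeck's aclpolicy evaluation. As an added example (not code from the thread or from Rundeck itself), here is a Python checker that reads constructed versions of the three files posted above and reports, per user, which of the two conditions would bite. It follows the `<username>: <password>[,<rolename> ...]` format from the realm.properties header, collects `<role-name>` entries from web.xml, and scans aclpolicy documents with a deliberately minimal regex pass over the subset of syntax used in this thread (context kind, `by: group:`, and whether `for: project:` allows `read`, `admin` or `'*'`); that last rule is my reading of the comments in the posted aclpolicy files, not Rundeck's documented evaluation order. All file contents below are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the files posted in this thread (not the poster's real files).
REALM_PROPERTIES = """\
admin:admin,user,admin,architect,deploy,build
ops: ops-password,readonly
build: build-password,build
"""

WEB_XML = """\
<web-app>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>readonly</role-name></security-role>
</web-app>
"""

ACL_POLICY = """\
context:
  application: 'rundeck'
for:
  project:
    - allow: '*' # allow view/admin of all projects
by:
  group: admin
---
context:
  project: .*
for:
  job:
    - allow: [read]
by:
  group: user
---
context:
  application: rundeck
for:
  project:
    - match:
        name: '.*'
      allow: [read]
by:
  group: readonly
"""


def parse_realm(text):
    """username -> roles, per the header format <username>: <password>[,<rolename> ...].
    The first comma-separated field after the colon is the credential, the rest are roles."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        name, _, rest = line.partition(':')
        fields = [f.strip() for f in rest.split(',')]
        users[name.strip()] = [r for r in fields[1:] if r]
    return users


def parse_web_xml_roles(text):
    """Every <role-name> declared in web.xml: the roles Jetty will accept at login."""
    return {el.text.strip() for el in ET.fromstring(text).iter('role-name')}


def parse_aclpolicy(text):
    """Per YAML document: context kind, groups under 'by:', and whether the
    'for: project:' section allows read/admin/'*'. Regex scan, not a YAML parser."""
    docs = []
    for raw in re.split(r'^---[ \t]*$', text, flags=re.M):
        if not raw.strip():
            continue
        context = 'application' if re.search(r'^\s+application:', raw, re.M) else 'project'
        groups = re.findall(r'^\s+group:\s*(\S+)', raw, re.M)
        project_read = False
        lines = raw.splitlines()
        for i, line in enumerate(lines):
            if not re.match(r'^ {2}project:', line):
                continue
            for follow in lines[i + 1:]:
                if follow.strip() and len(follow) - len(follow.lstrip()) <= 2:
                    break  # left the 'project:' section (or it was the context key)
                m = re.search(r"allow:\s*\[?([^\]#]*)", follow)
                if m and any(a.strip().strip("'\"") in ('read', 'admin', '*')
                             for a in m.group(1).split(',')):
                    project_read = True
        docs.append({'context': context, 'groups': groups, 'project_read': project_read})
    return docs


def check_user(username, realm_text, web_xml_text, acl_text):
    """Findings for the two failure modes seen in the thread; [] means both checks pass."""
    roles = parse_realm(realm_text).get(username)
    if roles is None:
        return [f'{username}: no entry in realm.properties']
    findings = []
    if not set(roles) & parse_web_xml_roles(web_xml_text):
        findings.append(f'{username}: none of {roles} is a <security-role> in web.xml -> expect HTTP 403 !role')
    covered = any(d['context'] == 'application' and d['project_read'] and set(d['groups']) & set(roles)
                  for d in parse_aclpolicy(acl_text))
    if not covered:
        findings.append(f'{username}: no application-context aclpolicy grants project read to {roles} '
                        f'-> expect "You have no authorized access to projects"')
    return findings
```

Calling `check_user('build', REALM_PROPERTIES, WEB_XML, ACL_POLICY)` returns both findings, since the `build` role is neither declared in the sample web.xml nor named by any application-context policy, while `admin` and `ops` return an empty list. Note that the project-context document for group `user` does not count towards project visibility, which mirrors the situation in the last post above, where the `user`/`readonly` groups only gain it from the separate application-context documents.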