acl policy issues


Andrew Meyer

Jul 1, 2024, 12:11:49 PM
to rundeck-discuss
I am having issues with my ACL that I created.

I have 1 user (so far) who is trying to run a few jobs under a specific project.  We have been able to get them access to some of those jobs, but I'm seeing rejected runs on the others.  I have checked the group assignments and they are correct.

We are using AD groups for this.

How are acl policies decided?

rac...@rundeck.com

Jul 1, 2024, 12:15:50 PM
to rundeck-discuss
Hi Andrew,

Could you elaborate? Can you share the ACL definition for that user? Which jobs (or projects) are accessible for that user, and which jobs are rejected? Any example?

Regards.

Andrew Meyer

Jul 1, 2024, 12:23:37 PM
to rundeck-discuss
There are a lot of jobs.  But I will focus on the ones we are working on.  These are the 3 we are having issues with.  It seems this user is getting stopped by the first ACL for some of the jobs but others he is not.


description: .* project level access control
context:
  project: '.*' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [read] # read-only on job resources (no create/delete)
    - equals:
        kind: node
      allow: [read] # read node sources only (no refresh)
    - equals:
        kind: event
      allow: [read] # read events only (no create)
  adhoc:
    - allow: [disable_executions] # disable adhoc jobs
  job:
    - allow: [read] # view all jobs only; no run/kill
  node:
    - allow: [read] # read all nodes; no run
by:
  group: AD_Group_RundeckUsers

---

description: API Application level access control
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: system
      allow: [read,enable_executions] # allow read of system info
  project:
    - match:
        name: '.*'
      allow: [read] # allow view of all projects
by:
  group:  AD_Group_RundeckUsers

---

description: Group project level access control
context:
  project: 'Group' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [read] # read-only on job resources (no create/delete)
    - equals:
        kind: node
      allow: [read,refresh] # read and refresh node sources
    - equals:
        kind: event
      allow: [read,create] # read/create events
  adhoc:
    - allow: [disable_executions] # disable adhoc jobs
  job:
    - allow: [read,run,kill] # read/run/kill all jobs in this project (no create/write/delete)
  node:
    - allow: [read,run] # read/run for all nodes
by:
  group: G_Group2

---

description: API Application level access control
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: system
      allow: [read,enable_executions] # allow read of system info
  project:
    - match:
        name: 'Project2'
      allow: [read] # allow view of the Project2 project only
by:
  group: G_Group2

---
description: Group_key
by:
  group: G_Group2
for:
  storage:
    - match:
        path: 'keys/PDI/.*'
      allow: [read]
    - equals:
        path: 'keys/PDI/svc_group_passwd'
      allow: [read,create,update,delete]
context:
  application: rundeck

---

description: project level access control
context:
  project: '' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [read] # read-only on job resources (no create/delete)
    - equals:
        kind: node
      allow: [read,refresh] # read and refresh node sources
    - equals:
        kind: event
      allow: [read,create] # read/create events
  adhoc:
    - allow: [disable_executions] # disable adhoc jobs
  job:
    - allow: [read,run,kill] # read/run/kill all jobs in this project (no create/write/delete)
  node:
    - allow: [read,run] # read/run for all nodes
by:
  group: AD_Group

---

description: API Application level access control
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: system
      allow: [read,enable_executions] # allow read of system info
  project:
    - match:
        name: 'MDM'
      allow: [read] # allow view of the MDM project only
by:
  group: AD_Group

---
description: MDM project level access control
context:
  project: 'DBA' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [read] # read-only on job resources (no create/delete)
    - equals:
        kind: node
      allow: [read,refresh] # read and refresh node sources
    - equals:
        kind: event
      allow: [read,create] # read/create events
  adhoc:
    - allow: [disable_executions] # disable adhoc jobs
  job:
    - allow: [read,run,kill] # read/run/kill all jobs in this project (no create/write/delete)
  node:
    - allow: [read,run] # read/run for all nodes
by:
  group: AD_Group

rac...@rundeck.com

Jul 1, 2024, 5:52:43 PM
to rundeck-discuss

Hi Andrew,

Your project-scope definitions seem wrong, could you double-check them?

project: '' # all projects

^ Do you know if this line is intentional? (it points to nowhere)

project: 'Group' # all projects

^ Is this project a valid project name?

project: '.*' # all projects

^ This applies to all projects. Is this intentional?

You can learn more about ACLs here. Here you can see some examples.

Regards.

Andrew Meyer

9:07 AM
to rundeck-discuss
I changed the name.  The first one applies to AD users.  The second and third apply to specific projects IN rundeck and reflect specific groups.  I'm sorry if I wasn't clear.  I edited this for security purposes.

rac...@rundeck.com

11:05 AM
to rundeck-discuss

No worries. So, the groups involved here are: AD_Group, and G_Group2, right? (AD_Group_RundeckUsers is AD_Group).

Regards.

Andrew Meyer

12:09 PM
to rundeck-discuss
For this purpose let's say that AD_Group_RundeckUsers is a generic policy that allows everyone access to Rundeck, so view.

AD_Group and AD_Group2 are more specific.  This would be a nested group with a more refined list of people that have more capabilities.  This is probably going to be confusing.

rac...@rundeck.com

3:53 PM
to rundeck-discuss

Hi Andrew,

Regarding this:

We have been able to get them access to some of those jobs, but i’m seeing rejected runs on the others.

Projects in your case are MDM, Project2, Group, and DBA, right? What particular groups are unable to access particular projects or jobs? Your ACL definition doesn't deny/allow anything for specific jobs. Probably another ACL is blocking your users/roles.

In this case, you can see how to define specific access to groups/users for specific jobs (using job group but you can use the match -> name).

Regards.
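An added example of the job-specific policy described in the reply above; it is not from this thread or from Rundeck's own documentation. It assumes (all constructed for illustration) a project named Project2, a job group `PDI`, a job named `Nightly Load`, and an `Admin` job group. It grants G_Group2 run rights only on the PDI jobs and that one named job, and explicitly denies run on the Admin group so no broader allow elsewhere can re-open it. The project-scope document only takes effect for a group that also has an application-scope policy granting `read` on the project, like the `application: 'rundeck'` documents earlier in the thread.

```yaml
description: G_Group2 may run only the PDI jobs and Nightly Load in Project2 (constructed example)
context:
  project: 'Project2'          # assumed project name
for:
  job:
    - match:
        group: 'PDI/.*'        # assumed job group; regex via match
      allow: [read, run, kill]
    - equals:
        name: 'Nightly Load'   # assumed job name; exact match via equals
      allow: [read, run]
    - match:
        group: 'Admin/.*'      # assumed job group; deny wins over any allow
      deny: [run, kill]
  node:
    - allow: [read, run]       # jobs still need node run rights to execute
  resource:
    - equals:
        kind: job
      allow: [read]            # list jobs; no create/delete
    - equals:
        kind: node
      allow: [read]
by:
  group: G_Group2

---

description: Application-scope entry that makes Project2 visible to G_Group2 (constructed example)
context:
  application: 'rundeck'
for:
  project:
    - equals:
        name: 'Project2'
      allow: [read]
by:
  group: G_Group2
```

When several documents match the same group, Rundeck combines their allows, but any matching rule that contains a `deny` for an action takes precedence over every allow for it. That is why an unrelated policy elsewhere on the server can still block a run that the documents above would permit, and the first thing to check for a "rejected" job is whether another ACL file matches the same group with a `deny`, or whether the job's group or name falls outside the `match`/`equals` patterns written here.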
