Another ACL problem


Xavier Humbert

Jun 7, 2024, 5:36:34 AM
to rundeck-discuss
Hi,

I have granted access to a new project to a user.

He can see the project in the list, but when he tries to move a job from
the old project to the newer one, the new project does not appear in the
destination popup.

Is there some special grant to give to that user/group?

Here is the ACL:

======================================================================
---
description: Allow group polfoad-admins to list projects
context:
  application: 'rundeck'
for:
  project:
  - allow: read
    match:
      name: 'FOAD-TRIBU-EXPLOITATION|FOAD-TRIBU-EXPLOITATION_NEW'
by:
  group: polfoad-admins
---
description: Global project admin permissions to role
context:
  project: 'FOAD-TRIBU-EXPLOITATION|FOAD-TRIBU-EXPLOITATION_NEW'
for:
  resource:
  - equals:
      kind: job
    allow: '*'
  - equals:
      kind: node
    allow: '*'
  - equals:
      kind: event
    allow: '*'
  adhoc:
    - allow: '*'
  job:
    - allow: '*'
  node:
    - allow: '*'
  project:
    - allow: '*'
by:
  group: polfoad-admins
---
description: polfoad-admins application scope permissions
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: '*'
  storage:
    - equals:
        name: 'keys'
        path: 'keys'
      allow: [read]
    - match:
        path: 'keys/FOAD-TRIBU-EXPLOITATION'
      allow: [read]
    - match:
        path: 'keys/FOAD-TRIBU-EXPLOITATION/.*'
      allow: [read]
  project:
    - match:
        name: 'FOAD-TRIBU-EXPLOITATION|FOAD-TRIBU-EXPLOITATION_NEW'
      allow: '*'
by:
  group: polfoad-admins
======================================================================

Regards,

Xavier

--
Xavier Humbert
CRT Supervision et Exploitation de Niveau 1
Direction des Services d'Information du Grand Est
Rectorat de l'Académie de Nancy-Metz
Ministère de l'Éducation Nationale et de la Jeunesse
03 83 86 27 39

rac...@rundeck.com

Jun 7, 2024, 10:55:58 AM
to rundeck-discuss

Hi Xavier,

I have tested your ACL and it works. Could you double-check that another ACL is blocking that user? Pretty sure that is the root cause.

Anyway, I noticed that you’re using two app-level blocks (the first one with read permissions and the second one giving all permissions). So I made this example (tested on Rundeck 5.3) that should work:

======================================================================
description: projects
context:
  project: 'ProjectA|ProjectB'
for:
  resource:
  - equals:
      kind: job
    allow: '*'
  - equals:
      kind: node
    allow: '*'
  - equals:
      kind: event
    allow: '*'
  adhoc:
  - allow: '*'
  job:
  - allow: '*'
  node:
  - allow: '*'
  project:
  - allow: '*'
by:
  group: your_group
---
description: app
context:
  application: 'rundeck'
for:
  resource:
  - equals:
      kind: project
    allow: 'ProjectA|ProjectB'
  storage:
  - equals:
      name: 'keys'
      path: 'keys'
    allow: [read]
  - match:
      path: 'keys/mykeys'
    allow: [read]
  - match:
      path: 'keys/mykeys/.*'
    allow: [read]
  project:
  - match:
      name: 'ProjectA|ProjectB'
    allow: '*'
by:
  group: your_group
======================================================================

Regards.
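The reply's suggestion that a second policy may be blocking the user is easy to check by hand if the policy documents are evaluated the way Rundeck documents (deny beats allow, `match` is a regex, `'*'` means every action). The following is an added example, not code from either poster or from Rundeck: it encodes the application-scope `project` rule from the first message plus a constructed second policy that denies `read` on the `_NEW` project, and reports which document decided the outcome. Only `by: group:` and the `application`/`project` contexts are modelled; `username` and `contains` are assumed out of scope here.

```python
import re

# Constructed policy documents in the same shape as the .aclpolicy YAML in
# the thread. The first reproduces the "list projects" rule from the question;
# the second is an invented policy of the kind the reply suspects: it denies
# what the first allows, for the same group.
POLICIES = [
    {"description": "Allow group polfoad-admins to list projects",
     "context": {"application": "rundeck"},
     "for": {"project": [{"allow": "read", "match": {
         "name": "FOAD-TRIBU-EXPLOITATION|FOAD-TRIBU-EXPLOITATION_NEW"}}]},
     "by": {"group": "polfoad-admins"}},
    {"description": "constructed: hides projects ending in _NEW",
     "context": {"application": "rundeck"},
     "for": {"project": [{"deny": "read", "match": {"name": ".*_NEW"}}]},
     "by": {"group": "polfoad-admins"}},
]

def _as_list(value):                      # allow/deny may be a string or a list
    return [value] if isinstance(value, str) else list(value or [])

def _context_applies(policy_ctx, ctx):    # application: exact; project: regex
    if "application" in policy_ctx:
        return ctx.get("application") == policy_ctx["application"]
    return re.fullmatch(policy_ctx.get("project", ""), ctx.get("project", "")) is not None

def _rule_matches(rule, resource):        # every equals/match attribute must hold
    for attr, pat in rule.get("equals", {}).items():
        if str(resource.get(attr, "")) != pat:
            return False
    for attr, pat in rule.get("match", {}).items():
        if re.fullmatch(pat, str(resource.get(attr, ""))) is None:
            return False
    return True

def decide(policies, ctx, group, res_type, resource, action):
    """Return ('allow'|'deny', deciding description). Deny wins over allow;
    with no applicable allow the result is ('deny', None)."""
    allowed_by = None
    for pol in policies:
        if not _context_applies(pol.get("context", {}), ctx):
            continue
        if pol.get("by", {}).get("group") != group:
            continue
        for rule in pol.get("for", {}).get(res_type, []):
            if not _rule_matches(rule, resource):
                continue
            if {action, "*"} & set(_as_list(rule.get("deny"))):
                return "deny", pol["description"]
            if {action, "*"} & set(_as_list(rule.get("allow"))):
                allowed_by = allowed_by or pol["description"]
    return ("allow", allowed_by) if allowed_by else ("deny", None)
```

Run `decide(POLICIES, {"application": "rundeck"}, "polfoad-admins", "project", {"name": "FOAD-TRIBU-EXPLOITATION_NEW"}, "read")` to see the constructed second document win with a deny even though the first document allows the same read.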
