Anonymous access to API


Takeshi Yaegashi

Jun 26, 2015, 5:12:34 AM
to rundeck...@googlegroups.com
Hi there,

How can I grant anonymous/unauthenticated access to Rundeck API?

    ---
    description: SSH public key anonymous access
    context:
      application: 'rundeck'
    for:
      storage:
        - match:
            path: 'keys/export(/.*)?'
          allow: [read]
    by: # XXX: how?
      user: anonymous
      group: anonymous

I want to enable users to get SSH public keys in the storage using common web browsers.
I don't want to create any dedicated users/groups for this.

Regards,
-- 
YAEGASHI Takeshi <yaeg...@debian.org>

Greg Schueler

Jun 26, 2015, 12:21:49 PM
to rundeck...@googlegroups.com
Hi Takeshi,

There is no direct “anonymous” access level; you should file a feature request for this.

You could fake it by using an API token for a non-existent user “anonymous”, and then granting access based on username.

However, the access level for this user would be the combination of ACL policies matching "group: api_token_group" and the "username: anonymous". If you want to allow api_token_group to do other things, but disallow this “anonymous” user, you would have to add DENY rules for everything you don’t want “anonymous” to do. Basically you could start with the admin.aclpolicy, but change `- allow: "*"` to `- deny: "*"`, except for the Key storage.

You could use two ways to create the anonymous token, either generate a random one via the API, for the “anonymous” username:

    curl -X POST -H "x-rundeck-auth-token: $TOKEN" "http://$RUNDECK_SERVER/api/11/tokens/anonymous"

Or, use the “static authentication tokens file” feature http://rundeck.org/docs/administration/configuration-file-reference.html#framework.properties and use a “dummy” token in `tokens.properties`:

    anonymous: anon

Then use the token in a URL parameter `?authtoken=anon` in your later requests.


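The deny-by-default policy the reply above describes, written out as an added example (not part of the thread and not a file shipped with Rundeck). The file name `anonymous.aclpolicy` and the list of resource types, taken from the default admin.aclpolicy layout, are assumptions.

```yaml
# anonymous.aclpolicy (hypothetical file name), added example.
# Layout follows the default admin.aclpolicy with each "allow" turned into
# "deny", except for Key storage, as suggested in the reply.

# Project-level resources: deny everything to the token's user.
description: anonymous token, no project access
context:
  project: '.*'          # all projects
for:
  resource:
    - deny: '*'
  adhoc:
    - deny: '*'
  job:
    - deny: '*'
  node:
    - deny: '*'
by:
  username: anonymous

---

# Application-level resources: read-only on the exported public keys.
description: anonymous token, read-only access to exported public keys
context:
  application: 'rundeck'
for:
  resource:
    - deny: '*'
  project:
    - deny: '*'
  storage:
    - match:
        path: 'keys/export(/.*)?'   # path regex from the original question
      allow: [read]
    # Assumption: no policy matching api_token_group allows other storage
    # paths. If one does, this user inherits that access, and a deny rule
    # covering the remaining paths is needed as well.
by:
  username: anonymous
```

Because the token travels in the URL as `?authtoken=...`, it should be treated as public, so these deny rules are the only thing limiting what a holder of the token can do.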

Takeshi Yaegashi

Jun 26, 2015, 2:33:18 PM
to rundeck...@googlegroups.com
Hi,

Thanks for your help!  Defining static tokens seems the way to go.  It suffices for us to be able to fetch it using Chrome/Firefox via a single URL http://server/api/13/storage/keys/export/hoge/id_rsa.pub?authtoken=xxxx.

At the first attempt I put -Drundeck.tokens.file=/etc/rundeck/tokens.properties in JVM arguments, but it didn't work.  Is it mandatory to define it in framework.properties?

Regards,
-- 
YAEGASHI Takeshi <yaeg...@debian.org>

On Saturday, June 27, 2015 at 1:21:49 AM UTC+9, greg wrote:

Greg Schueler

Jun 26, 2015, 2:37:38 PM
to rundeck...@googlegroups.com
Yes, it must be set in framework.properties right now.
