Regarding Rundeck ACL Configuration


chengkai liang

Oct 4, 2011, 4:21:02 PM
to rundeck...@googlegroups.com, chengkai liang
I am following http://rundeck.org/1.4rc/aclpolicy-v10.html to set up the Rundeck ACL for our environment, and here's what I have configured in admin.aclpolicy:

context:
  project: '.*' # reTest
for:
  resource:
    - equals:
      kind: project
      allow: create
    - equals:
      kind: job
      allow: [read] # allow read/create all kinds
    - equals:
      kind: node
      allow: [read,write,refresh]
      contains: [localhost]                                                               
    - equals:
      kind: event
      allow: [read,create]
  adhoc:
    - allow: '.*' # allow running/killing adhoc jobs
  job:
    - allow: [read,write,run,kill] # allow read/write/delete/run/kill of all jobs
    - deny: [delete]
  project:
    - match:
        name: 'reTest' 
        allow: [read,write]
by:
  username: ctieruser
  group: deploy
  
Based on what the document says,

    contains: elements can have a sub-predicate tag to include a list of tags. Yet when I try that it actually blows up. The above syntax works, yet when I try to execute the job, this error is what spews out:

Status: Failed

SEVERE 12:53:52 No matched nodes: NodeSet{includes={name=localhost, dominant=false, }}

Looking at the rundeck.auth.log, it has this error message:

2011-10-04 12:53:51,990 - Evaluating Decision for: res<osFamily:unix, username:ctieruser, osArch:amd64, osVersion:2.6.38-11-server, description:Rundeck server node, nodename:localhost, hostname:localhost, type:node, osName:Linux, rundeck_server:true> subject<Username:re-deploy Group:deploy> action<run> env<http://dtolabs.com/rundeck/env/project:reTest>: authorized: false: REJECTED, reason: REJECTED_NO_RULES_DECLARED, evaluations:       Section for type 'node' was not declared in for section => REJECTED_NO_RULES_DECLARED (0ms):REJECTED, reason: REJECTED_NO_RULES_DECLARED, evaluations:  Section for type 'node' was not declared in for section => REJECTED_NO_RULES_DECLARED

So,

  1. What's the right syntax for the ACL policy?
  2. It seems that the information is pulled from the project, but why is the highlighted part always localhost instead of the real hostname?
  3. Is there a real-world example of how to configure a working aclpolicy?

Thanks,
chengkai liang

The Z shell is to unix what OS X is to the rest of the computing world.

Greg Schueler

Oct 4, 2011, 4:35:22 PM
to rundeck...@googlegroups.com
Hi chengkai liang,

a few issues:

1. rc1 didn't support restricting which resources could be viewed/executed; it only restricted read/update/refresh of *all nodes*
2. the syntax you used is not quite correct

The rc2 will be posted today, but here is what you would include in your aclpolicy for rc2:

# to support read/update/refresh of *all* nodes:

for:
  resource:
    - equals:
        kind: node
      allow: [read,update,refresh]

# to allow user to view/execute only on nodes matching nodename:

for:
  node:
    - equals:
        nodename: 'localhost'
      allow: [read,run]

# to allow user to view/execute only on matching tag:

for:
  node:
    - contains:
        tag: 'sometag'
      allow: [read,run]

chengkai liang

Oct 4, 2011, 5:03:30 PM
to rundeck...@googlegroups.com, chengkai liang
For the nodename part, if we have more than one node, then is

   nodename: ['ABC','DEF','...']

the right syntax?

Is there a tag that can support tagging in rundeck's project resources file?

Thanks,
chengkai liang


Greg Schueler

Oct 4, 2011, 5:11:47 PM
to rundeck...@googlegroups.com
On Oct 4, 2011, at 2:03 PM, chengkai liang wrote:

For the nodename part, if we have more than one node, then is

   nodename: ['ABC','DEF','...']

the right syntax?

To match multiple names you need to either have multiple entries and use "equals:" to match by name, or you can use a regular expression with "match:":

for:
  node:
    - equals:
        nodename: 'localhost'
      allow: [read,run]
    - equals:
        nodename: 'monkey1'
      allow: [read,run]
    - equals:
        nodename: 'monkey2'
      allow: [read,run]

or

for:
  node:
    - match:
        nodename: '(localhost|monkey.*)'
      allow: [read,run]
Is there a tag that can support tagging in rundeck's project resources file?

chengkai liang

Oct 4, 2011, 5:50:04 PM
to rundeck...@googlegroups.com, chengkai liang
I have followed your syntax and configured the ACL, yet I have this message showing up in rundeck.auth.log:

2011-10-04 14:47:32,746 - Evaluating Decision for: res<osFamily:unix, username:ctieruser, osArch:amd64, osVersion:2.6.38-11-server, description:Rundeck server node, nodename:localhost, hostname:localhost, type:node, osName:Linux, rundeck_server:true> subject<Username:vm-deploy Group:deploy> action<run> env<http://dtolabs.com/rundeck/env/project:reTest>: authorized: false: REJECTED, reason: REJECTED_NO_RULES_DECLARED, evaluations:       Section for type 'node' was not declared in for section => REJECTED_NO_RULES_DECLARED (1ms):REJECTED, reason: REJECTED_NO_RULES_DECLARED, evaluations:  Section for type 'node' was not declared in for section => REJECTED_NO_RULES_DECLARED

And here's my configuration:

description: vm-deploy only allow deploy virutial machine

context:
  project: '.*' # reTest
for:
  resource:
    - equals:
      kind: project
      allow: create
    - equals:
      kind: job
      allow: 'read' # allow read/create all kinds
    - equals:
      kind: event
      allow: [read,create]
  adhoc:
    - allow: '.*' # allow running/killing adhoc jobs
  job: 
    - allow: [read,write,run,kill] # allow read/write/delete/run/kill of all jobs
    - deny: [delete]
  node:
    - equals:
        nodename: 'localhost'
        allow: [read,run]                                                              
  project:
    - match:
      name: 'vmdeployment'
      allow: [read,write]
by:
  group: deploy

Any idea?

chengkai liang


Greg Schueler

Oct 4, 2011, 6:37:37 PM
to rundeck...@googlegroups.com
"Section for type 'node' was not declared in for section"

I think your formatting is incorrect somehow.
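To make the two points in this thread concrete (the equals/match/contains matchers Greg shows, and the indentation mistake where allow: ends up inside equals: instead of beside it), here is an added example that is not part of the original thread or of Rundeck itself. It works on the Python dict a YAML loader would produce from a "for: node:" section; the rule list, the node dicts, the "tags" attribute as a list, and the deny-beats-allow ordering are all constructed assumptions for the demo.

```python
import re

# Constructed: parsed form of a "for: node:" section. The last rule has
# allow: indented under equals: (the mistake from the original post), so a
# loader reads "allow" as just another attribute to compare, not a grant.
NODE_RULES = [
    {"equals": {"nodename": "localhost"}, "allow": ["read", "run"]},
    {"match": {"nodename": "(monkey.*)"}, "allow": ["read", "run"]},
    {"contains": {"tags": "web"}, "allow": ["read"]},
    {"equals": {"nodename": "db1", "allow": ["read", "run"]}},  # misindented
]


def rule_matches(rule, node):
    """Apply the three matcher kinds from the thread to one node dict."""
    for attr, want in rule.get("equals", {}).items():    # exact string match
        if str(node.get(attr)) != str(want):
            return False
    for attr, pattern in rule.get("match", {}).items():  # whole-value regex
        if not re.fullmatch(pattern, str(node.get(attr, ""))):
            return False
    for attr, want in rule.get("contains", {}).items():  # membership in a list
        if want not in node.get(attr, []):
            return False
    return True


def evaluate(rules, node, action):
    """Return 'allow', 'deny' or 'no_rules' for a node/action pair.
    Assumption: an explicit deny wins over any allow."""
    decision = "no_rules"
    for rule in rules:
        if not rule_matches(rule, node):
            continue
        if action in rule.get("deny", []):
            return "deny"
        if action in rule.get("allow", []):
            decision = "allow"
    return decision


def lint(rules):
    """Flag rules whose allow/deny is nested inside a matcher: they never grant."""
    problems = []
    for i, rule in enumerate(rules):
        for key in ("equals", "match", "contains"):
            nested = set(rule.get(key, {})) & {"allow", "deny"}
            if nested:
                problems.append(f"rule {i}: {sorted(nested)} nested under {key}")
    return problems
```

Running lint() over a policy before deploying it catches the silent no-op rule; the evaluator shows that such a rule yields no decision at all for the node it was meant to cover.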