ACL policy not working


Scott K.

Mar 11, 2016, 9:20:48 AM
to rundeck-discuss
Greetings -

I want to give access to a project group ('Deploys') and all sub-groups. However, it is not working.

Here's what I have tried:

---
description: project level access
context:
  project: 'DevOps'
by:
  group: 'qagroup'
for:
  job:
    - allow: 'read'
    - equals:
        group: 'Deploys'
      allow: ['run','create','update']
  node:
    - allow: 'read'
  resource:
    - allow: 'read'


Unfortunately this does NOT work - it grants access to project groups that should not be seen at all, and it does not grant run, create, and update on jobs in the 'Deploys' group. I took this from the Rundeck ACL screencast, so it's a little frustrating that this doesn't work.
I have spent several hours reading the docs and I am completely lost on how to proceed - any help would be greatly appreciated!


Jason Kohles

Mar 11, 2016, 9:36:21 AM
to rundeck-discuss
I just ran into this yesterday and was going to submit a ticket today. Although the documentation shows examples that look like this:

by:
  group: qagroup

it doesn't seem to actually work that way.  If you make sure that any group or username arguments to by are a list then it will work:

by:
  group:
    - qagroup

or

by:
  group: [ qagroup ]

Jina Patton

Mar 11, 2016, 9:42:08 AM
to rundeck-discuss
Typo corrected - 

for:
  job:
  - allow: [read]
    equals:
      name: 'Deploys'
      group: ''
description: generated
context:
  project: DevOps
by:
  group: qagroup
---
for:
  project:
  - allow: read
    equals:
      name: DevOps
description: generated
context:
  application: rundeck
by:
  group: qagroup

Scott K.

Mar 11, 2016, 9:43:45 AM
to rundeck-discuss
Thanks Jason - unfortunately I just tried this and it doesn't change the behavior at all...

Alex Honor

Mar 11, 2016, 10:03:44 AM
to rundeck...@googlegroups.com
Hi Scott,

Here's a variation of your ACL using the 'match' rule for subgroups:

description: project level access
context:
  project: 'DevOps'
by:
  group: 'qagroup'
for:
  job:
    - allow: 'read'
    - match:
        group: 'Deploys/.*'
      allow: ['run','create','update']
  node:
    - allow: 'read'
  resource:
    - allow: 'read'

--

Alex Honor

[SimplifyOps, Inc | a...@simplifyops.com ]

Be sure to comment and vote on Rundeck Feature Development!
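
Added example, not part of the thread and not Rundeck's own code: a simplified Python model of how the job rules in the two policies above select jobs, run over constructed job groups. It assumes 'equals' is an exact string comparison and 'match' is a regular expression that must match the whole group value; the function names and sample groups are hypothetical.

```python
import re

# Job rules from Scott's and Alex's policies above, written as Python dicts.
EQUALS_RULES = [
    {"allow": "read"},
    {"equals": {"group": "Deploys"}, "allow": ["run", "create", "update"]},
]
MATCH_RULES = [
    {"allow": "read"},
    {"match": {"group": "Deploys/.*"}, "allow": ["run", "create", "update"]},
]

# Constructed sample job groups for illustration.
SAMPLE_GROUPS = ["Deploys", "Deploys/prod", "Deploys/prod/web", "Reports"]


def rule_applies(rule, job):
    """A rule with no equals/match section applies to every job."""
    for attr, want in rule.get("equals", {}).items():
        if job.get(attr, "") != want:          # exact string comparison
            return False
    for attr, pattern in rule.get("match", {}).items():
        # Assumption: the pattern must match the whole attribute value.
        if re.fullmatch(pattern, job.get(attr, "")) is None:
            return False
    return True


def allowed_actions(rules, job):
    """Union of the actions allowed by every rule that applies to the job."""
    allowed = set()
    for rule in rules:
        if rule_applies(rule, job):
            actions = rule["allow"]
            allowed.update([actions] if isinstance(actions, str) else actions)
    return allowed


if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        job = {"group": group}
        print(f"{group:18} equals={sorted(allowed_actions(EQUALS_RULES, job))}"
              f" match={sorted(allowed_actions(MATCH_RULES, job))}")
```

Under this model the bare allow: 'read' rule grants read on jobs in every group, and the pattern 'Deploys/.*' covers sub-groups but not jobs placed directly in 'Deploys'.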

Scott K.

Mar 11, 2016, 10:39:07 AM
to rundeck-discuss
That works - thanks!