Hi Dan,
I reproduced your issue and it seems related to your node tags (your localhost is tagged as “NonProd”?), anyway, I leave a simplified ACL to test (check the application context block), feel free to modify it:
description: project context.
context:
  project: ProjectEXAMPLE
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  adhoc:
    - deny: '*'
  job:
    - equals:
        group: NonProd
      allow: [run,read]
  node:
    - equals:
        nodename: 'localhost'
      allow: [read,run]
by:
  group: mygroup
---
description: app context.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: ProjectEXAMPLE
      allow: [read]
  storage:
    - match:
        path: 'keys/.*'
      allow: [read]
by:
  group: mygroup
Hope it helps!
Hi SysadminX,
With the following ACL, it’s possible (tested on 3.4.0). The ACL is focused on the “user” group (you can use username: myuser instead of the group statement).
description: project context.
context:
  project: ProjectEXAMPLE
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  adhoc:
    - allow: '*'
  job:
    - equals:
        name: JobONE
      allow: [run,read]
  node:
    - equals:
        tags: 'db'
      allow: [read,run]
    - equals:
        nodename: 'localhost'
      allow: [read,run]
by:
  group: user
---
description: app context.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: ProjectEXAMPLE
      allow: [read]
  storage:
    - match:
        path: 'keys/.*'
      allow: [read]
by:
  group: user
At the moment of executing the job, applying the .* filter, the user can only execute on the db-tagged nodes and localhost (Rundeck server).
Hope it helps!
Hi,
Yes, the bug is related to the “contains” statement. If you put those rules in two separate files, Rundeck evaluates them one by one and keeps the same behavior as:
node:
  - equals:
      tags: 'db'
    allow: [read,run]
  - equals:
      rundeck_server: 'true'
    allow: [read,run]
So, I think that the best approach is to put those rules in the same file.
Regards!
Hi SysadminX,
I tested again with your ACL and it works as expected (just changing the project name, group name, job name, and the node tag name).
description: project context.
context:
  project: ProductionPROJECT
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  adhoc:
    - allow: '*'
  job:
    - equals:
        name: HelloWorld
      allow: [run,read]
  node:
    - equals:
        tags: 'db'
      allow: [read,run]
    - equals:
        rundeck_server: 'true'
      allow: [read,run]
by:
  group: user
---
description: app context.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: ProductionPROJECT
      allow: [read]
  storage:
    - match:
        path: 'keys/.*'
      allow: [read]
by:
  group: user
Ensure that another ACL does not interfere with the current one. Also, take a look at this.
Regards!
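To make the node-rule behaviour in the replies above concrete (the two `equals` node rules for `tags: 'db'` and `rundeck_server: 'true'`, and the `contains` statement mentioned in the bug reply), here is an added, simplified evaluator written for this thread. It is not Rundeck's own authorization engine: it models `equals` as an exact string comparison, `match` as a full regex match, `contains` as "every listed value is present in the attribute list", and applies the deny-wins rule; the node inventory is constructed inline.

```python
import re

# Simplified model of Rundeck-style node rule evaluation (illustration only,
# not Rundeck's code). Assumptions: equals compares the comma-joined string
# form of an attribute, match is a full regex match, contains requires every
# listed value to be present in a list attribute, and any matching deny wins.

def _attr(node, key):
    value = node.get(key)
    if isinstance(value, list):
        return [str(v) for v in value]
    return [] if value is None else [str(value)]

def rule_matches(rule, node):
    """True when every condition in the rule's equals/match/contains block holds."""
    for op in ("equals", "match", "contains"):
        for key, expected in rule.get(op, {}).items():
            values = _attr(node, key)
            if op == "equals" and ",".join(values) != str(expected):
                return False
            if op == "match" and not re.fullmatch(str(expected), ",".join(values)):
                return False
            if op == "contains":
                wanted = expected if isinstance(expected, list) else [expected]
                if not all(str(w) in values for w in wanted):
                    return False
    return True  # a rule with no conditions (e.g. "- deny: '*'") matches everything

def decision(rules, node, action):
    """Any matching deny rejects the action; otherwise any matching allow grants it."""
    allowed = False
    for rule in rules:
        if not rule_matches(rule, node):
            continue
        deny, allow = rule.get("deny", []), rule.get("allow", [])
        if deny == "*" or action in deny:
            return "deny"
        if allow == "*" or action in allow:
            allowed = True
    return "allow" if allowed else "deny"

# Node rules from the last ACL in the thread, as Python data.
NODE_RULES = [
    {"equals": {"tags": "db"}, "allow": ["read", "run"]},
    {"equals": {"rundeck_server": "true"}, "allow": ["read", "run"]},
]
# Constructed sample inventory (hypothetical node names).
NODES = [
    {"nodename": "localhost", "tags": [], "rundeck_server": "true"},
    {"nodename": "db01", "tags": ["db"]},
    {"nodename": "web01", "tags": ["web"]},
    {"nodename": "db02", "tags": ["db", "web"]},
]

def runnable_nodes(rules=NODE_RULES, nodes=NODES, action="run"):
    return [n["nodename"] for n in nodes if decision(rules, n, action) == "allow"]
```

Running `runnable_nodes()` with the thread's rules yields only `localhost` and `db01`; a multi-tag node such as `db02` is picked up only by a `contains` rule, which is the distinction the bug reply is about.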