User can launch a job but not authorized to run jobs in a different project


skp15

Jun 5, 2024, 9:00:48 PM
to rundeck-discuss
Hello,

I was able to create a job (A) to disable/enable schedules on another job (B). Reference - https://groups.google.com/g/rundeck-discuss/c/Y6Laas1HOYA

These two jobs were in the same project while testing, but now when I move this to another project and another user tries to run this job, they get an unauthorized error.

{"error":true,"apiversion":47,"errorCode":"unauthorized","message":"(unauthenticated) is not authorized for: /api/21/job/job-d/schedule/disable"}

I have the authorization token copied over to this new project but for some reason they are unable to run the job in the other project.

Is this a problem with ACL?

rac...@rundeck.com

Jun 6, 2024, 9:32:34 AM
to rundeck-discuss
Hi,

Could you share the job definition to take a look?

Regards.

skp15

Jun 6, 2024, 11:40:24 AM
to rundeck-discuss
Attached is the job definition and the ACL.

The cURL job to disable/enable schedules is in `developer-tools` project and the actual job that gets the call for enable/disable is in `devops-tools` project.

The user running the cURL job has permissions to run jobs in `developer-tools` project.

Disable-Enable_Schedules (1).yaml
ACL_User.txt

skp15

Jun 7, 2024, 12:14:20 PM
to rundeck-discuss
Hi, any chance you could review this?

rac...@rundeck.com

Jun 7, 2024, 1:07:40 PM
to rundeck-discuss

Hi,

Issue replicated, you need to grant access to the key storage in your ACL.

In the app level section:

```yaml
storage:
  - allow: [read] # allow read access to keys and passwords stored in key storage
```

Here is how your ACL must look:

```yaml
---
description: "Allow users in runjobs group to run, kill jobs, etc. in a specific project"
# They can also read the activity logs and view the nodes.
context:
  project: developer-tools
by:
  group: eng-jobs-only
for:
  resource:
    - equals:
        kind: job
      allow: [read, run, kill]
    - equals:
        kind: node
      allow: [read]
    - equals:
        kind: event
      allow: [read] # allow reading activity logs
    - equals:
        kind: 'adhoc'
      allow: [read,run,kill]
  adhoc:
    - allow: [read,run,kill] # allow running/killing adhoc jobs
  job:
    - allow: [read,run,kill]
  node:
    - allow: [read,run] # allow read/run for nodes
---
context:
  application: rundeck
description: "Users in the 'eng-run-jobs' group can launch jobs in a specific project but not edit them"
for:
  project:
    - match:
        name: 'developer-tools'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
  storage:
    - allow: [read] # allow read access to keys and passwords stored in key storage
by:
  group:
    - eng-jobs-only
```

Hope it helps!
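Added example, not part of the original reply: the `storage` rule above has no `match`, so it grants the group read access to every entry in key storage. The variant below keeps the same application-level policy but limits the read to one path prefix. The prefix `keys/project/developer-tools/` is an assumed placeholder; replace it with the location of the key that the cURL job actually references.

```yaml
---
context:
  application: rundeck
description: "eng-jobs-only: read the developer-tools project and only its own key storage entries"
for:
  project:
    - match:
        name: 'developer-tools'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
  storage:
    # Assumed placeholder prefix: set this to where the job's API token is stored.
    # 'match' treats the value as a regular expression against the storage path,
    # so keys outside this prefix stay unreadable for the group.
    - match:
        path: 'keys/project/developer-tools/.*'
      allow: [read]
by:
  group:
    - eng-jobs-only
```

If the job resolves its token from a different path, the run fails with the same unauthorized error as before, so confirm the stored key's path before narrowing the rule.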

skp15

Jun 7, 2024, 3:00:05 PM
to rundeck-discuss
That worked.

Thank you so much.
