ACL Policy - Allow for duplicate jobs without full admin acl


Russ Robinson

Mar 22, 2021, 9:27:09 AM
to rundeck-discuss
Team,

  Am I overlooking it in the ACL policy documentation or is there not an option to give a group the authority to "Duplicate this job" without giving the group full "admin" authority?

rac...@rundeck.com

Mar 22, 2021, 10:25:34 AM
to rundeck-discuss

Hi Russ,

Try with the following ACL definition:

description: Desc.
context:
  project: 'ProjectEXAMPLE'
for:
  resource:
    - equals:
        kind: job
      allow: [create]
    - equals:
        kind: node
      allow: [read,refresh]
    - equals:
        kind: event
      allow: [read] 
  adhoc:
    - allow: [read,run]
  job:
    - allow: [read,run]
  node:
    - allow: [read,run]
by:
  group: my_group

---

description: Desc.
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: user
      allow: [admin]
  project:
    - match:
        name: 'ProjectEXAMPLE'
      allow: [read]
  storage:
    - allow: [read]
by:
  group: my_group

You need to give the job creation rule at project level to duplicate jobs:

    - equals:
        kind: job
      allow: [create]

Hope it helps!

Russ Robinson

Mar 22, 2021, 12:20:20 PM
to rundeck-discuss
In the application section's resource, does it require the user to be an admin?

description: Desc.
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: user
      allow: [admin]


rac...@rundeck.com

Mar 22, 2021, 12:29:10 PM
to rundeck-discuss

Hi Russ,

Not needed; it also works without that block, so an ACL for a restricted group with rights to duplicate jobs would be:

description: Desc.
context:
  project: 'ProjectEXAMPLE'
for:
  resource:
    - equals:
        kind: job
      allow: [create]
    - equals:
        kind: node
      allow: [read,refresh]
    - equals:
        kind: event
      allow: [read] 
  adhoc:
    - allow: [read,run]
  job:
    - allow: [read,run]
  node:
    - allow: [read,run]
by:
  group: your_group

---

description: Desc.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: 'ProjectEXAMPLE'
      allow: [read]
  storage:
    - allow: [read]
by:
  group: your_group

Regards!

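As an added illustration (not Rundeck's own evaluator, and not code from this thread), the following Python checks what the final policy above grants a group in each context, so you can confirm that `create` on `kind: job` is present at project level while nothing is granted on `kind: user` at application level. It assumes the two documents as Python data mirroring the YAML (abridged to the relevant rules) and simplifies Rundeck's matching to `equals` and regex `match` with `allow` lists only, ignoring `deny`, `contains` and `subset`.

```python
import re

# Constructed from the reply's final policy, as Python data in the shape PyYAML
# gives for its two YAML documents (abridged to the rules that matter here).
POLICY_DOCS = [
    {"context": {"project": "ProjectEXAMPLE"},
     "for": {"resource": [{"equals": {"kind": "job"}, "allow": ["create"]},
                          {"equals": {"kind": "node"}, "allow": ["read", "refresh"]}],
             "job": [{"allow": ["read", "run"]}]},
     "by": {"group": "your_group"}},
    {"context": {"application": "rundeck"},
     "for": {"project": [{"match": {"name": "ProjectEXAMPLE"}, "allow": ["read"]}],
             "storage": [{"allow": ["read"]}]},
     "by": {"group": "your_group"}},
]


def rule_matches(rule, attrs):
    """A rule without conditions matches every resource of its type; `equals`
    compares each attribute exactly, `match` treats the value as a regex."""
    for key, expected in rule.get("equals", {}).items():
        if attrs.get(key) != expected:
            return False
    for key, pattern in rule.get("match", {}).items():
        if not re.fullmatch(pattern, str(attrs.get(key, ""))):
            return False
    return True


def allowed_actions(docs, group, context, resource_type, attrs):
    """Collect the actions `group` is allowed on one resource.
    context is ("project", name) or ("application", "rundeck"); resource_type
    is the key under `for:` (resource, job, project, ...); attrs describe the
    resource. Simplified: only `allow` is honoured, `deny` is ignored."""
    ctx_key, ctx_value = context
    actions = set()
    for doc in docs:
        groups = doc.get("by", {}).get("group", [])
        groups = [groups] if isinstance(groups, str) else groups
        if group not in groups or doc.get("context", {}).get(ctx_key) != ctx_value:
            continue
        for rule in doc.get("for", {}).get(resource_type, []):
            if rule_matches(rule, attrs):
                actions.update(rule.get("allow", []))
    return actions
```

Querying `("application", "rundeck")` with `{"kind": "user"}` returns an empty set, which is the point of the reply: the group can duplicate jobs (`create` on `kind: job` in the project) without holding `admin` on users.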
Russ Robinson

Mar 22, 2021, 12:50:25 PM
to rundeck-discuss
Thanks for the help!