
Thanks for those references. I updated my ACLs to fit that new standard (and re-named the job group to API, because it's a better fit for our use case), however, I'm still not seeing the jobs listed. Here's the current job structure for a bit more information:
Windows (Project)
-API
----Integration 1
--------Job 1
--------Job 2
--------Job 3
--------Job 4
And I want the user to have access to any of the jobs under "API". Here are the changes I made to the API based on those links you've provided:
description: rundeck_api_webapps -- all projects -- read access -- app context
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: .*
      allow: [read]
  storage:
    - allow: [read]
by:
  username: [rundeck_api_webapps]
---
description: rundeck_api_webapps -- Windows project -- job group "API" -- run, view access -- project context
context:
  project: Windows
for:
  resource:
    - allow: [run,read]
  job:
    - equals:
        group: API
      allow: [run,read]
  node:
    - allow: [read,run]
by:
  username: [rundeck_api_webapps]
---
Any idea why the jobs are still not visible? I verified there are no other ACLs that would be affecting this user.
Thanks,
Rob
From:
rundeck...@googlegroups.com <rundeck...@googlegroups.com> on behalf of rac...@rundeck.com <rac...@rundeck.com>
Date: Wednesday, March 13, 2024 at 1:53 PM
To: rundeck-discuss <rundeck...@googlegroups.com>
Subject: [rundeck] Re: Rundeck- ACL to limit access to a "Group" of jobs.
Hi Rob,
Please check this case. Also, make sure that another ACL definition isn't interfering (denying access to that user).
Greetings.
PS: Post fixed.
On Wednesday, March 13, 2024 at 3:29:24 PM UTC-3 Rob Byrne wrote:
Hi Everyone,
I need to create a user access token for running a limited set of jobs in our rundeck environment. From my research, the best way to do this is to issue the key with a "role" matching one of the ACLs we have, or create the token as a user in that role (to limit its permissions). As a result, I need to make an ACL that simply limits job viewing and execution to a folder, or 'group' of jobs in a single project.
Here's what I have currently:
However, when the user "rundeck_api_webapps" signs into Rundeck, no jobs are visible from the "webapps" folder. Thoughts?
Thanks,
Rob
Hi Rob,
I recreated the environment (a project called “ProjectEXAMPLE” with a series of jobs saved on the “API/Integration 1” subfolder).
It works with the following ACL:
description: project context.
context:
  project: ProjectEXAMPLE
for:
  resource:
    - allow: [run,read]
  job:
    - equals:
        group: API/Integration 1
      allow: [run,read]
  node:
    - allow: [read,run]
by:
  username: your_user
---
description: app context.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: ProjectEXAMPLE
      allow: [read]
  storage:
    - allow: [read]
by:
  username: your_user

Check the full project view (admin view) and the user-specific ACL view.
Feel free to modify it.
Hope it helps!
Right, Rob.
In that case, use the match clause (instead of equals) as follows (tested on Rundeck 5.1.0):
description: project context.
context:
  project: ProjectEXAMPLE
for:
  resource:
    - allow: [run,read]
  job:
    - match:
        group: API/.*
      allow: [run,read]
  node:
    - allow: [read,run]
by:
  username: your_user
---
description: app context.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: ProjectEXAMPLE
      allow: [read]
  storage:
    - allow: [read]
by:
  username: your_user

Cheers!
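Added example, not part of the thread and not Rundeck's own code: a simplified Python model of the job rule's equals and match tests on group, showing why "equals: API" hides jobs saved under "API/Integration 1" and how far each regex reaches. It assumes match is a regular expression that must cover the whole group path; the "Top-level API job" and "Admin job" entries, the "API-admin" group and the function names are constructed for illustration.

```python
import re

# Constructed sample: job name -> full group path ('/'-separated).
JOB_GROUPS = {
    "Job 1": "API/Integration 1",
    "Job 2": "API/Integration 1",
    "Top-level API job": "API",       # hypothetical job saved directly in API
    "Admin job": "API-admin/tools",   # hypothetical sibling group
}

def rule_applies(rule, group):
    """Simplified model of one 'job:' rule tested against a job's group.

    Assumption: 'equals' is exact string equality and 'match' is a regex
    that must match the entire group path.
    """
    if "equals" in rule:
        return group == rule["equals"]["group"]
    if "match" in rule:
        return re.fullmatch(rule["match"]["group"], group) is not None
    return True  # a rule without a matcher applies to every job

def visible_jobs(rule, jobs=JOB_GROUPS):
    """Sorted names of the jobs on which the rule grants 'read'."""
    if "read" not in rule.get("allow", []):
        return []
    return sorted(name for name, grp in jobs.items() if rule_applies(rule, grp))

# Each entry mirrors one 'job:' rule from a project-context ACL.
RULES = {
    "equals API": {"equals": {"group": "API"}, "allow": ["run", "read"]},
    "equals API/Integration 1": {"equals": {"group": "API/Integration 1"},
                                 "allow": ["run", "read"]},
    "match API/.*": {"match": {"group": "API/.*"}, "allow": ["run", "read"]},
    # Also covers jobs saved directly in API, without widening to siblings.
    "match API(/.*)?": {"match": {"group": "API(/.*)?"}, "allow": ["run", "read"]},
    # Over-broad: a missing '/' lets the rule reach API-admin/tools as well.
    "match API.*": {"match": {"group": "API.*"}, "allow": ["run", "read"]},
}

if __name__ == "__main__":
    for label, rule in RULES.items():
        print(f"{label:26} -> {visible_jobs(rule)}")
```

Under this model, keeping the "/" in the pattern is what stops the grant from reaching a sibling group whose name merely begins with "API".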