ACLs interrogation


Xavier Humbert

Jun 7, 2024, 4:29:09 AMJun 7
to rundeck-discuss
Hi,

I have a question about multiple ACL matches:

Say I have one which restricts access to some resource to group A,
and another which allows access to the same resource to anyone.

Which ACL will match? The most strict or the most permissive?

Regards,

Xavier

--
Xavier Humbert
CRT Supervision et Exploitation de Niveau 1
Direction des Services d'Information du Grand Est
Rectorat de l'Académie de Nancy-Metz
Ministère de l'Éducation Nationale et de la Jeunesse
03 83 86 27 39

Xavier Humbert

Jun 10, 2024, 4:02:12 AMJun 10
to rundeck...@googlegroups.com
Hi,

Just tried, and unfortunately it's the stricter rule that matches; the
permissive rule is not evaluated even if forced to be first in
alphabetical order.

Here is the permissive rule. It works to allow all users to access one
job in one project, but not for the keys.

==================================================
---
description: Allow groups to execute job a8928ddf-bd40-441d-8d22-9eaed77186d1
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: 'INFRA-RSO'
      allow: read
by:
  group: '.*'

---
description: Global project [read] permissions to role
context:
  project: 'INFRA-RSO'
for:
  resource:
    - equals:
        kind: job
      allow: '*'
    - equals:
        kind: node
      allow: '*'
    - equals:
        kind: event
      allow: '*'
  adhoc:
    - deny: '*'
  job:
    - match:
        uuid: 'a8928ddf-bd40-441d-8d22-9eaed77186d1'
      allow: [run,read]
  node:
    - allow: '*'
  project:
    - allow: '*'
    - match:
        name: 'INFRA-RSO'
      allow: '*'
  storage:
    - equals:
        name: 'keys'
      allow: [read]
    - match:
        path: 'keys/INFRA-RSO'
      allow: [read]
    - match:
        path: 'keys/INFRA-RSO/.*'
      allow: [read]
by:
  group: '.*'
==================================================

Regards,

Xavier

Xavier Humbert

Jun 10, 2024, 4:06:52 AMJun 10
to rundeck...@googlegroups.com
Here is an excerpt from rundeck.audit.log, showing the problem:

[2024-06-10T09:57:41,143] INFO authorization.LoggingAuthorization -
Evaluating Decision for: res<name:INFRA-RSO, type:project>
subject<Username:polfoad Group:user Group:polfoad-admins> action<read>
env<rundeck:auth:env:application:rundeck>: authorized: true: GRANTED,
reason: GRANTED, evaluations:
ACLRule</etc/rundeck/touslesgroupes-special-policy.aclpolicy[1][type:project][rule:
1]>{'Allow groups to execute a8928ddf-bd40-441d-8d22-9eaed77186d1  for
INFRA-RSO' context={application='rundeck'} type='project' match ,
resource={name=INFRA-RSO} for: { group='.*'} allow=[read]} GRANTED for
action read => GRANTED (0ms)
[2024-06-10T09:57:48,169] WARN authorization.LoggingAuthorization -
Evaluating Decision for: res<name:INFRA-RSO, type:storage,
path:keys/INFRA-RSO> subject<Username:polfoad Group:user
Group:polfoad-admins> action<read>
env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED,
reason: REJECTED, evaluations:
ACLRule</etc/rundeck/polfoad.aclpolicy[3][type:storage][rule:
1]>{'polfoad application scope permissions'
context={application='rundeck'} type='storage' equals ,
resource={name=keys, path=keys} for: { group='polfoad'} allow=[read]}
REJECTED for action read => REJECTED (0ms)

Xavier Humbert

Jun 10, 2024, 4:21:59 AMJun 10
to rundeck...@googlegroups.com
Correction: with this, it works:

---
description: tout le monde application scope permissions
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: '*'
  storage:
    - equals:
        name: 'keys'
        path: 'keys'
      allow: [read]
    - match:
        path: 'keys/INFRA-RSO'
      allow: [read]
    - match:
        path: 'keys/INFRA-RSO/.*'
      allow: [read]
  project:
    - match:
        name: 'INFRA-RSO'
      allow: '*'
by:
  group: '.*'
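As an added example (not Rundeck's own code, and a simplified model rather than its real evaluator), here is a small Python evaluator for the two policy shapes in this thread: the storage rule placed under a project context versus the same rule under an application context. It assumes that storage and project resources are evaluated in application scope, that `equals` compares exactly and `match` is a full regex, that every key of a clause must hit, and that an explicit deny overrides any allow; it goes beyond the thread by also modelling a deny rule.

```python
import re

# Simplified model of Rundeck-style ACL evaluation (added example, not Rundeck's code).
# Assumptions: storage and project resources live in application scope, 'equals' is
# exact, 'match' is a full regex, all keys in a clause must hit, explicit deny wins.
def clause_hits(rule, resource):
    for op in ("equals", "match"):
        for key, want in rule.get(op, {}).items():
            have = resource.get(key)
            if not (have is not None and (have == want if op == "equals" else re.fullmatch(want, have))):
                return False
    return True

def policy_in_scope(policy, rtype, project):
    # A policy only applies to resources that live in its declared context.
    ctx = policy.get("context", {})
    if rtype in ("project", "storage"):  # application-scope resource types (assumption)
        return "application" in ctx
    return "project" in ctx and re.fullmatch(ctx["project"], project or "") is not None

def covers(spec, action):
    return spec == "*" or action in (spec if isinstance(spec, list) else [spec])

def evaluate(policies, rtype, resource, groups, action, project=None):
    """Return 'DENIED' (explicit deny), 'GRANTED', or 'REJECTED' (no rule matched)."""
    result = "REJECTED"
    for policy in policies:
        by = policy.get("by", {}).get("group", "")
        if not policy_in_scope(policy, rtype, project) or not any(re.fullmatch(by, g) for g in groups):
            continue
        for rule in policy.get("for", {}).get(rtype, []):
            if not clause_hits(rule, resource):
                continue
            if "deny" in rule and covers(rule["deny"], action):
                return "DENIED"  # deny wins, whatever other rules allow
            if "allow" in rule and covers(rule["allow"], action):
                result = "GRANTED"
    return result

# Constructed from the thread: the same storage rule under a project context
# (second policy posted) and under an application context (corrected policy).
STORAGE_RULES = [{"match": {"path": "keys/INFRA-RSO"}, "allow": ["read"]}]
PROJECT_CTX = {"context": {"project": "INFRA-RSO"}, "by": {"group": ".*"}, "for": {"storage": STORAGE_RULES}}
APP_CTX = {"context": {"application": "rundeck"}, "by": {"group": ".*"}, "for": {"storage": STORAGE_RULES}}
KEY = {"name": "INFRA-RSO", "path": "keys/INFRA-RSO"}  # storage resource seen in the audit log
GROUPS = ["user", "polfoad-admins"]

if __name__ == "__main__":
    print(evaluate([PROJECT_CTX], "storage", KEY, GROUPS, "read"))  # REJECTED
    print(evaluate([APP_CTX], "storage", KEY, GROUPS, "read"))      # GRANTED
```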
