Hi Nate,
I tested with the following ACL for the user “user”:
description: project context.
context:
  project: ProjectEXAMPLE
for:
  resource:
    - allow: [run,read]
  job:
    - equals:
        name: Job2
      allow: [run,read]
  node:
    - allow: [read,run]
by:
  username: user
---
description: app context.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: ProjectEXAMPLE
      allow: [read]
  storage:
    - allow: [read]
by:
  username: user
And evaluating with the following command: ./rd acl list --file user.aclpolicy -u user -p ProjectEXAMPLE -j Job2
I get the right permissions:
# # Project "ProjectEXAMPLE" access for username user
- kill: Adhoc executions [REJECTED]
- killAs: Adhoc executions [REJECTED]
- read: Adhoc executions [REJECTED]
- run: Adhoc executions [REJECTED]
- runAs: Adhoc executions [REJECTED]
- view: Adhoc executions [REJECTED]
- create: Job "Job2" [REJECTED]
- delete: Job "Job2" [REJECTED]
- kill: Job "Job2" [REJECTED]
- killAs: Job "Job2" [REJECTED]
+ read: Job "Job2"
+ run: Job "Job2"
- runAs: Job "Job2" [REJECTED]
- scm_create: Job "Job2" [REJECTED]
- scm_delete: Job "Job2" [REJECTED]
- scm_update: Job "Job2" [REJECTED]
- toggle_execution: Job "Job2" [REJECTED]
- toggle_schedule: Job "Job2" [REJECTED]
- update: Job "Job2" [REJECTED]
- view: Job "Job2" [REJECTED]
- view_history: Job "Job2" [REJECTED]
So, trying by uuid: rd acl list --file user.aclpolicy -u user -p ProjectEXAMPLE -i 1437576d-bf3e-4235-8bf5-2ac622ea8659
I obtain the bad result:
# # Project "ProjectEXAMPLE" access for username user
- kill: Adhoc executions [REJECTED]
- killAs: Adhoc executions [REJECTED]
- read: Adhoc executions [REJECTED]
- run: Adhoc executions [REJECTED]
- runAs: Adhoc executions [REJECTED]
- view: Adhoc executions [REJECTED]
- create: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- delete: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- kill: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- killAs: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- read: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- run: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- runAs: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- scm_create: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- scm_delete: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- scm_update: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- toggle_execution: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- toggle_schedule: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- update: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- view: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- view_history: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
Drilling down into the issue, it's about how rd acl evaluates the ACL: if you define your ACL using the job name and evaluate by UUID, then it fails.
So, changing the ACL to indicate the job by UUID:
description: project context.
context:
  project: ProjectEXAMPLE
for:
  resource:
    - allow: [run,read]
  job:
    - equals:
        uuid: 1437576d-bf3e-4235-8bf5-2ac622ea8659
      allow: [run,read]
  node:
    - allow: [read,run]
by:
  username: user
---
description: app context.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: ProjectEXAMPLE
      allow: [read]
  storage:
    - allow: [read]
by:
  username: user
Then the evaluation by UUID looks ok:
# # Project "ProjectEXAMPLE" access for username user
- kill: Adhoc executions [REJECTED]
- killAs: Adhoc executions [REJECTED]
- read: Adhoc executions [REJECTED]
- run: Adhoc executions [REJECTED]
- runAs: Adhoc executions [REJECTED]
- view: Adhoc executions [REJECTED]
- create: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- delete: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- kill: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- killAs: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
+ read: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659"
+ run: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659"
- runAs: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- scm_create: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- scm_delete: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- scm_update: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- toggle_execution: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- toggle_schedule: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- update: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- view: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
- view_history: Job UUID"1437576d-bf3e-4235-8bf5-2ac622ea8659" [REJECTED]
(and fails if you evaluate by name).
Basically, if you define your jobs by name, use the -j parameter; if you define them by UUID, use the -i parameter.
Greetings.
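The behaviour described in the post above, modelled as an added example (this is not Rundeck's code and not the poster's; it is a toy evaluator written for this page). It transcribes the two job rules from the posted policies into Python dicts and applies the usual match-then-allow/deny logic. The one assumption that produces the post's results is that the `rd acl list` test tool builds the job resource from only the attribute you pass (`-j` gives it a `name`, `-i` gives it a `uuid`), so a rule keyed on `name` has nothing to compare against when the resource only carries a `uuid`, and vice versa. The `POLICY_BY_PATTERN`, `JOB_ACTIONS` and deny handling go beyond the post to show how `match` and `deny` rules fit the same model; `re.fullmatch` stands in for Rundeck's regex matching.

```python
import re

# Constructed transcription of the job rules from the two posted policies.
# Only the project-context "job" section matters for the decisions shown, so
# the app-context policy and the resource/node rules are left out.
JOB_UUID = "1437576d-bf3e-4235-8bf5-2ac622ea8659"

POLICY_BY_NAME = {
    "job": [{"equals": {"name": "Job2"}, "allow": ["run", "read"]}],
}
POLICY_BY_UUID = {
    "job": [{"equals": {"uuid": JOB_UUID}, "allow": ["run", "read"]}],
}
# Beyond the post: a regex rule, to show `match` in the same model.
POLICY_BY_PATTERN = {
    "job": [{"match": {"name": "Job[0-9]+"}, "allow": ["read"]}],
}

JOB_ACTIONS = ["create", "delete", "read", "run", "update", "view"]


def rule_matches(rule, resource):
    """True when every attribute named under the rule's equals/match/contains
    blocks is present on the resource and satisfies the predicate.

    An attribute the resource does not carry never satisfies a predicate, so a
    rule keyed on `name` cannot match a resource that only has a `uuid`.
    A rule with no predicate block matches every resource of its type.
    """
    for attr, expected in rule.get("equals", {}).items():
        if resource.get(attr) != expected:
            return False
    for attr, pattern in rule.get("match", {}).items():
        value = resource.get(attr)
        # Rundeck's `match` is a regex; re.fullmatch approximates it here.
        if value is None or re.fullmatch(pattern, value) is None:
            return False
    for attr, needed in rule.get("contains", {}).items():
        have = resource.get(attr)
        if have is None:
            return False
        have = have if isinstance(have, list) else [have]
        wanted = needed if isinstance(needed, list) else [needed]
        if not set(wanted) <= set(have):
            return False
    return True


def evaluate(policy, resource_type, resource, action):
    """Decide one action: an explicit deny on any matching rule wins; otherwise
    the action is ALLOWED if some matching rule lists it (or '*'); otherwise it
    is REJECTED because no rule granted it."""
    decision = "REJECTED"
    for rule in policy.get(resource_type, []):
        if not rule_matches(rule, resource):
            continue
        denied = rule.get("deny", [])
        if action in denied or "*" in denied:
            return "DENIED"
        allowed = rule.get("allow", [])
        if action in allowed or "*" in allowed:
            decision = "ALLOWED"
    return decision


def rd_acl_list_job(policy, name=None, uuid=None, actions=JOB_ACTIONS):
    """Mimic `rd acl list ... -j NAME` or `-i UUID`.

    Assumption (this example's, not documented behaviour): the test tool builds
    the job resource from only the attribute given on the command line, unlike
    a live server where a job resource carries its name and its uuid.
    """
    resource = {}
    if name is not None:
        resource["name"] = name
    if uuid is not None:
        resource["uuid"] = uuid
    return {action: evaluate(policy, "job", resource, action) for action in actions}


def show(title, results):
    """Print in the same +/- style as the rd acl list output quoted above."""
    print(f"# {title}")
    for action, decision in results.items():
        mark = "+" if decision == "ALLOWED" else "-"
        suffix = "" if decision == "ALLOWED" else f" [{decision}]"
        print(f"{mark} {action}{suffix}")


if __name__ == "__main__":
    show("policy by name, -j Job2", rd_acl_list_job(POLICY_BY_NAME, name="Job2"))
    show("policy by name, -i <uuid>", rd_acl_list_job(POLICY_BY_NAME, uuid=JOB_UUID))
    show("policy by uuid, -i <uuid>", rd_acl_list_job(POLICY_BY_UUID, uuid=JOB_UUID))
    show("policy by uuid, -j Job2", rd_acl_list_job(POLICY_BY_UUID, name="Job2"))
```

Running it reproduces the four outcomes in the post: only the first and third runs show `+ read` and `+ run`, the other two reject everything. The point for anyone testing least-privilege policies with the tool is that a REJECTED line may mean "no rule could see the attribute it needed", not "the policy denies this", so check the resource attributes your rules key on against the flags you pass.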