
Rundeck 5.6 ACL to disable access to thread_dump.json


javed...@gmail.com

Feb 13, 2025, 10:04:53 AM
to rundeck-discuss
Hello,

Under menu/systemInfo is there a way to hide the button of thread_dump.json?

Goal being to reduce load on system if users can be prohibited from clicking that. 

Or in the alternative just deny access to that systemInfo screen.

I tried looking for a rule under context "application" here https://docs.rundeck.com/docs/administration/security/authorization.html#example

And I tried using rd-cli to create one but I can't seem to find the right parameter. 

# rd acl create -c application -g testgroup --generic system
--allow or --deny is required. Possible actions in this context:
  *
  read
  enable_executions
  disable_executions
  admin
  app_admin
  ops_admin
Usage: rd acl [COMMAND]
Generate, Test, and Validate ACLPolicy files
Commands:
  create    Create ACL Policies
  list      List ACL Policies
  test      Test ACL Policies
  validate  Validate ACL Policies



rac...@rundeck.com

Feb 13, 2025, 11:12:48 AM
to rundeck-discuss

Hi,

Currently the ACL doesn’t cover that level of granularity. It sounds good for an enhancement, please open a new suggestion here.

Now, via ACL you can block the system-wide resources to "hide" the system report menu link as follows (tested on rundeck 5.9.0):

description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [create] # allow create jobs
    - equals:
        kind: node
      allow: [read,create,update,refresh] # allow refresh node sources
    - equals:
        kind: event
      allow: [read,create] # allow read/create events
  adhoc:
    - allow: [read,run,runAs,kill,killAs] # allow running/killing adhoc jobs
  job:
    - allow: [create,read,update,delete,run,runAs,kill,killAs] # allow create/read/write/delete/run/kill of all jobs
  node:
    - allow: [read,run] # allow read/run for nodes
by:
  username: user

---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [create] # allow create of projects
    - equals:
        kind: system_acl
      allow: [read,create,update,delete,admin] # allow modifying system ACL files
    - equals:
        kind: user
      allow: [admin] # allow modify user profiles
  project:
    - match:
        name: '.*'
      allow: [read,import,export,configure,delete,promote,admin] # allow full access of all projects or use 'admin'
  project_acl:
    - match:
        name: '.*'
      allow: [read,create,update,delete,admin] # allow modifying project-specific ACL files
  storage:
    - allow: [read,create,update,delete] # allow access for /ssh-key/* storage content
by:
  username: user

This example is based on the documentation example, feel free to restrict/modify it.

Greetings!
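
An added example, not part of the thread or of Rundeck's own documentation: the same restriction written as an explicit deny for the group named in the question, so it holds even when another policy grants that group broader access. It assumes the System Report page is gated by `read` on the application-scope `system` resource and that a deny takes precedence over allows from other policies; the group name `testgroup` is taken from the question.

```yaml
# Added example: explicit deny on the application-scope "system" resource.
# Roughly what the command from the question would generate once an action
# is supplied:
#   rd acl create -c application -g testgroup --generic system --deny read
description: Deny system information to testgroup (example policy).
context:
  application: 'rundeck'   # application scope, not a project
for:
  resource:
    - equals:
        kind: system       # the generic "system" resource from the rd output
      deny: [read]         # "read" is one of the actions listed for this kind
by:
  group: testgroup         # applies to every member of this group
```

This policy only denies; members of `testgroup` still need their usual allow policies for projects, jobs and nodes, and there is no separate rule for thread_dump.json alone.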
