Hi guys,
I'm just starting with Rundeck, so I apologize if the question has already been answered here.
I do have a working setup with the latest stable version of Rundeck available.
I'm currently using the PropertyFile based credential file used by default by Rundeck.
Everything is working fine.
What I would like to do is switch to x509 client cert authentication or GSS-API based authentication for the Web-UI.
To achieve that, running Rundeck in preauthenticated mode behind a reverse proxy in charge of the authentication seems the way to go.
So far, nothing seems quite difficult.
I do plan to use rundeck-cli and the rundeck REST API. So far I haven't played with those.
After a quick search, it seems that those two are using:
* classic user/password based authentication
* API Token based authentication
The API Token feature is quite a nice feature that I'd still like to use after switching my Rundeck authentication to x509 client cert or GSS-API.
Is that even possible?
Is there a solution where I can set up my reverse proxy to only authenticate the Web-UI requests, but not the /api endpoint used by rundeck-cli and the REST API?
Of course, without leaving my /api endpoint unauthenticated, but relying on an API Token that would be handled by Rundeck itself.
I'm afraid that when Rundeck runs in preauthenticated mode, the API Token feature is no longer available/working. And that if I use x509 client cert authentication or GSS-API client authentication, I would no longer be able to use rundeck-cli.
Am I right?
Thanks for your answers
Cheers
Rémi