ACLs- Allowing read access to all jobs in projects, but only create/update/delete in a single project?


Rob Byrne

Dec 7, 2023, 3:22:23 PM12/7/23
to rundeck-discuss
I'm running into an issue with our ACL file for our job permissions. We have a development group that needs to be able to view all jobs in every project, but we want them to only be able to view and modify in one specific project. Currently, this ACL appears to be granting the read permissions properly for the dev group, but users in that group are still unable to create, run, or delete jobs. Any help would be appreciated!

Attached is a screenshot of the relevant section in the .aclpolicy file (since I don't believe Google Groups supports codeblocks): Screenshot 2023-12-07 at 2.21.05 PM.png
Let me know if any more information would be useful,
Thanks!

rac...@rundeck.com

Dec 7, 2023, 4:24:13 PM12/7/23
to rundeck-discuss

Hi Rob,

I wrote a couple of ACLs to accomplish that. The first one restricts the “devs” group to all projects, and the second one “allows” only “ProjectC”, take a look:

The second one overrides the first one keeping ProjectA and ProjectB blocked.

The “block everything” ACL:

description: project context.
context:
  project: .*
for:
  resource:
    - allow: [read]
  job:
    - allow: [read]
  node:
    - allow: [read]
by:
  group: devs

---

description: app context.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: .*
      allow: [read]
  storage:
    - allow: [read]
by:
  group: devs

Now the “only ProjectC for devs” ACL:

description: project context.
context:
  project: ProjectC
for:
  resource:
    - allow: '*'
  job:
    - allow: '*'
  node:
    - allow: '*'
by:
  group: devs

---

description: app context.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: ProjectC
      allow: '*'
  storage:
    - allow: '*'
by:
  group: devs

I created a user called “bob” (“devs” group).

Check the Project List, ProjectA, ProjectB, and ProjectC (allowed).

Tip: if you want to add “markdown code” here in Google Groups, you can use the “Markdown Here” plugin (firefox version and chrome version). The plugin is great even for writing awesome emails in markdown format :-)

Hope it helps!
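Added worked example (not code from this thread and not Rundeck's own implementation): a small Python model of the documented Rundeck ACL evaluation rules, run over the two policy files from the reply above, transcribed as Python data. Rundeck evaluates every matching rule in every loaded policy file: an action is granted if at least one matching rule allows it and no matching rule denies it, and a deny always wins. So the "only ProjectC" file does not override the "read everything" file; the two files' allows are combined, and ProjectA/ProjectB stay read-only simply because nothing allows anything else there. The function names, the sample job attributes, the `qa` group and the `deny: [run]` variant are all constructed for this example; only `match` (regex) and `equals` rule conditions are modelled, and the result labels `allowed`/`denied`/`rejected` are this example's own.

```python
"""Toy evaluator for the two Rundeck .aclpolicy files quoted above.

Added example, not Rundeck's code. Models the documented rule semantics:
granted if some matching rule allows the action and no matching rule
denies it; deny takes precedence over allow, regardless of file order.
"""
import copy
import re

# File 1 (constructed transcription of the "read everything" ACL above).
READ_ALL = [
    {"context": {"project": ".*"},
     "for": {"resource": [{"allow": ["read"]}],
             "job": [{"allow": ["read"]}],
             "node": [{"allow": ["read"]}]},
     "by": {"group": "devs"}},
    {"context": {"application": "rundeck"},
     "for": {"project": [{"match": {"name": ".*"}, "allow": ["read"]}],
             "storage": [{"allow": ["read"]}]},
     "by": {"group": "devs"}},
]

# File 2 (constructed transcription of the "only ProjectC for devs" ACL).
PROJECT_C_FULL = [
    {"context": {"project": "ProjectC"},
     "for": {"resource": [{"allow": "*"}],
             "job": [{"allow": "*"}],
             "node": [{"allow": "*"}]},
     "by": {"group": "devs"}},
    {"context": {"application": "rundeck"},
     "for": {"project": [{"match": {"name": "ProjectC"}, "allow": "*"}],
             "storage": [{"allow": "*"}]},
     "by": {"group": "devs"}},
]

POLICIES = READ_ALL + PROJECT_C_FULL  # both files loaded, as on a server
JOB = {"name": "deploy", "group": "ops"}  # constructed sample job


def _lists(value):
    """Normalise 'x' / ['x', 'y'] / '*' / missing into a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _context_matches(doc, context):
    """context is ('project', <name>) or ('application', 'rundeck');
    the policy's context value is treated as a regex (full match)."""
    kind, name = context
    pattern = doc.get("context", {}).get(kind)
    return pattern is not None and re.fullmatch(pattern, name) is not None


def _subject_matches(doc, groups, user):
    by = doc.get("by", {})
    return (user in _lists(by.get("username"))
            or any(g in _lists(by.get("group")) for g in groups))


def _rule_matches(rule, resource):
    """A rule with no conditions matches every resource of its type."""
    for attr, pattern in rule.get("match", {}).items():
        if not re.fullmatch(pattern, str(resource.get(attr, ""))):
            return False
    for attr, value in rule.get("equals", {}).items():
        if str(resource.get(attr, "")) != str(value):
            return False
    return True


def authorize(policies, context, resource_type, resource, action, groups, user="bob"):
    """'denied' if any matching rule denies, 'allowed' if any allows,
    otherwise 'rejected' (no rule said anything). Labels are this example's."""
    allowed = False
    for doc in policies:
        if not _context_matches(doc, context) or not _subject_matches(doc, groups, user):
            continue
        for rule in doc.get("for", {}).get(resource_type, []):
            if not _rule_matches(rule, resource):
                continue
            deny = _lists(rule.get("deny"))
            if "*" in deny or action in deny:
                return "denied"  # deny wins immediately, whatever else allows
            allow = _lists(rule.get("allow"))
            if "*" in allow or action in allow:
                allowed = True  # keep scanning: a later deny could still win
    return "allowed" if allowed else "rejected"


def check_dev_job_access(project, action, groups=("devs",)):
    """Project-context decision for a job action, e.g. read/run/delete."""
    return authorize(POLICIES, ("project", project), "job", JOB, action, list(groups))


def check_dev_project_access(project, action, groups=("devs",)):
    """Application-context decision on the project resource itself."""
    return authorize(POLICIES, ("application", "rundeck"), "project",
                     {"name": project}, action, list(groups))


# Caveat: write "block everything" by omitting actions, not with deny.
# Constructed variant of file 1 that denies job run: file 2 can no longer
# grant run in ProjectC, because deny beats allow across files.
READ_ALL_BUT_DENY_RUN = copy.deepcopy(READ_ALL)
READ_ALL_BUT_DENY_RUN[0]["for"]["job"][0]["deny"] = ["run"]


def check_with_explicit_deny(project, action, groups=("devs",)):
    return authorize(READ_ALL_BUT_DENY_RUN + PROJECT_C_FULL, ("project", project),
                     "job", JOB, action, list(groups))


if __name__ == "__main__":
    for proj in ("ProjectA", "ProjectB", "ProjectC"):
        for act in ("read", "run", "create", "delete"):
            print(f"devs job {act:<6} in {proj}: {check_dev_job_access(proj, act)}")
    print("deny variant, ProjectC run:", check_with_explicit_deny("ProjectC", "run"))
```

Run it as-is to get the per-project table; the deny variant at the bottom is the edge case to remember when a team asks for a "deny everything except" policy. To check the real server rather than this model, Rundeck ships an `rd-acl` utility whose `test` subcommand evaluates a policy file against a group/project/job/action request; consult `rd-acl test --help` on your version for the exact flags, which are not reproduced here.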

Rob Byrne

Dec 14, 2023, 2:13:14 PM12/14/23
to rundeck-discuss
Hi There!
Sorry for the delay getting back to you; I've been sick for the past few days so I haven't had a chance to follow up with you. I looked over your examples, and they were helpful. Was the issue in my original ACLs that I didn't have two app contexts for the two project contexts?
Thanks,
Rob