
Parse group list for admin ACL in Preauthenticated mode


Loth

Dec 3, 2024, 6:46:13 PM
to rundeck...@googlegroups.com
Hello All,

I've got preauthenticated mode set up and it is forwarding user/group
headers correctly, however it only works when I have a singular group
for the user. Is there any way I can have the ACL parse a string of
groups such as "Accountants, Rundeck Users, Engineers" or something
like that?

Thanks for any assistance you can provide.

rac...@rundeck.com

Dec 4, 2024, 7:20:20 AM
to rundeck-discuss

Hello!

You can focus your ACLs on multiple roles, check the group line in the following example:

description: project context.
context:
  project: ProjectEXAMPLE
for:
  resource:
    - allow: [run,read]
  job:
    - match:
        name: HelloWorld
      allow: [run,read]
  node:
    - allow: [read,run]
by:
  group: [dba,devops]
---
description: app context.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: ProjectEXAMPLE
      allow: [read]
  storage:
    - allow: [read]
by:
  group: [dba,devops]

Hope it helps!

Loth

Dec 5, 2024, 5:24:42 PM
to rundeck...@googlegroups.com
Thanks for your reply. I can see how that would give access to
multiple groups; however, my issue is that the groups passed by
'rundeck.security.authorization.preauthenticated.userRolesHeader'
contain multiple groups, including the 'rundeck_users' group. However,
Rundeck sees this as one string and compares it to the group
configured in the ACL, then denies it, since "group1, group2,
rundeck_users, group3" != "rundeck_users". I only got this to work if I
removed all other groups for the user except rundeck_users. Is there
any way to instruct Rundeck to parse this comma-separated string as
multiple groups?

Thanks for your help

rac...@rundeck.com

Dec 6, 2024, 6:52:16 AM
to rundeck-discuss
Hi,

Can you share how the header stores the roles and your ACL definition to take a look?

Regards.

Loth

Dec 7, 2024, 5:23:11 PM
to rundeck...@googlegroups.com
Hello,

Thanks for your reply. It is sent as a comma-delimited string from
AD/SAML. Here is the error when adding additional groups to the user
logging in:

You have no authorized access to projects.

Contact your administrator. (User roles: rundeck,Engineers,Testers,Employees)

Where 'rundeck' is the group in the ACL, as defined here:
https://pastebin.com/RCQL5RRT

If I remove all the other groups except 'rundeck', the user can access
the project as normal.

Thanks for any assistance you can provide.


rac...@rundeck.com

Dec 10, 2024, 7:56:17 AM
to rundeck-discuss
Hi,

If I understand correctly, when you have a user with multiple roles like "rundeck,Engineers,Testers,Employees" the ACL doesn't work. It only works if the user is part of a single role (Rundeck). Is that correct?

I've tested here using an NGINX pre-auth environment, but I'm pretty sure that was reported on GitHub before (and it seemed related to AD). I'm still looking.

Regards.
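The behaviour the thread describes, as an added illustration that is not Rundeck's code and not from anyone in this thread: a preauthentication roles header such as "rundeck,Engineers,Testers,Employees" compared as one opaque string never equals the ACL group "rundeck", whereas splitting it on the delimiter and trimming whitespace yields a role set that does contain it. The header value comes from the error message quoted above; the ACL group lists, the delimiter, and the case-sensitive exact matching are assumptions for this example.

```python
"""
Added example (not Rundeck's implementation): how a comma-delimited roles
header should be split into a role set before it is matched against an ACL
'by: group:' list, contrasted with the whole-string comparison that causes
the "You have no authorized access to projects" result described above.
"""
from __future__ import annotations

# Constructed sample header value (copied from the error message in the thread).
SAMPLE_ROLES_HEADER = "rundeck,Engineers,Testers,Employees"

# Assumption for this example: the ACL 'by: group:' list only names 'rundeck'.
SAMPLE_ACL_GROUPS = ["rundeck"]


def parse_roles_header(value: str, delimiter: str = ",") -> frozenset[str]:
    """Split a delimited roles header into a set of role names.

    Surrounding whitespace is stripped, so "Accountants, Rundeck Users" yields
    two roles (the second keeps its internal space), and empty entries that
    result from trailing or doubled delimiters are dropped.
    """
    return frozenset(part.strip() for part in value.split(delimiter) if part.strip())


def naive_whole_string_match(header_value: str, acl_groups: list[str]) -> bool:
    """The failure mode from the thread: the raw header is treated as one role name.

    This only succeeds when the header carries exactly one group, which is why
    removing every group except 'rundeck' made the ACL work.
    """
    return header_value in acl_groups


def matches_acl_group(roles: frozenset[str], acl_groups: list[str]) -> bool:
    """True if any of the user's parsed roles appears in the ACL group list.

    Matching is exact and case-sensitive here (assumption); 'Rundeck' would not
    satisfy an ACL that names 'rundeck'.
    """
    return any(group in roles for group in acl_groups)


def evaluate(header_value: str, acl_groups: list[str]) -> dict:
    """Run both interpretations of the header side by side for comparison."""
    roles = parse_roles_header(header_value)
    return {
        "roles": sorted(roles),
        "naive_match": naive_whole_string_match(header_value, acl_groups),
        "split_match": matches_acl_group(roles, acl_groups),
    }


if __name__ == "__main__":
    for header in (SAMPLE_ROLES_HEADER, "rundeck", "Engineers, Testers"):
        result = evaluate(header, SAMPLE_ACL_GROUPS)
        print(f"{header!r:45} -> roles={result['roles']} "
              f"naive={result['naive_match']} split={result['split_match']}")
```

Running the block shows that only the single-group header passes the naive comparison, while the split comparison admits the multi-group header and still rejects a header that lacks the ACL group entirely. When diagnosing a deployment, the role list echoed in the error message ("User roles: ...") tells you exactly what string the server received, so you can check whether it is being split, and whether the names it contains match the ACL's group names character for character.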