Rundeck SCM Plugin Configuration


wildxy49

Dec 1, 2015, 1:58:58 PM
to rundeck-discuss
Hi,

I'm trying to configure rundeck SCM to allow syncing job definitions to github.  I've uploaded an ssh key to key storage at /keys/github, and the ssh key file name is ec2_deplloyer.  The git url is set to use ssh://g...@github.com:xxx/.  Yet, rundeck is unable to access the key storage area.  This error shows in the service.log,

ERROR StorageController: Unauthorized: resource keys/github/ec2_deployer: Unauthorized access
ERROR StorageController: Unauthorized: resource keys/github/ec2_deployer: Unauthorized access
ERROR StorageController: Unauthorized: resource keys/github/ec2_deployer: Unauthorized access
ERROR StorageController: Unauthorized: resource keys/github/ec2_deployer: Unauthorized access

Now the rd-acl test passed


[rundeck]$ rd-acl test -c application -c dreambox-west -g admin -R storage -a read,update
Using configured Rundeck etc dir: /etc/rundeck
The decision was: allowed
The test passed

Any idea what went wrong?

-CK

Greg Schueler

Dec 1, 2015, 2:09:08 PM
to rundeck...@googlegroups.com
Try your rd-acl test using -s instead of -R

rd-acl test -c application -g admin -s keys/github/ec2_deployer -a read,update

Is the user performing the scm action the 'admin' user?

I see you said "ec2_deplloyer" in one case and "ec2_deployer" in another.

--
You received this message because you are subscribed to the Google Groups "rundeck-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rundeck-discu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rundeck-discuss/c5abd1f3-78fb-4a22-a847-335c231db482%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

wildxy49

Dec 1, 2015, 2:14:26 PM
to rundeck-discuss
ec2_deployer is actually an ssh private key.  I am running under user admin.

wildxy49

Dec 1, 2015, 2:15:46 PM
to rundeck-discuss
Here's the output

[rundeck@xxxx rundeck]$ rd-acl test -c application -g admin -s keys/github/ec2_deployer -a read,update

Using configured Rundeck etc dir: /etc/rundeck
The decision was: allowed
The test passed


wildxy49

Dec 3, 2015, 3:02:50 PM
to rundeck-discuss
Any word on this?



Greg Schueler

Dec 3, 2015, 3:04:42 PM
to rundeck...@googlegroups.com
Can you look in the rundeck.audit.log to find where the access is being denied?


wildxy49

Dec 4, 2015, 9:56:01 AM
to rundeck-discuss
Greg,

Here's the rundeck.audit.log that I captured when I click the setup button for the scm plugin:

2015-12-04 14:53:53,315 - Evaluating Decision for: res<type:resource, kind:project> subject<Username:admin Group:architect Group:admin Group:deploy Group:build Group:user> action<create> env<http://dtolabs.com/rundeck/env/application:rundeck>: authorized: true: GRANTED, reason: GRANTED, evaluations:      ACLRule</etc/rundeck/admin.aclpolicy[2][type:resource][rule: 1]>{'Admin, all access.' context={application='rundeck'} type='resource' for: { group='admin'} allow=[*]} GRANTED for action create => GRANTED (0ms)
2015-12-04 14:53:53,394 - Evaluating Decision for: res<type:adhoc> subject<Username:admin Group:architect Group:admin Group:deploy Group:build Group:user> action<run> env<http://dtolabs.com/rundeck/env/project:dreambox-west>: authorized: true: GRANTED, reason: GRANTED, evaluations:        ACLRule</etc/rundeck/admin.aclpolicy[1][type:adhoc][rule: 1]>{'Admin, all access.' context={project='.*'} type='adhoc' for: { group='admin'} allow=[*]} GRANTED for action run => GRANTED (0ms)
2015-12-04 14:53:53,395 - Evaluating Decision for: res<type:adhoc> subject<Username:admin Group:architect Group:admin Group:deploy Group:build Group:user> action<run> env<http://dtolabs.com/rundeck/env/project:dreambox-west>: authorized: false:      No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
2015-12-04 14:53:53,472 - Evaluating Decision for: res<type:project, name:dreambox-west> subject<Username:admin Group:architect Group:admin Group:deploy Group:build Group:user> action<configure> env<http://dtolabs.com/rundeck/env/application:rundeck>: authorized: true: GRANTED, reason: GRANTED, evaluations:      ACLRule</etc/rundeck/admin.aclpolicy[2][type:project][rule: 1]>{'Admin, all access.' context={application='rundeck'} type='project' for: { group='admin'} allow=[*]} GRANTED for action configure => GRANTED (0ms)




wildxy49

Dec 4, 2015, 11:40:41 AM
to rundeck-discuss
Would this be helpful?



wildxy49

Dec 7, 2015, 1:52:25 PM
to rundeck-discuss
Is this log output helpful?

Greg Schueler

Dec 7, 2015, 5:59:24 PM
to rundeck...@googlegroups.com
No, what is the output that occurs when you get the 'Unauthorized access' message?


wildxy49

Dec 8, 2015, 7:48:15 AM
to rundeck-discuss
The 'Unauthorized access' message does not show up in rundeck.audit.log but here,

rundeck.log:
rundeck.log.2015-11-30:2015-11-30 22:08:52,337 [qtp1395568819-59] ERROR grails.app.controllers.rundeck.controllers.StorageController - Unauthorized: resource keys/github/ec2_deployer: Unauthorized access
rundeck.log.2015-11-30:2015-11-30 22:13:36,241 [qtp1395568819-61] ERROR grails.app.controllers.rundeck.controllers.StorageController - Unauthorized: resource keys/github/ec2_deployer: Unauthorized access
rundeck.log.2015-11-30:2015-11-30 22:17:43,121 [qtp1395568819-62] ERROR grails.app.controllers.rundeck.controllers.StorageController - Unauthorized: resource keys/github/ec2_deployer: Unauthorized access
rundeck.log.2015-11-30:2015-11-30 22:21:59,829 [qtp1395568819-62] ERROR grails.app.controllers.rundeck.controllers.StorageController - Unauthorized: resource keys/github/ec2_deployer: Unauthorized access

service.log
service.log:ERROR StorageController: Unauthorized: resource keys/github/ec2-deployer/ec2_deployer: Unauthorized access
service.log:ERROR StorageController: Unauthorized: resource keys/github/ec2-deployer/ec2_deployer: Unauthorized access
service.log-    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:609)
service.log-    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:45)
service.log-    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:599)
service.log-    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:534)
service.log-    at java.lang.Thread.run(Thread.java:744)
service.log:ERROR StorageController: Unauthorized: resource keys/github/ec2_deployer: Unauthorized access
service.log:ERROR StorageController: Unauthorized: resource keys/github/ec2_deployer: Unauthorized access
service.log:ERROR StorageController: Unauthorized: resource keys/github/ec2_deployer: Unauthorized access
service.log:ERROR StorageController: Unauthorized: resource keys/github/ec2_deployer: Unauthorized access
service.log-INFO  ExecutionUtilService: Execution successful: 4
service.log-INFO  ExecutionService: updated scheduled Execution
service.log-
service.log-Session terminated, killing shell...2015-12-01 12:28:46.204:INFO:/:Destroying Spring FrameworkServlet 'grails'


-Chengkai

wildxy49

Dec 8, 2015, 7:56:34 AM
to rundeck-discuss
Another message found in rundeck.audit.log file,

2015-12-08 12:54:45,667 - Evaluating Decision for: res<type:adhoc> subject<Username:admin Group:architect Group:admin Group:deploy Group:build Group:user> action<run> env<http://dtolabs.com/rundeck/env/project:dreambox-west>: authorized: false:      No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
2015-12-08 12:54:45,735 - Evaluating Decision for: res<type:project, name:dreambox-west> subject<Username:admin Group:architect Group:admin Group:deploy Group:build Group:user> action<configure> env<http://dtolabs.com/rundeck/env/application:rundeck>: authorized: true: GRANTED, reason: GRANTED, evaluations:      ACLRule</etc/rundeck/admin.aclpolicy[2][type:project][rule: 1]>{'Admin, all access.' context={application='rundeck'} type='project' for: { group='admin'} allow=[*]} GRANTED for action configure => GRANTED (0ms)

wildxy49

Dec 8, 2015, 8:10:27 AM
to rundeck-discuss
Maybe this is the actual cause,


2015-12-08 12:54:45,667 - Evaluating Decision for: res<type:adhoc> subject<Username:admin Group:architect Group:admin Group:deploy Group:build Group:user> action<run> env<http://dtolabs.com/rundeck/env/project:dreambox-west>: authorized: false:      No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
2015-12-08 12:54:45,735 - Evaluating Decision for: res<type:project, name:dreambox-west> subject<Username:admin Group:architect Group:admin Group:deploy Group:build Group:user> action<configure> env<http://dtolabs.com/rundeck/env/application:rundeck>: authorized: true: GRANTED, reason: GRANTED, evaluations:      ACLRule</etc/rundeck/admin.aclpolicy[2][type:project][rule: 1]>{'Admin, all access.' context={application='rundeck'} type='project' for: { group='admin'} allow=[*]} GRANTED for action configure => GRANTED (0ms)

It seems like rundeck was unable to access the git repo or was not able to get the key I stored in the key storage.  I did manually test the key and it can access github though.
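
Added example, not part of the original thread and not Rundeck's own code: a small parser for the `Evaluating Decision` lines of rundeck.audit.log quoted in the posts above, which keeps only the rejected decisions (the check asked for earlier in the thread). The sample lines are copied from the posts; the function names and the assumption that other Rundeck versions log the same layout are mine.

```python
import re

# Layout of the "Evaluating Decision" lines as quoted in this thread
# (assumption: other Rundeck versions may format them differently).
DECISION = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - Evaluating Decision for: "
    r"res<(?P<res>[^>]*)> subject<(?P<subject>[^>]*)> action<(?P<action>[^>]*)> "
    r"env<(?P<env>[^>]*)>: authorized: (?P<ok>true|false):(?P<rest>.*)$"
)

def parse_decision(line):
    """Return a dict for one audit line, or None if it is not a decision line."""
    m = DECISION.match(line.strip())
    if not m:
        return None
    subject = m.group("subject").split()
    # The final "=> CODE (Nms)" carries the overall result code.
    code = re.search(r"=> (\w+) \(\d+ms\)\s*$", m.group("rest"))
    return {
        "time": m.group("ts"),
        "resource": m.group("res"),
        "user": next((s.split(":", 1)[1] for s in subject if s.startswith("Username:")), None),
        "groups": [s.split(":", 1)[1] for s in subject if s.startswith("Group:")],
        "action": m.group("action"),
        # env is a URI ending in "project:<name>" or "application:rundeck"
        "context": m.group("env").rsplit("/", 1)[-1],
        "authorized": m.group("ok") == "true",
        "code": code.group(1) if code else None,
    }

def denied(lines):
    """Keep only the decisions the ACL engine rejected."""
    parsed = (parse_decision(l) for l in lines)
    return [d for d in parsed if d and not d["authorized"]]

# Sample input: two audit lines and one service.log line copied from the thread.
SAMPLE = [
    "2015-12-08 12:54:45,667 - Evaluating Decision for: res<type:adhoc> subject<Username:admin Group:architect Group:admin Group:deploy Group:build Group:user> action<run> env<http://dtolabs.com/rundeck/env/project:dreambox-west>: authorized: false:      No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)",
    "2015-12-08 12:54:45,735 - Evaluating Decision for: res<type:project, name:dreambox-west> subject<Username:admin Group:architect Group:admin Group:deploy Group:build Group:user> action<configure> env<http://dtolabs.com/rundeck/env/application:rundeck>: authorized: true: GRANTED, reason: GRANTED, evaluations:      ACLRule</etc/rundeck/admin.aclpolicy[2][type:project][rule: 1]>{'Admin, all access.' context={application='rundeck'} type='project' for: { group='admin'} allow=[*]} GRANTED for action configure => GRANTED (0ms)",
    "ERROR StorageController: Unauthorized: resource keys/github/ec2_deployer: Unauthorized access",
]

if __name__ == "__main__":
    for d in denied(SAMPLE):
        print(d["time"], d["user"], d["action"], d["resource"], d["context"], d["code"])
```

On the lines captured in this thread, the only rejected decision is an `adhoc` `run` in the project context; none of the captured audit lines is a decision on a storage path.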

