Can't make ACL to allow run jobs in one group


Genna Reingold

May 27, 2020, 5:12:40 AM
to rundeck-discuss


Hi
I'm trying to limit access for a number of users so they can run some jobs only in one project. I also want to be able to add jobs without modifying ACL rules for each new job. So I have 3 jobs, and I have added 1 job to group "admin" and 2 jobs to "non-admin". The following ACL works for me:

---
context:
  project: TES_BAUMPH
description: generated
for:
  resource:
    - allow: [run,read]
  job:
    - equals:
        name: Non Admin Job 1
      allow: [run,read]
    - equals:
        name: Non Admin Job 2
      allow: [run,read]
by:
  username:
  - user1  
  - user2
 
User can run both jobs as expected. Both jobs are added to group "non-admin"  

However when I try this:

---
context:
  project: TES_BAUMPH
description: generated
for:
  resource:
    - allow: [run,read]
  job:
    - equals:
        group: non-admin
      allow: [run,read]
by:
  username:
  - user1  
  - user2

The user can log in and see the jobs (because of another, wider ACL) but cannot run those jobs.
Please let me know what I am doing wrong.

 Genna

Reiner Acuña

May 27, 2020, 8:35:33 AM
to rundeck-discuss
Hi Genna,

I tested your ACL, and you need to give read/run access to nodes. I leave an ACL that works; feel free to modify it :-)

description: project context.
context:
  project: MyProject

for:
  resource:
    - allow: [run,read]
  job:
    - equals:
        group: mygroup
      allow: [run,read]
  node:
    - allow: [read,run]
by:
  username: [user1,user2]

---

description: app context.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: MyProject
      allow: [read]
  storage:
    - allow: [read]
by:
  username: [user1,user2]

Hope it helps!
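The reason Genna's second policy grants the job but the run still fails is that running a job also needs `run` on the nodes it dispatches to, and Rundeck's ACL evaluation is default-deny: a resource type with no matching rule gets nothing. The script below is an added example, not Rundeck's own code or anything from this thread; it is a deliberately small model of project-context evaluation (default deny, `deny` beating `allow`, matcher-less rules applying to every resource of their type, `equals`/`match`/`contains` matchers) and ignores application-context policies and `by: group`. The two policies are the YAML documents from the thread written as Python dicts so it runs without a YAML parser; the job and node attributes are constructed sample data.

```python
"""Simplified model of Rundeck project-context ACL evaluation (added example)."""
import re

# Genna's second policy: run/read on jobs in group "non-admin", nothing about nodes.
JOB_GROUP_ONLY = {
    "description": "generated",
    "context": {"project": "TES_BAUMPH"},
    "for": {
        "resource": [{"allow": ["run", "read"]}],
        "job": [{"equals": {"group": "non-admin"}, "allow": ["run", "read"]}],
    },
    "by": {"username": ["user1", "user2"]},
}

# Reiner's fix: the same job rule plus read/run on every node in the project.
WITH_NODE_ACCESS = {
    "description": "project context.",
    "context": {"project": "TES_BAUMPH"},
    "for": {
        "resource": [{"allow": ["run", "read"]}],
        "job": [{"equals": {"group": "non-admin"}, "allow": ["run", "read"]}],
        "node": [{"allow": ["read", "run"]}],
    },
    "by": {"username": ["user1", "user2"]},
}

# Constructed sample resources (names/attributes are assumptions for the demo).
NON_ADMIN_JOB = {"name": "Non Admin Job 1", "group": "non-admin"}
ADMIN_JOB = {"name": "Admin Job", "group": "admin"}
NODES = [{"nodename": "web01", "tags": "web"}, {"nodename": "db01", "tags": "db"}]


def _rule_matches(rule, attrs):
    """A rule with no matcher applies to every resource of its type;
    otherwise every attribute listed under the matcher must satisfy it."""
    for kind in ("equals", "match", "contains"):
        if kind not in rule:
            continue
        for key, want in rule[kind].items():
            have = attrs.get(key)
            if have is None:
                return False
            if kind == "equals" and have != want:
                return False
            if kind == "match" and not re.fullmatch(want, str(have)):
                return False
            if kind == "contains" and want not in have:
                return False
    return True


def decision(policy, username, project, resource_type, attrs, action):
    """Return "allow", "deny", or "none" when no rule grants the action
    (Rundeck treats "none" as a denial: default deny)."""
    if username not in policy["by"].get("username", []):
        return "none"
    if policy["context"].get("project") != project:
        return "none"
    result = "none"
    for rule in policy["for"].get(resource_type, []):
        if not _rule_matches(rule, attrs):
            continue
        if action in rule.get("deny", []):
            return "deny"  # an explicit deny wins over any allow
        if action in rule.get("allow", []):
            result = "allow"
    return result


def can_run_job(policy, username, project, job, nodes):
    """Running a job needs `run` on the job AND `run` on every target node.
    Returns (ok, per-resource decisions) so the failing check is visible."""
    checks = {"job": decision(policy, username, project, "job", job, "run")}
    for node in nodes:
        key = "node:" + node["nodename"]
        checks[key] = decision(policy, username, project, "node", node, "run")
    return all(v == "allow" for v in checks.values()), checks


if __name__ == "__main__":
    for label, pol in (("job-group only", JOB_GROUP_ONLY), ("with node access", WITH_NODE_ACCESS)):
        ok, checks = can_run_job(pol, "user1", "TES_BAUMPH", NON_ADMIN_JOB, NODES)
        print(f"{label}: run ok={ok} {checks}")
```

The per-resource dictionary is the useful part: with the first policy the job check reads `allow` while every node check reads `none`, which is exactly the symptom in the thread (the job is visible, the run is refused). Note that Reiner's node rule is matcher-less and therefore grants `run` on every node in the project; if the non-admin jobs should only touch a subset, narrow it with a `contains: tags:` or `equals: nodename:` matcher instead.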

Genna Reingold

May 28, 2020, 6:51:38 PM
to rundeck-discuss
Hi Reiner,
Thank you - that worked.