Giving a single user access to a single project

Tomas Nunez

Apr 13, 2012, 8:49:51 AM
to rundeck-discuss
Hi

I'm new to rundeck and I'm installing it for the first time.
Everything was smooth until I tried to create users to access
certain projects. I keep reading the manual
(http://rundeck.org/docs/administration/authorization.html) but there
must be something that I'm missing and I don't know what.

I'm trying to give a single user access to a single project, so I
edited /etc/admin.aclpolicy and added these lines:


---------------------------------
description: Devops
context:
  application: 'rundeck'
for:
  project:
    - allow: 'Devops_Project'
by:
  username: 'devops'


---

description: Devops
context:
  project: 'Devops_Project'
for:
  resource:
    - allow: '*'
  adhoc:
    - allow: '*'
  job:
    - allow: '*'
  node:
    - allow: '*'
by:
  username: 'devops'
--------------------------------------------

And this username is in the realm.properties:

------------------------
devops: MD5:PASSWORD,user,devops
-----------------------

But when I authenticate to the webapp with this user, I get the
following message:
"No authorized access to projects. Contact your administrator."

And in the logs:
ERROR FrameworkController: 'devops' has no authorized access. Roles:
user, devops

Funny thing is there is another user that can access another
project with this configuration (but changing the names of username
and project, of course), and I don't know what can be the difference
between the two of them. One is working, the other one doesn't, and
everything is apparently exactly the same.

Any hint about where I am wrong?

I suppose I'm not understanding properly how the authorization works,
but this is as far as I can get with the official documentation. Is
there any place with more detailed explanation or with some examples,
where I could get a clearer picture?

Thanks in advance,
Tomàs

Greg Schueler

Apr 13, 2012, 12:32:21 PM
to rundeck...@googlegroups.com
Hi Tomas, your aclpolicy definition is slightly wrong, 

for:
 project:
   - allow: 'Devops_Project'


You need to declare the name and authorization allowance like this:

for:
  project:
    - equals:
        name: 'Devops_Project'
      allow: [read]
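
Greg's correction applied to the whole policy from the question, as an added example that is not part of the original thread. The user and project names are the ones Tomas posted, and the project-scope document is unchanged from his.

```yaml
# Document 1: application scope. This only decides whether 'devops' can
# see the project at all. The rule has two parts: a matcher (equals/name)
# that selects the project, and 'allow' with a list of actions.
# 'allow' takes actions, never a project name, so the rule in the question
# (- allow: 'Devops_Project') granted nothing on the project.
description: Devops, application scope
context:
  application: 'rundeck'
for:
  project:
    - equals:
        name: 'Devops_Project'
      allow: [read]
by:
  username: 'devops'

---

# Document 2: project scope. This decides what 'devops' can do inside the
# project once document 1 lets the user in. Without document 1 the login
# ends with "No authorized access to projects".
description: Devops, project scope
context:
  project: 'Devops_Project'
for:
  resource:
    - allow: '*'
  adhoc:
    - allow: '*'
  job:
    - allow: '*'
  node:
    - allow: '*'
by:
  username: 'devops'
```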

Tomas Nunez

Apr 16, 2012, 5:27:27 AM
to rundeck...@googlegroups.com
Thanks, it worked!

Muhammad Sheharyar Ilahi

Oct 11, 2013, 8:54:33 AM
to rundeck...@googlegroups.com, tomas...@groupalia.com
Hi there,

I am also new to rundeck and am trying to give access to a role over a single project.

Here is what I have in the admin.aclpolicy file.

When I try to log in as a user who has the group "user" assigned, I get the message: "No authorized access to projects. Contact your administrator. (User roles: user)"

description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: admin

---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
by:
  group: admin


---

description: user, QA access.
context:
  project: 'BetaV2' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [read,create] # allow read/create all kinds
  adhoc:
    - allow: [read] # allow read/running/killing adhoc jobs
  job:
    - allow: [create,read,update,delete,run,runAs,kill,killAs] # allow read/write/delete/run/kill of all jobs
  node:
    - allow: [read,run] # allow read/run for all nodes
by:
  group: 'user'
---
description: user, QA access.

context:
  application: 'rundeck'
for:
  project:
    - equals:
        name: 'BetaV2'
       allow: [read]
  job:
    - allow: [create,read,update,delete,run,runAs,kill,killAs]
by:
  group: 'user'

Please help.

Regards,
Shay

Adeel Ahmad

May 12, 2016, 4:05:40 PM
to rundeck-discuss, tomas...@groupalia.com
Hello Shay,

Maybe this post can help you: http://www.techpaste.com/2015/06/rundeck-user-permissions-and-access-control-setup/. If you need clarification on anything, please visit me in the office. I sit just opposite your desk :-)

Regards,
Adeel Ahmad 

bogasru...@gmail.com

Jan 5, 2018, 4:28:37 PM
to rundeck-discuss
Hi,

We are using rundeck in my company. All users have access to all jobs by default. Now we want to create a project in rundeck to deploy to our UAT environments and want to restrict access to that particular UAT job.
How can we restrict it?

Alex Honor

Jan 5, 2018, 8:01:22 PM
to rundeck...@googlegroups.com
Hi bogasrujankumar,

Are you looking for an example ACL?

--

Alex Honor

[Rundeck | a...@rundeck.com ]

bogasru...@gmail.com

Jan 7, 2018, 7:26:51 PM
to rundeck-discuss
Yes Please. Thanks

Alex Honor

Jan 11, 2018, 1:20:16 PM
to rundeck-discuss
Let's assume you have a project called "UAT" with a job called "MyApp/Deploy" and a team named "MyApp-Devs" that needs access to run the job.

Here are system level ACL rules to grant "MyApp-Devs" access to the "UAT" project:

```
description: 'Read access for UAT project.'
context:
  application: rundeck
for:
  project:
    - allow: read
      match:
        name: UAT
by:
  group: MyApp-Devs
---
description: 'Read access for keys/UAT/.*'
context:
  application: rundeck
for:
  storage:
  - allow: read
    match:
      name: '.*'
      path: 'keys/UAT/.*'
by:
  group: MyApp-Devs
```

Inside the UAT project, you can create an ACL policy in that context. The rules below allow the team to see all the nodes and history in UAT and run the job:

```
by:
  group: MyApp-Devs
for:
  resource:
  - equals:
      kind: node
    allow: [read]
  node:
  - allow: [read]
description: Allow read for all nodes
---
by:
  group: MyApp-Devs
for:
  resource:
  - allow: read
    equals:
      kind: event
description: Allow read for all activity
---
description: Allow read and run for job MyApp/Deploy
for:
  job:
    - match:
        group: MyApp
        name: Deploy
      allow: [run,read]
by:
  group: MyApp-Devs
```