roles versus groups

Jim Richard

2:57 PM (9 hours ago)
to rundeck-discuss
I'm really struggling to understand the concept of roles versus groups in the context of Rundeck. I've actually been using RD for many years cuz it's awesome :) but, recently decided I finally need to fully understand roles and groups because I fully want to understand ACL's and even more specifically, how to properly use the rd-cli acl tool.

I am very familiar with RBAC in general in other contexts, AWS, Jenkins etc but in the Rundeck world and documentation the terms seem to be loosely intermixed.

Let me start with a more general question:

Am I correct that groups and roles are very similar concepts in Rundeck?

Groups are easier to understand, you have an external auth provider like LDAP, you have jaas config'd to get auth info from your LDAP, a successful LDAP auth would return a list of groups that this user is a member of but now...

how do members of this group get attached to a role in RD?

and how do specific roles get assigned specific permissions?

I might be answering some of my own question here by saying "ACL's" it's all ACL's.

The only place a role in RD is actually defined (besides the out of the box roles we can't mess with) is within the context of an ACL rule/policy.

Is that last statement 100% correct?

Sorry for rambling a bit, ACL's, roles and groups in RD is just hard, is what it is :)

rac...@rundeck.com

3:51 PM (8 hours ago)
to rundeck-discuss

Hi! Let me answer,

> Am I correct that groups and roles are very similar concepts in Rundeck?

Yes, in the Rundeck context, a role is a group of users.

> Groups are easier to understand, you have an external auth provider like LDAP, you have jaas config’d to get auth info from your LDAP, a successful LDAP auth would return a list of groups that this user is a member of but now…
>
> how do members of this group get attached to a role in RD?

Rundeck takes the Roles (as you said) from the jaas-ldap.conf file, specifically from the roleBaseDn parameter, and then Rundeck “understands” those groups as rundeck roles. Check this example.

> and how do specific roles get assigned specific permissions?
> I might be answering some of my own question here by saying “ACL’s” it’s all ACL’s.

That’s correct, Rundeck gets the users and roles (groups) from LDAP/AD, and then you need a user/role based ACL to grant/deny permissions to projects and jobs.

> The only place a role in RD is actually defined (besides the out of the box roles we can’t mess with) is within the context of an ACL rule/policy.
> Is that last statement 100% correct?

Yes, that’s correct.

> Sorry for rambling a bit, ACL’s, roles and groups in RD is just hard, is what it is :)

No worries! Welcome to the Rundeck Community :-)

Regards.
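
The group-to-role-to-ACL mapping discussed in this thread, as an added example that is not part of the original posts or of Rundeck's own files: an ACL policy file that grants one LDAP-derived role access to one project. The group name `deployers` and the project name `webapp` are assumptions chosen for illustration.

```yaml
# Constructed example. "deployers" is a hypothetical LDAP group found under the
# roleBaseDn set in jaas-ldap.conf; "webapp" is a hypothetical project name.
# Rundeck treats the LDAP group name as the role, so the value under
# `by: group:` must match that group name.

# Policy 1: application context, lets the role see the project at all.
description: deployers can view the webapp project
context:
  application: 'rundeck'
for:
  project:
    - equals:
        name: 'webapp'
      allow: [read]
by:
  group: deployers

---
# Policy 2: project context, limits the role to reading and running jobs.
description: deployers can read and run jobs in webapp
context:
  project: 'webapp'
for:
  job:
    - allow: [read, run]
  node:
    - allow: [read, run]
  resource:
    - equals:
        kind: event
      allow: [read]
by:
  group: deployers
```

Nothing in Rundeck "creates" the role beyond this: the name exists in LDAP as a group and in the policy as the `by: group:` value, and a user with no matching policy is granted nothing.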
