ACL not working


Xeon1400

Mar 14, 2017, 10:32:24 AM
to rundeck-discuss
Hi,

I created a new aclpolicy file (bereitschaft.aclpolicy) with following content:

description: Bereitschaft, limited Access.
context:
  project: '.*'
for:
  resource:
    - equals:
        kind: event
      allow: [read]
  job:
    - allow: [read,run,kill,toggle_schedule,toggle_execution]
  node:
    - allow: [read]
by:
  group: bereitschaft

---

description: Bereitschaft, limited Access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: [read]
  project:
    - allow: [read]
  project_acl:
    - allow: [read]
  storage:
    - allow: [read]
by:
  group: bereitschaft

Created a new user and put him in the "bereitschaft" group.

I want the user to be able to log in, see all projects, run jobs and kill them, but not run ad hoc commands or create or change jobs.

Now I can log in as the user and see all projects, but when I select a project I can't see any jobs, just an empty list. I can't see any nodes or events either. On the Events tab (only there) it shows: Not authorized to read Events in project (Projectname)

What is wrong?

Thanks a lot
Xeon


Xeon1400

Mar 16, 2017, 4:12:21 AM
to rundeck-discuss
Nobody has an idea?

Matthew Thompson

Mar 16, 2017, 3:16:59 PM
to rundeck-discuss
Not sure if this will help, but here is an aclpolicy I used to restrict people in the security group "epltesters" to just the job group "Self Service/EPL Testers":

description: epltesters access.
context:
  project: '.*' # all projects
for:
  job:
    - equals:
        group: 'Self Service/EPL Testers'
      allow: [read,run]
by:
  group: epltesters

---

description: epltesters access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: 'read' 
  project:
    - allow: 'read' 
  project_acl:
    - allow: 'read' 
  storage:
    - allow: 'read' 
by:
  group: epltesters

Good luck.

Matt.

Matthew Thompson

Mar 16, 2017, 3:20:42 PM
to rundeck-discuss
Also I restarted the rundeckd service after each change to ensure it "grabbed".

Dominik Platzdasch

Mar 20, 2017, 11:40:48 AM
to rundeck-discuss
I am working with him on this problem. I have opened the logs, and we are getting rejections even though the settings should grant access, e.g.:

"Evaluating Decision for: res<name:Periodic Suse Register, type:job, group:Linux>
 subject<Username:platz Group:bereitschaft Group:platz Group:user> action<read>
 env<rundeck:auth:env:project:ALL_SYSTEMS>: authorized: false: REJECTED, reason: REJECTED,
 evaluations: ACLRule</rundeckd/rundeck/etc/bereitschaft.aclpolicy[1][type:resource][rule: 3]>
 {'Bereitschaft. Limited access.' context={project='.*'} type='resource' equals, resource={kind=event}
 for: { group='bereitschaft'} allow=[read]} REJECTED for action read => REJECTED"


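To make the two policy documents from the first post and the REJECTED decision in the log above concrete, here is an added example that is not from the thread and not Rundeck's own code: a small Python re-implementation of aclpolicy rule matching, run over the poster's two documents twice, once with the `---` that YAML requires between documents and once with the documents run together. Assumptions: the matching semantics (context regex, `equals`/`match`/`contains` conditions, an explicit deny beats allow, no matching allow means REJECTED) follow the Rundeck ACL documentation as I read it; the "last duplicate key wins" behaviour is PyYAML's, and whether Rundeck's own loader merges a separator-less file the same way is not shown on this page. The job attributes and project name are taken from the log line.

```python
"""Offline re-implementation of Rundeck-style aclpolicy rule matching (added
example, not Rundeck's code). Compares the poster's two policy documents with
and without the '---' separator that YAML needs between documents."""
import re
import yaml  # PyYAML

# Constructed input: the project-level document from the first post.
PROJECT_DOC = """\
description: Bereitschaft, limited Access.
context:
  project: '.*'
for:
  resource:
    - equals:
        kind: event
      allow: [read]
  job:
    - allow: [read,run,kill,toggle_schedule,toggle_execution]
  node:
    - allow: [read]
by:
  group: bereitschaft
"""

# Constructed input: the application-level document from the first post.
APP_DOC = """\
description: Bereitschaft, limited Access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: [read]
  project:
    - allow: [read]
  project_acl:
    - allow: [read]
  storage:
    - allow: [read]
by:
  group: bereitschaft
"""

POLICY_WITHOUT_SEPARATOR = PROJECT_DOC + "\n" + APP_DOC   # one YAML document
POLICY_WITH_SEPARATOR = PROJECT_DOC + "---\n" + APP_DOC   # two YAML documents


def load_policies(text):
    """Parse every YAML document in the file. PyYAML keeps the LAST value of a
    duplicated key, so a file with no '---' collapses into a single document
    whose second context:/for: silently overwrite the first."""
    return [doc for doc in yaml.safe_load_all(text) if doc]


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _conditions_hold(rule, attrs):
    """'equals' is an exact compare, 'match' a regex, 'contains' a subset test."""
    for attr, want in (rule.get("equals") or {}).items():
        if attrs.get(attr) != want:
            return False
    for attr, pattern in (rule.get("match") or {}).items():
        if not re.fullmatch(str(pattern), str(attrs.get(attr, ""))):
            return False
    for attr, want in (rule.get("contains") or {}).items():
        if not set(_as_list(want)) <= set(_as_list(attrs.get(attr))):
            return False
    return True


def _context_hold(ctx, project):
    """project=None means the application context; otherwise the policy's
    'project' pattern must match the project name."""
    if project is None:
        return "application" in ctx
    return "project" in ctx and re.fullmatch(str(ctx["project"]), project) is not None


def _by_hold(by, groups):
    # Only 'by: group:' is modelled here; 'username' is left out (assumption).
    return any(re.fullmatch(str(g), grp) for g in _as_list(by.get("group")) for grp in groups)


def decide(policies, groups, project, res_type, attrs, action):
    """Return (authorized, reason) for one access request."""
    allowed = False
    for pol in policies:
        if not _context_hold(pol.get("context", {}), project):
            continue
        if not _by_hold(pol.get("by", {}), groups):
            continue
        for rule in _as_list(pol.get("for", {}).get(res_type)):
            if not _conditions_hold(rule, attrs):
                continue
            denied = _as_list(rule.get("deny"))
            if action in denied or "*" in denied:
                return False, "DENIED"  # an explicit deny always wins
            granted = _as_list(rule.get("allow"))
            if action in granted or "*" in granted:
                allowed = True
    return (True, "ALLOWED") if allowed else (False, "REJECTED")


JOB = {"name": "Periodic Suse Register", "group": "Linux"}  # from the log line

if __name__ == "__main__":
    for label, text in (("no ---", POLICY_WITHOUT_SEPARATOR), ("with ---", POLICY_WITH_SEPARATOR)):
        pols = load_policies(text)
        verdict = decide(pols, ["bereitschaft"], "ALL_SYSTEMS", "job", JOB, "read")
        print(f"{label}: {len(pols)} document(s) loaded, job read -> {verdict}")
```

The `decide` calls in the `__main__` block reproduce the shape of the log line (group, project, job, action); with the separator the job read is ALLOWED and the event read is ALLOWED, ad hoc `run` and job `create` stay REJECTED because no rule grants them, and with the documents run together the project-level rules are lost entirely.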