Rundeck is an awesome tool which simply impressed us recently. It has built-in support for running commands, creating jobs, scheduling jobs, etc. Refer to our previous posts to learn more about Rundeck.

In this post, we will give some examples of how to restrict user access at the project level. Every file with the extension .aclpolicy in the directory /etc/rundeck (the default installation location) is treated by Rundeck as a valid access-control policy file.


rd-acl is a built-in command which helps to create user, group and Rundeck-level policies. The following are a few examples which we can use to apply project-level and user-level restrictions.

rd-acl test --context project --groups groupname --project projectname --job testjob --allow read,run -v


---
for:
  job:
  - allow:
    - read
    - run
    equals:
      name: 'testjob'
      
description: generated
context:
  project: Alerts
by:
  group: groupname

where,

test – display the generated policy on the command prompt. Copy the output into a file named name.aclpolicy.

--context – The access context. Options are rundeck (application level) and project.

--project – Specify your project name.

--job – Mention your job name.

--allow – Mention the privileges granted for the above category.

As mentioned earlier, you can simply create groupname.aclpolicy with the above lines. The beauty here is that we don’t need to restart any service.

rd-acl test --context application --groups groupname --project projectname --allow read -v

---
for:
  project:
  - allow: read
    equals:
      name: groupname
description: generated
context:
  application: rundeck
by:
  group: alerts


where,

application – here application refers to Rundeck itself, i.e. the application-level context rather than a single project.

The command below generates a policy granting read and run privileges on the nodes of a project.

rd-acl test --context project --groups alerts --project <projectname>  --resource=node  --allow read,run -v


where,

--resource – Limit the rule to a specific resource type of the project, or cover all resources. Options are jobs, system, project, node.


Put simply, the following ACL gives a specific group run-level access to the project (run and kill jobs, read nodes and activity) with read-only access at the application level, as the description fields in the two documents state.
Create a file groupname.aclpolicy and append the following content.

---
description: "Allow users in runjobs group to run, kill jobs, etc. in the project called YOUR PROJECT"
context:
  project: YOUR PROJECT
by:
  group: groupname
for:
  resource:
    - equals:
        kind: job
      allow: [read, run, kill]
    - equals:
        kind: node
      allow: [read]
    - equals:
        kind: event
      allow: [read] # allow reading activity logs
    - equals:
        kind: 'adhoc'
      allow: [read,run,kill]
  adhoc:
    - allow: [read,run,kill] # allow running/killing adhoc jobs
  job:
    - allow: [read,run,kill]
  node:
    - allow: [read,run] # allow read/run for nodes
---
context:
  application: rundeck
description: "Users in the 'runjobs' group can launch jobs in the project called YOUR PROJECT but not edit them"
for:
  project:
    - match:
        name: 'YOUR PROJECT'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: groupname
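To see how Rundeck evaluates these documents, here is an added Python checker (not part of Rundeck or of this post) that applies the context / by / for structure to already-parsed policy documents; it assumes the YAML has been loaded with yaml.safe_load_all, and it goes slightly beyond the post by including Rundeck's deny clause, which takes precedence over any allow. The third policy document is a constructed, hypothetical one used only to show that precedence.

```python
import re

# Constructed policy documents mirroring the post's .aclpolicy YAML, as the
# dicts yaml.safe_load_all() would return for /etc/rundeck/*.aclpolicy.
POLICIES = [
    {"context": {"project": "Alerts"}, "by": {"group": "groupname"},
     "for": {"job": [{"allow": ["read", "run"], "equals": {"name": "testjob"}}]}},
    {"context": {"application": "rundeck"}, "by": {"group": "groupname"},
     "for": {"project": [{"match": {"name": "Alerts"}, "allow": ["read"]}]}},
    # Hypothetical third document: run any job, but never jobs named prod-*
    {"context": {"project": "Alerts"}, "by": {"group": "groupname"},
     "for": {"job": [{"allow": ["read", "run"], "match": {"name": ".*"}},
                     {"deny": ["run"], "match": {"name": "prod-.*"}}]}},
]

PREDICATES = {
    "equals": lambda value, expected: value == expected,
    "match": lambda value, expected: re.fullmatch(expected, value) is not None,
    "contains": lambda value, expected: expected in value,
}

def _as_list(value):
    """Rundeck accepts either a scalar or a list for allow/deny/group."""
    return value if isinstance(value, list) else [value]

def _rule_applies(rule, attrs):
    """A rule applies only if every equals/match/contains predicate holds."""
    for key, pred in PREDICATES.items():
        for attr, expected in rule.get(key, {}).items():
            if attr not in attrs or not pred(attrs[attr], expected):
                return False
    return True

def is_allowed(policies, group, context, resource_type, attrs, action):
    """Return True if some matching rule allows `action` and none denies it."""
    allowed = False
    for doc in policies:
        # Only documents for this context (project vs. application) and group count.
        if doc.get("context") != context:
            continue
        if group not in _as_list(doc.get("by", {}).get("group", [])):
            continue
        for rule in doc.get("for", {}).get(resource_type, []):
            if not _rule_applies(rule, attrs):
                continue
            if action in _as_list(rule.get("deny", [])):
                return False  # an explicit deny always wins
            if action in _as_list(rule.get("allow", [])):
                allowed = True
    return allowed
```

Running the checker over your real policy files before deploying them is a cheap way to confirm that a group gets exactly the actions you intended and nothing more.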
