How can an ACL policy be set to allow a user to only run a job on Rundeck?
Can anybody help me with how to configure a user in Rundeck to:
1) only run a job
2) deny modification/deletion of the existing job
3) deny creation of new jobs
I suppose I need to set this configuration in the aclpolicy.yaml file, but I cannot find detailed instructions on how to do it.
Thanks in advance
Yeah.. Happy to help.
I assume you already have a project and a job in there. Say project Test and job testjob. I assume you have created a role/group in the web.xml file as testrole and you have a .aclpolicy file as test.aclpolicy. The above has detailed documentation on Rundeck; however, it's true they don't have better documentation on the various rd-acl use cases.
In your case, if you want your user "testuser" to just run/read/kill a job execution, use the below test.aclpolicy.
---
for:
  job:
    - allow:
        - runAs
        - killAs
        - kill
        - read
        - run
      equals:
        name: testjob
  node:
    - allow:
        - read
        - run
  adhoc:
    - deny:
        - read
        - run
  resource:
    - allow: read
      equals:
        kind: event
description: generated
context:
  project: Test
by:
  group: testrole
---
for:
  project:
    - allow: read
      equals:
        name: Test
description: generated
context:
  application: rundeck
by:
  group: testrole
In case you want to give the same privilege to multiple jobs in the same project for the same user, just replace "equals" with "match" and, under the name parameter, enter your jobs separated by a pipe "|", like "testjob1|testjob2".
If you need a user with permission to execute all jobs in all projects, you can configure the next policy (a small modification of Leo's answer):
---
description: 'Allow group runjob to run all jobs'
for:
  job:
    - allow:
        - runAs
        - killAs
        - kill
        - run
        - read
      match:
        name: '.*'
  node:
    - allow:
        - read
        - run
  adhoc:
    - deny:
        - read
        - run
  resource:
    - allow: read
      equals:
        kind: event
context:
  project: '.*'
by:
  group: runjob
---
description: 'Allow '
for:
  project:
    - allow: read
      match:
        name: '.*'
context:
  application: rundeck
by:
  group: runjob
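As an added illustration (not Rundeck's own code and not part of either answer), the Python below models how Rundeck evaluates a request against the first answer's test.aclpolicy: a rule applies when its equals (exact) or match (regex, as used in the second answer) conditions hold, an explicit deny wins over any allow, and anything no rule allows is denied. The policy is transcribed into Python dicts, and the request shape (group, context, resource type, attributes, action) is this example's own simplification of Rundeck's model.

```python
import re

# The first answer's test.aclpolicy transcribed as Python dicts (both YAML documents).
POLICIES = [
    {"context": {"project": "Test"}, "by": {"group": "testrole"},
     "for": {
         "job": [{"allow": ["runAs", "killAs", "kill", "read", "run"],
                  "equals": {"name": "testjob"}}],
         "node": [{"allow": ["read", "run"]}],
         "adhoc": [{"deny": ["read", "run"]}],
         "resource": [{"allow": "read", "equals": {"kind": "event"}}]}},
    {"context": {"application": "rundeck"}, "by": {"group": "testrole"},
     "for": {"project": [{"allow": "read", "equals": {"name": "Test"}}]}},
]

def _as_list(value):
    # allow/deny may be a single action string or a list of actions
    return [value] if isinstance(value, str) else list(value or [])

def _rule_applies(rule, attrs):
    # 'equals' compares exactly, 'match' treats the value as a regular expression
    for cond in ("equals", "match"):
        for key, want in rule.get(cond, {}).items():
            have = attrs.get(key, "")
            hit = have == want if cond == "equals" else re.fullmatch(want, have) is not None
            if not hit:
                return False
    return True

def is_allowed(policies, group, context, res_type, attrs, action):
    """True only if a matching rule allows `action` and no matching rule denies it.
    context is ("project", name) or ("application", "rundeck"); the policy's context
    value is matched as a regex, so project: '.*' covers every project."""
    allowed = False
    for pol in policies:
        if pol["by"].get("group") != group:
            continue
        (ctx_key, ctx_pat), = pol["context"].items()
        if ctx_key != context[0] or re.fullmatch(ctx_pat, context[1]) is None:
            continue
        for rule in pol["for"].get(res_type, []):
            if not _rule_applies(rule, attrs):
                continue
            if action in _as_list(rule.get("deny")):
                return False  # an explicit deny always wins
            if action in _as_list(rule.get("allow")):
                allowed = True
    return allowed  # nothing allowed it -> default deny
```

Under this model testrole can run testjob but cannot delete it, cannot run ad-hoc commands (explicit deny) and cannot create jobs (no rule grants create on resource kind job), which is exactly what the question asks for.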