
How can an ACL policy be set to allow a user to only run a job on Rundeck?

Can anybody help me with how to configure a user in Rundeck to
1) only run a job
2) deny modification/deletion of existing jobs
3) deny creation of new jobs

I suppose I need to set this configuration in the aclpolicy.yaml file but I cannot find detailed instructions on how to do it.

Thanks in advance

Yeah, happy to help.

I assume you already have a project and a job in there; say project Test and job testjob. I assume you have created a role/group in the WEB.xml file as testrole and you have an .aclpolicy file as test.aclpolicy. The above is covered in detail in the Rundeck documentation; however, it's true they don't have good documentation on the various rd-acl use cases.

In your case, if you want your user "testuser" to just run/read/kill a job execution, use the below test.aclpolicy.

---
for:
  job:
  - allow:
    - runAs
    - killAs
    - kill
    - read
    - run
    equals:
      name: testjob
  node:
  - allow:
    - read
    - run
  adhoc:
  - deny:
    - read
    - run
  resource:
  - allow: read
    equals:
      kind: event
description: generated
context:
  project: Test
by:
  group: testrole

---
for:
  project:
  - allow: read
    equals:
      name: Test
description: generated
context:
  application: rundeck
by:
  group: testrole

If you want to give the same privilege to multiple jobs in the same project for the same user, just replace "equals" with "match" and, under the name parameter, enter your jobs separated by a pipe "|", like "testjob1|testjob2".

If you need a user with permission to execute all jobs in all projects, you can configure the following policy (a small modification of Leo's answer):

---
description: 'Allow group runjob to run all jobs'
for:
  job:
  - allow:
    - runAs
    - killAs
    - kill
    - run
    - read
    match:
      name: '.*'
  node:
  - allow:
    - read
    - run
  adhoc:
  - deny:
    - read
    - run
  resource:
  - allow: read
    equals:
      kind: event
context:
  project: '.*'
by:
  group: runjob

---
description: 'Allow '
for:
  project:
  - allow: read
    match:
      name:  '.*'
context:
  application: rundeck
by:
  group: runjob
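As an added check that is not part of either answer, the Ruby script below loads an .aclpolicy file (two YAML documents, shaped like the run-only policy in the first answer and the all-projects variant in the second) and reports any grant that would let the group modify or delete existing jobs (`update`/`delete` on the `job` type) or create new ones (`create` on `resource` with `kind: job`). Those are the actions requirements 2) and 3) in the question are about; because Rundeck denies anything not explicitly allowed, a run-only policy just has to never grant them. The embedded SAMPLE_POLICY is a constructed example, and the function names are the script's own, not anything from Rundeck.

```ruby
require 'yaml'
require 'set'

# Constructed sample (hypothetical), shaped like the run-only test.aclpolicy
# from the first answer: two YAML documents in one file.
SAMPLE_POLICY = <<~'YAML'
  ---
  description: run-only access to testjob
  context:
    project: Test
  for:
    job:
    - allow: [run, runAs, kill, killAs, read]
      equals:
        name: testjob
    node:
    - allow: [read, run]
    adhoc:
    - deny: [read, run]
    resource:
    - allow: read
      equals:
        kind: event
  by:
    group: testrole
  ---
  description: project visibility
  context:
    application: rundeck
  for:
    project:
    - allow: read
      equals:
        name: Test
  by:
    group: testrole
YAML

# In Rundeck's ACL model, editing or deleting a job is `update`/`delete` on the
# `job` type, and creating one is `create` on `resource` with `kind: job`.
MUTATING_JOB_ACTIONS = %w[update delete].freeze

# Rundeck accepts `allow: read` (a string) or `allow: [read, run]` (a list).
def as_list(value)
  Array(value).map(&:to_s)
end

# Yield every [type, rule] pair that applies to the given group, across all
# documents in the policy file.
def rules_for(policy_text, group)
  return enum_for(:rules_for, policy_text, group) unless block_given?
  YAML.load_stream(policy_text).each do |doc|
    next unless doc.is_a?(Hash) && doc.dig('by', 'group').to_s == group
    (doc['for'] || {}).each do |type, rules|
      Array(rules).each { |rule| yield type, rule if rule.is_a?(Hash) }
    end
  end
end

# Actions explicitly allowed per type, e.g. { "job" => #<Set: {"run", ...}> }.
def allowed_actions(policy_text, group)
  grants = Hash.new { |h, k| h[k] = Set.new }
  rules_for(policy_text, group).each do |type, rule|
    as_list(rule['allow']).each { |a| grants[type] << a } if rule['allow']
  end
  grants
end

# Does a `resource` rule let the group create jobs? True when `create` is
# allowed and the kind selector is absent, equals `job`, or is a regex matching it.
def grants_job_create?(rule)
  return false unless as_list(rule['allow']).include?('create')
  if rule['equals']
    rule['equals']['kind'].to_s == 'job'
  elsif rule['match']
    Regexp.new("\\A(?:#{rule['match']['kind']})\\z").match?('job')
  else
    true # no selector: the grant applies to every resource kind
  end
end

# Sorted list of findings; empty means the group can only run/read/kill jobs.
def job_mutation_findings(policy_text, group)
  findings = allowed_actions(policy_text, group)['job']
             .select { |a| MUTATING_JOB_ACTIONS.include?(a) }
             .map { |a| "job:#{a}" }
  rules_for(policy_text, group).each do |type, rule|
    findings << 'resource[kind=job]:create' if type == 'resource' && grants_job_create?(rule)
  end
  findings.sort.uniq
end

if __FILE__ == $PROGRAM_NAME
  findings = job_mutation_findings(SAMPLE_POLICY, 'testrole')
  puts(findings.empty? ? 'OK: testrole cannot create, modify or delete jobs' : findings.join("\n"))
end
```

To check a real file, replace SAMPLE_POLICY with `File.read('/etc/rundeck/test.aclpolicy')` and the group name with your own; an empty findings list means the policy grants no job-editing or job-creating action to that group in any of its documents.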
