Can anybody help me with how to configure a user in Rundeck to:
1) only run a job
2) deny modification/deletion of existing jobs
3) deny creation of new jobs
I suppose I need to set this configuration in the aclpolicy.yaml file but I cannot find detailed instructions on how to do it.
Thanks in advance
Yeah.. Happy to help.
I assume you already have a project and a job in there. Say project Test and job testjob. I assume you have created a role/group in the WEB.xml file as testrole and you have a .aclpolicy as test.aclpolicy. The above things have detailed documentation on Rundeck; however, it's true they don't have better documentation on various rd-acl use cases.
In your case, if you want your user "testuser" to just run/read/kill a job execution, use the test.aclpolicy below:
```yaml
---
for:
  job:
    - allow:
        - runAs
        - killAs
        - kill
        - read
        - run
      equals:
        name: testjob
  node:
    - allow:
        - read
        - run
  adhoc:
    - deny:
        - read
        - run
  resource:
    - allow: read
      equals:
        kind: event
description: generated
context:
  project: Test
by:
  group: testrole
---
for:
  project:
    - allow: read
      equals:
        name: Test
description: generated
context:
  application: rundeck
by:
  group: testrole
```
In case you want to give the same privilege to multiple jobs in the same project for the same user, just replace "equals" with "match" and, under the name parameter, enter your jobs separated by a pipe "|", like "testjob1|testjob2".
If you need a user with permission to execute all jobs in all projects, you can configure the following policy (a small modification of Leo's answer):
```yaml
---
description: 'Allow group runjob to run all jobs'
for:
  job:
    - allow:
        - runAs
        - killAs
        - kill
        - run
        - read
      match:
        name: '.*'
  node:
    - allow:
        - read
        - run
  adhoc:
    - deny:
        - read
        - run
  resource:
    - allow: read
      equals:
        kind: event
context:
  project: '.*'
by:
  group: runjob
---
description: 'Allow '
for:
  project:
    - allow: read
      match:
        name: '.*'
context:
  application: rundeck
by:
  group: runjob
```
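Neither policy above contains an explicit deny for update, delete or create, yet both meet the three requirements in the question. The following is an added example, not part of either answer and not Rundeck's own code: a simplified model of ACL evaluation that audits the first answer's project-context rules. It assumes Rundeck's documented behaviour that a matching deny overrides an allow and that an action no rule allows is rejected, and it assumes `match` patterns must match the whole value; `decide` and `audit` are hypothetical names.

```python
import re

# Project-context rules from the first answer's test.aclpolicy, transcribed
# by hand into Python data (constructed for this example).
POLICY = {
    "context": {"project": "Test"},
    "by": {"group": "testrole"},
    "for": {
        "job": [{"allow": ["runAs", "killAs", "kill", "read", "run"],
                 "equals": {"name": "testjob"}}],
        "adhoc": [{"deny": ["read", "run"]}],
    },
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _rule_applies(rule, resource):
    """equals is a literal comparison; match is a regex (assumed whole-value)."""
    for key, want in rule.get("equals", {}).items():
        if resource.get(key) != want:
            return False
    for key, pattern in rule.get("match", {}).items():
        if re.fullmatch(pattern, resource.get(key, "")) is None:
            return False
    return True

def decide(policy, group, project, rtype, resource, action):
    """Return 'allowed', 'denied' (explicit deny) or 'rejected' (nothing grants it)."""
    in_context = re.fullmatch(policy["context"].get("project", ""), project)
    if policy["by"]["group"] != group or in_context is None:
        return "rejected"
    rules = [r for r in policy["for"].get(rtype, []) if _rule_applies(r, resource)]
    if any(action in _as_list(r.get("deny")) for r in rules):
        return "denied"
    if any(action in _as_list(r.get("allow")) for r in rules):
        return "allowed"
    return "rejected"

def audit(policy, group="testrole", project="Test", job_name="testjob"):
    """Evaluate the question's three requirements: run yes; update/delete/create no."""
    job = {"name": job_name}
    return {action: decide(policy, group, project, "job", job, action)
            for action in ("run", "update", "delete", "create")}

if __name__ == "__main__":
    for action, result in audit(POLICY).items():
        print(f"{action:7s} {result}")
```

On a real server, confirm the same decisions with Rundeck's own tooling before relying on the policy.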