
Having trouble getting a user that belongs to group "user" to have access (at least read) to projects. I've read and tried several examples I found on the internet; none seem to work.

What I need for now is: allow any user who belongs to group "user" to read the project named MYPROJECT. I have this, saved in a file named user.aclpolicy under /etc/rundeck. I have waited for 60+ seconds. I've also tried restarting RunDeck. No luck.

I keep getting:

You have no authorized access to projects. Contact your administrator. (User roles: raka, user)

description: application access to a project
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      deny: [create] # deny create of projects
    - equals:
        kind: system
      allow: [read] # allow read of system info
    - equals:
        kind: user
      deny: [admin] # allow modify user profiles
  project:
    - equals:
        name: 'MYPROJECT'
      allow: [read] # allow access
      deny: [import,export,configure,delete] # deny admin actions
  storage:
    - deny: [read,create,update,delete] # allow access for /keys/* storage content
by:
  group: user

What's wrong with the YAML above? I've also checked the web.xml under /var/lib/rundeck/exp/webapp/WEB-INF to make sure the role-name "user" is registered there.

My realm.properties contains this line:

raka:greentooth60,user

I've also tried this, basically copying whatever was there for the "admin" group. For that I also tried putting it directly in admin.aclpolicy instead of a separate file. Still no luck.

description: User, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: user

RunDeck version: Rundeck 2.6.9-1 cafe bonbon indigo tower 2016-08-03

This is a Debian installation of RunDeck (.deb). Which log file(s) can I look at to analyze situations like this?

Thanks, Raka


2 Answers


RunDeck ACLs can be counter-intuitive and take some time to get used to. For visibility, especially when you are starting out writing RunDeck ACL policies, it is best to only set what users are allowed to do rather than deny access. By default nothing is allowed, so you only need to add allow statements to grant users access to resources.

RunDeck needs ACL policies for the "application" context as well as for the "project" context. You specify read access to the project in the application context, and in the project context access to all jobs by name (.* in your case), but you also need to grant read access to the resource kind job for the jobs to be visible. See the example below.

Useful logs

For RunDeck troubleshooting I find the following logs useful:

tail -f /var/log/rundeck/{rundeck.log,service.log}

Testing ACL policies

If you want to test a specific user action against your ACL files, you can use the rd-acl tool that is installed together with RunDeck. For example, to test whether members of the group user can read the job restart some server in the project MYPROJECT, you can do:

rd-acl test -p 'MYPROJECT' -g user -c project -j 'restart some server' -a read

See the rd-acl manual for more details.

Read-only ACL example

Here is an example (tested on Rundeck 2.6.9-1) which should let anybody in the "user" group read everything on the RunDeck server:

context:
  application: rundeck
description: "normal users will only have read permissions"
for:
  project:
    - match:
        name: '.*'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: user

---

context:
  project: '.*'
description: "normal users will only have read permissions"
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  job:
    - match:
        name: '.*'
      allow: [read]
  node:
    - match:
        nodename: '.*'
      allow: [read,refresh]
by:
  group: user
answered 2016-11-08T13:33:59.663
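To make the "default deny, two contexts" point concrete, here is an added example that is not from the answer, the question or the Rundeck project. It models the evaluation in Python: the answer's two YAML documents are written as dicts next to a constructed application-only policy shaped like the one in the question, and the matcher rules (equals, match, contains) and deny-beats-allow behaviour follow the Rundeck ACL documentation. It is a simplified illustrative model, not Rundeck's own evaluator, and the job and project names are constructed sample values.

```python
import re

# Constructed: the answer's read-only example, as dicts with the YAML's shape.
READ_ONLY_POLICIES = [
    {"context": {"application": "rundeck"},
     "for": {"project": [{"match": {"name": ".*"}, "allow": ["read"]}],
             "system": [{"match": {"name": ".*"}, "allow": ["read"]}]},
     "by": {"group": "user"}},
    {"context": {"project": ".*"},
     "for": {"resource": [{"equals": {"kind": "node"}, "allow": ["read", "refresh"]},
                          {"equals": {"kind": "job"}, "allow": ["read"]},
                          {"equals": {"kind": "event"}, "allow": ["read"]}],
             "job": [{"match": {"name": ".*"}, "allow": ["read"]}],
             "node": [{"match": {"nodename": ".*"}, "allow": ["read", "refresh"]}]},
     "by": {"group": "user"}},
]

# Constructed: an application-context-only policy like the question's first
# attempt. It grants project read but has no project-context document at all.
APP_ONLY_POLICIES = [
    {"context": {"application": "rundeck"},
     "for": {"project": [{"equals": {"name": "MYPROJECT"}, "allow": ["read"]}]},
     "by": {"group": "user"}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _context_applies(doc_ctx, context, project):
    """Application documents apply only in the application context; project
    documents apply when their regex matches the project being evaluated."""
    if "application" in doc_ctx:
        return context == "application" and doc_ctx["application"] == "rundeck"
    if "project" in doc_ctx:
        return (context == "project" and project is not None
                and re.fullmatch(doc_ctx["project"], project) is not None)
    return False


def _by_applies(by, groups, username):
    """The 'by' clause may name a group (or list of groups) or a username."""
    for clause in _as_list(by):
        if "group" in clause and set(_as_list(clause["group"])) & set(groups):
            return True
        if "username" in clause and username in _as_list(clause["username"]):
            return True
    return False


def _rule_matches(rule, attrs):
    """equals: exact value; match: regex; contains: value in a list attribute.
    A rule without any matcher applies to every resource of that type."""
    for attr, want in rule.get("equals", {}).items():
        if attrs.get(attr) != want:
            return False
    for attr, pattern in rule.get("match", {}).items():
        if re.fullmatch(pattern, str(attrs.get(attr, ""))) is None:
            return False
    for attr, want in rule.get("contains", {}).items():
        if want not in _as_list(attrs.get(attr, [])):
            return False
    return True


def _lists_action(spec, action):
    return spec == "*" or action in _as_list(spec)


def is_allowed(policies, *, groups, context, resource_type, attrs, action,
               project=None, username=None):
    """Default deny: allowed only if some matching rule allows the action
    and no matching rule denies it (a deny always wins)."""
    allowed = False
    for doc in policies:
        if not _context_applies(doc.get("context", {}), context, project):
            continue
        if not _by_applies(doc.get("by", {}), groups, username):
            continue
        for rule in doc.get("for", {}).get(resource_type, []):
            if not _rule_matches(rule, attrs):
                continue
            if _lists_action(rule.get("deny", []), action):
                return False
            if _lists_action(rule.get("allow", []), action):
                allowed = True
    return allowed


def check_user_group(policies):
    """The three checks behind the question: can group "user" see the project,
    see jobs as a resource kind, and read (but not run) a particular job."""
    job = {"name": "restart some server", "group": ""}
    common = dict(groups=["user"], project="MYPROJECT")
    return {
        "see_project": is_allowed(policies, groups=["user"], context="application",
                                  resource_type="project", attrs={"name": "MYPROJECT"},
                                  action="read"),
        "see_job_kind": is_allowed(policies, context="project", resource_type="resource",
                                   attrs={"kind": "job"}, action="read", **common),
        "read_job": is_allowed(policies, context="project", resource_type="job",
                               attrs=job, action="read", **common),
        "run_job": is_allowed(policies, context="project", resource_type="job",
                              attrs=job, action="run", **common),
    }


if __name__ == "__main__":
    print("read-only policy:      ", check_user_group(READ_ONLY_POLICIES))
    print("application-only policy:", check_user_group(APP_ONLY_POLICIES))
```

Running it shows why the question's policy leaves the project empty even though project read is granted: with no project-context document, every project-context check fails closed, whereas the answer's two documents grant project visibility, job visibility and job read while still denying run, because nothing allows it.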

Another thing you may stumble upon when dealing with "You have no authorized access to projects" is file permissions.

If for some reason you created the aclpolicy file with a simple copy as the root user, you need to change its owner and group to "rundeck" (unless, of course, you changed the user rundeck runs as).

This cost me 30 minutes today; hope it helps someone.

answered 2018-08-10T16:58:36.243