Creating Rundeck ACL policies

Posted: February 9, 2018 in Linux, RunDeck

Creating a role

vi /var/lib/rundeck/exp/webapp/WEB-INF/web.xml

Search for the security-role section, where the roles known to the web application are declared.

Creating a user

The format is

username:password,rolename

vi /etc/rundeck/realm.properties
demo:demo,user,demo

We created the user demo with password demo and assigned it to the demo role.
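A role that realm.properties assigns but web.xml never declares is an easy mistake to make in the two steps above, and the user then silently ends up without the role. The following Python check is an added example written for this post, not part of Rundeck; the web.xml fragment and the realm.properties lines in it are constructed samples, and the real files live at the paths shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the part of web.xml that matters here (not the real file):
# each <security-role> declares one role name the container knows about.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
"""

# Constructed realm.properties lines in the username:password,role1,role2 format.
SAMPLE_REALM = """# users
admin:admin,user,admin
demo:demo,user,demo
"""


def _local(tag):
    """Strip the XML namespace so the check works whatever xmlns web.xml uses."""
    return tag.rsplit("}", 1)[-1]


def declared_roles(web_xml_text):
    """Role names declared in <security-role> elements."""
    root = ET.fromstring(web_xml_text)
    roles = set()
    for element in root.iter():
        if _local(element.tag) != "security-role":
            continue
        for child in element:
            if _local(child.tag) == "role-name" and child.text:
                roles.add(child.text.strip())
    return roles


def realm_users(realm_text):
    """Map username -> list of roles; the first comma-separated field is the password."""
    users = {}
    for line in realm_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        fields = [f.strip() for f in rest.split(",")]
        users[name.strip()] = fields[1:]
    return users


def undeclared_roles(web_xml_text, realm_text):
    """Users whose realm roles are missing from web.xml, with the missing roles."""
    declared = declared_roles(web_xml_text)
    return {user: [r for r in roles if r not in declared]
            for user, roles in realm_users(realm_text).items()
            if any(r not in declared for r in roles)}


if __name__ == "__main__":
    # With the samples above, demo's 'demo' role is not declared in web.xml.
    print(undeclared_roles(SAMPLE_WEB_XML, SAMPLE_REALM))
```

Run it against the real files by reading them in place of the two sample strings; an empty result means every role in realm.properties is declared.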

Creating a policy

In this example, we’ll create a policy that allows the demo role to see only the aws project.

rd-acl options used below:

-c Context: either ‘project’ or ‘application’.

-c application   Access to projects, users, storage, system info, execution management.

-c project   Access to jobs, nodes, events, within a project.

-a Actions to allow. For projects (application context):

  • Reading: read
  • Deleting: delete
  • Configuring: configure
  • Importing archives: import
  • Exporting archives: export
  • Deleting executions: delete_execution
  • Export project to another Rundeck instance: promote
  • Full access: admin

-g group

-p project

-j job (read,update,delete,run,runAs,kill,killAs,create)

Access to projects (read-only)

rd-acl is a tool that generates policy YAML which we can append to a policy file (usually /etc/rundeck/admin.aclpolicy):

rd-acl create -c application -g demo -p aws -a read,delete,import >> /etc/rundeck/admin.aclpolicy

Note that besides read this also grants delete and import on the aws project, so it is not strictly read-only; pass only -a read if that is what you want.

Command output:

---
by:
  group: demo
context:
  application: rundeck
for:
  project:
  - allow:
    - read
    - import
    - delete
    equals:
      name: aws
description: generated

Members of the demo role will be able to see only the aws project.


If we need the role to have access to multiple projects, we just add another document like the following to /etc/rundeck/admin.aclpolicy:

---
by:
  group: demo
context:
  application: rundeck
for:
  project:
  - allow:
    - read
    - import
    - delete
    equals:
      name: demo
description: generated

Access to jobs

If we want to allow access to specific jobs, we run the following:

rd-acl create -c project -p aws -g demo -j job2 -a read,run,kill >> /etc/rundeck/admin.aclpolicy

Code added to policy file:

---
by:
  group: demo
context:
  project: aws
for:
  job:
  - allow:
    - read
    - run
    - kill
    equals:
      name: 'jobs'

Access to Activity tab

-G generic resource kind: node, event or job
-G event (read,create)

rd-acl create -c project -p aws -g demo -G event -a read >> /etc/rundeck/admin.aclpolicy

Code in policy:

---
by:
  group: demo
context:
  project: aws
for:
  resource:
  - allow: read
    equals:
      kind: event
description: generated


Access to nodes

-G node (read,create,update,refresh)

rd-acl create -c project -p aws -g demo -G node -a read >> /etc/rundeck/admin.aclpolicy

Policy code:

---
by:
  group: demo
context:
  project: aws
for:
  resource:
  - allow: read
    equals:
      kind: node
description: generated

Node access can also be restricted by node tag with -t (actions: read,create,update,refresh):

rd-acl create -c project -p aws -g demo -G node -t prod -a read,refresh

Policy code:

---
by:
  group: demo
context:
  project: aws
for:
  node:
  - allow:
    - read
    - refresh
    contains:
      tags:
      - prod
description: generated

Now, users who belong to the demo role can see only nodes tagged prod.

Example of admin ACL

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
by:
  group: [Rundeck_Admin]

---

description: Full access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: [Rundeck_Admin]

---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: [Rundeck_Admin]

Read-Only ACL:

description: "Ops Engineers can launch jobs but not edit them"
context:
  project: '.*' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [read,run] # allow create jobs
    - equals:
        kind: node
      allow: [read,update,refresh] # allow refresh node sources
    - equals:
        kind: event
      allow: [read] # allow read/create events
  adhoc:
    - allow: [read,run] # allow running/killing adhoc jobs
  job:
    - allow: [read,run] # allow create/read/write/delete/run/kill of all jobs
  node:
    - allow: [read,run] # allow read/run for nodes
by:
  group: [Rundeck_Jobs_RunOnly]
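To see how these rules are evaluated before trusting them, here is an added Python model of the policy matching (example code written for this post, not Rundeck's own engine). It encodes the demo policies generated above and the Rundeck_Jobs_RunOnly ACL as dicts, applies the context, equals, match and contains tests, and assumes, as Rundeck documents, that a matching deny overrides any allow. It uses the job name job2 from the rd-acl command rather than the 'jobs' shown in the pasted output, and the deny policy at the end is a constructed addition.

```python
import re

# The policies from this post, written as Python dicts so the example runs
# without a YAML parser. Keys mirror the aclpolicy format exactly.
PROJECT_POLICY = {
    "by": {"group": "demo"},
    "context": {"application": "rundeck"},
    "for": {"project": [{"allow": ["read", "import", "delete"],
                         "equals": {"name": "aws"}}]},
}
JOB_POLICY = {  # assumes job2 (from the rd-acl command), not 'jobs'
    "by": {"group": "demo"},
    "context": {"project": "aws"},
    "for": {"job": [{"allow": ["read", "run", "kill"], "equals": {"name": "job2"}}]},
}
EVENT_POLICY = {
    "by": {"group": "demo"},
    "context": {"project": "aws"},
    "for": {"resource": [{"allow": "read", "equals": {"kind": "event"}}]},
}
NODE_TAG_POLICY = {
    "by": {"group": "demo"},
    "context": {"project": "aws"},
    "for": {"node": [{"allow": ["read", "refresh"], "contains": {"tags": ["prod"]}}]},
}
RUN_ONLY_POLICY = {  # the job section of the read-only ACL
    "by": {"group": ["Rundeck_Jobs_RunOnly"]},
    "context": {"project": ".*"},
    "for": {"job": [{"allow": ["read", "run"]}]},
}
# Constructed: an explicit deny, to show that deny wins over allow.
DENY_KILL_POLICY = {
    "by": {"group": "demo"},
    "context": {"project": "aws"},
    "for": {"job": [{"deny": ["kill"], "equals": {"name": "job2"}}]},
}
ALL_POLICIES = [PROJECT_POLICY, JOB_POLICY, EVENT_POLICY, NODE_TAG_POLICY, RUN_ONLY_POLICY]


def _as_list(value):
    """aclpolicy lets allow, deny, group and tag values be a scalar or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def _context_matches(context, project):
    """Application-context policies apply to application-level resources (no
    project in play); project-context policies match the project name as a regex."""
    if "application" in context:
        return project is None and context["application"] == "rundeck"
    if "project" in context:
        return project is not None and re.fullmatch(context["project"], project) is not None
    return False


def _rule_matches(rule, resource):
    """equals: exact attribute match; match: regex; contains: subset of a list attribute."""
    for key, expected in rule.get("equals", {}).items():
        if resource.get(key) != expected:
            return False
    for key, pattern in rule.get("match", {}).items():
        if re.fullmatch(pattern, str(resource.get(key, ""))) is None:
            return False
    for key, needed in rule.get("contains", {}).items():
        if not set(_as_list(needed)) <= set(_as_list(resource.get(key))):
            return False
    return True


def is_allowed(policies, groups, action, resource_type, resource, project=None):
    """Decide whether any of the caller's groups may perform `action` on `resource`
    (a dict of attributes such as name, kind or tags) of type `resource_type`.
    A matching deny short-circuits to False; otherwise some allow must match."""
    allowed = False
    for policy in policies:
        if not set(_as_list(policy["by"].get("group"))) & set(groups):
            continue
        if not _context_matches(policy["context"], project):
            continue
        for rule in policy["for"].get(resource_type, []):
            if not _rule_matches(rule, resource):
                continue
            deny = _as_list(rule.get("deny"))
            if action in deny or "*" in deny:
                return False
            allow = _as_list(rule.get("allow"))
            if action in allow or "*" in allow:
                allowed = True
    return allowed


if __name__ == "__main__":
    print(is_allowed(ALL_POLICIES, ["demo"], "read", "project", {"name": "aws"}))   # True
    print(is_allowed(ALL_POLICIES, ["demo"], "run", "job", {"name": "job1"}, project="aws"))  # False
    print(is_allowed(ALL_POLICIES + [DENY_KILL_POLICY], ["demo"], "kill", "job",
                     {"name": "job2"}, project="aws"))  # False: deny wins
```

The model makes two points the YAML alone does not: a project-context policy for aws says nothing about jobs in other projects, and the prod-tag rule grants read and refresh but not update, so a member of demo cannot change a prod node even though they can see it.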