rundeck
notBy clause not work when use urn type
I'm trying to use the notBy clause to define an aclpolicy that blocks normal users from running on localhost (the Rundeck server node). I followed the Rundeck documentation, and my aclpolicy is below:
```yaml
description: "Deny action [run] on rundeckserver node but testuser and admin group users"
context:
  project: '.*'
for:
  node:
    - equals:
        nodename: rundeckserver
      deny: [run]
notBy:
  urn:
    - user:testuser
    - group:admin
```
But the config does not work, and no user can run the jobs on rundeckserver. Is this a bug, or am I wrong somewhere?
My setup:
- Rundeck: v4.4.0
- Environment: Docker image (ubuntu-base official)
Probably you have another ACL "interfering" with your urn ACL.
I tested in the following way successfully.
My qa group users (in the realm.properties file):

```
user:user,qa
bob:bob,qa
charlie:charlie,qa
```
This ACL allows the entire qa group to execute the ProjectEXAMPLE jobs across all nodes:
```yaml
description: project context.
context:
  project: ProjectEXAMPLE
for:
  resource:
    - allow: [run,read]
  job:
    - allow: [run,read]
  node:
    - allow: [read,run]
by:
  group: qa

---

description: app context.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: ProjectEXAMPLE
      allow: [read]
  storage:
    - allow: [read]
by:
  group: qa
```
But we need to restrict node00 for all qa group users, except bob, using the notBy + urn way:
```yaml
description: project context.
context:
  project: ProjectEXAMPLE
for:
  resource:
    - deny: [run,read]
  node:
    - equals:
        nodename: node00
      deny: [run]
notBy:
  urn:
    - user:bob
```
So, bob can execute the jobs on all nodes (localhost, node00, node01, node02):

The rest of the crew doesn't (user and charlie):
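A structural check for the aclpolicy documents posted in this thread, added here as an example (not Rundeck's code and not from either poster). It assumes the documents have already been parsed with PyYAML's `yaml.safe_load_all()` and that urn subjects use the `user:`/`group:` prefixes seen above; the sample dicts are transcribed from the reporter's policy, plus a constructed variant with `notBy` mis-indented under the node rule.

```python
# Added example: lint parsed Rundeck .aclpolicy documents for the structural
# mistakes that silently break a by:/notBy: selector. Not Rundeck's own code.

# Assumed here: urn subjects carry a user:/group: prefix, as in this thread.
URN_PREFIXES = ("user:", "group:")


def lint_policy(doc):
    """Return a list of findings; an empty list means the structure looks sound."""
    if not isinstance(doc, dict):
        return ["document is not a mapping"]
    findings = []
    for key in ("description", "context", "for"):
        if key not in doc:
            findings.append(f"missing top-level key '{key}'")
    if ("by" in doc) == ("notBy" in doc):  # neither present, or both
        findings.append("exactly one of 'by' or 'notBy' is required at top level")
    # Rundeck reads the subject selector at top level; a selector indented
    # under a rule is the usual slip when a flattened policy is re-typed.
    rules_by_type = doc.get("for")
    if isinstance(rules_by_type, dict):
        for rtype, rules in rules_by_type.items():
            for rule in rules if isinstance(rules, list) else []:
                for bad in ("by", "notBy"):
                    if isinstance(rule, dict) and bad in rule:
                        findings.append(f"'{bad}' nested under for.{rtype}; move it to top level")
    selector = doc.get("by") if "by" in doc else doc.get("notBy")
    urns = (selector or {}).get("urn", [])
    for urn in urns if isinstance(urns, list) else [urns]:
        if not str(urn).startswith(URN_PREFIXES):
            findings.append(f"urn '{urn}' lacks a {'/'.join(URN_PREFIXES)} prefix")
    return findings


# The reporter's policy from this thread, with notBy at top level.
REPORTER_POLICY = {
    "description": "Deny action [run] on rundeckserver node but testuser and admin group users",
    "context": {"project": ".*"},
    "for": {"node": [{"equals": {"nodename": "rundeckserver"}, "deny": ["run"]}]},
    "notBy": {"urn": ["user:testuser", "group:admin"]},
}

# Constructed variant: the same policy with notBy indented under the node rule.
MISNESTED_POLICY = {
    "description": REPORTER_POLICY["description"],
    "context": {"project": ".*"},
    "for": {"node": [{"equals": {"nodename": "rundeckserver"}, "deny": ["run"],
                      "notBy": {"urn": ["user:testuser", "group:admin"]}}]},
}
```

Run `lint_policy()` over every document from `yaml.safe_load_all()` before loading a file into Rundeck; the reporter's policy passes, the mis-nested variant reports both the missing top-level selector and the nested one.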
I don't think the realm.properties is "interfering" with other aclpolicy. My realm.properties looks like:

```
admin: MD5:xxxxxxxxx,user,admin,build,deploy
testuser: MD5:xxxxxxxxxx,user
```
My idea is to simultaneously block all users in the group and a specified user from executing on the localhost node (rundeckserver). So, I use urn with the notBy clause as documented.
I tried many ways to test, and when I use urn as you recommend:

```yaml
urn:
  - user:bob
```

Rundeck worked well, but that is not my purpose. The issue occurs when I put user:testuser and group:admin together as in the first report, and the aclpolicy still can't work with multiple types (user, group) with urn.
In an effort to focus on bugs and issues that impact currently supported versions of Rundeck, we have elected to notify GitHub issue creators if their issue is classified as stale and close the issue. An issue is identified as stale when there have been no new comments, responses or other activity within the last 12 months. If a closed issue is still present please feel free to open a new Issue against the current version and we will review it. If you are an enterprise customer, please contact your Rundeck Support to assist in your request. Thank you, The Rundeck Team
I've got the same issue for the case when the user I log in as is a member of two groups. For one of those, resource access is allowed, but denied for the second. And the deny rule takes precedence over allow. And I didn't find a way to change this.