
notBy clause not work when use urn type

Open nh4ttruong opened this issue 1 year ago • 4 comments

I'm trying to use the notBy clause to define an aclpolicy that blocks normal users from running on localhost (the Rundeck server node). I followed the Rundeck documentation and my aclpolicy is below:

description: "Deny action [run] on rundeckserver node but testuser and admin group users"
context:
  project: '.*'
for:
  node:
    - equals:
        nodename: rundeckserver
      deny: [run]
notBy:
  urn:
    - user:testuser
    - group:admin

But the config doesn't work and no user can run the jobs on rundeckserver. Is this a bug or am I wrong somewhere?

My setup:

  • Rundeck: v4.4.0
  • Environment: Docker Image (ubuntu-base official)

nh4ttruong avatar Aug 22 '22 02:08 nh4ttruong

Probably you have another ACL "interfering" with your urn ACL.

I tested in the following way successfully.

My qa group users (in the realm.properties file):

user:user,qa
bob:bob,qa
charlie:charlie,qa

This ACL allows the entire qa group to execute the ProjectEXAMPLE jobs across all nodes:

description: project context.
context:
  project: ProjectEXAMPLE

for:
  resource:
    - allow: [run,read]
  job:
    - allow: [run,read]
  node:
    - allow: [read,run]
by:
  group: qa
 
---

description: app context.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: ProjectEXAMPLE
      allow: [read]
  storage:
     - allow: [read]
by:
  group: qa

But we need to restrict node00 for all qa group users except bob, using the notBy+urn way:

description: project context.
context:
  project: ProjectEXAMPLE

for:
  resource:
    - deny: [run,read]
  node:
    - equals:
        nodename: node00
      deny: [run]

notBy:
  urn:
    - user:bob

So, bob can execute the jobs on all nodes (localhost,node00, node01,node02):

Screen Shot 2022-08-22 at 10 30 25

The rest of the crew (user and charlie) can't:

Screen Shot 2022-08-22 at 10 40 14

Screen Shot 2022-08-22 at 10 29 09

MegaDrive68k avatar Aug 22 '22 14:08 MegaDrive68k

I don't think the realm.properties is "interfering" with the other aclpolicy. My realm.properties looks like:

admin: MD5:xxxxxxxxx,user,admin,build,deploy
testuser: MD5:xxxxxxxxxx,user

My idea is to simultaneously block all users in a group and a specified user from executing on the localhost node (rundeckserver). So I use urn with the notBy clause as documented.

I tried many ways to test, and when I use urn as you recommend:

urn:
  - user:bob

Rundeck worked well, but that is not my purpose. The issue occurs when I put user:testuser and group:admin together, as in the first report, and the aclpolicy still doesn't work with multiple types (user, group) under urn.

nh4ttruong avatar Aug 22 '22 17:08 nh4ttruong

In an effort to focus on bugs and issues that impact currently supported versions of Rundeck, we have elected to notify GitHub issue creators if their issue is classified as stale and close the issue. An issue is identified as stale when there have been no new comments, responses or other activity within the last 12 months. If a closed issue is still present please feel free to open a new Issue against the current version and we will review it. If you are an enterprise customer, please contact your Rundeck Support to assist in your request. Thank you, The Rundeck Team

stale[bot] avatar Sep 17 '23 03:09 stale[bot]

I've got the same issue for the case where the user I log in as is a member of two groups. For one of those, resource access is allowed, but it is denied for the second. And the deny rule takes precedence over allow. And I didn't find a way to change this.

vifrrg avatar Feb 22 '24 15:02 vifrrg
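The two questions in this thread (whether a notBy/urn list with both a user and a group entry exempts both, and whether a deny from one group overrides an allow from another) are easiest to reason about with a small model of the intended semantics. The evaluator below is an added example written for this page; it is not Rundeck's ACL engine and does not reproduce the 4.4.0 behaviour the reporter saw. Its assumptions are labelled in the comments: a `urn` list matches a subject if any listed urn matches, `notBy` makes a policy apply only to subjects the clause does not match, the `context.project` value is a regex, only the `equals` node selector is modelled, and a deny from any applicable policy wins over allow. The policies are the thread's YAML transcribed into dicts, plus a constructed baseline allow and a constructed `ops` group so the outcomes are visible. Running a subject table through a check like this before deploying a policy is a cheap way to confirm the policy says what you intend.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """A logged-in user and its groups (mirrors the realm.properties lines in the thread)."""
    username: str
    groups: frozenset

    def urns(self):
        """URNs in the form used by the notBy/urn clause on this page."""
        return {f"user:{self.username}"} | {f"group:{g}" for g in self.groups}


def clause_matches(clause, subject):
    """A by/notBy clause. Assumption: a urn list matches if ANY listed urn matches."""
    if "urn" in clause:
        return bool(set(clause["urn"]) & subject.urns())
    if "group" in clause:
        return clause["group"] in subject.groups
    if "username" in clause:
        return clause["username"] == subject.username
    return False


def policy_applies(policy, subject):
    """by: applies when the clause matches; notBy: applies when it does NOT match."""
    if "by" in policy:
        return clause_matches(policy["by"], subject)
    if "notBy" in policy:
        return not clause_matches(policy["notBy"], subject)
    return False


def node_rule_matches(rule, node):
    """Only the 'equals' selector appears on this page; a rule without one matches any node."""
    return all(node.get(k) == v for k, v in rule.get("equals", {}).items())


def evaluate_node_action(policies, subject, project, node, action):
    """Return 'deny', 'allow' or 'unspecified' for one node action.
    Assumption: a deny from any applicable policy wins, as the last comment describes."""
    decision = "unspecified"
    for policy in policies:
        # Assumption: context.project is a regex ('.*' in the first post, a literal name later).
        if not re.fullmatch(policy["context"].get("project", ""), project):
            continue
        if not policy_applies(policy, subject):
            continue
        for rule in policy["for"].get("node", []):
            if not node_rule_matches(rule, node):
                continue
            if action in rule.get("deny", []):
                return "deny"
            if action in rule.get("allow", []):
                decision = "allow"
    return decision


# Constructed baseline so an un-denied member of group 'user' gets 'allow', not 'unspecified'.
BASELINE_ALLOW = {
    "description": "constructed: group user may run on any node",
    "context": {"project": ".*"},
    "for": {"node": [{"allow": ["run", "read"]}]},
    "by": {"group": "user"},
}

# The original poster's policy, transcribed from the YAML in the first post.
DENY_SERVER_EXCEPT = {
    "description": "Deny action [run] on rundeckserver node but testuser and admin group users",
    "context": {"project": ".*"},
    "for": {"node": [{"equals": {"nodename": "rundeckserver"}, "deny": ["run"]}]},
    "notBy": {"urn": ["user:testuser", "group:admin"]},
}


def thread_example():
    """Intended outcome of the first post's policy: admin and testuser exempt, others denied."""
    policies = [BASELINE_ALLOW, DENY_SERVER_EXCEPT]
    server = {"nodename": "rundeckserver"}
    subjects = {  # group lists taken from the realm.properties in the thread; alice is constructed
        "admin": Subject("admin", frozenset({"user", "admin", "build", "deploy"})),
        "testuser": Subject("testuser", frozenset({"user"})),
        "alice": Subject("alice", frozenset({"user"})),
    }
    return {name: evaluate_node_action(policies, s, "anyproject", server, "run")
            for name, s in subjects.items()}


def two_group_example():
    """The last comment's case: membership in an allowed and a denied group ends in deny."""
    allow_qa = {"context": {"project": "ProjectEXAMPLE"},
                "for": {"node": [{"allow": ["run"]}]}, "by": {"group": "qa"}}
    deny_ops = {"context": {"project": "ProjectEXAMPLE"},  # constructed second group
                "for": {"node": [{"deny": ["run"]}]}, "by": {"group": "ops"}}
    dual = Subject("dual", frozenset({"qa", "ops"}))
    return evaluate_node_action([allow_qa, deny_ops], dual, "ProjectEXAMPLE",
                                {"nodename": "node00"}, "run")


if __name__ == "__main__":
    print(thread_example())
    print(two_group_example())
```

Under these semantics the first post's policy should let admin and testuser run on rundeckserver and deny everyone else, which is what the reporter intended; the thread reports that Rundeck 4.4.0 denied all users instead, so the model documents the expectation to compare against, not the product's behaviour. The second function shows why vifrrg could not get an allow through one group membership when another group carried a deny.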