To add a new user to Rundeck, edit the file:
rundeck/server/config/realm.properties
The file looks like this:
$ cat realm.properties
#
# This file defines users passwords and roles for a HashUserRealm
#
# The format is
# <username>: <password>[,<rolename> ...]
#
# Passwords may be clear text, obfuscated or checksummed. The class
# org.mortbay.util.Password should be used to generate obfuscated
# passwords or password checksums
#
# This sets the temporary user accounts for the Rundeck app
#
admin:admin,user,admin,api_token_group
user:user,user
sherif:sherif,otherusers,user,api_token_group
To authorize the user to have certain privileges, we create a new policy file at:
rundeck/etc/otherusers.aclpolicy
$ cat otherusers.aclpolicy
description: Limited user access for adm restart action
context:
  project: 'someproj.*'
for:
  resource:
    - allow: [read]
  job:
    - allow: [read,run,kill]
  node:
    - allow: [read,run,refresh]
by:
  group: [otherusers]
---
description: Limited user
context:
  application: 'rundeck'
for:
  #resource:
  #  - equals:
  #      kind: system
  #    allow: [read] # allow read of system info
  project:
    - match:
        name: 'someproj.*'
      allow: [read]
by:
  group: [otherusers]
$
This policy grants the group "otherusers" limited access: its members can only view, run and kill jobs in projects whose names match the "someproj.*" pattern.
The policy is a modified copy of the admin policy.
Rundeck loads both the policy file and the realm file automatically; no restart is required.
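The following script is an added example, not code from the original post or from Rundeck. It parses the realm.properties shown above, reports which accounts still store their password in clear text (the file's own header says org.mortbay.util.Password can produce obfuscated or checksummed values; the OBF:, MD5: and CRYPT: prefixes are the ones that class emits), and then walks a simplified model of the ACL rules to answer what the "otherusers" group may do in a given project. The two aclpolicy documents are embedded as the Python structures a YAML loader would return, so the script runs without extra packages; the project and resource names passed to decide() are made-up inputs, and the evaluation logic is an illustration of the deny-overrides-allow, default-deny rules, not Rundeck's own implementation.

```python
import re

# realm.properties entries copied from the post (comments omitted).
REALM_PROPERTIES = """\
# This sets the temporary user accounts for the Rundeck app
admin:admin,user,admin,api_token_group
user:user,user
sherif:sherif,otherusers,user,api_token_group
"""

# Prefixes org.mortbay.util.Password uses for non-clear-text values.
PROTECTED_PREFIXES = ("OBF:", "MD5:", "CRYPT:")


def parse_realm(text):
    """Return {username: (password_field, [role, ...])} from realm.properties text."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        parts = [p.strip() for p in rest.split(",")]
        users[name.strip()] = (parts[0], parts[1:])
    return users


def cleartext_accounts(users):
    """Accounts whose password field carries none of the protected prefixes."""
    return sorted(u for u, (pw, _) in users.items() if not pw.startswith(PROTECTED_PREFIXES))


# otherusers.aclpolicy, both YAML documents, as a YAML loader would return them.
PROJECT_POLICY = {
    "description": "Limited user access for adm restart action",
    "context": {"project": "someproj.*"},
    "for": {
        "resource": [{"allow": ["read"]}],
        "job": [{"allow": ["read", "run", "kill"]}],
        "node": [{"allow": ["read", "run", "refresh"]}],
    },
    "by": {"group": ["otherusers"]},
}
APP_POLICY = {
    "description": "Limited user",
    "context": {"application": "rundeck"},
    "for": {"project": [{"match": {"name": "someproj.*"}, "allow": ["read"]}]},
    "by": {"group": ["otherusers"]},
}
POLICIES = [PROJECT_POLICY, APP_POLICY]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _groups_match(policy, groups):
    """The 'by: group:' selector; group names are treated as regexes."""
    wanted = _as_list(policy.get("by", {}).get("group"))
    return any(re.fullmatch(w, g) for w in wanted for g in groups)


def _rule_matches(rule, resource):
    """A rule with no matcher applies to every resource of its type;
    'match' compares by regex, 'equals' compares literally."""
    matchers = (("match", lambda pat, val: re.fullmatch(pat, str(val)) is not None),
                ("equals", lambda pat, val: str(pat) == str(val)))
    for key, cmp in matchers:
        for attr, pat in rule.get(key, {}).items():
            if attr not in resource or not cmp(pat, resource[attr]):
                return False
    return True


def decide(policies, groups, scope, rtype, resource, action):
    """'allow' or 'deny' for a user in `groups` acting on `resource` of type `rtype`.
    scope is {"project": name} or {"application": "rundeck"}.
    Simplified semantics: any matching deny wins; with no matching allow the answer is deny."""
    allowed = denied = False
    for pol in policies:
        ctx = pol.get("context", {})
        if "project" in ctx:
            if "project" not in scope or not re.fullmatch(ctx["project"], scope["project"]):
                continue
        elif scope.get("application") != ctx.get("application"):
            continue
        if not _groups_match(pol, groups):
            continue
        for rule in pol.get("for", {}).get(rtype, []):
            if not _rule_matches(rule, resource):
                continue
            denied = denied or action in _as_list(rule.get("deny"))
            allowed = allowed or action in _as_list(rule.get("allow"))
    return "deny" if denied or not allowed else "allow"


if __name__ == "__main__":
    users = parse_realm(REALM_PROPERTIES)
    print("clear-text passwords:", cleartext_accounts(users))
    for project in ("someproj1", "finance"):   # made-up project names
        verdict = decide(POLICIES, users["sherif"][1], {"project": project},
                         "job", {"name": "restart-adm"}, "run")
        print(f"sherif run job in {project}: {verdict}")
```

The checks a reviewer of this change would care about are the two that the post leaves implicit: every account in the file, including the new one, is in clear text, and the policy's reach stops at the regex in its context block, so a member of "otherusers" gets nothing in a project whose name does not match "someproj.*".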