Configure Rundeck ACL
In this post I will configure access control in Rundeck.
Configure AD groups in Rundeck
Modifying web.xml is no longer needed after 3.0.x.
nano /var/lib/rundeck/exp/webapp/WEB-INF/web.xml
<!-- Pre-3.0.x only: the role names must match the group names used in the
     `by: group:` entries of the ACL policies below. -->
<security-role>
  <role-name>rundeck-administrators</role-name>
  <role-name>rundeck-project</role-name>
</security-role>
Configure the privileges for the AD groups
nano /etc/rundeck/admin.aclpolicy
# Project-level rules for the admin group. The project pattern '.*' matches
# every project, and every resource type gets the '*' wildcard (all actions).
description: Admin, all access.
context:
  project: '.*'  # all projects
for:
  resource:
    - allow: '*'  # allow read/create all kinds
  adhoc:
    - allow: '*'  # allow read/running/killing adhoc jobs
  job:
    - allow: '*'  # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*'  # allow read/run for all nodes
by:
  group: rundeck-administrators
---
# Application-level rules for the admin group: project creation, project
# administration, project ACL management and full key-storage access.
description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*'  # allow create of projects
  project:
    - allow: '*'  # allow view/admin of all projects
  project_acl:
    - allow: '*'  # allow admin of all project-level ACL policies
  storage:
    - allow: '*'  # allow read/create/update/delete for all /keys/* storage content
by:
  group: rundeck-administrators
---
# Project-level rules for the rundeck-project group, scoped to the project
# named PROJECT (replace the placeholder with the real project name).
# NOTE(review): the grants are identical to the admin project rules above;
# if this group should not delete/kill jobs, list the allowed actions
# explicitly instead of '*'.
description: rundeck-project PROJECT all access.
context:
  project: 'PROJECT'
for:
  resource:
    - allow: '*'  # allow read/create all kinds
  adhoc:
    - allow: '*'  # allow read/running/killing adhoc jobs
  job:
    - allow: '*'  # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*'  # allow read/run for all nodes
by:
  group: rundeck-project
---
# Application-level rules for the rundeck-project group. Despite the
# description, only `read` is granted here: the project named PROJECT,
# system information, and the key-storage paths listed below.
description: rundeck-project, all access.
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: 'PROJECT'  # replace the placeholder with the real project name
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
  storage:
    - equals:
        path: 'keys'  # exact match: the top-level keys directory
      allow: [read]
    # NOTE(review): `match` takes a regex (see the '.*' above), so the
    # trailing '*' quantifies only the preceding 'a' — this matches
    # keys/id_rs, keys/id_rsa, keys/id_rsaa, ... and not keys/id_rsa.pub.
    # If a prefix match is intended, confirm and use 'keys/id_rsa.*'.
    - match:
        path: 'keys/id_rsa*'
      allow: [read]
by:
  group: rundeck-project