Rundeck user permissions and access control setup

DevOps

While using Rundeck I came across a very thin documentation with examples to show how to define the access control to individual roles and projects and in our company it was very much required to make different roles so that there will be segregation between who is who in rundeck system. For example we had some users which required readonly privileges to know if the job is completed and few users with run a job privilege but no modification to job  and few users needed to have privileges to modify the jobs and work flows. So in this article we will discuss on what needs to be done to have the access rights set for individual users for better control on your rundeck system.

Before going deep on configurations below is the excerpt from rundeck official url about the access control policy and mechanism.

A Rundeck access control policy grants users and user groups certain privileges to perform actions against rundeck resources like projects, jobs, nodes, commands and API. Every action requested by a user is evaluated by the Rundeck authorization system and logged for reporting and auditing purposes. You can define role-based authorization to restrict users to only a subset of actions. This enables a self-service type interface, where some users have access to a limited set of executable actions.

Two dimensions of information dictate authorization inside Rundeck:

– group memberships assigned to a user login.
– access control policy that grants access to one or more policy actions to a group or user.

In this article we will describe how you can create roles and provide access control like readonly/run/admin to individual projects and as a whole rundeck for users.

Things to achieve :

1. Create below roles with different access to projects for rundeck user permissions.

user/upload : Role for a QA person or whoever uploads the release files to the system. This user will have the minimum privileges.
opsrm : A QA person or one of our CORD team member with privileges to run the jobs and complete the installation and release.
opsadmin : CORD POC of a project. Have higher privileges to modify and update work flows to suit the release.
superadmin : Very few selected CORD member with complete privileges to system like update, add, modify, delete in all projects flows, jobs, schedules, etc.

2. Define access control policies for all the roles created.

Assumptions:

1. Rundeck installed in /opt/rundeck directory using the rundeck launcher 2.5.1(current latest) from here with Oracle JDK version 1.7.0_55

2. Rundeck launcher installed succesfully using below command to extract the jar files one time.

nohup /opt/rundeck/jdk1.7.0_55/bin/java -XX:MaxPermSize=256m -Xmx1024m -jar /opt/rundeck/rundeck-launcher-2.5.1.jar &

3. You are able to login to rundeck using admin/admin username and password in web url http://rundeck_hostname:4440/

Steps to define the roles:

1. cd to /opt/rundeck/server/exp/webapp/WEB-INF folder and open the web.xml file in any text editor.

2. Search for text “<security-role>” and update all the roles you have decided to create in rundeck and save the file:

<security-role>
<role-name>user</role-name>
<role-name>admin</role-name>
<role-name>opsadmin</role-name>
<role-name>opsrm</role-name>
<role-name>upload</role-name>
</security-role>

3. cd to /opt/rundeck/etc folder and open admin.aclpolicy file and update below configurations for assigning the access control policies for each role as described in above section and save the file.

description: Admin, all access.
context:
application: 'rundeck'
for:
resource:
- allow: '*' # allow create of projects
project:
- allow: '*' # allow view/admin of all projects
by:
group: admin

---

description: Full access.
context:
project: '.*' # all projects
for:
resource:
- allow: '*' # allow read/create all kinds
adhoc:
- allow: '*' # allow read/running/killing adhoc jobs
job:
- allow: '*' # allow read/write/delete/run/kill of all jobs
node:
- allow: '*' # allow read/run for all nodes
by:
group: opsadmin

---

context:
application: rundeck
description: "Ops Admin Engineers can launch jobs but can not delete them"
for:
project:
- match:
name: '.*'
allow: [read,write,run,kill]
system:
- match:
name: '.*'
allow: [read,write,run,kill]
by:
group: opsadmin
---

description: "Ops Engineers can launch jobs but not edit them"
context:
project: .*
for:
resource:
- equals:
kind: 'node'
allow: [read,update,refresh]
- equals:
kind: 'job'
allow: [read,run,kill]
- equals:
kind: 'adhoc'
allow: [read,run,kill]
- equals:
kind: 'event'
allow: [read,create]
job:
- match:
name: '.*'
allow: [read,run,kill]
adhoc:
- match:
name: '.*'
allow: [read,run,kill]
node:
- match:
nodename: '.*'
allow: [read,run,refresh]
by:
group: opsrm

---

context:
application: rundeck
description: "Ops Engineers can launch jobs but not edit them"
for:
project:
- match:
name: '.*'
allow: [read]
system:
- match:
name: '.*'
allow: [read]
by:
group: opsrm
---

description: "Normal users will only have read permissions"
context:
project: .*
for:
resource:
- equals:
kind: 'node'
allow: [read,refresh]
- equals:
kind: 'job'
allow: [read]
- equals:
kind: 'adhoc'
allow: [read]
- equals:
kind: 'event'
allow: [read]
job:
- match:
name: '.*'
allow: [read]
adhoc:
- match:
name: '.*'
allow: [read]
node:
- match:
nodename: '.*'
allow: [read,refresh]
by:
group: user

---

context:
application: rundeck
description: "Normal users will only have read permissions"
for:
project:
- match:
name: '.*'
allow: [read]
system:
- match:
name: '.*'
allow: [read]
by:
group: user
---

description: "Normal users will only have read permissions"
context:
project: .*
for:
resource:
- equals:
kind: 'node'
allow: [read,refresh]
- equals:
kind: 'job'
allow: [read]
- equals:
kind: 'adhoc'
allow: [read]
- equals:
kind: 'event'
allow: [read]
job:
- match:
name: '.*'
allow: [read]
adhoc:
- match:
name: '.*'
allow: [read]
node:
- match:
nodename: '.*'
allow: [read,refresh]
by:
group: upload

---

context:
application: rundeck
description: "Ops Engineers can read jobs but not launch them"
for:
project:
- match:
name: '.*'
allow: [read]
system:
- match:
name: '.*'
allow: [read]
by:
group: upload

4. Now to assign these roles to any perticular user, go to /opt/rundeck/etc folder and realm.properties file in any text editor and update like below:

– If you want to add a user (Ex: user1 with password welcome) and give him admin privileges then add a new line to existing data like below and save the file.

user1:welcome,admin,opsadmin,opsrm,user,upload

– If you want to add a user (Ex: user2 with password welcome1) and give him readonly privileges then add a new line to existing data like below and save the file.

user2:welcome1,user,upload

5. Now restart the rundeck using below command using the skipinstall else it will overwrite the edited configuration file in web.xml.

nohup /opt/rundeck/jdk1.7.0_55/bin/java -XX:MaxPermSize=256m -Xmx1024m -jar /opt/rundeck/rundeck-launcher-2.5.1.jar --skipinstall &

6. Once started you can login to the web console using the newly added username and passwords. The roles will be assigned automatically once you login.

This completes creating the groups and roles for providing rundeck user permissions and access control policies.

References for further reading on rundeck user permissions:

Rundeck Access Control Policy

Rundeck access control

In case of any ©Copyright or missing credits issue please check CopyRights page for faster resolutions.

Leave a Reply