Rundeck ACL works for one AD group but not another

So I have the same ACLs set up for two groups. They work fine for one group, but when I try to set up another, identical group, they don't work. I have them in two separate ACL policies, one under Cog/Access Control and one under Project/Project Settings/Access Control. In each case I cut and pasted everything except the group name, so I expected them to work the same way. The groups sit in Active Directory in a different sub-OU under the roleBaseDn configured in the jaas-multiauth.conf file. Here is one of the Cog/Access Control level policies:

description: Admin project level access control
context:
  project: '.*' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [create] # allow create jobs
    - equals:
        kind: node
      allow: [read,create,update,refresh] # allow refresh node sources
    - equals:
        kind: event
      allow: [read,create] # allow read/create events
  adhoc:
    - allow: [read,run,runAs,kill,killAs] # allow running/killing adhoc jobs
  job:
    - allow: [create,read,update,delete,run,runAs,kill,killAs] # allow create/read/write/delete/run/kill of all jobs
  node:
    - allow: [read,run] # allow read/run for nodes
by:
  group: Group-Zero
---
description: All jobs access control
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [create] # allow create of projects
    - equals:
        kind: system
      allow: [read,enable_executions,disable_executions,admin] # allow read of system info, enable/disable all executions
    - equals:
        kind: system_acl
      allow: [read,create,update,delete,admin] # allow modifying system ACL files
    - equals:
        kind: user
      allow: [admin] # allow modify user profiles
  project:
    - match:
        name: '.*'
      allow: [read,import,export,configure,delete,promote,admin] # allow full access of all projects or use 'admin'
  project_acl:
    - match:
        name: '.*'
      allow: [read,create,update,delete,admin] # allow modifying project-specific ACL files
  storage:
    - allow: [read,create,update,delete] # allow access for /ssh-key/* storage content
by:
  group: Group-One

The other one is identical but for a different AD group. Here is the project-level setup, both groups in one file:

description: User project level access control. Applies to resources within a specific project.
for:
  resource:
    - equals:
        kind: job
      allow: [read,run,refresh] # allow create jobs
    - equals:
        kind: node
      allow: [read] # allow read node sources
    - equals:
        kind: event
      allow: [read] # allow read events
  adhoc:
    - allow: [read] # allow read adhoc jobs
  job:
    - allow: [read,run] # allow read/run of all jobs
  node:
    - allow: [read] # allow read/run for nodes
by:
  group: Group-One
---
description: User project level access control. Applies to resources within a specific project.
for:
  resource:
    - equals:
        kind: job
      allow: [read,run,refresh] # allow create jobs
    - equals:
        kind: node
      allow: [read] # allow read node sources
    - equals:
        kind: event
      allow: [read] # allow read events
  adhoc:
    - allow: [read] # allow read adhoc jobs
  job:
    - allow: [read,run] # allow read/run of all jobs
  node:
    - allow: [read] # allow read/run for nodes
by:
  group: Group-Two

In my mind I don't need the second group in the project-level ACL policy, since I don't want those users messing with project settings; I just need to get them access as quickly as possible. I figure once I get this working I can trim their privileges back. Thanks

Okay, so it looks like my ACLs were not the problem. My users were trying to log in with Internet Explorer. Apparently there is some setting in IE that doesn't get along with Rundeck. The login works, but it just spins when trying to load the projects. I had one of them click the cog, and they had all kinds of access. Once they used Edge or Firefox, the projects loaded immediately and they could do whatever they needed to. Thanks for educating me on ACLs, they actually make sense now!

You must define the ACL using this structure (check the "context" block before "for:"). You did not define those lines in the second ACL.

description: Allow groups to list projects
context:
  application: 'rundeck'
for:
  project:
    - allow: read
      match:
        name: '.*'
by:
  group: [group-two]
---
description: Global run permissions
context:
  project: '.*'
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    # event rule kept in the same list: a second 'resource:' key would replace the first one
    - allow: read
      equals:
        kind: event
  job:
    - allow: [read, run]
      match:
        name: '.*'
  node:
    - allow: [read, run, refresh]
      match:
        nodename: '.*'
by:
  group: [group-two]

There you have a good example.

Also, make sure that the other ACL does not override the rules of the first one.

If you need some examples (under Rundeck 3.1), you can look in the /etc/rundeck directory and check the ".aclpolicy_template" files.
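As an added illustration of the structural rule in that answer (a hypothetical lint script written for this page, not part of Rundeck): it loads a multi-document .aclpolicy file with Ruby's standard YAML library and reports rule sets with no context block, resource types that do not belong to the context type, and a repeated key that a YAML loader would otherwise collapse silently. The allowed type lists are an assumption based on common Rundeck 3.x policies.

```ruby
require 'yaml'

# Resource types that belong under each context type (assumed from common
# Rundeck 3.x policies; extend the lists if your install uses more).
PROJECT_TYPES = %w[resource adhoc job node].freeze
APP_TYPES     = %w[resource project project_acl storage].freeze

# Lint every document in an .aclpolicy string; returns "doc N: problem" strings.
def lint_aclpolicy(text)
  problems = []
  YAML.load_stream(text).each_with_index do |doc, i|
    tag = "doc #{i + 1}"
    next problems << "#{tag}: not a mapping" unless doc.is_a?(Hash)
    ctx = doc['context']
    # The mistake from the question: rules with no context block (or both kinds).
    unless ctx.is_a?(Hash) && (ctx.key?('project') ^ ctx.key?('application'))
      problems << "#{tag}: context must have exactly one of project:/application:"
      next
    end
    allowed = ctx.key?('project') ? PROJECT_TYPES : APP_TYPES
    (doc['for'] || {}).each_key do |type|
      next if allowed.include?(type)
      problems << "#{tag}: '#{type}' is not valid in #{ctx.keys.first} context"
    end
  end
  problems
end

# Psych silently keeps the last of two equal keys, so scan the raw text for a
# repeated two-space-indented key (e.g. two "resource:" blocks under "for:").
def duplicate_keys(text)
  text.sub(/\A---\s*\n/, '').split(/^---\s*$/).each_with_index.flat_map do |chunk, i|
    chunk.scan(/^  (\w+):/).flatten.group_by(&:itself).select { |_, v| v.size > 1 }
         .keys.map { |k| "doc #{i + 1}: duplicate key '#{k}'" }
  end
end

# Constructed sample: doc 1 mirrors the project-level policy in the question
# (no context); doc 2 puts a project-context rule type under an application context.
SAMPLE = <<~YAML
  description: no context block
  for:
    job:
      - allow: [read, run]
  by: {group: Group-Two}
  ---
  description: wrong context type for these rules
  context: {application: rundeck}
  for:
    node:
      - allow: [read, run]
  by: {group: Group-Two}
YAML

puts lint_aclpolicy(SAMPLE) + duplicate_keys(SAMPLE)
```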
