So I split the ACL setup into two groups. They work fine for one group, but when I tried to set up the other, identical group, it didn't work. I have 2 separate ACL policies in both Cog / Access Control and Project / Project Settings / Access Control. In each case I cut and pasted everything except the group name, so I would expect them to work identically. The groups are in Active Directory in a different sub-folder from my roleBaseDn in the jaas-multiauth.conf file. Here is one of the Cog / Access Control level policies:
description: Admin project level access control
context:
  project: '.*' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [create] # allow create jobs
    - equals:
        kind: node
      allow: [read,create,update,refresh] # allow refresh node sources
    - equals:
        kind: event
      allow: [read,create] # allow read/create events
  adhoc:
    - allow: [read,run,runAs,kill,killAs] # allow running/killing adhoc jobs
  job:
    - allow: [create,read,update,delete,run,runAs,kill,killAs] # allow create/read/write/delete/run/kill of all jobs
  node:
    - allow: [read,run] # allow read/run for nodes
by:
  group: Group-Zero
---
description: All jobs access control
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [create] # allow create of projects
    - equals:
        kind: system
      allow: [read,enable_executions,disable_executions,admin] # allow read of system info, enable/disable all executions
    - equals:
        kind: system_acl
      allow: [read,create,update,delete,admin] # allow modifying system ACL files
    - equals:
        kind: user
      allow: [admin] # allow modify user profiles
  project:
    - match:
        name: '.*'
      allow: [read,import,export,configure,delete,promote,admin] # allow full access of all projects or use 'admin'
  project_acl:
    - match:
        name: '.*'
      allow: [read,create,update,delete,admin] # allow modifying project-specific ACL files
  storage:
    - allow: [read,create,update,delete] # allow access for /ssh-key/* storage content
by:
  group: Group-One
The other one is identical but with a different AD group. These are the project-level settings, both in one file:
description: User project level access control. Applies to resources within a specific project.
for:
  resource:
    - equals:
        kind: job
      allow: [read,run,refresh] # allow create jobs
    - equals:
        kind: node
      allow: [read] # allow read node sources
    - equals:
        kind: event
      allow: [read] # allow read events
  adhoc:
    - allow: [read] # allow read adhoc jobs
  job:
    - allow: [read,run] # allow read/run of all jobs
  node:
    - allow: [read] # allow read/run for nodes
by:
  group: Group-One
---
description: User project level access control. Applies to resources within a specific project.
for:
  resource:
    - equals:
        kind: job
      allow: [read,run,refresh] # allow create jobs
    - equals:
        kind: node
      allow: [read] # allow read node sources
    - equals:
        kind: event
      allow: [read] # allow read events
  adhoc:
    - allow: [read] # allow read adhoc jobs
  job:
    - allow: [read,run] # allow read/run of all jobs
  node:
    - allow: [read] # allow read/run for nodes
by:
  group: Group-Two
It seems to me I don't even need the second project-level ACL policy, because I don't want those users messing with project settings; I just need to get them access as quickly as possible. I figure once this works I can cut back their privileges. Thanks!!!
Answer 0 (score: 0)
You must define the ACL with this structure (note the "context" block before "for:"). You haven't defined those lines in your second ACL.
description: Allow groups to list projects
context:
  application: 'rundeck'
for:
  project:
    - allow: read
      match:
        name: '.*'
by:
  group: [group-two]
---
description: Global run permissions
context:
  project: '.*'
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    # event rule kept in the same 'resource' list: YAML mappings may not repeat a key
    - allow: read
      equals:
        kind: event
  job:
    - allow: [read, run]
      match:
        name: '.*'
  node:
    - allow: [read, run, refresh]
      match:
        nodename: '.*'
by:
  group: [group-two]
You have a good example here.
Also, make sure the other ACL is not being overridden by the rules of the first ACL.
If you need some examples (on Rundeck 3.1), check the /etc/rundeck directory and look at the .aclpolicy_template file.
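As an added example that is not part of this answer or of Rundeck's own code, the following Python models the policy structure described above (the four top-level keys, with a context block before for) as plain dicts instead of YAML so it runs without a YAML library. It lints each document for the missing-context defect and then evaluates a request the way overlapping documents combine: a deny in any matching document wins over an allow in another, which is the override this answer warns about. The group names, the document without a context block and the 'prod-.*' deny rule are constructed for illustration, and the evaluation logic is a simplified assumption, not Rundeck's engine.

```python
import re

# Constructed policies mirroring the two documents in the answer (group-two),
# plus two extra documents added for illustration: one with no context block
# (the defect the answer points out) and one carrying a deny rule.
POLICIES = [
    {
        "description": "Allow groups to list projects",
        "context": {"application": "rundeck"},
        "for": {"project": [{"allow": "read", "match": {"name": ".*"}}]},
        "by": {"group": ["group-two"]},
    },
    {
        "description": "Global run permissions",
        "context": {"project": ".*"},
        "for": {
            "resource": [
                {"equals": {"kind": "node"}, "allow": ["read", "refresh"]},
                {"equals": {"kind": "event"}, "allow": "read"},
            ],
            "job": [{"allow": ["read", "run"], "match": {"name": ".*"}}],
            "node": [{"allow": ["read", "run", "refresh"], "match": {"nodename": ".*"}}],
        },
        "by": {"group": ["group-two"]},
    },
    {   # hypothetical: a document with no context, like the second ACL in the question
        "description": "Broken: no context block",
        "for": {"job": [{"allow": ["read"], "match": {"name": ".*"}}]},
        "by": {"group": ["group-three"]},
    },
    {   # hypothetical: a deny in a separate document that overrides the allow above
        "description": "Deny running prod jobs",
        "context": {"project": ".*"},
        "for": {"job": [{"deny": ["run"], "match": {"name": "prod-.*"}}]},
        "by": {"group": ["group-two"]},
    },
]

REQUIRED_KEYS = ("description", "context", "for", "by")


def lint_policy(policy):
    """List structural problems in one policy document (empty list = OK)."""
    problems = [f"missing top-level key '{k}'" for k in REQUIRED_KEYS if k not in policy]
    ctx = policy.get("context")
    if isinstance(ctx, dict) and len(set(ctx) & {"application", "project"}) != 1:
        problems.append("context must name exactly one of 'application' or 'project'")
    return problems


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _context_matches(ctx, scope, project):
    # application-scope documents govern system resources; project-scope ones
    # match the requested project name against the regex in context.project
    if "application" in ctx:
        return scope == "application" and ctx["application"] == "rundeck"
    return scope == "project" and project is not None \
        and re.fullmatch(ctx["project"], project) is not None


def _rule_matches(rule, attrs):
    for key, expected in rule.get("equals", {}).items():
        if attrs.get(key) != expected:
            return False
    for key, pattern in rule.get("match", {}).items():
        if attrs.get(key) is None or re.fullmatch(pattern, attrs[key]) is None:
            return False
    return True


def decide(policies, groups, scope, project, type_name, attrs, action):
    """Evaluate every well-formed document: a matching deny wins outright,
    otherwise any matching allow grants, otherwise the action is denied."""
    allowed = False
    for policy in policies:
        if lint_policy(policy):
            continue  # assumption: a malformed document grants nothing
        if not set(_as_list(policy["by"].get("group", []))) & set(groups):
            continue
        if not _context_matches(policy["context"], scope, project):
            continue
        for rule in policy["for"].get(type_name, []):
            if not _rule_matches(rule, attrs):
                continue
            if action in _as_list(rule.get("deny", [])):
                return False
            if action in _as_list(rule.get("allow", [])):
                allowed = True
    return allowed


if __name__ == "__main__":
    for p in POLICIES:
        print(p["description"], "->", lint_policy(p) or "OK")
    print(decide(POLICIES, ["group-two"], "project", "ProjA", "job", {"name": "deploy"}, "run"))
    print(decide(POLICIES, ["group-two"], "project", "ProjA", "job", {"name": "prod-deploy"}, "run"))
```

Running the script reports the document without a context block as malformed, shows group-two may run the job named deploy, and shows the same group is refused for prod-deploy because the separate deny document wins over the allow.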
Answer 1 (score: 0)
OK, so it turns out my ACLs were not the problem. My users were trying to use Internet Explorer. Apparently some setting in IE does not get along with Rundeck. The login would work, but it would just keep trying to load the project. I had one of them click the cog and they had all sorts of access. As soon as they accessed the project with Edge or Firefox, the project loaded immediately and they were able to do whatever they needed. Thanks for teaching me about ACLs all along; they actually make some sense now!