Define aclpolicy that confines node execution
Reported by Alex-SF | December 17th, 2010 @ 08:54 AM | in Rundeck 1.4 (closed)
Define a policy configuration that controls which Nodes a user can execute commands. This should include the same node filtering model used for controlling command dispatch.
Below is a hypothetical example using the nodefilters element used in job definitions:
<policies>
<policy description="Node filtering policy">
<context project="anvils">
<command group="*" job="*" actions="resource_exec"/>
</context>
<nodefilters excludeprecedence="true">
<include>
<tags>web</tags>
</include>
</nodefilters>
<by>
<group name="webop"/>
</by>
</policy>
</policies>
Comments and changes to this ticket
-
Alex-SF December 17th, 2010 @ 08:54 AM
- Tag set to “security feedback”
-
Alex-SF December 17th, 2010 @ 08:55 AM
- Tag changed from “security feedback” to “feedback, security”
-
Alex-SF January 14th, 2011 @ 07:28 AM
- Milestone set to “Rundeck 1.2”
- Milestone order changed from “15” to “0”
-
Alex-SF February 14th, 2011 @ 01:10 PM
- Milestone cleared.
- Milestone order changed from “1” to “0”
-
Alex-SF September 29th, 2011 @ 08:09 AM
- Milestone set to “Rundeck 1.4”
- Milestone order changed from “33” to “0”
-
Greg Schueler October 5th, 2011 @ 01:30 PM
- State changed from “new” to “needs_verification”
This has been added as part of #429
Example restriction on nodes:
for: node: - contains: tags: [dev,qa] allow: [read,run] - contains: tags: [prod] allow: [read] deny: [run] - match: nodename: 'test.*' allow: [read,run] - equals: rundeck_server: 'true' deny: [run] -
Greg Schueler October 5th, 2011 @ 01:30 PM
- Assigned user set to “Greg Schueler”
-
Greg Schueler October 25th, 2011 @ 12:37 PM
- State changed from “needs_verification” to “resolved”
-
Williams Daniel May 5th, 2023 @ 09:06 PM
Your instructions are already very detailed so I just added that During implementation, be careful and follow the security rules Pokemon Showdown and make sure you have admin rights to make the es.
-
victorpatrick June 30th, 2023 @ 09:46 PM
The provided example demonstrates a policy configuration that controls which nodes a user can execute commands on, using the same node filtering model as command dispatch control. Here's a breakdown of the configuration:
<!-- Define the context for the policy --><!-- Specify the node filters for the policy --> <nodefilters excludeprecedence="true"> <include> <tags>web</tags> </include> </nodefilters> <!-- Specify the user or group associated with the policy --> <by> <group name="webop"/> </by>
Please Sign in or create a free account to add a new ticket.
With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.
Create new ticket
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป
(DEPRECATED) Please use github issues for issue tracking at http://github.com/dtolabs/rundeck/issues
Alex-SF
Greg Baker
Greg Schueler