#306 ✓resolved
Alex-SF

Document if jobs can be hidden but be executed from other

Reported by Alex-SF | May 26th, 2011 @ 04:57 PM | in Rundeck 1.2.1

Test disallowing workflow_read but allowing workflow_run in order to see if a hidden subjob can still be executed from another (workflow) job.

Comments and changes to this ticket

  • Alex-SF

    Alex-SF May 31st, 2011 @ 02:44 PM

    • Tag changed from documentation to customer request, documentation
  • Alex-SF

    Alex-SF May 31st, 2011 @ 03:10 PM

    The underlying goal is to reduce the clutter in the job list. For example, there may be a handful of top level processes that should be visible. These top level jobs may be constructed from lower level "helper jobs" that should not be visible since they should normally be run by themselves.

  • Alex-SF

    Alex-SF May 31st, 2011 @ 03:22 PM

    Adding job definition describing trivial multi-job workflow structure in a group named "#306".

    The following aclpolicy hides the jobs that are not meant to be visible in the GUI.

    <policies>
      <policy description="User group that has limited access.">
        <context project="*">
          <command group="#306" job="Restart" actions="workflow_run,workflow_read"/>
          <command group="#306" job="stop" actions="workflow_run"/>
          <command group="#306" job="stop" actions="workflow_run"/>
        </context>
        <by>
          <group name="user"/>
        </by>
      </policy>
    </policies>
    
  • Greg Schueler

    Greg Schueler May 31st, 2011 @ 03:52 PM

    Any job can be run as a subjob (auth is not checked).

    Also, authorization checks for Grails actions (pages) use the mapped roles, not the aclpolicy. So, e.g., you can still view the /job/show/id page for any of those jobs where there is no workflow_read authorization. Likewise, mapped roles must assign workflow_update to one of the user's roles to be able to edit a job, even if aclpolicy allows * actions.

    Another point:

    Job listings are filtered by aclpolicy. So the main Jobs page will not show unauthorized jobs. Also, job reference selection in the job edit page will not show unauthorized jobs.
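
An added example (not part of the ticket or of Rundeck's code) that audits the policy posted above under the behaviour described in this thread: job listings follow workflow_read, and subjob execution is not authorization-checked. The job-reference map and the `cleanup` job are constructed assumptions, and matching is on exact group and job names only.

```python
import xml.etree.ElementTree as ET

# Policy copied from the ticket as posted (the "stop" line appears twice there).
ACLPOLICY = """
<policies>
  <policy description="User group that has limited access.">
    <context project="*">
      <command group="#306" job="Restart" actions="workflow_run,workflow_read"/>
      <command group="#306" job="stop" actions="workflow_run"/>
      <command group="#306" job="stop" actions="workflow_run"/>
    </context>
    <by>
      <group name="user"/>
    </by>
  </policy>
</policies>
"""

# Constructed job references (parent -> subjobs); the ticket's job definition is
# not on the page. "cleanup" is a hypothetical job with no grant in the policy.
JOB_REFS = {("#306", "Restart"): [("#306", "stop"), ("#306", "cleanup")]}


def grants_for(policy_xml, user_group):
    """Return {(group, job): set(actions)} granted to user_group (exact names only)."""
    grants = {}
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if user_group not in {g.get("name") for g in policy.findall("by/group")}:
            continue
        for cmd in policy.iter("command"):
            actions = {a.strip() for a in cmd.get("actions", "").split(",") if a.strip()}
            grants.setdefault((cmd.get("group"), cmd.get("job")), set()).update(actions)
    return grants


def audit(policy_xml, user_group, job_refs):
    """Listing follows workflow_read; subjob execution is not auth-checked (per the ticket)."""
    grants = grants_for(policy_xml, user_group)
    listed = {j for j, a in grants.items() if "workflow_read" in a}
    runnable = {j for j, a in grants.items() if "workflow_run" in a}
    reached, stack = set(), list(runnable)
    while stack:  # follow job references transitively from directly runnable jobs
        for sub in job_refs.get(stack.pop(), []):
            if sub not in reached:
                reached.add(sub)
                stack.append(sub)
    return {"listed": listed, "run_directly": runnable,
            "hidden_but_run_as_subjob": reached - listed}
```

Jobs reported under `hidden_but_run_as_subjob` are only absent from the listing; anyone who can run the parent job still triggers them, so hiding reduces clutter and is not an access boundary.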

  • Deleted User

    Deleted User May 31st, 2011 @ 04:38 PM

    • State changed from “new” to “resolved”

    (from [bf290717af15fc03592da801708b615fcaa13eeb]) Added example in an admin section: "Access control policy actions example" [#306 state:resolved] https://github.com/dtolabs/rundeck/commit/bf290717af15fc03592da8017...

  • Deleted User

    Deleted User May 31st, 2011 @ 04:45 PM

    (from [21709b23ce0ed9edde92d93e09c27bab0ec82ea8]) Added an example to the admin manual describing how to use workflow policy actions. [#306 state:resolved] https://github.com/dtolabs/rundeck/commit/21709b23ce0ed9edde92d93e0...


(DEPRECATED) Please use github issues for issue tracking at http://github.com/dtolabs/rundeck/issues
