Node selection as "Execute locally" should not requires read privilege to server node #2251

Open
rophy opened this Issue Dec 26, 2016 · 0 comments

Projects

None yet

2 participants

@rophy
Contributor
rophy commented Dec 26, 2016 edited

Bug report

My Rundeck detail

  • Rundeck version: 2.6.11
  • install type: rpm
  • OS Name/version: CentOS 7

Expected Behavior

Currently, with the #1459 fix, the Local Commmand step node requires run privilege, but not read privilege to run commands on server node, which is good.

Ideally, this should also mean that the Execute locally node selection should not require read privilege for server node, since user is not selecting nodes at all.


Actual Behavior

If user has run but not read privilege to server node, setting node selection to Execute locally would fail the job:

[Workflow result: , step failures: {1=NodeDispatchFailure: No nodes matched}, flow control: Continue, status: failed]

How to reproduce Behavior

  1. Create a job with one Local Command step
  2. Set job node selection to Execute locally
  3. Log in rundeck as a user with run but not read privilege to server node,
  4. Run the job
  5. The job will fail with above error.
  6. Change job node selection to Dispatch to Nodes, selecting a "stub" node which do not actually exist.
  7. Run the job
  8. The job will *success without error.
  • Notice how the job can have different results in step 5 and step 8, even though user has exactly the same privilege in two cases.
@rophy rophy changed the title from Local Command step requires read access to rundeck server to Jobs with node selection as "Execute locally" should not requires read privilege to server node Dec 26, 2016
@rophy rophy changed the title from Jobs with node selection as "Execute locally" should not requires read privilege to server node to Node selection as "Execute locally" should not requires read privilege to server node Dec 26, 2016
@gschueler gschueler added the bug label Jan 3, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment