regex in aclpolicy files not being read correctly #2269

Closed
herdingkittens opened this issue Jan 9, 2017 · 2 comments

herdingkittens commented Jan 9, 2017

Bug report

My Rundeck detail

  • Rundeck version: 2.6.3-1, AD-integrated login
  • install type: rpm
  • OS Name/version: RHEL 6.5

Expected Behavior
I have several projects that have similar names, so I am trying to use regex to allow a specific group access to anything starting with "Abc". According to the documentation, the *.aclpolicy files should match a regex expression. However, when I construct my aclpolicy file as follows, the users can log in, but they see no projects at all:

(all projects they should have access to are named "Abc....")

description: Abc application team access
context:
  project: 'Abc.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: rundeck-prod

---

description: Abc application team access to Abc projects
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: 'Abc*' # allow view/admin of all Abc projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: rundeck-prod

I've read the documentation a hundred times, but it's still not clear how I'm supposed to construct this file so that it's read properly. Any help would be appreciated.


UnicodeTreason commented Jan 10, 2017

I'm pretty green on the ACLs too, but possibly something like this?

description: Limited Access - Abc project only
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*'
  project:
    - match:
        name: 'Abc'
      allow: '*' #Allow full access to Abc
  storage:
    - allow: '*'
by:
  group:
    - rundeck-prod

---

description: Admin - Abc project only
context:
  project: 'Abc' # Abc project only
for:
  resource:
    - allow: '*'
  adhoc:
    - allow: '*'
  job:
    - allow: '*'
  node:
    - allow: '*'
by:
  group:
    - rundeck-prod

gschueler (Member) commented

This line is incorrect:

  project:
    - allow: 'Abc*' # allow view/admin of all Abc projects

You want to use match: similar to what @JustRiedy suggested:


    - match:
        name: 'Abc.*'
      allow: '*' #Allow full access to Abc
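
Added example, not part of the thread and not Rundeck's own code: a small Python model of why the reported `project:` rule grants nothing while the `match:` form works, plus a lint that flags name patterns placed under `allow`/`deny`. The rule lists are constructed dict forms of the YAML above, `AbcBilling` is a made-up project name, and the full-match regex semantics and the lowercase action-name check are assumptions.

```python
import re

# Constructed dict forms of the application-context `for: project:` rules on this page.
BROKEN_RULES = [{"allow": "Abc*"}]                           # from the original report
FIXED_RULES = [{"match": {"name": "Abc.*"}, "allow": "*"}]   # the suggested correction

# Assumption: action names are '*' or lowercase words such as read, admin, delete_execution.
ACTION_RE = re.compile(r"\*|[a-z_]+")


def as_list(value):
    return value if isinstance(value, list) else [value]


def rule_applies(rule, resource):
    """A rule with no match: section applies to every resource of its type."""
    # Assumption: match: patterns must cover the whole attribute value (full match).
    return all(
        re.fullmatch(pattern, resource.get(attr, "")) is not None
        for attr, pattern in rule.get("match", {}).items()
    )


def granted(rules, resource, action):
    """True if any applicable rule allows the action (deny rules are not modelled)."""
    for rule in rules:
        allowed = as_list(rule.get("allow", []))
        if rule_applies(rule, resource) and ("*" in allowed or action in allowed):
            return True
    return False


def lint(rules):
    """Flag allow/deny values that look like resource patterns instead of actions."""
    findings = []
    for index, rule in enumerate(rules):
        for key in ("allow", "deny"):
            for value in as_list(rule.get(key, [])):
                if not ACTION_RE.fullmatch(value):
                    findings.append(f"rule {index}: {key}: {value!r} is not an action name; "
                                    "move the name pattern under match:")
    return findings


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(label, granted(rules, {"name": "AbcBilling"}, "read"), lint(rules))
```

In the broken form the rule applies to every project but only allows an action literally named `Abc*`, which no request asks for, so the group sees no projects.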
