regex in aclpolicy files not being read correctly #2269

Open
herdingkittens opened this Issue Jan 9, 2017 · 1 comment

@herdingkittens
herdingkittens commented Jan 9, 2017 edited

Bug report

My Rundeck detail

  • Rundeck version: 2.6.3-1, AD-integrated login
  • install type: rpm
  • OS Name/version: RHEL 6.5

Expected Behavior
I have several projects that have similar names, so I am trying to use regex to allow a specific group access to anything starting with "Abc". According to the documentation, the *.aclpolicy files should match a regex expression. However, when I construct my aclpolicy file as follows, the users can log in, but they see no projects at all:

(all projects they should have access to are named "Abc....")

description: Abc application team access
context:
  project: 'Abc.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: rundeck-prod

---

description: Abc application team access to Abc projects
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: 'Abc*' # allow view/admin of all Abc projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: rundeck-prod

I've read the documentation a hundred times, but it's still not clear how I'm supposed to construct this file so that it's read properly. Any help would be appreciated.

@JustRiedy

I'm pretty green on the ACLs too, but possibly something like this?

description: Limited Access - Abc project only
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*'
  project:
    - match:
        name: 'Abc'
      allow: '*' # Allow full access to Abc
  storage:
    - allow: '*'
by:
  group:
    - rundeck-prod

---

description: Admin - Abc project only
context:
  project: 'Abc' # Abc project only
for:
  resource:
    - allow: '*'
  adhoc:
    - allow: '*'
  job:
    - allow: '*'
  node:
    - allow: '*'
by:
  group:
    - rundeck-prod
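
The two policies in this thread differ in where the project name appears: in the value of `allow`, or under `match: name:`. As an added example (not code from this thread or from Rundeck), the Python lint below flags `allow`/`deny` values that are neither `*` nor a plain action name, on the assumption that those keys list actions and that name patterns belong in a match clause. `lint_actions`, `strip_comment` and the sample policy are constructed for illustration.

```python
import re

# Matches "allow:" / "deny:" rule lines, with or without a leading list dash.
RULE = re.compile(r"^\s*(?:-\s*)?(allow|deny):\s*(.*)$")
ACTION = re.compile(r"[A-Za-z_]+")  # assumed shape of an action name


def strip_comment(value):
    """Drop a trailing YAML comment: a '#' after whitespace, outside quotes."""
    quote = None
    for i, ch in enumerate(value):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "#" and (i == 0 or value[i - 1].isspace()):
            return value[:i]
    return value


def lint_actions(policy_text):
    """Return (line, key, value) for allow/deny entries that are not actions."""
    findings = []
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue
        key, raw = m.group(1), strip_comment(m.group(2)).strip()
        for item in raw.strip("[]").split(","):
            value = item.strip().strip("'\"")
            if value and value != "*" and not ACTION.fullmatch(value):
                findings.append((lineno, key, value))
    return findings


# Constructed sample modelled on the application-context policy in this issue.
SAMPLE = """\
context:
  application: 'rundeck'
for:
  project:
    - allow: 'Abc*' # allow view/admin of all Abc projects
  storage:
    - allow: [read, create] # subset of actions on /keys/* content
by:
  group: rundeck-prod
"""

if __name__ == "__main__":
    for lineno, key, value in lint_actions(SAMPLE):
        print(f"line {lineno}: {key}: {value!r} looks like a name pattern")
```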
