Make the "required role" in web.xml configurable #590

Open
diranged opened this Issue Nov 19, 2013 · 28 comments

@diranged

The "role" that's required to exist on all users who log into Rundeck should be configurable, rather than being hard-coded to "user". Frankly, it should also be optional...

@ColOfAbRiX

I agree, this should be optional/configurable. I use LDAP and I had to create a group only for rundeck.

@ColOfAbRiX

If I start rundeck with --skipinstall I am able to override the name of the default group. But, at least, this kind of error should be signaled better.

@gschueler
Contributor

fyi: I added this FAQ entry on how to configure the web.xml required role if necessary: https://github.com/dtolabs/rundeck/wiki/Faq#i-get-an-error-logging-in-http-error-403--reason-role

@schast
schast commented Feb 4, 2014

I also use LDAP and do not want to create an extra group for rundeck. Please make this optional (configurable).

@diranged
diranged commented Feb 9, 2014

Any chance this is going to get fixed in the near future?

@andyregan

Thanks for posting a work-around in the FAQ. I would also be grateful if this could be optional.

@mbizkit76

+1 on this

@gschueler gschueler added this to the 2.x milestone Apr 3, 2014
@ghost
ghost commented Apr 4, 2014

Sorry - I zapped my previous comment - the web.xml workaround was fine - it's just our AD setup is rather strange, and I had to use a different "base" group.

Still +1 to make this easier! :)

@ahonor
Contributor
ahonor commented Apr 8, 2014

+1 on eliminating it

@azet
azet commented Apr 28, 2014

+1

@zarry
zarry commented Apr 29, 2014

+1

@pforai
pforai commented Apr 29, 2014

+1

@sebw
sebw commented May 6, 2014

I used to auth against AD with 1.4.4 and it worked fine. I'm migrating to 2.1 and I get this problem, this is clearly a regression.

Can you make it optional?

@azet
azet commented May 7, 2014

any update on that?

@ptangsir

+1

@nostrame

+1

@ntkach
ntkach commented Jul 8, 2014

Same here. Either that role name should be optional or else provide the same setup mechanism that was default in RunDeck 1.6.x. I've not been able to find it specifically, but I know we didn't have to do anything special to set/change that role name to get LDAP to work.

@UO180222

+1

@gschueler
Contributor

In 2.2.0 we added a change that allows a "supplementalRole" to be set for your LDAP JAAS config, which can be used to sidestep this issue. http://rundeck.org/docs/administration/authenticating-users.html#login-module-configuration

@gsreynolds gsreynolds added a commit to gsreynolds/rundeck_old that referenced this issue Oct 29, 2014
@gsreynolds gsreynolds Merge branch 'master' into develop
* master:
  rundeck package bump and ldap settings for supplemental group fix to rundeck/rundeck#590
  attributes fix
  Remove selinux depends
  Improved the install process for the package option
  Improved the install process for the package option
  Fixed package upgrade process
  Added more options for LDAP configurations
  Correct site enable rundeck
  Disabled selinux
  Correct apache_sites resource
  Disable gpgcheck, no signed rpm
  Update README.md
  creating release 2.0.5
  more documentation and adding myself as contributor
  upgrading to 2.2.1 and fixing config file for latest format
  meta version bump
  commenting out the url from the config due to rundeck bug
  merge conflicts
  support local user management via data bag
7e83990
@Bigd271
Bigd271 commented Nov 4, 2014

Does the "supplementalRole" feature allow for special characters like spaces and stars (i.e. supplementalRole="Everyone - Office")? I can't seem to make this work. I would like to spin up the launcher version in our Production environment, but this issue is keeping me from deploying since I cannot properly set "--skipinstall" from the RDECK_JVM properties so that I may continue to use the server/sbin/rundeckd script to start|stop.

@gschueler
Contributor

@Bigd271 you would have to alter the server/sbin/rundeckd to add --skipinstall in the start command.

supplementalRoles allow spaces, however it does a split on `, *`, meaning any spaces after the comma separating roles are lost, and the resulting string is `.trim()`'d so that any leading/trailing spaces are also lost. Make sure you use supplementalRoles (with an "s").

@Bigd271
Bigd271 commented Nov 14, 2014

Thank you @gschueler. I have chosen to go the route of installing the RPM. I've then changed the default security role in the web.xml to be the "Everyone - Office" distribution list. Our ops team is very excited to use this product. Thanks again!

@pcross616 pcross616 pushed a commit to Webtrends/rundeck that referenced this issue Jan 16, 2015
@ev0ldave ev0ldave rundeck package bump and ldap settings for supplemental group fix to
rundeck/rundeck#590

Former-commit-id: 734e548
b1e82e5
@ava-dylang

Can this role requirement be turned off entirely?

@ssbarnea

👍 Any news on this? After 2 days, I am still unable to finish the LDAP configuration step, which usually takes only few minutes on other services.

@joerocklin

Getting ready to do an update, remembered that I had an unexpected downtime after the last one, found this issue to remind me what to do. We're approaching the 2-year mark on this issue, any news on the state of things?

@gschueler
Contributor

@joerocklin good question, the status of this issue is: we don't have any immediate plans for a "fix".

Reasons:

  1. making this "configurable" requires rewriting the web.xml prior to the webapp starting up. Not an ideal fix, and especially hard to do in the case of a .war deployment anyway
  2. Whether you are using Jetty (e.g. via the Launcher or with the default RPM install) or Tomcat, there is already a workaround via configuration:
    • the JettyCachingLdapLoginModule (JAAS module used for Jetty) supports a supplementalRoles setting, that allows you to add "user" to the default roles for any successfully authenticated user. See Login module configuration
    • The JNDIRealm (realm module used for Tomcat) authentication also supports a commonRole setting to do a similar thing for a single role name, see JNDIRealm#commonRole
  3. because of limitations of "servlet-container based authentication", we hope that at some future point we can move to something more flexible
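The Jetty workaround described in the comment above, written out as a JAAS login-module fragment. This is an added illustration, not text from the thread or from Rundeck's own documentation; it assumes the section is named `ldap` (the name rundeckd is started with) and elides the deployment-specific LDAP connection and search settings.

```conf
/* Added example: Rundeck JAAS login configuration entry for the Jetty LDAP
   module. Section name "ldap" is an assumption; it must match the login
   module name Rundeck is started with. */
ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
      /* ... the LDAP provider URL, bind credentials, user and role search
         settings for your directory go here (deployment-specific, omitted) ... */

      /* Every successfully authenticated user is granted these roles on top
         of whatever groups the directory resolves. "user" is the role name
         hard-coded in web.xml's <auth-constraint>, so accounts without a
         directory group literally named "user" are no longer rejected with
         HTTP 403. The value is split on "," and each entry trimmed, so a
         role such as "Everyone - Office" keeps its internal spaces while
         leading/trailing spaces are dropped. */
      supplementalRoles="user";
};
```

For a Tomcat deployment the equivalent knob is the `commonRole` attribute of JNDIRealm mentioned in the comment above, which grants a single extra role name to every authenticated user.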
@gsreynolds gsreynolds pushed a commit to gsreynolds/rundeck_old that referenced this issue Nov 9, 2015
@ev0ldave ev0ldave rundeck package bump and ldap settings for supplemental group fix to
rundeck/rundeck#590

Former-commit-id: 734e548
c475b98
@pcross616 pcross616 pushed a commit to Webtrends/rundeck that referenced this issue Nov 15, 2015
@ev0ldave ev0ldave rundeck package bump and ldap settings for supplemental group fix to
rundeck/rundeck#590

Former-commit-id: 734e548
6f1f54a
@pcross616 pcross616 pushed a commit to Webtrends/rundeck that referenced this issue Nov 15, 2015
@ev0ldave ev0ldave rundeck package bump and ldap settings for supplemental group fix to
rundeck/rundeck#590

Former-commit-id: 734e548
8d560e7
@xeor
xeor commented Mar 21, 2016

Did this discussion die out again? It would be nice to get a better error message when you don't have access to rundeck. The roles rundeck is able to see in my setup are also everything except the Domain Users group, so I am stuck with adding a bunch of roles to my web.xml to try to catch all users.

The message you get about not having access to any projects is by far good enough as a default access denied message. So the option in my configuration I am looking for is just a way to set the accepted role to * (which doesn't work btw)..

@DerfOh
DerfOh commented Jun 22, 2016

+1 Being able to set ACL based on the AD group needs better documentation. I've been at this for a week now 😢
