Make the "required role" in web.xml configurable #590

Closed
diranged opened this Issue Nov 19, 2013 · 30 comments

diranged commented Nov 19, 2013

The "role" that's required to exist on all users who log into Rundeck should be configurable, rather than being hard-coded to "user". Frankly, it should also be optional...

ColOfAbRiX commented Jan 15, 2014

I agree, this should be optional/configurable. I use LDAP and I had to create a group only for rundeck.

ColOfAbRiX commented Jan 15, 2014

If I start rundeck with --skipinstall I am able to override the name of the default group. But, at least, this kind of error should be signaled better.

gschueler (Member) commented Jan 21, 2014

fyi: I added this FAQ entry on how to configure the web.xml required role if necessary: https://github.com/dtolabs/rundeck/wiki/Faq#i-get-an-error-logging-in-http-error-403--reason-role

schast commented Feb 4, 2014

I also use ldap and do not want to create an extra group for rundeck. Please make this optional (configurable).

diranged commented Feb 9, 2014

Any chance this is going to get fixed in the near future?

andyregan commented Feb 19, 2014

Thanks for posting a work-around in the FAQ. I would also be grateful if this could be optional.

mbizkit76 commented Mar 19, 2014

+1 on this

gschueler added this to the 2.x milestone Apr 3, 2014

ghost commented Apr 4, 2014

Sorry - I zapped my previous comment - the web.xml workaround was fine - it's just our AD setup is rather strange, and I had to use a different "base" group.

Still +1 to make this easier! :)

ahonor (Contributor) commented Apr 8, 2014

+1 on eliminating it

azet commented Apr 28, 2014

+1

zarry commented Apr 29, 2014

+1

pforai commented Apr 29, 2014

+1

sebw commented May 6, 2014

I used to auth against AD with 1.4.4 and it worked fine. I'm migrating to 2.1 and I get this problem, this is clearly a regression.

Can you make it optional?

azet commented May 7, 2014

Any update on that?

ptangsir commented Jun 12, 2014

+1

nostrame commented Jun 24, 2014

+1

ntkach commented Jul 8, 2014

Same here. Either that role name should be optional or else provide the same setup mechanism that was default in RunDeck 1.6.x. I've not been able to find it specifically, but I know we didn't have to do anything special to set/change that role name to get LDAP to work.

UO180222 commented Jul 25, 2014

+1

gschueler (Member) commented Jul 25, 2014

In 2.2.0 we added a change that allows a "supplementalRole" to be set for your LDAP jaas config, which can be used to sidestep this issue. http://rundeck.org/docs/administration/authenticating-users.html#login-module-configuration

Bigd271 commented Nov 4, 2014

Does the "supplementalRole" feature allow for special characters like spaces and stars (i.e. supplementalRole="Everyone - Office")? I can't seem to make this work. I would like to spin up the launcher version in our Production environment, but this issue is keeping me from deploying since I cannot properly set "--skipinstall" from the RDECK_JVM properties so that I may continue to use the server/sbin/rundeckd script to start|stop.

gschueler (Member) commented Nov 11, 2014

@Bigd271 you would have to alter the server/sbin/rundeckd to add --skipinstall in the start command.

supplementalRoles allows spaces; however, it does a split on `, *`, meaning any spaces after the comma separating roles are lost, and the resulting string is `.trim()`'d so that any leading/trailing spaces are also lost. Make sure you use supplementalRoles (with an "s").

Bigd271 commented Nov 14, 2014

Thank you @gschueler. I have chosen to go the route of installing the RPM. I've then changed the default security role in the web.xml to be the "Everyone - Office" distribution list. Our ops team is very excited to use this product. Thanks again!

ava-dylang commented Jun 10, 2015

Can this role requirement be turned off entirely?

ssbarnea commented Aug 17, 2015

👍 Any news on this? After 2 days, I am still unable to finish the LDAP configuration step, which usually takes only a few minutes on other services.

joerocklin commented Oct 13, 2015

Getting ready to do an update, remembered that I had an unexpected downtime after the last one, found this issue to remind me what to do. We're approaching the 2-year mark on this issue, any news on the state of things?

gschueler (Member) commented Oct 13, 2015

@joerocklin good question, the status of this issue is: we don't have any immediate plans for a "fix".

Reasons:

  1. making this "configurable" requires rewriting the web.xml prior to the webapp starting up. Not an ideal fix, and especially hard to do in the case of a .war deployment anyway
  2. Whether you are using Jetty (e.g. via the Launcher or with the default RPM install) or Tomcat, there is already a workaround via configuration:
    • the JettyCachingLdapLoginModule (JAAS module used for Jetty) supports a supplementalRoles setting that allows you to add "user" to the default roles for any successfully authenticated user. See Login module configuration
    • The JNDIRealm (realm module used for Tomcat) authentication also supports a commonRole setting to do a similar thing for a single role name, see JNDIRealm#commonRole
  3. because of limitations of "servlet-container based authentication", we hope that at some future point we can move to something more flexible
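As an added illustration (not Rundeck's own code), the following Python models the login-time role decision described in this comment and in the Nov 11, 2014 reply on supplementalRoles: the setting is split on `, *` and trimmed, merged with the roles the LDAP module returned, and login succeeds only if the web.xml role-name is among them. The LDAP role sets for the three sample users are constructed.

```python
"""Model of the servlet-container role check discussed in this issue.

Added example, not Rundeck's own code. It reproduces the behaviour described
in the thread: supplementalRoles is split on the regex ', *' and each entry is
trimmed, the result is merged with the LDAP-derived roles of any successfully
authenticated user, and the container only admits users who hold the role
named in web.xml (hard-coded to "user" in the releases under discussion).
"""
import re

# Constructed sample: roles the LDAP login module would return per user.
LDAP_ROLES = {
    "alice": {"Domain Users", "Everyone - Office"},
    "bob": {"Domain Users"},
    "carol": set(),  # authenticated, but no group membership visible to Rundeck
}


def parse_supplemental_roles(setting):
    """Split a supplementalRoles value on a comma followed by any spaces,
    then trim each entry. Spaces inside a role name survive; spaces around
    the commas do not (the behaviour gschueler describes)."""
    if not setting:
        return []
    return [r.strip() for r in re.split(r", *", setting) if r.strip()]


def effective_roles(user, supplemental="", ldap_roles=LDAP_ROLES):
    """Roles the container sees: LDAP groups plus the supplemental ones."""
    return set(ldap_roles.get(user, set())) | set(parse_supplemental_roles(supplemental))


def container_login(user, required_role="user", supplemental="", ldap_roles=LDAP_ROLES):
    """Return (http_status, roles). 403 mirrors the 'HTTP ERROR 403 Reason: role'
    a user gets when the web.xml <role-name> is missing from their roles."""
    roles = effective_roles(user, supplemental, ldap_roles)
    return (200 if required_role in roles else 403), roles


if __name__ == "__main__":
    # Default install: "user" is required but never granted by LDAP -> 403.
    print("bob, no workaround:", container_login("bob")[0])
    # Workaround from the comment above: supplementalRoles grants "user".
    print("bob, supplementalRoles=user:", container_login("bob", supplemental="user")[0])
    # Only listing other groups (zonArt's mistake) does not help.
    print("bob, supplementalRoles=ops:", container_login("bob", supplemental="ops")[0])
    # Editing web.xml to require an AD group with spaces (Bigd271's route).
    print("alice, role-name 'Everyone - Office':",
          container_login("alice", required_role="Everyone - Office")[0])
```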

pcross616 pushed a commit to sous-chefs/rundeck that referenced this issue Nov 15, 2015

David Andrew
rundeck package bump and ldap settings for supplemental group fix to
rundeck/rundeck#590

xeor commented Mar 21, 2016

Did this discussion die out again? It would be nice to get a better error message when you don't have access to rundeck. The roles rundeck is able to see in my setup are also everything except the Domain Users group, so I am stuck with adding a bunch of roles to my web.xml to try to catch all users.

The message you get about not having access to any projects is by far good enough as a default access denied message. So the option in my configuration I am looking for is just a way to set the accepted role to * (which doesn't work btw).

DerfOh commented Jun 22, 2016

+1 Being able to set ACL based on the AD group needs better documentation. I've been at this for a week now 😢

zonArt commented Mar 23, 2017

+1 for better documentation. The supplementalRoles option works great, but you should be aware that you need to put "user, <other_groups>".
If you only put the other_groups it doesn't work; as the param is called supplementalRoles, I was expecting "user" to be integrated already.
Edit: my bad, I misunderstood the behavior of this param.

scottymarshall pushed a commit to scottymarshall/rundeck that referenced this issue Mar 9, 2018

David Andrew
rundeck package bump and ldap settings for supplemental group fix to
rundeck/rundeck#590

sjrd218 (Contributor) commented Jul 10, 2018

Fixed in Rundeck 3.0.0

sjrd218 closed this Jul 10, 2018

gschueler modified the milestones: 2.x, 3.0.0 Jul 10, 2018
