rundeck创建帐号,授权普通帐号执行权限

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了rundeck创建帐号,授权普通帐号执行权限相关的知识,希望对你有一定的参考价值。

rundeck用户管理配置

rundeck/server/config/realm.properties


#admin    md5 mima

admin: MD5:xxxxxxxx,user,admin

##user1 ,md5 xxxx, 普通用户

user1: MD5:xxxxxxx,user


##普通用户,在rundeck的  rundeckzu里面,有组的权限 ,即 user2  有 那个prod_pkgs的所有执行权限,但是没有修改权限。注意read

user2: MD5:xxxxmd5,user,rundeckzu


给用户授权

cd  rundeck/etc

创建 project_xx.aclpolicy   ##创建以projectname名称的以aclpolicy为后缀的文件,直接创建就行 。例如 


vim  prod_aaaa.aclpolicy


############  

description: user.

context:

  project: 'Prod_aaaa'

for:

  resource:

    - equals:

        kind: job

      allow: [run,kill] # allow read/create all kinds

    - equals:

        kind: node

      allow: [run]

    - equals:

        kind: event

      allow: [read]

  adhoc:

    - deny: '*'

  job:

    - match:

        group: '.*'   ##若是project 给授权所有的job组权限,就这样,若是  project/moni/xxjob    就改成 moni

        name: 'xxjobname1|xxjobname2'

      allow: [read,run,runAs,kill,killAs] # allow read/write/delete/run/kill of all jobs

  node:

    - allow: [read,run] # allow read/run for all nodes

by:

  username: 'user1'


---

description: user.

context:

  project: 'Prod_aaaa'

for:

  resource:

    - equals:

        kind: job

      allow: [run,kill] # allow read/create all kinds

    - equals:

        kind: node

      allow: [run]

    - equals:

        kind: event

      allow: [read]

  adhoc:

    - deny: '*'

  job:

    - match:

        group: '.*'   ##若是project 给授权所有的job组权限,就这样,若是  project/moni/xxjob    就改成 moni

        name: 'xxjobname1|xxjobname2|xxjob'

      allow: [read,run,runAs,kill,killAs] # allow read/write/delete/run/kill of all jobs

  node:

    - allow: [read,run] # allow read/run for all nodes

by:

  username: 'userxxxxx'


---


description: user.

context:

  application: 'rundeck'

for:

  resource:

    - equals:

        kind: project

      allow: [read] # allow create of projects

    - equals:

        kind: system

      allow: [read]

    - equals:

        kind: user

      allow: [read]

  project:

    - match:

        name: 'Prod_aaaa'

      allow: [read]  # allow view/admin of all projects

  storage:

    - allow: [read,create] # allow read/create/update/delete for all /keys/* storage content

by:

  username: 'admin|user1|userxxx'

  group: 'rundeckzu'                                                                 





##一个 project里面 多个用户,就把userxxx那块 代码直接复制一下修改jobname即可

##普通用户,在rundeck的  rundeckzu里面,有组的权限 ,即 user2  有 那个prod_pkgs的所有执行权限,但是没有修改权限。注意read

user2: MD5:xxxxmd5,user,rundeckzu


以上是关于rundeck创建帐号,授权普通帐号执行权限的主要内容,如果未能解决你的问题,请参考以下文章

MongoDB用户及权限管理:用户管理

sudo: Running a Command with root Privileges/sudo:使用root权限执行命令

账户和权限管理

CLI命令行接口

账号和权限管理(理论知识铺垫)

identity与ASP.NET 模拟