Rundeck user management configuration
rundeck/server/config/realm.properties
Each line has the form username: MD5:<hash>,role,... ; the roles listed after the hash are the groups that the aclpolicy "by: group:" clauses refer to.
# admin, MD5 password hash
admin: MD5:xxxxxxxx,user,admin
## user1, MD5 hash xxxx, ordinary user
user1: MD5:xxxxxxx,user
## Ordinary user placed in the Rundeck group rundeckzu, so it gets that group's permissions: user2 has full run permission on the prod_pkgs project but no modify permission. Pay attention to the read permission.
user2: MD5:xxxxmd5,user,rundeckzu
Granting permissions to users
cd rundeck/etc
Create project_xx.aclpolicy ## create a file named after the project with the .aclpolicy suffix; just create it directly. For example:
vim prod_aaaa.aclpolicy
############
description: user.
context:
  project: 'Prod_aaaa'
for:
  resource:
    - equals:
        kind: job
      allow: [run,kill]   # run/kill on the job resource kind (no create)
    - equals:
        kind: node
      allow: [run]
    - equals:
        kind: event
      allow: [read]
  adhoc:
    - deny: '*'           # no ad-hoc commands at all
  job:
    - match:
        group: '.*'       ## '.*' grants every job group in the project; for a job under project/moni/xxjob change it to group: 'moni'
        name: 'xxjobname1|xxjobname2'
      allow: [read,run,runAs,kill,killAs]   # read/run/kill only the jobs matched above
  node:
    - allow: [read,run]   # read/run for all nodes
by:
  username: 'user1'
---
description: user.
context:
  project: 'Prod_aaaa'
for:
  resource:
    - equals:
        kind: job
      allow: [run,kill]   # run/kill on the job resource kind (no create)
    - equals:
        kind: node
      allow: [run]
    - equals:
        kind: event
      allow: [read]
  adhoc:
    - deny: '*'           # no ad-hoc commands at all
  job:
    - match:
        group: '.*'       ## '.*' grants every job group in the project; for a job under project/moni/xxjob change it to group: 'moni'
        name: 'xxjobname1|xxjobname2|xxjob'
      allow: [read,run,runAs,kill,killAs]   # read/run/kill only the jobs matched above
  node:
    - allow: [read,run]   # read/run for all nodes
by:
  username: 'userxxxxx'
---
description: user.
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [read]       # list projects (no create)
    - equals:
        kind: system
      allow: [read]
    - equals:
        kind: user
      allow: [read]
  project:
    - match:
        name: 'Prod_aaaa'
      allow: [read]       # view project Prod_aaaa only (no admin)
  storage:
    - allow: [read,create]   # read/create key storage content (no update/delete)
by:
  username: 'admin|user1|userxxx'
  group: 'rundeckzu'
## For several users in one project, copy the userxxxxx block and change the job names.
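To check what such a policy actually grants before deploying it, the following is an added example (my own code, not Rundeck's) that evaluates the job/node/adhoc rules above for a given user. The policies are transcribed by hand from the prod_aaaa.aclpolicy text into Python dicts so it runs without PyYAML; the second policy is a hypothetical variant using group: 'moni' to show the difference the comment on "group:" describes. Matching semantics are my reading of the Rundeck docs: "match" values and "by" username/group values are regexes matched against the whole string, "equals" is exact, and any deny beats any allow.

```python
"""Minimal evaluator for Rundeck-style aclpolicy rules (added example, not Rundeck code)."""
import re

# Constructed from the page's prod_aaaa.aclpolicy; usernames/job names are placeholders.
POLICIES = [
    {
        "description": "user.",
        "context": {"project": "Prod_aaaa"},
        "for": {
            "resource": [
                {"equals": {"kind": "job"}, "allow": ["run", "kill"]},
                {"equals": {"kind": "node"}, "allow": ["run"]},
                {"equals": {"kind": "event"}, "allow": ["read"]},
            ],
            "adhoc": [{"deny": "*"}],
            "job": [
                {"match": {"group": ".*", "name": "xxjobname1|xxjobname2"},
                 "allow": ["read", "run", "runAs", "kill", "killAs"]}
            ],
            "node": [{"allow": ["read", "run"]}],
        },
        "by": {"username": "user1"},
    },
    # Hypothetical variant: only jobs in the 'moni' group, granted to the rundeckzu group.
    {
        "description": "user.",
        "context": {"project": "Prod_aaaa"},
        "for": {"job": [{"match": {"group": "moni", "name": "xxjob"},
                         "allow": ["read", "run"]}]},
        "by": {"group": "rundeckzu"},
    },
]


def _subject_matches(by, username, groups):
    """'by:' username/group values are regexes; either one matching is enough."""
    if "username" in by and re.fullmatch(by["username"], username):
        return True
    return "group" in by and any(re.fullmatch(by["group"], g) for g in groups)


def _rule_matches(rule, resource):
    """A rule applies when every match/equals/contains clause holds; no clauses = always."""
    for key, pat in rule.get("match", {}).items():
        if not re.fullmatch(pat, str(resource.get(key, ""))):
            return False
    for key, val in rule.get("equals", {}).items():
        if resource.get(key) != val:
            return False
    for key, val in rule.get("contains", {}).items():
        if val not in resource.get(key, []):
            return False
    return True


def _as_set(value):
    """allow/deny may be a single string ('*') or a list."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def _collect(policies, project, username, groups, res_type, resource):
    """Gather allow and deny sets from every policy that applies to this subject."""
    allow, deny = set(), set()
    for pol in policies:
        if pol.get("context", {}).get("project") != project:
            continue
        if not _subject_matches(pol.get("by", {}), username, groups):
            continue
        for rule in pol.get("for", {}).get(res_type, []):
            if _rule_matches(rule, resource):
                allow |= _as_set(rule.get("allow"))
                deny |= _as_set(rule.get("deny"))
    return allow, deny


def is_allowed(policies, project, username, groups, res_type, resource, action):
    """Deny always wins; '*' in allow grants any action not explicitly denied."""
    allow, deny = _collect(policies, project, username, groups, res_type, resource)
    if "*" in deny or action in deny:
        return False
    return "*" in allow or action in allow


def allowed_actions(policies, project, username, groups, res_type, resource):
    """Effective action set for a resource (empty when everything is denied)."""
    allow, deny = _collect(policies, project, username, groups, res_type, resource)
    return set() if "*" in deny else allow - deny


if __name__ == "__main__":
    job = {"group": "ops/deploy", "name": "xxjobname1"}
    print("user1 run job:", is_allowed(POLICIES, "Prod_aaaa", "user1", ["user"], "job", job, "run"))
    print("user1 adhoc:", allowed_actions(POLICIES, "Prod_aaaa", "user1", ["user"], "adhoc", {}))
    print("user2 moni job:", allowed_actions(POLICIES, "Prod_aaaa", "user2", ["user", "rundeckzu"],
                                             "job", {"group": "moni", "name": "xxjob"}))
```

Because the match is against the whole string, name: 'xxjobname1|xxjobname2' does not cover a job called xxjobname1-copy, and group: 'moni' does not cover a job in the ops group; with the page's group: '.*' every group matches.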