Creating Rundeck accounts and granting an ordinary account execute permissions
rundeck/server/config/realm.properties
# admin, MD5 password
admin: MD5:xxxxxxxx,user,admin
## user1, MD5 xxxx, ordinary user
user1: MD5:xxxxxxx,user
## ordinary user that is in the rundeckzu group in Rundeck and therefore has the group's permissions, i.e. user2 has all execute permissions on prod_pkgs but no modify permission. Note the read permission.
user2: MD5:xxxxmd5,user,rundeckzu
Granting permissions to users
cd rundeck/etc
Create project_xx.aclpolicy ## create a file named after the project with the .aclpolicy suffix; just create it directly. For example:
vim prod_aaaa.aclpolicy
############
description: user.
context:
  project: 'Prod_aaaa'
for:
  resource:
    - equals:
        kind: job
      allow: [run,kill] # allow run/kill on the job resource kind
    - equals:
        kind: node
      allow: [run]
    - equals:
        kind: event
      allow: [read]
  adhoc:
    - deny: '*'
  job:
    - match:
        group: '.*' ## to grant every job group in the project, leave it like this; if the jobs live under project/moni/xxjob, change it to 'moni'
        name: 'xxjobname1|xxjobname2'
      allow: [read,run,runAs,kill,killAs] # allow read/run/runAs/kill/killAs on the matched jobs only (no create/update/delete)
  node:
    - allow: [read,run] # allow read/run for all nodes
by:
  username: 'user1'
---
description: user.
context:
  project: 'Prod_aaaa'
for:
  resource:
    - equals:
        kind: job
      allow: [run,kill] # allow run/kill on the job resource kind
    - equals:
        kind: node
      allow: [run]
    - equals:
        kind: event
      allow: [read]
  adhoc:
    - deny: '*'
  job:
    - match:
        group: '.*' ## to grant every job group in the project, leave it like this; if the jobs live under project/moni/xxjob, change it to 'moni'
        name: 'xxjobname1|xxjobname2|xxjob'
      allow: [read,run,runAs,kill,killAs] # allow read/run/runAs/kill/killAs on the matched jobs only (no create/update/delete)
  node:
    - allow: [read,run] # allow read/run for all nodes
by:
  username: 'userxxxxx'
---
description: user.
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [read] # allow reading (listing) projects, not creating them
    - equals:
        kind: system
      allow: [read]
    - equals:
        kind: user
      allow: [read]
  project:
    - match:
        name: 'Prod_aaaa'
      allow: [read] # allow viewing only the Prod_aaaa project
  storage:
    - allow: [read,create] # allow read/create (not update/delete) for all /keys/* storage content
by:
  username: 'admin|user1|userxxx'
  group: 'rundeckzu'
## for multiple users in one project, just copy the userxxx block and change the job names
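To check what such a policy actually grants before deploying it, here is an added Python example (not from the original note and not Rundeck's own code) that evaluates the user1 project policy above with Rundeck's default-deny, deny-overrides-allow rules. It assumes that `match` values, the `context.project` value and the `by` username/group patterns are full regular-expression matches, and that the policy has already been loaded into a dict of the same shape as the YAML.

```python
import re
# Constructed example: the project-scoped policy for user1 from the page, as a
# Python dict in the same shape as the .aclpolicy YAML (user1, project Prod_aaaa).
POLICIES = [{
    "context": {"project": "Prod_aaaa"},
    "for": {
        "resource": [{"equals": {"kind": "job"}, "allow": ["run", "kill"]},
                     {"equals": {"kind": "node"}, "allow": ["run"]},
                     {"equals": {"kind": "event"}, "allow": ["read"]}],
        "adhoc": [{"deny": "*"}],
        "job": [{"match": {"group": ".*", "name": "xxjobname1|xxjobname2"},
                 "allow": ["read", "run", "runAs", "kill", "killAs"]}],
        "node": [{"allow": ["read", "run"]}],
    },
    "by": {"username": "user1"},
}]
def _as_list(v): return [v] if isinstance(v, str) else list(v or [])
def _rule_matches(rule, resource):
    # 'equals' needs exact values; 'match' is a regex (assumption); no matcher = everything
    for key, value in rule.get("equals", {}).items():
        if resource.get(key) != value:
            return False
    for key, pattern in rule.get("match", {}).items():
        if not re.fullmatch(pattern, str(resource.get(key, ""))):
            return False
    return True
def _policy_applies(policy, username, groups, project):
    proj = policy.get("context", {}).get("project")
    if proj and not re.fullmatch(proj, project):
        return False
    by = policy.get("by", {})
    if "username" in by and re.fullmatch(by["username"], username):
        return True
    return any(re.fullmatch(by["group"], g) for g in groups) if "group" in by else False
def is_allowed(policies, username, groups, project, section, resource, action):
    # Default deny; any matching 'deny' wins over any 'allow' (Rundeck semantics)
    allowed = False
    for policy in policies:
        if not _policy_applies(policy, username, groups, project):
            continue
        for rule in policy.get("for", {}).get(section, []):
            if not _rule_matches(rule, resource):
                continue
            deny, allow = (_as_list(rule.get(k)) for k in ("deny", "allow"))
            if "*" in deny or action in deny:
                return False
            if "*" in allow or action in allow:
                allowed = True
    return allowed
```

Run it against a user, the groups from realm.properties, and the job or node you expect them to reach; the user2 case shows that a realm group grants nothing until some policy's `by` names that group.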