Closed rll01 closed 6 years ago
The roles listed in the UI will only be a subset of the roles defined in your ACL policy files.
E.g. if you add an aclpolicy file for the "servicedesk" role, you should see it listed in the UI after that.
I have two ACL policy files:

```yaml
description: operator in the Microinformatica project.
context:
  project: 'Microinformatica|Clonezilla_DRBL|GAM'   # regex over project names
for:
  resource:
    - allow: [read,run,kill]
  job:
    - allow: [read,run,kill]                         # read/run/kill any job
  node:
    - allow: [read,run,kill]                         # read/run for all nodes
  adhoc:
    - allow: [read,run,kill]                         # read/run/kill adhoc commands
by:
  group: operador

---

description: operator in rundeck.
context:
  application: 'rundeck'
for:
  resource:
    - allow: [read]                                  # read application-level resources only
  project:
    - allow: [read]                                  # read (list) only the matching projects
      match:
        name: '(Microinformatica|Clonezilla_DRBL|GAM)'
  project_acl:
    - allow: [read]                                  # read-only on project-level ACL policies
  storage:
    - allow: [read]                                  # read-only on /keys/* storage content
by:
  group: operador
```

and

```yaml
description: servicedesk.
context:
  project: 'ServiceDesk|GAM'                         # regex over project names
for:
  resource:
    - allow: [read,run,kill]
  job:
    - allow: [read,run,kill]                         # read/run/kill any job
  node:
    - allow: [read,run,kill]                         # read/run for all nodes
  adhoc:
    - allow: [read,run,kill]                         # read/run/kill adhoc commands
by:
  group: servicedesk

---

description: servicedesk.
context:
  application: 'rundeck'
for:
  resource:
    - allow: [read]                                  # read application-level resources only
  project:
    - allow: [read]                                  # read (list) only the matching projects
      match:
        name: '(ServiceDesk|GAM)'
  project_acl:
    - allow: [read]                                  # read-only on project-level ACL policies
  storage:
    - allow: [read]                                  # read-only on /keys/* storage content
by:
  group: servicedesk
```
I think the problem is the "JettyRolePropertyFileLoginModule" module, because it does not assign roles to users from realm.properties.
Yessss, I have Rundeck running with AD. I think it's the URL path role... Thank you.
@rll01 what was the issue ?
Issue type: Bug report
My Rundeck detail
Expected Behavior
When I log in with an LDAP user it works, but the user's roles do not match realm.properties. The message on the web page is "You have no authorized access to projects. Contact your administrator. (User roles: user)"
My config is:
```
multiauth {
    com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required
        debug="true"
        contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        providerUrl="ldap://metaeprinsa.eprinsa.org:389"
        bindDn="uid=explo,ou=Usuarios,ou=eprinsa,dc=metaeprinsa,dc=org"
        bindPassword="XXXX"
        authenticationMethod="simple"
        forceBindingLogin="true"
        userBaseDn="ou=Usuarios,ou=eprinsa,dc=metaeprinsa,dc=org"
        userRdnAttribute="uid"
        userIdAttribute="uid"
        userPasswordAttribute="userPassword"
        userObjectClass="person"
        roleBaseDn="ou=Grupos,dc=metaeprinsa,dc=org"
        roleNameAttribute="cn"
        roleUsernameMemberAttribute="memberof"
        roleMemberAttribute="uniqueMember"
        roleObjectClass="groupofuniquenames"
        supplementalRoles="user"
        reportStatistics="true"
        ignoreRoles="true"
        storePass="true"
        clearPass="true";
    org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
        debug="true"
        useFirstPass="true"
        caseInsensitive="true"
        refreshInterval="60"
        file="C:\Program Files\eprinsa\rundeck211\server\config\realm.properties";
};
```
realm.properties:
```
explo: -,admin,user
rll01: -,user,operador
user2: -,user,servicedesk
```
How to Reproduce
Log in with different LDAP users.
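As an added example (not part of the issue thread and not Rundeck's own code), the following Python script reads a realm.properties file in the form used in this report (`username: password,role1,role2`, with `-` as the password because `useFirstPass="true"` reuses the LDAP password) and predicts, under a deliberately simplified model of the two application-context `project` read rules in the ACL files above, which projects each login would be able to list. The copy of realm.properties and the project list are constructed for the example; the `caseInsensitive` option is assumed to mean a case-insensitive username lookup; and real Rundeck evaluation (deny rules, `context.project` rules, username rules) is not modelled. It reproduces the symptom in the report: a login whose realm.properties entry is not matched ends up with only the `user` role from `supplementalRoles` and is shown no projects.

```python
"""Offline checker for the multiauth setup described in this issue (added example)."""
import re

# Constructed copy of the issue's realm.properties (three entries).
REALM_PROPERTIES = """\
explo: -,admin,user
rll01: -,user,operador
user2: -,user,servicedesk
"""

# supplementalRoles="user" on the LDAP module: every LDAP login gets this role,
# which is why the UI shows "(User roles: user)" when nothing else is added.
SUPPLEMENTAL_ROLES = ["user"]

# The two application-context `project` read rules from the ACL files above,
# reduced to what this check needs: the groups granted and the match.name regex.
PROJECT_READ_RULES = [
    {"groups": ["operador"], "match_name": r"(Microinformatica|Clonezilla_DRBL|GAM)"},
    {"groups": ["servicedesk"], "match_name": r"(ServiceDesk|GAM)"},
]

# Constructed project list; "Otro" is covered by no rule.
PROJECTS = ["Microinformatica", "Clonezilla_DRBL", "GAM", "ServiceDesk", "Otro"]


def parse_realm_properties(text):
    """Return {username: {"password": ..., "roles": [...]}} from realm.properties text."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue  # not a user entry
        fields = [f.strip() for f in rest.split(",")]
        users[name.strip()] = {"password": fields[0], "roles": [r for r in fields[1:] if r]}
    return users


def file_roles(username, users, case_insensitive=False):
    """Roles realm.properties gives `username`; [] when no entry matches."""
    if username in users:
        return list(users[username]["roles"])
    if case_insensitive:  # assumed semantics of caseInsensitive="true"
        for name, entry in users.items():
            if name.lower() == username.lower():
                return list(entry["roles"])
    return []


def effective_roles(username, users, case_insensitive=False):
    """Roles the session ends up with: supplementalRoles plus the file's roles.
    ignoreRoles="true" means LDAP group memberships contribute nothing."""
    return sorted(set(SUPPLEMENTAL_ROLES) | set(file_roles(username, users, case_insensitive)))


def visible_projects(roles, rules=PROJECT_READ_RULES, projects=PROJECTS):
    """Projects that at least one rule lets these roles read (order of `projects` kept)."""
    held = set(roles)
    return [
        p for p in projects
        if any(held & set(rule["groups"]) and re.fullmatch(rule["match_name"], p)
               for rule in rules)
    ]


if __name__ == "__main__":
    users = parse_realm_properties(REALM_PROPERTIES)
    # "RLL01" shows what happens when the login name does not match the file entry
    # exactly and case-insensitive lookup is off: only the supplemental "user" role.
    for login in ("rll01", "RLL01", "user2", "nobody"):
        roles = effective_roles(login, users)
        print(f"{login:8} roles={roles} projects={visible_projects(roles)}")
```

Run it as-is to see the four logins side by side; to test a different file, replace `REALM_PROPERTIES` with the contents of the real one (roles are whatever follows the password field, so a stray space or a different username case is easy to spot this way).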