Support creation of .aclpolicy files

[ARentz07]

Overview

This cookbook supports configuring different user groups, via adding them to your login configuration (i.e. jaas-loginmodule.conf). However, roles added here are practically unusable unless an associated .aclpolicy file is added. As a developer who is building out Rundeck using this cookbook, I would like to be able to Chef-ify the process of assigning access control on Rundeck.

Design

The access control files have a structure that maps well to a Hash. We should attempt to replicate this structure with a template. UPDATE: This will be done using an "aclpolicies.json" data bag item which will contain the different acl policies.

Ref: http://rundeck.org/docs/administration/access-control-policy.html

[pcross616]

Yes I agree we need LWRP.. I just haven't had a lot of time to finish that branch off.

[ARentz07]

Ah, thanks for the reply.

It looks like the pieces for creating the access control policies are still not started. Were you needing someone to start on this piece? I could just work off the 2.1 branch I suppose.

[pcross616]

yes, the 2.1 will have the LWRP, I need to refresh the branch from master. But that shouldn't be too hard.

Your more than welcome to start working on it. :)

[ARentz07]

Cool. Planning to start on this today.

[ARentz07]

Curious, how are we normally doing testing for this? When I check it out, install, and run kitchen converge, I run across this:

       Missing Cookbooks:
       ------------------
       No such cookbook: create_chef_dir

I was able to fix this by adding the following to the Berksfile:

group :integration do
  cookbook 'create_chef_dir', path: 'test/fixtures/cookbooks/create_chef_dir'
end

If I run again after that correction, I get this:

    ================================================================================       
    Error executing action `create` on resource 'cookbook_file[/var/lib/rundeck/libext/rundeck-winrm-plugin-1.1.jar]'       
    ================================================================================       

    Chef::Exceptions::FileNotFound       
    ------------------------------       
    Cookbook 'rundeck' (2.0.5) does not contain a file at any of these locations:       
      files/ubuntu-14.04/rundeck-winrm-plugin-1.1.jar       
      files/ubuntu/rundeck-winrm-plugin-1.1.jar       
      files/default/rundeck-winrm-plugin-1.1.jar       
      files/rundeck-winrm-plugin-1.1.jar       

    This cookbook _does_ contain: ['/tmp/kitchen/cache/cookbooks/rundeck/files/default/rundeck-winrm-plugin-1.0-beta.jar.REMOVED.git-id','/tmp/kitchen/cache/cookbooks/rundeck/files/default/rundeck','/tmp/kitchen/cache/cookbooks/rundeck/files/default/rundeck.pub','/tmp/kitchen/cache/cookbooks/rundeck/files/default/rundeck-winrm-plugin-1.1.jar.REMOVED.git-id']   

[pcross616]

i would update the 2.1 branch with the latest from master and merge in the changes. I think that will fix your issue.

[ARentz07]

So I merged in the changes with master, but of course, when comparing the changes with 2.1, that results in a very ugly diff. 😄 Were you wanting to rebase 2.1 onto master? If not I can do a separate PR for that, though I doubt the tests, etc. will be in a good state without some adjustments. (In my branch, this was the resulting merge commmit: https://github.com/Webtrends/rundeck/commit/57c8a959ce17081df8a5e04854577c6effdacfea)

[pcross616]

ya i would think we will need to rebase.

[ARentz07]

OK, were you planning to do this rebase? .. If not, I can push the changes rebased onto master without the new stuff as a 2.1-rebased just so we have something to review.

[ARentz07]

I've been fighting with this for a couple days now... On the "check-project-localhost" resource of the server_install recipe, I seem to be getting this during kitchen converge. However, I've been using this cookbook for some time on "real" servers with no issues, so it must be something with my test setup. Either way, here it is:

STDERR: com.dtolabs.rundeck.core.cli.project.ProjectToolException: com.dtolabs.rundeck.core.CoreException: Error making server request to http://localhost:4440: Error occurred while trying to authenticate to server: Connection refused
        at com.dtolabs.rundeck.core.cli.project.ProjectTool.executeAction(ProjectTool.java:171)
        at com.dtolabs.rundeck.core.cli.project.ProjectTool.run(ProjectTool.java:117)
        at com.dtolabs.rundeck.core.cli.project.ProjectTool.main(ProjectTool.java:104)
       Caused by: com.dtolabs.rundeck.core.CoreException: Error making server request to http://localhost:4440: Error occurred while trying to authenticate to server: Connection refused
        at com.dtolabs.client.services.ServerService.makeRundeckRequest(ServerService.java:205)
        at com.dtolabs.client.services.ServerService.makeRundeckRequest(ServerService.java:144)
        at com.dtolabs.client.services.RundeckAPICentralDispatcher.createProject(RundeckAPICentralDispatcher.java:1839)
        at com.dtolabs.rundeck.core.cli.project.CreateAction.exec(CreateAction.java:142)
        at com.dtolabs.rundeck.core.cli.project.ProjectTool.executeAction(ProjectTool.java:169)
        ... 2 more
       Caused by: com.dtolabs.client.utils.HttpClientException: Error occurred while trying to authenticate to server: Connection refused
        at com.dtolabs.client.utils.BaseFormAuthenticator.authenticate(BaseFormAuthenticator.java:299)
        at com.dtolabs.client.utils.BaseHttpClientChannel.doAuthentication(BaseHttpClientChannel.java:128)
        at com.dtolabs.client.utils.HttpClientChannel.makeRequest(HttpClientChannel.java:325)
        at com.dtolabs.client.services.ServerService.makeRundeckRequest(ServerService.java:201)
        ... 6 more
       Caused by: java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
        at java.net.Socket.connect(Socket.java:579)
        at java.net.Socket.connect(Socket.java:528)
        at java.net.Socket.<init>(Socket.java:425)
        at java.net.Socket.<init>(Socket.java:280)
        at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:79)
        at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:121)
        at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
        at com.dtolabs.client.utils.BaseFormAuthenticator.authenticate(BaseFormAuthenticator.java:287)
        ... 9 more
       ---- End output of "bash"  "/tmp/chef-script20160613-16738-1eds5x9" ----
       Ran "bash"  "/tmp/chef-script20160613-16738-1eds5x9" returned 1
       [2016-06-13T18:58:26+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Even after the service has been running for a while, no rd-project commands seem to work, giving me the same error.

Aside from that, I think my changes are ready to go and will be opening a pull request.

[ARentz07]

Hey @pcross616, I've got a rebased version of the 2.1 branch pushed here: https://github.com/ARentz07/rundeck/tree/2.1_rebased_2

Would we want to merge the changes from it + my changes into master, or perhaps reset 2.1 to my (rebased) branch and then review from that point?

[snehitgajjar]

@pcross616 Same issue as mentioned by @ARentz07 .

[ARentz07]

Hey @all, My team and I are looking to contribute some things back, and we have made a lot more changes since this issue was opened. We'd like to contribute back but have found that it's difficult to continue to develop and await feedback on this. In other words, our fork has moved along quite a ways. We're thinking, however, of simply creating a new cookbook, as we might be able to design away a lot of the issues we have faced with this cookbook (from test failures to security issues). If we can contribute to this one, we would like to do so. Otherwise, we'll be working on a cookbook that would be passive to replace this one. Please let me know what you think.

[pcross616]

don't create a new cook book, contribute. We have a branch we been trying to get off the ground feel free to make any changes you need. I been wanting to get the LWRP added for awhile now.

[ARentz07]

A lot of the changes we've planned and possibly even some that we have done would warrant a 3.0 release in my mind, since some are non-passive. You think it would be fine for us to work on putting up a 3.x branch in a public repo which we could review? We've pretty much left 2.1 behind.

[pcross616]

@ARentz07 you should be good to go and able to create the branch.

[ARentz07]

Cool, thanks a ton. :) There were some requirements we were looking to meet with our changes:

• Support ACL policies ( ✅/❌ , needs refactoring)
• Support security roles ( ✅ )
• Support plugins, LWRP ( ✅ )
• Support external database url/clustering ( ✅/❌ , needs refactoring)
• Encrypt the LDAP bindDN and bindPWD ( ✅ , same as #83 )
• Get kitchen converge working again (thankfully, ✅ )

I'll probably just push up what we have so far and try to work on cleaning some of the things up. as well as tackling some of the smaller refactoring. For instance, aclpolicies are all in one data bag at the moment, which is not desirable if a rundeck server is to be shared among teams - it becomes hard to review the changes and makes it more difficult to organize. In any case I'll have the branch pushed up today. If anything above ^ is concerning, of course let me know. We could always move extra functionality into a wrapper cookbook if it absolutley can't live here.

[ARentz07]

Just pushed what my team and I have been working on here. As far as diffs go it would be quite messy to include in either master or in 2.1.

What I can do is attempt to rebase this and 2.1 changes onto master, then will go from there on pulling into this repo.

[ARentz07]

I have the initial, rebased stuff pushed to a branch on my remote - 2.1-rebased. Here's how it differs from master.

I do think I would like to take care of simplifying the acl policies prior to pushing anything. Will post an update on that later on.

[ARentz07]

FYI, I am canceling the acl policy stuff I mentioned above - I realized it was a bit more business-specific and may not be well-suited to the project for general use. I'll open a pull request to review.

[ARentz07]

https://github.com/Webtrends/rundeck/issues/86 is now merged, which puts this functionality into a staging branch for 3.0-related changes. @pcross616 , I think I'll go ahead and open a pull request to get 3.x into master so we don't have pull requests, etc. which cause us to diverge from it. It's not going to be a clean merge thanks to the recent JDK version change, but I think that's something we can address while merging the pull request. I tried out the rebase locally, and there were no conflicts.

[pcross616]

I agree, create a PR from the rebase and I will review the PR to merge to master.

[ARentz07]

Moved to the 3.0.0 milestone

[ARentz07]

Got this and the other changes mentioned merged in #91

[lock[bot]]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.