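1. Access control
Rundeck has two projects, p1 and p2.
The deploy user is given full control of p1, and the devops user is given full control of p2.
If Rundeck was installed from the RPM package, create p1.aclpolicy and p2.aclpolicy in /etc/rundeck.
The contents of the files are as follows: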
[root@shaka rundeck]# cat /etc/rundeck/p1.aclpolicy
description: user.
context:
  project: 'p1'
for:
  resource:
    - equals:
        kind: job
      allow: [run,kill] # actions granted on the 'job' resource kind
    - equals:
        kind: node
      allow: [run]
    - equals:
        kind: event
      allow: [read] # read events
  adhoc:
    - deny: '*' # deny all ad-hoc command actions
  job:
    - allow: '*' # allow every action on all jobs in this project
  node:
    - allow: [read,run] # allow read/run for all nodes
by:
  username: 'deploy'
---
description: user.
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [read] # read only (no create)
    - equals:
        kind: system
      allow: [read]
    - equals:
        kind: user
      allow: [read]
  project:
    - match:
        name: 'p1'
      allow: [read] # read access to the project named p1
  storage:
    - allow: [read,create] # allow read/create for storage content
by:
  username: 'deploy'
[root@shaka rundeck]# cat /etc/rundeck/p2.aclpolicy
description: user.
context:
  project: 'p2'
for:
  resource:
    - equals:
        kind: job
      allow: [run,kill] # actions granted on the 'job' resource kind
    - equals:
        kind: node
      allow: [run]
    - equals:
        kind: event
      allow: [read] # read events
  adhoc:
    - deny: '*' # deny all ad-hoc command actions
  job:
    - allow: '*' # allow every action on all jobs in this project
  node:
    - allow: [read,run] # allow read/run for all nodes
by:
  username: 'devops'
---
description: user.
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [read] # read only (no create)
    - equals:
        kind: system
      allow: [read]
    - equals:
        kind: user
      allow: [read]
  project:
    - match:
        name: 'p2'
      allow: [read] # read access to the project named p2
  storage:
    - allow: [read,create] # allow read/create for storage content
by:
  username: 'devops'
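2. Password encryption
By default Rundeck stores passwords in plaintext; change this so that they are saved as MD5.
Configure the user passwords to be stored encrypted with MD5.
Copy this string into the server/config/realm.properties file under the deployment directory.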
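The following is an added example, not part of the original post or of Rundeck itself: a small Python script that reads realm.properties-style text, finds entries whose credential is still plaintext, and rewrites them in the MD5:<hex> form. It assumes the usual "user: credential,role1,role2" line layout; the sample users, passwords and roles are constructed for illustration.

```python
import hashlib
import re

# Prefixes this example treats as "already encoded" (assumption: the Jetty-style
# credential prefixes; anything else is taken to be a plaintext password).
ENCODED_PREFIXES = ("MD5:", "CRYPT:", "OBF:", "BCRYPT:")

def jetty_md5(password):
    """Return the MD5:<hex> credential form (unsalted MD5 of the password)."""
    return "MD5:" + hashlib.md5(password.encode("iso-8859-1")).hexdigest()

def parse_entry(line):
    """Split 'user: credential,role1,...' into (user, credential, roles) or None."""
    parts = re.split(r"[:=]", line, maxsplit=1)
    if len(parts) != 2:
        return None
    credential, *roles = [field.strip() for field in parts[1].split(",")]
    return parts[0].strip(), credential, roles

def convert(text):
    """Rewrite plaintext credentials as MD5:; return (new_text, changed_users)."""
    out, changed = [], []
    for line in text.splitlines():
        entry = None if line.lstrip().startswith(("#", "!")) else parse_entry(line)
        if entry is None:          # comment, blank or unparseable line: keep as is
            out.append(line)
            continue
        user, credential, roles = entry
        if not credential.startswith(ENCODED_PREFIXES):
            credential = jetty_md5(credential)
            changed.append(user)
        out.append(f"{user}: " + ",".join([credential] + roles))
    return "\n".join(out) + "\n", changed

# Constructed sample input, not a real realm.properties file.
SAMPLE = """\
# user: credential,role1,role2
admin:admin,user,admin
deploy: password,user,deploy
devops: MD5:5f4dcc3b5aa765d61d8327deb882cf99,user,devops
"""

if __name__ == "__main__":
    new_text, changed = convert(SAMPLE)
    print(new_text, end="")
    print("converted:", ", ".join(changed))
```

The MD5: form is an unsalted digest, so it keeps passwords out of casual view but realm.properties should still be readable only by the Rundeck service account.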