1. Log in to the Rundeck system at http://rundeck.com:4440/user/login (log in to your own instance)


2. Permission settings: click Access Control


3. Create a policy


4. Policy content template

Note: the field descriptions below follow the official documentation: http://rundeck.org/docs/administration/access-control-policy.html

The user hyh01 was created with the command-line tool; see: https://blog.51cto.com/haoyonghui/2085869


Access control configuration

description: hyh01 project access control
context:    # describes the policy scope, project or application: an application-level policy controls rules across all projects plus system-level permissions; a project-level policy controls the resource rules within that project
  project: '.*' # the policy for project app01
for:    # resource types under for: job, node, adhoc, project, resource
  resource:
    - match:   # matching modes: match (list or string), equals (string), contains (list or string), subset (list or string)
        kind: job
      allow: [create] # allow create jobs; valid options here: create/delete
    - equals:
        kind: node
      allow: [read,create,update,refresh] # allow refresh node sources
    - equals:
        kind: event # read shows the execution history
      allow: [read,create] # allow read/create events
  adhoc:    # policy for ad-hoc commands
    - allow: [read,run] # allow running/killing adhoc jobs
  job:
    - match:
        name: 'check'
      allow: [read,create,delete,run]   # the resource rules above only take effect when this job rule is satisfied
    #- allow: [create,run,read,update,delete,runAs,kill,killAs] # allow create/read/write/delete/run/kill of all jobs
  node:
    - match:
        nodename: 'rundeck' # matches the node; if no node matches, job execution fails
      allow: [read,run]
    #- allow: [read,run] # allow read/run for nodes
by:
  username: 'hyh01'


---

description: hyh01 application access control
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [create] # allow create of projects
    - equals:
        kind: system
      allow: [read,enable_executions,disable_executions,admin] # allow read of system info, enable/disable all executions
    - equals:
        kind: system_acl
      allow: [read,create,update,delete,admin] # allow modifying system ACL files
    - equals:
        kind: user
      allow: [admin] # allow modify user profiles
  project:
    - match:
        name: 'test|app01'
      allow: [read,import] # allow full access of all projects or use 'admin'
  project_acl:
    - match:
        name: 'test|app01'
      allow: [read,create] # allow modifying project-specific ACL files
  storage:
    - allow: [create,update,delete] # allow access for /ssh-key/* storage content

by:
  group: hyh01
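As an added example (not from the original post and not Rundeck's own code), the following Python evaluator models the project-level policy above as a plain dict and checks whether a given user, project, resource and action would be granted. The matcher semantics (match = full-string regex, equals = exact value, a rule without matchers applies to every resource of its type, a matching deny wins over allow) and the `deny` key are assumptions based on Rundeck's documented behaviour; use it to sanity-check least-privilege intent before loading a policy, not as a substitute for the real authorization engine.

```python
import re

# Constructed dict form of the page's project-level policy (first YAML
# document above), so the example runs without a YAML parser.
PROJECT_POLICY = {
    "context": {"project": ".*"},
    "for": {
        "resource": [
            {"match": {"kind": "job"}, "allow": ["create"]},
            {"equals": {"kind": "node"}, "allow": ["read", "create", "update", "refresh"]},
            {"equals": {"kind": "event"}, "allow": ["read", "create"]},
        ],
        "adhoc": [{"allow": ["read", "run"]}],
        "job": [{"match": {"name": "check"}, "allow": ["read", "create", "delete", "run"]}],
        "node": [{"match": {"nodename": "rundeck"}, "allow": ["read", "run"]}],
    },
    "by": {"username": "hyh01"},
}

def _rule_matches(rule, attrs):
    """Assumed matcher semantics: match = full-string regex, equals = exact value."""
    for key, pattern in rule.get("match", {}).items():
        if not re.fullmatch(pattern, str(attrs.get(key, ""))):
            return False
    for key, value in rule.get("equals", {}).items():
        if attrs.get(key) != value:
            return False
    return True

def is_allowed(policy, subject, project, rtype, attrs, action):
    """True if subject ({"username": .., "groups": [..]}) may perform action on a
    rtype resource with attrs in project; any matching deny wins over allow."""
    by = policy["by"]
    if "username" in by and by["username"] != subject.get("username"):
        return False
    if "group" in by and by["group"] not in subject.get("groups", []):
        return False
    if not re.fullmatch(policy["context"].get("project", ""), project or ""):
        return False
    allowed = False
    for rule in policy["for"].get(rtype, []):
        if _rule_matches(rule, attrs):
            if action in rule.get("deny", []):
                return False
            allowed = allowed or action in rule.get("allow", [])
    return allowed
```

Run it against the job names, node names and actions you expect hyh01 to have and not have; a result that surprises you points at a rule worth tightening before the policy goes live.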