
Rundeck: creating accounts and granting run permission to ordinary accounts

Date: 2017-12-21 11:57:00

Tags: rundeck

Rundeck user management configuration

rundeck/server/config/realm.properties


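# admin, MD5 password
admin: MD5:xxxxxxxx,user,admin

## user1, MD5 xxxx, ordinary user
user1: MD5:xxxxxxx,user

## Ordinary user in Rundeck's rundeckzu group, so it gets that group's permissions: user2 has all run permissions on prod_pkgs but no modify permission. Note the read permission.
user2: MD5:xxxxmd5,user,rundeckzu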


Granting permissions to users

cd  rundeck/etc

Create project_xx.aclpolicy   ## create a file named after the project, with the .aclpolicy suffix; just create it directly. For example:


vim  prod_aaaa.aclpolicy


############  

description: user.
context:
  project: 'Prod_aaaa'
for:
  resource:
    - equals:
        kind: job
      allow: [run,kill] # actions granted on the 'job' resource kind
    - equals:
        kind: node
      allow: [run] # actions granted on the 'node' resource kind
    - equals:
        kind: event
      allow: [read] # actions granted on the 'event' resource kind
  adhoc:
    - deny: '*' # no ad-hoc commands
  job:
    - match:
        group: '.*'   ## to grant every job group in the project, leave this as is; for a job at project/moni/xxjob, change it to moni
        name: 'xxjobname1|xxjobname2'
      allow: [read,run,runAs,kill,killAs] # read/run/kill (plus runAs/killAs) on the matched jobs only; no create/update/delete
  node:
    - allow: [read,run] # allow read/run for all nodes
by:
  username: 'user1'

---

description: user.
context:
  project: 'Prod_aaaa'
for:
  resource:
    - equals:
        kind: job
      allow: [run,kill] # actions granted on the 'job' resource kind
    - equals:
        kind: node
      allow: [run] # actions granted on the 'node' resource kind
    - equals:
        kind: event
      allow: [read] # actions granted on the 'event' resource kind
  adhoc:
    - deny: '*' # no ad-hoc commands
  job:
    - match:
        group: '.*'   ## to grant every job group in the project, leave this as is; for a job at project/moni/xxjob, change it to moni
        name: 'xxjobname1|xxjobname2|xxjob'
      allow: [read,run,runAs,kill,killAs] # read/run/kill (plus runAs/killAs) on the matched jobs only; no create/update/delete
  node:
    - allow: [read,run] # allow read/run for all nodes
by:
  username: 'userxxxxx'


---


description: user.
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [read] # read only; project creation is not granted
    - equals:
        kind: system
      allow: [read]
    - equals:
        kind: user
      allow: [read]
  project:
    - match:
        name: 'Prod_aaaa'
      allow: [read]  # view the Prod_aaaa project only; no admin
  storage:
    - allow: [read,create] # read/create only (no update/delete) on storage content
by:
  username: 'admin|user1|userxxx'
  group: 'rundeckzu'





## For several users in one project, copy the userxxx block and change the job names.


Original article: http://blog.51cto.com/sry2004/2052766
