
Rundeck Static Token not loaded when Rundeck Service is started


I think my Rundeck does not load my tokens.properties file. I can't see it being loaded in my service.log. Here is a screenshot of the log

That's why, when I restart the service or the server, my scheduled jobs, which trigger the Rundeck API, always get this error

{"error":true,"apiversion":35,"errorCode":"api.error.item.unauthorized","message":"Not authorized for action \"Run\" for Job ID 109fd435-765f-4b7a-a547-0c5906c4a1f5"}

For it to work properly again, I need to generate a new token each time I restart Rundeck or the server. I have already included this line in my framework.properties

rundeck.tokens.file=C:/rundeck/etc/tokens.properties

And in my tokens.properties, it has 1 line only which is

atrsdk-runner: token_string

How can I make my token permanent? Did I miss something here, how will I fix this issue? Thanks!


Solution

  • You need to add the role in the tokens.properties file. I tested on a Windows machine and it works this way:

    1. Stop the Rundeck service.

    2. In the framework.properties file add:

    rundeck.tokens.file=C:/rundeck/tokens.properties

    3. In the realm.properties file add (just an example user for testing):

    bob:bob,admin

    4. Create a file named tokens.properties in the c:\rundeck\ path with the following content (I added the role at the end of the line):

    bob: 12345, admin

    5. Start the Rundeck service.

    6. With this API call you can run the job using the custom token (check the rdeck_token variable, tested on an external Linux host running cURL):

    #!/bin/sh
    
    # protocol
    protocol="http"
    
    # basic rundeck info
    rdeck_host="10.0.1.81"
    rdeck_port="4440"
    rdeck_api="36"
    rdeck_token="12345"
    
    # specific api call info
    rdeck_job="91c5b968-166f-4138-9345-580cd624adda"
    
    # api call
    curl -s --location --request POST "$protocol://$rdeck_host:$rdeck_port/api/$rdeck_api/job/$rdeck_job/run" \
      --header "Accept: application/json" \
      --header "X-Rundeck-Auth-Token: $rdeck_token" \
      --header "Content-Type: application/json"
    

    Now, without a role defined in the tokens.properties file, I get your error (the output was "beautified" with jq):

    {
      "error": true,
      "apiversion": 36,
      "errorCode": "api.error.item.unauthorized",
      "message": "Not authorized for action \"Run\" for Job ID 91c5b968-166f-4138-9345-580cd624adda"
    }
    

    And with the role defined in the tokens.properties file (successful):

    {
      "id": 3,
      "href": "http://10.0.1.81:4440/api/36/execution/3",
      "permalink": "http://10.0.1.81:4440/project/ProjectBOB/execution/show/3",
      "status": "running",
      "project": "ProjectBOB",
      "executionType": "user",
      "user": "bob",
      "date-started": {
        "unixtime": 1603801591299,
        "date": "2020-10-27T12:26:31Z"
      },
      "job": {
        "id": "91c5b968-166f-4138-9345-580cd624adda",
        "averageDuration": 1727,
        "name": "HelloWorld",
        "group": "",
        "project": "ProjectBOB",
        "description": "",
        "href": "http://10.0.1.81:4440/api/36/job/91c5b968-166f-4138-9345-580cd624adda",
        "permalink": "http://10.0.1.81:4440/project/ProjectBOB/job/show/91c5b968-166f-4138-9345-580cd624adda"
      },
      "description": "echo \"hi\"",
      "argstring": null,
      "serverUUID": "2337f5f7-e951-47d2-ba62-f8c02a0bb8df"
    }
    

    And here the execution on Rundeck.
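
A lint for the `user: token, role` line format used in the answer above, as an added example (not part of the original answer and not Rundeck code). It flags entries with no role, which is the case that produced the unauthorized error; the 32-character minimum, the duplicate-token check and the `ci-runner` sample entry are assumptions of this example.

```python
import re

MIN_TOKEN_LEN = 32  # assumption of this example, not a Rundeck requirement

def parse_tokens(text):
    """Yield (lineno, user, token, roles) per entry; token is None if malformed."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or properties-style comment
            continue
        parts = re.split(r"\s*[:=]\s*", line, maxsplit=1)
        if len(parts) != 2 or not parts[0] or not parts[1]:
            yield lineno, parts[0], None, []
            continue
        fields = [f.strip() for f in parts[1].split(",")]
        yield lineno, parts[0], fields[0], [r for r in fields[1:] if r]

def lint_tokens(text):
    """Return (lineno, user, problem) findings; token values are never echoed."""
    findings, seen = [], {}
    for lineno, user, token, roles in parse_tokens(text):
        if not token:
            findings.append((lineno, user, "malformed entry"))
            continue
        if not roles:
            findings.append((lineno, user, "no role listed (the unauthorized case on this page)"))
        if len(token) < MIN_TOKEN_LEN:
            findings.append((lineno, user, "token shorter than %d characters" % MIN_TOKEN_LEN))
        if token in seen:
            findings.append((lineno, user, "token value also used by " + seen[token]))
        seen.setdefault(token, user)
    return findings

# Constructed sample: the two entry forms from the page plus one constructed entry.
SAMPLE = """\
# tokens.properties
atrsdk-runner: token_string
bob: 12345, admin
ci-runner: 7f3c9a1e5b2d48c6a0e4f1b3d5c7e9a2, api_runner
"""

if __name__ == "__main__":
    for lineno, user, problem in lint_tokens(SAMPLE):
        print("line %d (%s): %s" % (lineno, user, problem))
```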