I am having trouble creating a non-admin user.
I have been able to create users and add the desired roles for them in the realm.properties file.
My problem is that every user I create is given the admin role, in addition to the other roles I specify.
My user creation process goes like this:
```
myuser:mypassword,user,group2,group3
```
I have also added a user first in the realm.properties before adding the user to the system to see if it made a difference. It did not.
I know I fundamentally don't understand how Rundeck is authenticating users, but the fact that everything works, except that the user always has the role of admin in addition to the other desired roles, is driving me nuts.
EDIT: Adding a description of another attempt at user creation: the operationsuser2 user in realm.properties.
Adding my realm.properties file:
```
#
# This sets the default user accounts for the Rundeck app
#
admin:admin,user,admin,architect,deploy,build
otheradmin:adminPass,user,admin,architect,deploy,build
operationsuser1:myPass1,user,operations
operationsuser2:myPass2,user,operations
```
Adding the Access Policy that I have been trying to test this whole time lol
```yaml
description: Operations manager project access
context:
  application: 'rundeck'
by:
  group: operations
for:
  project:
    - equals:
        name: 'myProject'
      allow: [read]
---
description: Operations manager project specific rules
context:
  project: 'myProject'
by:
  group: operations
for:
  job:
    - equals:
        uuid: 096852ba-099e-42c1-9373-11621f17398d
      allow: [read, run]
  node:
    - allow: 'read'
  adhoc:
    - allow: [read, run]
```
I think I have found out why all the users are admins. After clearing up some miscommunication with my coworker who originally set up Rundeck, he told me that he set up PAM, which led me to investigate the jaas config below. We are using the JettyPamLoginModule.
```
➜ ~ sudo cat /etc/rundeck/jaas-loginmodule.conf
RDpropertyfilelogin {
  org.rundeck.jaas.jetty.JettyPamLoginModule requisite
    debug="true"
    service="sshd"
    supplementalRoles="admin"
    storePass="true";
  org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
    debug="true"
    useFirstPass="true"
    file="/etc/rundeck/realm.properties";
};
```
I now understand why every Unix system user I created would allow me to log into Rundeck, and also be an admin.
I, however, still do not understand why I cannot log in with a user I created in realm.properties.
I thought that the JettyRolePropertyFileLoginModule would allow us to create users in the realm.properties file, and then log into Rundeck with them.
Add the ReloadablePropertyFileLoginModule module inside the RDpropertyfilelogin.
Following this, the JettyRolePropertyFileLoginModule isn't for authentication purposes:
org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule does not authenticate and only uses authorization roles from a property file. Can be combined with previous modules.
So, to get it to work, follow this config and restart the Rundeck service.
The jaas-loginmodule.conf file:
```
RDpropertyfilelogin {
  org.rundeck.jaas.jetty.JettyPamLoginModule optional
    debug="true"
    service="sshd"
    supplementalRoles="user,readonly"
    storePass="true";
  org.rundeck.jaas.jetty.ReloadablePropertyFileLoginModule optional
    debug="true"
    useFirstPass="true"
    file="/etc/rundeck/realm.properties"
    storePass="true";
  org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
    debug="true"
    useFirstPass="true"
    file="/etc/rundeck/realm.properties";
};
```
The realm.properties file:
```
admin:admin,admin
bob: -,admin
```
The bob user (PAM) entry is just there to define the admin role for him.
Now, with the JettyRolePropertyFileLoginModule module you can add any user to the realm.properties file without restarting Rundeck, keeping the PAM auth users too.
Tested on Rundeck 4.3.1 (Debian 9).
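As an added check, not part of the question or the answer above: a small Python audit that parses a jaas-loginmodule.conf and a realm.properties in the formats shown on this page and reports the two things that handed out the admin role here, a supplementalRoles option containing admin (which adds it to every user that module authenticates) and realm entries that carry admin explicitly. The parsers are minimal and assume the line layouts shown above, not Rundeck's own code; the sample inputs are constructed.

```python
import re
# Constructed sample inputs modelled on the files in the question (not the real files).
JAAS_CONF = """RDpropertyfilelogin {
  org.rundeck.jaas.jetty.JettyPamLoginModule requisite
    service="sshd"
    supplementalRoles="admin"
    storePass="true";
  org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
    useFirstPass="true"
    file="/etc/rundeck/realm.properties";
};"""
REALM = """admin:admin,user,admin,architect,deploy,build
operationsuser1:myPass1,user,operations
bob: -,admin"""
# "<module class> <control flag>" lines and 'option="value"[;]' lines of a JAAS config
MODULE_RE = re.compile(r'^\s*(\S+LoginModule)\s+(required|requisite|sufficient|optional)\s*$')
OPTION_RE = re.compile(r'^\s*(\w+)="([^"]*)"\s*;?\s*$')

def parse_jaas(text):
    # Returns [(module, flag, {option: value}), ...] in file order
    modules = []
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            modules.append((m.group(1), m.group(2), {}))
        elif modules and (o := OPTION_RE.match(line)):
            modules[-1][2][o.group(1)] = o.group(2)
    return modules

def parse_realm(text):
    # Returns {user: [roles]}; realm.properties lines are user:password,role1,role2,...
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        fields = [f.strip() for f in rest.split(",")]
        users[user.strip()] = fields[1:]  # fields[0] is the password ("-" for PAM-only entries)
    return users

def audit(jaas_text, realm_text):
    # Flags supplementalRoles that add admin to everyone, and explicit admin realm entries
    findings = []
    for module, flag, opts in parse_jaas(jaas_text):
        roles = {r.strip() for r in opts.get("supplementalRoles", "").split(",")}
        if "admin" in roles:
            findings.append(f"{module} ({flag}) adds admin to every user it authenticates")
    for user, roles in parse_realm(realm_text).items():
        if "admin" in roles:
            findings.append(f"realm user {user} holds the admin role")
    return findings
```

Running audit(JAAS_CONF, REALM) on the constructed input reports the PAM module's supplementalRoles and the admin and bob entries, and says nothing about operationsuser1.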