I'm having trouble constructing an ACL policy that will let members of 2 LDAP groups access 4 specific projects. Our version is Rundeck 4.12.0. If anyone could give me a pointer on where I'm making mistakes in the following .yaml config I'd appreciate it.
I've followed the examples detailed here: https://resources.rundeck.com/learning/acl-policy-files-by-example/ but on login, my test user who is a member of one of the specified groups gets the message: "You have no authorized access to projects. Contact your administrator. (User roles: qa)". Here is my aclpolicy:
```yaml
description: System-level read access to specific project
context:
  application: rundeck
for:
  project:
    - equals:
        name:
          - qa
          - qa-sql-cron
          - staging
          - staging-sql-cron
      allow: read
by:
  group:
    - developers
    - qa
---
description: Project-level Access to Create and Delete Jobs
context:
  project:
    - equals:
        name:
          - qa
          - qa-sql-cron
          - staging
          - staging-sql-cron
for:
  resource:
    - equals:
        kind: job
      allow: "*"
by:
  group:
    - developers
    - qa
```
Based on this, the following definition is the easiest way (tested on Rundeck 4.12):
```yaml
description: project context.
context:
  project: '(ProjectONE|ProjectTWO|ProjectTHREE|ProjectFOUR)'
for:
  resource:
    - allow: [run,read]
  job:
    - allow: [read,view,update,run]
  node:
    - allow: [read,run]
by:
  group: [group1,group2]

---

description: app context.
context:
  application: 'rundeck'
for:
  project:
    - allow: read
      match:
        name: '(ProjectONE|ProjectTWO|ProjectTHREE|ProjectFOUR)'
  storage:
    - allow: [read]
by:
  group: [group1,group2]
```
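To see why the answer's two documents grant access while the question's first document does not, here is an added example (not code from either poster, and not Rundeck's own authorization engine): a small Python evaluator that models the documented policy semantics and runs both sets of policies against sample subjects offline. It assumes the documented behaviour that `equals` is an exact string comparison, `match` is a regex, a project-context `project:` value is a name or regex string, any matching `deny` beats any `allow`, and a user must hold `read` on the project resource in application context before Rundeck will list the project. The policies are embedded as the Python dicts that `yaml.safe_load` would produce from the YAML above; the names `authorize`, `can_see_project` and the `deny_policy` used in the tests are this example's own, not Rundeck API names.

```python
# Added example: a simplified evaluator for Rundeck-style ACL policy documents.
# Model: a policy applies when its `context` matches (an `application` name or a
# `project` regex); each key under `for` names a resource kind; each list entry is
# a rule with optional matchers (`equals` exact string, `match` regex, `contains`
# list membership) plus `allow`/`deny` actions; `by: group` restricts the policy
# to the subject's roles. Any matching `deny` wins over any `allow`.
# This is a teaching model (assumption), not the server's implementation.
import re

ANY = "*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _context_hits(policy, context):
    """Does the policy's context section apply to the request context?"""
    ctx = policy.get("context", {})
    if "application" in ctx:
        return context.get("application") == ctx["application"]
    if "project" in ctx:
        pattern, project = ctx["project"], context.get("project")
        # The project context must be a name/regex string; a nested list or
        # mapping (as in the question's second document) can never match.
        if not isinstance(pattern, str) or project is None:
            return False
        return re.fullmatch(pattern, project) is not None
    return False


def _subject_hits(policy, subject):
    """Is the subject in one of the groups named under `by`?"""
    groups = _as_list(policy.get("by", {}).get("group", []))
    return any(g == ANY or g in subject.get("groups", []) for g in groups)


def _matcher_hits(rule, resource):
    """Do the rule's equals/match/contains sections accept this resource?"""
    for key, want in rule.get("equals", {}).items():
        # `equals` is an exact string comparison; a YAML list (as in the
        # question's first document) never equals a resource's name attribute.
        if not isinstance(want, str) or resource.get(key) != want:
            return False
    for key, pattern in rule.get("match", {}).items():
        value = resource.get(key)
        if value is None or re.fullmatch(pattern, str(value)) is None:
            return False
    for key, want in rule.get("contains", {}).items():
        have = _as_list(resource.get(key, []))
        if not all(w in have for w in _as_list(want)):
            return False
    return True


def authorize(policies, subject, context, kind, resource, action):
    """Return 'allow', 'deny' or 'no-rule' for one action on one resource."""
    decision = "no-rule"
    for policy in policies:
        if not (_context_hits(policy, context) and _subject_hits(policy, subject)):
            continue
        for rule in policy.get("for", {}).get(kind, []):
            if not _matcher_hits(rule, resource):
                continue
            denied = _as_list(rule.get("deny", []))
            if action in denied or ANY in denied:
                return "deny"  # deny is final
            allowed = _as_list(rule.get("allow", []))
            if action in allowed or ANY in allowed:
                decision = "allow"  # keep scanning: a later rule may deny
    return decision


# The answer's two documents, as the dicts yaml.safe_load would produce.
PROJECTS = "(ProjectONE|ProjectTWO|ProjectTHREE|ProjectFOUR)"
ANSWER_POLICIES = [
    {"description": "project context.",
     "context": {"project": PROJECTS},
     "for": {"resource": [{"allow": ["run", "read"]}],
             "job": [{"allow": ["read", "view", "update", "run"]}],
             "node": [{"allow": ["read", "run"]}]},
     "by": {"group": ["group1", "group2"]}},
    {"description": "app context.",
     "context": {"application": "rundeck"},
     "for": {"project": [{"allow": "read", "match": {"name": PROJECTS}}],
             "storage": [{"allow": ["read"]}]},
     "by": {"group": ["group1", "group2"]}},
]

# The question's first document: `equals` given a list instead of a string.
QUESTION_POLICY = [
    {"description": "System-level read access to specific project",
     "context": {"application": "rundeck"},
     "for": {"project": [{"equals": {"name": ["qa", "qa-sql-cron",
                                              "staging", "staging-sql-cron"]},
                          "allow": "read"}]},
     "by": {"group": ["developers", "qa"]}},
]


def can_see_project(policies, groups, project):
    """Modelled home-page check: project `read` in application context."""
    return authorize(policies, {"groups": groups}, {"application": "rundeck"},
                     "project", {"name": project}, "read")


if __name__ == "__main__":
    print(can_see_project(ANSWER_POLICIES, ["group1"], "ProjectONE"))  # allow
    print(can_see_project(ANSWER_POLICIES, ["group1"], "Production"))  # no-rule
    print(can_see_project(QUESTION_POLICY, ["qa"], "qa"))              # no-rule
```

Running it shows the member of `group1` is granted `read` on `ProjectONE` but gets `no-rule` on a project outside the regex, and the question's `qa` user gets `no-rule` on `qa`, which is exactly the "no authorized access to projects" outcome reported above. Appending a document with `deny: [run]` under `for: job:` for the same group shows deny taking precedence regardless of document order.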