This document summarizes a Rundeck community meeting on access control policies. It introduces Nathan Fluegel as the speaker and provides an agenda that includes an introduction to ACL policies, an overview of access control basics, questions from the community, and a demo. It then discusses Rundeck architecture, authorization, and how ACL policies can control access to resources and actions at both the system and project levels. Examples of ACL policies are provided. Recommendations are given around storing policies at the project level and limiting key access. The community Q&A addresses controlling key storage and admin access permissions. Relevant documentation links are also included.
3. Agenda
1 Intro to ACL policies
2 Quick Download: Access Control Basics
3 Questions from the Community
4 Demo
4. Rundeck Architecture
Nodes (infrastructure): physical, VMs, containers, serverless, network devices…
External authentication: LDAP, AD, SSO
Clients over HTTP(S): Rundeck CLI and client CLI (Web API), browser (Web GUI), webhooks
Server resources: config/settings files, resources, plugins, users/groups/ACL, server logs, execution history
Authorization
5. What is Rundeck ACL good for?
ACL = Access Control Language
• Only authorized users have the ability to create jobs or run commands
• “Job Runners” can be limited to only running authorized jobs
• Only access machines you need to, when carrying out a job
ACL controls object access: Projects, Jobs, Keys, …
And available actions: View, Edit, Run, …
Core to Rundeck security; provides guard rails
6. Access Control Policies
Key Rundeck resources and access: System/Rundeck context (system resources) and Project context (project components/resources)
7. System/Rundeck context: both system and project rules can be stored here. Requires admin access.
Project context: only project-specific rules can be stored here. Can be delegated to project admins.
8. Quick Download: Access Control Basics
Rundeck can control access to resources and actions, providing guardrails that control who can do what and when.
● Control access to resources (projects, jobs, nodes, keys)
● Allow and deny specific actions (create jobs, run ad hoc commands, view activity history)
● Use existing usernames and groups from your Enterprise directory
9. ACL example (basic job runner)
Is this for the system or a project?
What resources? In what way?
Which user or group is associated?
11. ACL Recommendations
➔ Store as many policies as possible at the project level
➔ Create and edit policies in the Rundeck database to avoid managing ACL files
➔ Consider limiting keys and passwords within projects for maximum security
12. Community Q&A
➔ Can access to key storage be controlled on a per-project basis?
➔ What’s the easiest way to provide admin-level access to all projects for a specific group?
➔ I have users who can run jobs but not see job history. What gives?
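A worked aclpolicy file, added here as an illustration (the deck's own slide-10 example is not reproduced on this page): it answers the three slide-9 questions (context, resources and actions, subject) for a basic job-runner group, and adds the per-project key storage rule and the history-visibility rule the first and third Q&A questions touch on. The project name `ops` and the group `job-runner` are assumed placeholders.

```yaml
# Added example, not from the deck. Assumed names: project "ops", group "job-runner".
# aclpolicy files are YAML; several policies in one file are separated by "---".
# Anything not explicitly allowed is denied, so no adhoc rule means no ad hoc commands.

# Policy 1: project context. Resources: jobs, nodes, history. Subject: group job-runner.
description: job-runner can view and run jobs in the ops project
context:
  project: 'ops'
for:
  resource:
    - equals:
        kind: node
      allow: [read]          # see the project's node list
    - equals:
        kind: event
      allow: [read]          # without this, users can run jobs but not see history (Q&A #3)
  job:
    - allow: [read, run]     # view and run existing jobs; no create/update/delete
  node:
    - allow: [read, run]     # job steps may execute on project nodes
by:
  group: job-runner

---

# Policy 2: system (application) context. A project is an application-level
# resource, so the group also needs read on it or it will not appear in the GUI.
description: job-runner can see the ops project
context:
  application: 'rundeck'
for:
  project:
    - equals:
        name: 'ops'
      allow: [read]
by:
  group: job-runner

---

# Policy 3: key storage scoped to one project (Q&A #1). Key storage is also an
# application-level resource; matching the path keeps access to ops keys only.
description: job-runner may read only keys stored under the ops project path
context:
  application: 'rundeck'
for:
  storage:
    - match:
        path: 'keys/project/ops/.*'
      allow: [read]          # read only; no create/update/delete of keys
by:
  group: job-runner
```

Policies 1 and 3 can be delegated to project admins, but policy 2 and the storage rule live in the system context and require admin access to store, which is why the deck recommends keeping as much as possible at the project level.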
13. Key ACL docs pages
➔ Overview of ACL policy process: https://docs.rundeck.com/docs/manual/document-format-reference/aclpolicy-v10.html#overview
➔ Details of ACL clauses and all available options: https://docs.rundeck.com/docs/administration/security/authorization.html#access-control-policy-2
14. Rundeck Resources
Proprietary & Confidential
Visit: www.rundeck.com/open-source
Join the conversation: https://community.pagerduty.com/forum/c/rundeck
Sign up for release notes here: https://www.rundeck.com/release-notes-signup