2. Rundeck’s ACL benefits
● Rundeck is great for enabling self-service and improving
collaboration between teams BUT…
○ InfoSec (“lock it down!”)
○ Compliance (“separation of concerns!”)
● Rundeck’s ACL lets you define policy so that you can
determine who can do what, and where they can do it
○ Separates out key tasks like running jobs, viewing
events/history, and writing jobs
○ Everything is logged and auditable, making Compliance,
InfoSec, and Managers more comfortable
3. About Policies
Rundeck governs access using an ACL policy.
Rundeck models capabilities as resources.
Resources have actions like “read” and “run”
A policy is a set of rules permitting or denying actions on a
resource for a given user or group.
Users and groups are managed in your user directory (LDAP)
4. About Projects
A project is a place for work activity.
An application team might each have a project.
A project can span one or more environments.
A RUNDECK admin will create projects for their
users
5. Projects, Environments & Nodes
Project activity happens across environments
A node is a member of just one environment.
Declare a Node attribute: “environment”
DIT Development integration test
UAT User acceptance test
STAGE Final release and staging
PROD Production operation
7. Roles used in this example
● {TEAM}: Gives a team access to a Project(s)
Then these Roles give permissions within the context of a
Project...
● AUDIT: Activities (read)
● WRITE: Job writer (read, create, update, delete)
● RUN_STAGE: Jobs run on nodes in environments except
PROD
● RUN_PROD: Jobs run on nodes in PROD
These are only examples. Customize any roles you want!
8. Matrix of roles & groups for a project
AUDIT
WRITE
RUN_NON_PROD
RUN_PROD
Project A Project B Project C
manager eng SRE
9. Project-A
Policy: Allow users in Team-C to access Project-C
Project-B Project-C
{TEAM} Grant access to a project
A Team-C user
> Note: “{TEAM}” is a placeholder for a real team name (eg, “Team-C”)
“manager”
10. {TEAM}.aclpolicy
description: Given a user in group "{TEAM}" and for project name, {TEAM}, then allow
action [read].'
context:
application: 'rundeck'
for:
project:
- match:
name: {TEAM}
allow: [read]
by:
group: {TEAM}
Grants the team access to
their project
> Note: “{TEAM}” is a placeholder for a real team name (eg, “Team-C”)
11. Policy: AUDIT Allows: Read Events
history history history
Project A Project B Project ...
AUDIT Read job execution history
{TEAM}
“manager”
12. AUDIT.aclpolicy
description: 'Users in "AUDIT" can [read] events and nodes.'
context:
project: '.*'
for:
resource:
- equals:
kind: event
- allow: [read]
node:
- allow: [read]
by:
group: AUDIT
Read any event
Read any node
13. Policy: WRITE Allows: create,read,update,delete
WRITE.aclpolicy
Jobs Jobs Jobs
Project A Project B Project ...
{TEAM}
“eng”