We are setting up a Rundeck site so that users can only see their own projects. In this structure I need to make users job viewers / job writers / job runners and project admins. I have the runner, project admin and viewer working. However, I can't seem to get the job writer to work. I'm using two ACL files. Whenever I log in as the user I don't see the "Create Job" button, and when I navigate to rundeck/project/MY_PROJECT/job/create I get the error "Unauthorized to create new jobs". What am I missing?
Here is my_project_job_writer.acl
---
context:
  application: 'rundeck'
description: "project_job_writer"
for:
  project:
    - equals:
        name: 'MY_PROJECT'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  username: ['jack.hill','jill.hill']
---
context:
  project:
    - equals:
        name: 'MY_PROJECT'
description: "project_job_writer"
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: job
      allow: [create, delete]
    - equals:
        kind: event
      allow: [read]
  job:
    - allow: [create,read,update,delete,run,kill]
      match:
        name: '.*'
  node:
    - allow: [read, run, refresh]
      match:
        nodename: '.*'
by:
  username: ['jack.hill','jill.hill']
Here is system-job_writer.acl
description: Allow groups to list projects
context:
  application: 'rundeck'
for:
  project:
    - equals:
        name: 'Default'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: job_writer
---
description: Global write permissions to job_writer role
context:
  project: '.*'
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,refresh]
    - equals:
        kind: job
      allow: [create, delete]
    - equals:
        kind: event
      allow: [read]
  job:
    - allow: [create,read,update,delete,run,kill]
      match:
        name: '.*'
  node:
    - allow: [read, run, refresh]
      match:
        nodename: '.*'
by:
  group: job_writer
These are the entries in realm.properties
jack.hill:password,user,job_writer
jill.hill:password,user,job_writer
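As an added illustration (not part of the original post, and not Rundeck's own evaluator), the script below models the two ACL files above as Python data and walks a simplified version of Rundeck's rule matching: a document applies only when its `context` fits the scope being checked (application scope, or a project name matched against the `project` regex) and its `by` section names the user or one of the user's groups; inside `for`, a rule contributes its `allow` list when its `equals`/`match` attributes fit the resource. The project-scoped `context: project: - equals:` document from my_project_job_writer.acl is left out because a list-valued `context` is not covered by this simplified model, and `deny` rules are not modelled either. The `ACL_DOCS`, `REALM` and helper names are assumptions for this example; the document contents are copied from the post.

```python
"""Simplified checker for Rundeck-style ACL policy documents (example code,
assumptions labelled; not Rundeck's real authorization engine)."""
import re

# Constructed input: the ACL documents from the post, rendered as dicts.
ACL_DOCS = [
    {   # my_project_job_writer.acl, first document (application scope)
        "description": "project_job_writer",
        "context": {"application": "rundeck"},
        "for": {
            "project": [{"equals": {"name": "MY_PROJECT"}, "allow": ["read"]}],
            "system": [{"match": {"name": ".*"}, "allow": ["read"]}],
        },
        "by": {"username": ["jack.hill", "jill.hill"]},
    },
    {   # system-job_writer.acl, first document (application scope)
        "description": "Allow groups to list projects",
        "context": {"application": "rundeck"},
        "for": {
            "project": [{"equals": {"name": "Default"}, "allow": ["read"]}],
            "system": [{"match": {"name": ".*"}, "allow": ["read"]}],
        },
        "by": {"group": "job_writer"},
    },
    {   # system-job_writer.acl, second document (every project)
        "description": "Global write permissions to job_writer role",
        "context": {"project": ".*"},
        "for": {
            "resource": [
                {"equals": {"kind": "node"}, "allow": ["read", "refresh"]},
                {"equals": {"kind": "job"}, "allow": ["create", "delete"]},
                {"equals": {"kind": "event"}, "allow": ["read"]},
            ],
            "job": [{"allow": ["create", "read", "update", "delete", "run", "kill"],
                     "match": {"name": ".*"}}],
            "node": [{"allow": ["read", "run", "refresh"],
                      "match": {"nodename": ".*"}}],
        },
        "by": {"group": "job_writer"},
    },
]

# Constructed from the realm.properties lines in the post: user -> roles.
REALM = {
    "jack.hill": ["user", "job_writer"],
    "jill.hill": ["user", "job_writer"],
}


def _as_list(value):
    """`by:` values may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _by_matches(by, user, groups):
    if user in _as_list(by.get("username", [])):
        return True
    return any(g in _as_list(by.get("group", [])) for g in groups)


def _context_matches(context, project):
    """project=None means application scope; otherwise the document's
    `project` regex must match the project name (assumption: string regex)."""
    if project is None:
        return "application" in context
    pattern = context.get("project")
    return isinstance(pattern, str) and re.fullmatch(pattern, project) is not None


def _rule_matches(rule, attrs):
    """`equals` compares exactly, `match` treats the value as a regex."""
    for attr, expected in rule.get("equals", {}).items():
        if attrs.get(attr, "") != expected:
            return False
    for attr, expected in rule.get("match", {}).items():
        if re.fullmatch(expected, attrs.get(attr, "")) is None:
            return False
    return True


def allowed_actions(docs, user, project, type_name, attrs):
    """Union of `allow` lists from every applicable rule for this user,
    scope (project name or None for application scope), resource type
    (e.g. 'resource', 'job', 'project') and attribute set."""
    groups = REALM.get(user, [])
    actions = set()
    for doc in docs:
        if not _context_matches(doc.get("context", {}), project):
            continue
        if not _by_matches(doc.get("by", {}), user, groups):
            continue
        for rule in doc.get("for", {}).get(type_name, []):
            if _rule_matches(rule, attrs):
                actions.update(rule.get("allow", []))
    return actions


def can_create_job(docs, user, project):
    """The job/create page needs `create` on the project-scoped
    `resource` of kind `job`."""
    return "create" in allowed_actions(docs, user, project, "resource", {"kind": "job"})


if __name__ == "__main__":
    for name in ("jack.hill", "someone.else"):
        print(name, "can create jobs in MY_PROJECT:",
              can_create_job(ACL_DOCS, name, "MY_PROJECT"))
    print("jack.hill project-level read on OTHER_PROJECT:",
          allowed_actions(ACL_DOCS, "jack.hill", None, "project", {"name": "OTHER_PROJECT"}))
```

Running it shows the two checks that matter for the post's setup: the project-scoped `resource` rule of kind `job` grants `create` to anyone in the `job_writer` group, while the application-scoped `project` rules only grant `read` on `Default` (by group) and `MY_PROJECT` (by username), so a job writer gets no visibility of any other project.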
So the old IT solution worked. I just restarted the running apache server and it worked fine. What a waste of an hour, lol. Handy for anyone who wants to use this ACL policy.