问题描述
总结我的环境:
- 在 Kuberenetes 集群上运行 Rundeck (3.3.11)
- 通过 JDBC 连接器连接的专用数据库 MariaDB。
- 通过 JAAS 使用变量
RUNDECK_JAAS_LDAP_ *配置 Active Directory,并且身份验证有效,我可以使用我的 AD 用户登录。 - 使用 K8s 秘密配置的 ACL 策略模板,如Zoo sample:
volumeMounts:
- name: aclpolicy
mountPath: /home/rundeck/etc/rundeck-adm.aclpolicy
subPath: rundeck-adm.aclpolicy
volumes:
- name: aclpolicy
secret:
secretName: rundeck-adm-policy
items:
- key: rundeck-admin-role.yaml
path: rundeck-adm.aclpolicy
导出到 Rundeck Pod 的变量:
RUNDECK_JAAS_MODULES_0=JettyCombinedLdapLoginModule
RUNDECK_JAAS_LDAP_USERBASedn=OU=Users,OU=MYBRAND,DC=corp,DC=MYDOMAIN
RUNDECK_JAAS_LDAP_ROLEBASedn=OU=RundeckRoles,OU=Users,DC=MYDOMAIN
RUNDECK_JAAS_LDAP_FLAG=sufficient
RUNDECK_JAAS_LDAP_BINDDN=myrundeckuser@mybrand.mydomain
RUNDECK_JAAS_LDAP_BINDPASSWORD=foo
在我的 MS Active Directory 中,结构是:
-mybrand.mydomain
- MYBRAND
- Users
- RundeckRoles
- rundeck-adm (group with my user associated)
登录后返回此屏幕:
EDIT1:
我的rundeck-admin-role.yaml:
description: Admin project level access control. Applies to resources within a specific project.
context:
project: '.*' # all projects
for:
resource:
- equals:
kind: job
allow: [create] # allow create jobs
- equals:
kind: node
allow: [read,create,update,refresh] # allow refresh node sources
- equals:
kind: event
allow: [read,create] # allow read/create events
adhoc:
- allow: [read,run,runAs,kill,killAs] # allow running/killing adhoc jobs
job:
- allow: [create,read,delete,killAs] # allow create/read/write/delete/run/kill of all jobs
node:
- allow: [read,run] # allow read/run for nodes
by:
group: rundeck-adm
---
description: Admin Application level access control,applies to creating/deleting projects,admin of user profiles,viewing projects and reading system information.
context:
application: 'rundeck'
for:
resource:
- equals:
kind: project
allow: [create] # allow create of projects
- equals:
kind: system
allow: [read,enable_executions,disable_executions,admin] # allow read of system info,enable/disable all executions
- equals:
kind: system_acl
allow: [read,admin] # allow modifying system ACL files
- equals:
kind: user
allow: [admin] # allow modify user profiles
project:
- match:
name: '.*'
allow: [read,import,export,configure,admin] # allow full access of all projects or use 'admin'
project_acl:
- match:
name: '.*'
allow: [read,admin] # allow modifying project-specific ACL files
storage:
- allow: [read,delete] # allow access for /ssh-key/* storage content
by:
group: rundeck-adm
有人可以帮我找出错误吗?
解决方法
伙计们,我发现了问题!
缺少添加一些变量 RUNDECK_JAAS_LDAP_ROLEMEMBERATTRIBUTE 和 RUNDECK_JAAS_LDAP_ROLEOBJECTCLASS,默认,如果您不声明,Rundeck 会假定其他值。
在我应用此 vars 并重新部署我的 Rundeck Pod 后,我可以使用我的 AD 帐户进行访问。
为了帮助社区,我提供了我在部署中使用的变量列表:
"JVM_MAX_RAM_PERCENTAGE"
"RUNDECK_DATABASE_URL"
"RUNDECK_DATABASE_DRIVER"
"RUNDECK_DATABASE_USERNAME"
"RUNDECK_DATABASE_PASSWORD"
"RUNDECK_LOGGING_AUDIT_ENABLED"
"RUNDECK_JAAS_MODULES_0"
"RUNDECK_JAAS_LDAP_FLAG"
"RUNDECK_JAAS_LDAP_PROVIDERURL"
"RUNDECK_JAAS_LDAP_BINDDN"
"RUNDECK_JAAS_LDAP_BINDPASSWORD"
"RUNDECK_JAAS_LDAP_USERBASEDN"
"RUNDECK_JAAS_LDAP_ROLEBASEDN"
"RUNDECK_GRAILS_URL"
"RUNDECK_SERVER_FORWARDED"
"RUNDECK_JAAS_LDAP_USERRDNATTRIBUTE"
"RUNDECK_JAAS_LDAP_USERIDATTRIBUTE"
"RUNDECK_JAAS_LDAP_ROLEMEMBERATTRIBUTE"
我使用的 JAAS 插件是:JettyCombinedLdapLoginModule