Here’s a detailed tutorial for Authentication and Authorization in Rundeck Community Edition. This guide includes setup for both file-based authentication and role-based access control (RBAC) using ACL policy files.
Rundeck Community Edition: Authentication & Authorization Tutorial
Prerequisites
- Rundeck Community Edition installed (Ubuntu/Windows)
- Admin access to the server (root or sudo)
- Basic knowledge of YAML and properties files
1. Authentication in Rundeck
Rundeck CE uses JAAS (Java Authentication and Authorization Service) for authentication. By default, it authenticates users from a realm.properties file.
Location of the file

```text
/etc/rundeck/realm.properties              # Linux
C:\rundeck\server\config\realm.properties  # Windows
```
Format

```text
username: password, role1,role2,...
```
Example

```text
admin: admin123, admin, user
devuser: devpass, dev
viewonly: viewpass, read
```
You can generate password hashes using tools like htpasswd or openssl passwd -crypt.
To apply changes, restart Rundeck:

```bash
sudo systemctl restart rundeckd
```
2. Authorization in Rundeck (Access Control)
Rundeck uses ACL (Access Control List) policy files (YAML format) to define who can do what.
ACL Policy Directory

```text
/etc/rundeck/aclpolicy/
```

Each file must end with .aclpolicy and be readable by the Rundeck process.
2.1 Example: Admin Policy
admin.aclpolicy

```yaml
# Project scope: everything inside every project.
description: Admin Policy (project scope)
context:
  project: '.*'   # all projects
for:
  resource:
    - allow: ['*']
  adhoc:
    - allow: ['*']
  job:
    - allow: ['*']
  node:
    - allow: ['*']
by:
  group: [admin]

---
# The project type is an application-scope resource: without this
# second document the admin group could not see or configure any project.
description: Admin Policy (application scope)
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: '.*'
      allow: ['*']
by:
  group: [admin]
```
2.2 Example: Developer Policy (limited job run rights)
developer.aclpolicy

```yaml
description: Dev Policy (project scope)
context:
  project: '.*'
for:
  job:
    - allow: [read, run]
  node:
    - allow: [read]
by:
  group: [dev]

---
# Application-scope read access is required before a user can open a project.
description: Dev Policy (application scope)
context:
  application: 'rundeck'
for:
  project:
    - allow: [read]
by:
  group: [dev]
```
2.3 Example: Read-Only User
readonly.aclpolicy

```yaml
description: ReadOnly Policy (project scope)
context:
  project: '.*'
for:
  job:
    - allow: [read]
  node:
    - allow: [read]
  resource:
    - allow: [read]
by:
  group: [read]

---
# Project visibility is an application-scope right, so it lives in its own document.
description: ReadOnly Policy (application scope)
context:
  application: 'rundeck'
for:
  project:
    - allow: [read]
by:
  group: [read]
```
3. Managing Users and Roles
Edit realm.properties to assign users to roles (groups), which map to the group: field in your ACLs.

User: john, Role: dev

```text
john: dev123, dev
```

Then, make sure your ACL file references group: [dev].
4. Verifying Access
- Log in to the Rundeck Web UI as different users.
- Validate access by attempting to:
  - View/run jobs
  - Execute ad-hoc commands
  - View project settings
- Unauthorized attempts will show "Access Denied"
5. Tips & Best Practices
- Keep ACL files small and modular (admin.aclpolicy, dev.aclpolicy, etc.)
- Validate ACL syntax with the rundeck logs (/var/log/rundeck/service.log)
- Use the .* regex cautiously: it grants access to all projects
- Set appropriate permissions on /etc/rundeck/aclpolicy/:

```bash
sudo chown -R rundeck:rundeck /etc/rundeck/aclpolicy/
```
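The realm.properties format from section 1, the role-to-group mapping from section 3 and the wildcard caveat from section 5 all lend themselves to an automated check. The Python script below is an added example (not part of Rundeck or of the original tutorial): it parses a realm.properties file, scans .aclpolicy documents for their context and `by: group:` entries, and reports plain-text passwords, groups that no user holds, roles that no policy references, and documents whose project context is the `.*` wildcard. The sample realm and policy texts are constructed inline from the tutorial's own users and policies; the hash values are constructed samples. It recognises the `OBF:`, `MD5:` and `CRYPT:` prefixes that Jetty's credential handling accepts for realm.properties, and it uses regular expressions instead of a YAML parser, so only the inline `group: [a, b]` and `group: name` forms used on this page are understood.

```python
"""Consistency checks for Rundeck realm.properties and .aclpolicy files.

Added example, not Rundeck project code. ACL files are scanned with
regular expressions rather than a full YAML parser, so only the inline
forms used in the tutorial (``group: [a, b]`` and ``group: name``) are
recognised.
"""
import re

# Credential prefixes accepted by Jetty for realm.properties entries.
# Anything without one of these prefixes is a plain-text password.
HASH_PREFIXES = ("OBF:", "MD5:", "CRYPT:")

# Constructed sample realm.properties using the tutorial's users; the
# hashed entries are constructed sample values, not real credentials.
REALM_PROPERTIES = """\
# /etc/rundeck/realm.properties
admin: MD5:21232f297a57a5a743894a0e4a801fc3, admin, user
Rajesh: rajesh123, dev
Brad: brad123, qa
Raimy: raimy123, devops, dev
ops-oncall: OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v, ops
"""

# Constructed sample ACL files: one single-document file and one with
# two '---'-separated documents, modelled on the tutorial's policies.
ACL_FILES = {
    "admin.aclpolicy": """\
description: Admin Policy
context:
  project: '.*'
for:
  job:
    - allow: ['*']
by:
  group: [admin]
""",
    "access-rbac.aclpolicy": """\
description: RBAC policy for Dev, QA, and DevOps roles
context:
  project: 'payments'
for:
  job:
    - allow: ['read', 'run']
by:
  group: [dev, qa, devops]
---
description: DevOps Admin Rights
context:
  application: 'rundeck'
for:
  project:
    - allow: ['read', 'configure']
by:
  group: [devops]
""",
}


def parse_realm(text):
    """Return {username: (password_field, [roles])} from realm.properties text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")      # split on the first colon only
        fields = [f.strip() for f in rest.split(",")]
        users[user.strip()] = (fields[0], [r for r in fields[1:] if r])
    return users


def plaintext_users(users):
    """Usernames whose password field carries none of the accepted hash prefixes."""
    return sorted(u for u, (pw, _) in users.items()
                  if not pw.startswith(HASH_PREFIXES))


_GROUP_RE = re.compile(r"^\s*group:\s*(\[.*?\]|\S+)\s*$", re.M)
_CONTEXT_RE = re.compile(
    r"^context:\s*\n\s+(project|application):\s*['\"]?([^'\"\n]+?)['\"]?\s*$", re.M)


def parse_acl(text):
    """Yield (context_type, context_value, [groups]) for each document in a file."""
    for doc in re.split(r"^---\s*$", text, flags=re.M):
        ctx = _CONTEXT_RE.search(doc)
        groups = []
        for raw in _GROUP_RE.findall(doc):
            groups += [g.strip(" '\"") for g in raw.strip("[]").split(",")
                       if g.strip(" '\"")]
        if ctx or groups:
            yield (ctx.group(1) if ctx else None,
                   ctx.group(2) if ctx else None, groups)


def audit(realm_text, acl_files):
    """Cross-check realm roles against ACL groups and return the findings."""
    users = parse_realm(realm_text)
    realm_roles = {r for _, roles in users.values() for r in roles}
    acl_groups, wildcard_docs = set(), []
    for fname, text in acl_files.items():
        for ctx_type, ctx_value, groups in parse_acl(text):
            acl_groups.update(groups)
            if ctx_type == "project" and ctx_value == ".*":
                wildcard_docs.append((fname, sorted(groups)))
    return {
        "plaintext_passwords": plaintext_users(users),
        "groups_without_users": sorted(acl_groups - realm_roles),   # policy grants nobody holds
        "roles_without_acl": sorted(realm_roles - acl_groups),      # roles that confer nothing
        "wildcard_project_docs": wildcard_docs,                     # review: applies to all projects
    }


if __name__ == "__main__":
    for key, value in audit(REALM_PROPERTIES, ACL_FILES).items():
        print(f"{key}: {value}")
```

Run against the sample data it reports the three plain-text entries, no orphaned groups, the `user` and `ops` roles that no policy mentions, and the admin document as the only `.*` project context. Point `audit()` at the contents of /etc/rundeck/realm.properties and the files under /etc/rundeck/aclpolicy/ to run the same checks on a live installation.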
Summary

| Feature | Tool/Config File |
|---|---|
| Authentication | /etc/rundeck/realm.properties |
| Authorization | /etc/rundeck/aclpolicy/*.aclpolicy |
| Access by Role | Mapped via group: in ACL |
| Restart Rundeck | sudo systemctl restart rundeckd |
Worked Example: Users and a Unified RBAC Policy
The following configuration provides:
- A realm.properties spec for user-role mapping
- A unified ACL .aclpolicy file with RBAC for Dev, QA, and DevOps roles
realm.properties

```text
# /etc/rundeck/realm.properties
Rajesh: rajesh123, dev
Brad: brad123, qa
Raimy: raimy123, devops, dev
Andry: andry123, dev
Kevin: kevin123, qa
```
Note: passwords here are in plain text. You can replace them with hashed versions for security.
access-rbac.aclpolicy

```yaml
# /etc/rundeck/aclpolicy/access-rbac.aclpolicy
# Shared rights for every role: read and run jobs in all projects.
description: RBAC policy for Dev, QA, and DevOps roles (project scope)
context:
  project: '.*'
for:
  job:
    - match:
        name: '.*'
      allow: ['read', 'run']
  node:
    - allow: ['read']
  adhoc:
    - allow: ['read']
  resource:
    - allow: ['read']
by:
  group: [dev, qa, devops]

---
# Project visibility is granted in the application scope.
description: RBAC policy for Dev, QA, and DevOps roles (application scope)
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: '.*'
      allow: ['read']
by:
  group: [dev, qa, devops]

---
# DevOps elevated privileges inside projects
description: DevOps Admin Rights (project scope)
context:
  project: '.*'
for:
  job:
    - allow: ['create', 'update', 'delete', 'read', 'run']
  node:
    - allow: ['read', 'run']
  resource:
    - allow: ['read', 'create']
by:
  group: [devops]

---
# DevOps elevated privileges at application level
description: DevOps Admin Rights (application scope)
context:
  application: 'rundeck'
for:
  project:
    - allow: ['read', 'configure']
  storage:
    - allow: ['read', 'create', 'update', 'delete']
  resource:
    - equals:
        kind: system
      allow: ['admin']
by:
  group: [devops]
```
Summary Table

| User | Password | Roles Assigned |
|---|---|---|
| Rajesh | rajesh123 | dev |
| Brad | brad123 | qa |
| Raimy | raimy123 | dev, devops |
| Andry | andry123 | dev |
| Kevin | kevin123 | qa |

| Role | Permissions Granted |
|---|---|
| dev | Read & Run jobs, read nodes/projects |
| qa | Same as dev (read + run only) |
| devops | Full system rights including job/project/config |
Iām a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Author: Rajesh Kumar (personal website; also on YouTube, Instagram, X, Facebook, LinkedIn and Wizbrand).