Here’s a detailed tutorial for Authentication and Authorization in Rundeck Community Edition. This guide includes setup for both file-based authentication and role-based access control (RBAC) using ACL policy files.
# Rundeck Community Edition: Authentication & Authorization Tutorial

## Prerequisites
- Rundeck Community Edition installed (Ubuntu/Windows)
- Admin access to the server (root or sudo)
- Basic knowledge of YAML and properties files
## 1. Authentication in Rundeck
Rundeck CE uses JAAS (Java Authentication and Authorization Service) for authentication. By default, it authenticates users from a realm.properties file.
### Location of the file

```text
/etc/rundeck/realm.properties               # Linux
C:\rundeck\server\config\realm.properties   # Windows
```
### Format

```text
username: password, role1,role2,...
```
### Example

```properties
admin: admin123, admin, user
devuser: devpass, dev
viewonly: viewpass, read
```
You can generate password hashes using tools like `htpasswd` or `openssl passwd -crypt`.

To apply changes, restart Rundeck:

```bash
sudo systemctl restart rundeckd
```
## 2. Authorization in Rundeck (Access Control)
Rundeck uses ACL (Access Control List) policy files (YAML format) to define who can do what.
### ACL Policy Directory

```text
/etc/rundeck/aclpolicy/
```

Each file must end with `.aclpolicy` and be readable by the Rundeck process.
### 2.1 Example: Admin Policy
`admin.aclpolicy`:

```yaml
# Project scope: every project-level resource type, in every project
description: Admin Policy (project scope)
context:
  project: '.*'
for:
  resource:
    - allow: ['*']
  adhoc:
    - allow: ['*']
  job:
    - allow: ['*']
  node:
    - allow: ['*']
by:
  group: [admin]

---

# Application scope: the 'project' resource type only exists in the
# application context, so it needs its own document here
description: Admin Policy (application scope)
context:
  application: 'rundeck'
for:
  resource:
    - allow: ['*']
  project:
    - match:
        name: '.*'
      allow: ['*']
by:
  group: [admin]
```
### 2.2 Example: Developer Policy (limited job run rights)
`developer.aclpolicy`:

```yaml
# Project scope: read and run jobs, read nodes
description: Dev Policy
context:
  project: '.*'
for:
  job:
    - allow: [read, run]
  node:
    - allow: [read]
by:
  group: [dev]

---

# Application scope: developers also need 'read' on the project itself
# to see it in the project list and open it
description: Dev Policy (application scope)
context:
  application: 'rundeck'
for:
  project:
    - allow: [read]
by:
  group: [dev]
```
### 2.3 Example: Read-Only User
`readonly.aclpolicy`:

```yaml
# Project scope: read-only on jobs, nodes and project resources
description: ReadOnly Policy
context:
  project: '.*'
for:
  job:
    - allow: [read]
  node:
    - allow: [read]
  resource:
    - allow: [read]
by:
  group: [read]

---

# Application scope: 'project' is an application-level resource type,
# so read access to the project itself is granted in this document
description: ReadOnly Policy (application scope)
context:
  application: 'rundeck'
for:
  project:
    - allow: [read]
by:
  group: [read]
```
## 3. Managing Users and Roles
Edit `realm.properties` to assign users to roles (groups), which map to the `group:` field in your ACLs.

User `john` with role `dev`:

```properties
john: dev123, dev
```

Then make sure your ACL file references `group: [dev]`.
## 4. Verifying Access

- Log in to the Rundeck web UI as different users.
- Validate access by attempting to:
  - view or run jobs
  - execute ad-hoc commands
  - view project settings
- Unauthorized attempts will show "Access Denied".
## 5. Tips & Best Practices

- Keep ACL files small and modular (`admin.aclpolicy`, `dev.aclpolicy`, etc.)
- Validate ACL syntax by checking the Rundeck logs (`/var/log/rundeck/service.log`)
- Use the `.*` regex cautiously: it grants access to all projects
- Set appropriate permissions on `/etc/rundeck/aclpolicy/`: `sudo chown -R rundeck:rundeck /etc/rundeck/aclpolicy/`
## Summary

| Feature | Tool/Config File |
|---|---|
| Authentication | `/etc/rundeck/realm.properties` |
| Authorization | `/etc/rundeck/aclpolicy/*.aclpolicy` |
| Access by Role | Mapped via `group:` in ACL |
| Restart Rundeck | `sudo systemctl restart rundeckd` |
## Appendix: Unified RBAC Configuration

The following is a complete Rundeck configuration in Markdown format with:

- A `realm.properties` spec for user-role mapping
- A unified ACL `.aclpolicy` file with RBAC for Dev, QA, and DevOps roles
### realm.properties

```properties
# /etc/rundeck/realm.properties
Rajesh: rajesh123, dev
Brad: brad123, qa
Raimy: raimy123, devops, dev
Andry: andry123, dev
Kevin: kevin123, qa
```
Passwords here are in plain text. You can replace them with hashed versions for security.
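As an added check (example code, not part of the original post), the script below parses `realm.properties`, flags entries that are still clear text (no Jetty `OBF:`, `MD5:` or `CRYPT:` prefix) and cross-checks each user's roles against the `group:` lines of the ACL files, as sections 3 and 5 advise. The inputs are constructed from this page's examples, and the `group:` extraction is a per-line regex rather than a full YAML parser.

```python
import re
# Jetty credential prefixes that realm.properties accepts instead of clear text
HASH_PREFIXES = ("OBF:", "MD5:", "CRYPT:")

# Constructed sample input: the realm.properties shown on this page
REALM = """\
# /etc/rundeck/realm.properties
Rajesh: rajesh123, dev
Brad: brad123, qa
Raimy: raimy123, devops, dev
Andry: andry123, dev
Kevin: kevin123, qa
"""

# Constructed sample input: 'by:' sections from this page's ACL documents
ACL = """\
by:
  group: [dev, qa, devops]
---
by:
  group: admin
"""

def parse_realm(text):
    """Return {user: (password_field, [roles])}, skipping comments and blanks."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rest = line.split(":", 1)          # hashes like MD5:... keep their colon
        fields = [f.strip() for f in rest.split(",")]
        users[user.strip()] = (fields[0], fields[1:])
    return users

def acl_groups(text):
    """Collect every group named on a 'group:' line, list or scalar form."""
    groups = set()
    for m in re.finditer(r"^\s*group:\s*(.+?)\s*$", text, re.M):
        groups.update(g.strip(" '\"") for g in m.group(1).strip("[]").split(","))
    return groups

def audit(realm_text, acl_text):
    """Clear-text users, roles no ACL grants, and ACL groups no user holds."""
    users, groups = parse_realm(realm_text), acl_groups(acl_text)
    roles = {r for _, rs in users.values() for r in rs}
    clear = [u for u, (pw, _) in users.items() if not pw.startswith(HASH_PREFIXES)]
    return {"cleartext": sorted(clear), "orphan_roles": sorted(roles - groups),
            "unused_groups": sorted(groups - roles)}
```

Run it against the real files by reading `/etc/rundeck/realm.properties` and the concatenated contents of `/etc/rundeck/aclpolicy/*.aclpolicy`; an entry in `unused_groups` is a policy nobody can use, and one in `orphan_roles` is a role that grants nothing.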
### access-rbac.aclpolicy
```yaml
# /etc/rundeck/aclpolicy/access-rbac.aclpolicy
# Baseline for all three roles, project scope: job, node, adhoc and
# resource are project-level types and only match in a project context
description: RBAC policy for Dev, QA, and DevOps roles (project scope)
context:
  project: '.*'
for:
  job:
    - match:
        name: '.*'
      allow: ['read', 'run']
  node:
    - allow: ['read']
  adhoc:
    - allow: ['read']
  resource:
    - allow: ['read']
by:
  group: [dev, qa, devops]

---

# Baseline for all three roles, application scope: see every project
description: RBAC policy for Dev, QA, and DevOps roles (application scope)
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: '.*'
      allow: ['read']
by:
  group: [dev, qa, devops]

---

# DevOps elevated privileges, project scope
description: DevOps Admin Rights (project scope)
context:
  project: '.*'
for:
  job:
    - allow: ['create', 'update', 'delete', 'read', 'run']
  node:
    - allow: ['read', 'run']
  resource:
    - allow: ['read', 'create']
by:
  group: [devops]

---

# DevOps elevated privileges, application scope: project configuration,
# key storage, and system admin (there is no 'system' type; it is the
# 'system' kind of the application-level 'resource' type)
description: DevOps Admin Rights (application scope)
context:
  application: 'rundeck'
for:
  project:
    - allow: ['read', 'configure']
  storage:
    - allow: ['read', 'create', 'update', 'delete']
  resource:
    - match:
        kind: 'system'
      allow: ['admin']
by:
  group: [devops]
```
### Summary Table

| User | Password | Roles Assigned |
|---|---|---|
| Rajesh | rajesh123 | dev |
| Brad | brad123 | qa |
| Raimy | raimy123 | dev, devops |
| Andry | andry123 | dev |
| Kevin | kevin123 | qa |

| Role | Permissions Granted |
|---|---|
| dev | Read & Run jobs, read nodes/projects |
| qa | Same as dev (read + run only) |
| devops | Full system rights including job/project/config |
I'm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO strategies at Wizbrand.