
Rundeck Community Edition: Authentication & Authorization Tutorial

Here’s a detailed tutorial for Authentication and Authorization in Rundeck Community Edition. This guide includes setup for both file-based authentication and role-based access control (RBAC) using ACL policy files.



🧰 Prerequisites

  • Rundeck Community Edition installed (Ubuntu/Windows)
  • Admin access to the server (root or sudo)
  • Basic knowledge of YAML and properties files

🗝️ 1. Authentication in Rundeck

Rundeck CE uses JAAS (Java Authentication and Authorization Service) for authentication. By default, it authenticates users from a realm.properties file.

📂 Location of the file

/etc/rundeck/realm.properties  # Linux
C:\rundeck\server\config\realm.properties  # Windows

📌 Format

username: password, role1,role2,...

✅ Example

admin: admin123, admin, user
devuser: devpass, dev
viewonly: viewpass, read

🔒 You can generate password hashes using tools like htpasswd or openssl passwd -crypt.

To apply changes, restart Rundeck:

sudo systemctl restart rundeckd

🎭 2. Authorization in Rundeck (Access Control)

Rundeck uses ACL (Access Control List) policy files (YAML format) to define who can do what.

📂 ACL Policy Directory

/etc/rundeck/aclpolicy/

Each file must end with .aclpolicy and be readable by the Rundeck process.


🧱 2.1 Example: Admin Policy

admin.aclpolicy

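# Project context: jobs, nodes, ad-hoc commands and resources inside every project
description: Admin Policy
context:
  project: '.*'
for:
  node:
    - allow: ['*']
  job:
    - allow: ['*']
  adhoc:
    - allow: ['*']
  resource:
    - allow: ['*']
by:
  group: [admin]

---
# Application context: rules on the project resource type are evaluated here,
# not in the project context, so they need their own document
description: Admin Policy (project access)
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: '.*'
      allow: ['*']
by:
  group: [admin]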

🧪 2.2 Example: Developer Policy (limited job run rights)

developer.aclpolicy

description: Dev Policy
context:
  project: '.*'
for:
  job:
    - allow: [read, run]
  node:
    - allow: [read]
by:
  group: [dev]

2.3 Example: Read-Only User

readonly.aclpolicy

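# Project context: read-only access to jobs, nodes and resources
description: ReadOnly Policy
context:
  project: '.*'
for:
  job:
    - allow: [read]
  node:
    - allow: [read]
  resource:
    - allow: [read]
by:
  group: [read]

---
# Application context: rules on the project resource type are evaluated here,
# so read access to the projects themselves needs its own document
description: ReadOnly Policy (project visibility)
context:
  application: 'rundeck'
for:
  project:
    - allow: [read]
by:
  group: [read]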

⚙️ 3. Managing Users and Roles

Edit realm.properties to assign users to roles (groups), which map to the group: field in your ACLs.

User: john, Role: dev

john: dev123, dev

Then, make sure your ACL file references group: [dev].
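The check below covers both the password-storage note in section 1 and the role-to-group mapping described here. It is an added example, not code from Rundeck or from the original tutorial: it parses realm.properties entries, reports accounts whose password is stored in plain text, and lists roles that no ACL policy references (and the reverse). The function names and sample data are hypothetical, and it assumes the Jetty credential prefixes MD5:, CRYPT: and OBF:, plus BCRYPT: on Rundeck versions that support it.

```ruby
require 'yaml'

# Credential prefixes for realm.properties entries. OBF: is reversible and
# MD5: is unsalted; BCRYPT: support is assumed for the installed version.
STORAGE = { 'BCRYPT:' => :bcrypt, 'CRYPT:' => :crypt,
            'MD5:' => :md5, 'OBF:' => :obfuscated }.freeze

# Parse "username: password, role1,role2" lines (the format shown in section 1).
def parse_realm(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |line|
    user, rest = line.split(':', 2)
    cred, *roles = rest.to_s.split(',').map(&:strip)
    prefix = STORAGE.keys.find { |p| cred.to_s.start_with?(p) }
    { user: user.strip, storage: STORAGE.fetch(prefix, :plaintext), roles: roles }
  end
end

# Every group named in a `by:` clause of a (possibly multi-document) policy.
def acl_groups(policy_yaml)
  YAML.load_stream(policy_yaml).compact.flat_map { |d| Array(d.dig('by', 'group')) }.uniq
end

# Cross-check the user file against the policy text.
def audit(realm_text, policy_yaml)
  users  = parse_realm(realm_text)
  roles  = users.flat_map { |u| u[:roles] }.uniq
  groups = acl_groups(policy_yaml)
  { plaintext_users: users.select { |u| u[:storage] == :plaintext }.map { |u| u[:user] },
    roles_without_acl: roles - groups,    # role assigned, but no policy grants it anything
    groups_without_user: groups - roles } # policy grants rights no listed user holds
end

# Constructed sample data, not taken from a real server.
REALM = <<~'EOS'
  admin: admin123, admin, user
  devuser: MD5:0123456789abcdef0123456789abcdef, dev
  viewonly: viewpass, read
EOS
ACL = <<~'EOS'
  description: Dev Policy
  context: { project: '.*' }
  for: { job: [{ allow: [read, run] }] }
  by: { group: [dev] }
  ---
  description: Ops Policy
  context: { project: '.*' }
  for: { job: [{ allow: [read] }] }
  by: { group: ops }
EOS
pp audit(REALM, ACL)
```

To run it against a live installation, pass the contents of realm.properties and the concatenated .aclpolicy files (joined with `---`) to `audit`.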


🚦 4. Verifying Access

  • Log in to the Rundeck Web UI as different users.
  • Validate access by attempting to:
    • View/run jobs
    • Execute ad-hoc commands
    • View project settings
  • Unauthorized attempts will show “Access Denied”.

🛡️ 5. Tips & Best Practices

  • Keep ACL files small and modular (admin.aclpolicy, dev.aclpolicy, etc.)
  • Validate ACL syntax with rundeck logs (/var/log/rundeck/service.log)
  • Use .* regex cautiously—it grants access to all projects
  • Set appropriate permissions on /etc/rundeck/aclpolicy/: sudo chown -R rundeck:rundeck /etc/rundeck/aclpolicy/
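The caution about `.*` can be turned into a pre-deployment check. The following is an added example, not Rundeck's own validator and not part of the original tutorial: it flags policy documents that apply to every project, rules that allow every action, and resource types placed in a context where they are not evaluated. `lint_policy`, the sample policy and the per-context type lists are assumptions of this example; confirm the lists against the ACL policy reference for the Rundeck version in use.

```ruby
require 'yaml'

# Resource types evaluated in each context (from the Rundeck ACL policy
# reference; confirm the lists against the version you run).
TYPES = { 'project'     => %w[resource adhoc job node],
          'application' => %w[resource project project_acl storage apitoken] }.freeze

def lint_policy(yaml_text)
  findings = []
  YAML.load_stream(yaml_text).compact.each_with_index do |doc, i|
    tag   = "doc #{i + 1}"
    ctx   = doc['context'] || {}
    scope = ctx.keys.first
    findings << "#{tag}: context applies to every project" if ctx['project'] == '.*'
    findings << "#{tag}: no by: clause" unless doc['by']
    (doc['for'] || {}).each do |type, rules|
      unless TYPES.fetch(scope, []).include?(type)
        findings << "#{tag}: '#{type}' rules are not evaluated in #{scope} context"
      end
      Array(rules).each do |rule|
        findings << "#{tag}: #{type} rule allows every action" if Array(rule['allow']).include?('*')
      end
    end
  end
  findings
end

# Constructed two-document policy for the example.
SAMPLE = <<~'EOS'
  description: Ops everywhere
  context: { project: '.*' }
  for:
    job:
      - allow: ['*']
    project:
      - allow: [read]
  by: { group: [ops] }
  ---
  description: QA smoke tests
  context: { project: 'qa-tools' }
  for:
    job:
      - match: { name: 'smoke-.*' }
        allow: [read, run]
  by: { group: [qa] }
EOS

puts lint_policy(SAMPLE)
```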

📎 Summary

| Feature | Tool/Config File |
|---|---|
| Authentication | /etc/rundeck/realm.properties |
| Authorization | /etc/rundeck/aclpolicy/*.aclpolicy |
| Access by Role | Mapped via group: in ACL |
| Restart Rundeck | sudo systemctl restart rundeckd |



The following sample configuration combines:

  • ✅ A realm.properties spec for user-role mapping
  • ✅ A unified ACL .aclpolicy file with RBAC for Dev, QA, and DevOps roles

realm.properties

# /etc/rundeck/realm.properties

Rajesh: rajesh123, dev
Brad: brad123, qa
Raimy: raimy123, devops, dev
Andry: andry123, dev
Kevin: kevin123, qa

ℹ️ Passwords here are in plain text. You can replace them with hashed versions for security.


📜 access-rbac.aclpolicy

# /etc/rundeck/aclpolicy/access-rbac.aclpolicy

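# Project context: jobs, nodes, ad-hoc commands and resources inside every project
description: RBAC policy for Dev, QA, and DevOps roles
context:
  project: '.*'
for:
  job:
    - match:
        name: '.*'
      allow: ['read', 'run']
  node:
    - allow: ['read']
  adhoc:
    - allow: ['read']
  resource:
    - allow: ['read']
by:
  group: [dev, qa, devops]

---
# Application context: rules on the project resource type are evaluated here
description: Project visibility for Dev, QA, and DevOps roles
context:
  application: 'rundeck'
for:
  project:
    - match:
        name: '.*'
      allow: ['read']
by:
  group: [dev, qa, devops]

---
# DevOps elevated privileges inside projects
description: DevOps Admin Rights (projects)
context:
  project: '.*'
for:
  job:
    - allow: ['create', 'update', 'delete', 'read', 'run']
  node:
    - allow: ['read', 'run']
  resource:
    - allow: ['read', 'create']
by:
  group: [devops]

---
# DevOps elevated privileges at the application level
description: DevOps Admin Rights
context:
  application: 'rundeck'
for:
  project:
    - allow: ['read', 'configure']
  resource:
    # system is a resource kind in the application context, not a type of its own
    - equals:
        kind: system
      allow: ['admin']
  storage:
    - allow: ['read', 'create', 'update', 'delete']
by:
  group: [devops]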

🧾 Summary Table

| User | Password | Roles Assigned |
|---|---|---|
| Rajesh | rajesh123 | dev |
| Brad | brad123 | qa |
| Raimy | raimy123 | dev, devops |
| Andry | andry123 | dev |
| Kevin | kevin123 | qa |

| Role | Permissions Granted |
|---|---|
| dev | Read & Run jobs, read nodes/projects |
| qa | Same as dev (read + run only) |
| devops | Full system rights including job/project/config |
