Here’s a detailed tutorial for Authentication and Authorization in Rundeck Community Edition. This guide includes setup for both file-based authentication and role-based access control (RBAC) using ACL policy files.
๐ Rundeck Community Edition: Authentication & Authorization Tutorial
๐งฐ Prerequisites
- Rundeck Community Edition installed (Ubuntu/Windows)
- Admin access to the server (root or sudo)
- Basic knowledge of YAML and properties files
๐๏ธ 1. Authentication in Rundeck
Rundeck CE uses JAAS (Java Authentication and Authorization Service) for authentication. By default, it authenticates users from a realm.properties file.
๐ Location of the file
/etc/rundeck/realm.properties # Linux
C:\rundeck\server\config\realm.properties # Windows
Code language: PHP (php)
๐ Format
username: password, role1,role2,...
Code language: HTTP (http)
โ Example
admin: admin123, admin, user
devuser: devpass, dev
viewonly: viewpass, read
Code language: HTTP (http)
๐ You can generate password hashes using tools like
htpasswdoropenssl passwd -crypt.
To apply changes, restart Rundeck:
sudo systemctl restart rundeckd
๐ญ 2. Authorization in Rundeck (Access Control)
Rundeck uses ACL (Access Control List) policy files (YAML format) to define who can do what.
๐ ACL Policy Directory
/etc/rundeck/aclpolicy/
Each file must end with
.aclpolicyand be readable by the Rundeck process.
๐งฑ 2.1 Example: Admin Policy
admin.aclpolicy
description: Admin Policy
context:
project: '.*'
for:
project:
- match:
name: '.*'
allow: ['*']
node:
- allow: ['*']
job:
- allow: ['*']
adhoc:
- allow: ['*']
resource:
- allow: ['*']
by:
group: [admin]
Code language: JavaScript (javascript)
๐งช 2.2 Example: Developer Policy (limited job run rights)
developer.aclpolicy
description: Dev Policy
context:
project: '.*'
for:
job:
- allow: [read, run]
node:
- allow: [read]
by:
group: [dev]
Code language: JavaScript (javascript)
๐ 2.3 Example: Read-Only User
readonly.aclpolicy
description: ReadOnly Policy
context:
project: '.*'
for:
job:
- allow: [read]
node:
- allow: [read]
project:
- allow: [read]
resource:
- allow: [read]
by:
group: [read]
Code language: JavaScript (javascript)
โ๏ธ 3. Managing Users and Roles
Edit realm.properties to assign users to roles (groups), which map to the group: field in your ACLs.
User: john, Role: dev
john: dev123, dev
Code language: HTTP (http)
Then, make sure your ACL file references group: [dev].
๐ฆ 4. Verifying Access
- Login to Rundeck Web UI as different users.
- Validate access by attempting to:
- View/run jobs
- Execute ad-hoc commands
- View project settings
- Unauthorized attempts will show “Access Denied”
๐ก๏ธ 5. Tips & Best Practices
- Keep ACL files small and modular (
admin.aclpolicy,dev.aclpolicy, etc.) - Validate ACL syntax with
rundecklogs (/var/log/rundeck/service.log) - Use
.*regex cautiouslyโit grants access to all projects - Set appropriate permissions on
/etc/rundeck/aclpolicy/:sudo chown -R rundeck:rundeck /etc/rundeck/aclpolicy/
๐ Summary
| Feature | Tool/Config File |
|---|---|
| Authentication | /etc/rundeck/realm.properties |
| Authorization | /etc/rundeck/aclpolicy/*.aclpolicy |
| Access by Role | Mapped via group: in ACL |
| Restart Rundeck | sudo systemctl restart rundeckd |
๐ References
Here is your Rundeck configuration in Markdown (markup) format with:
- โ
A
realm.propertiesspec for user-role mapping - โ
A unified ACL
.aclpolicyfile with RBAC forDev,QA, andDevOpsroles
๐ realm.properties
# /etc/rundeck/realm.properties
Rajesh: rajesh123, dev
Brad: brad123, qa
Raimy: raimy123, devops, dev
Andry: andry123, dev
Kevin: kevin123, qa
Code language: PHP (php)
โน๏ธ Passwords here are in plain text. You can replace them with hashed versions for security.
๐ access-rbac.aclpolicy
# /etc/rundeck/aclpolicy/access-rbac.aclpolicy
description: RBAC policy for Dev, QA, and DevOps roles
context:
application: 'rundeck'
for:
project:
- match:
name: '.*'
allow: ['read']
job:
- match:
name: '.*'
allow: ['read', 'run']
node:
- allow: ['read']
adhoc:
- allow: ['read']
resource:
- allow: ['read']
by:
group: [dev, qa, devops]
---
# DevOps elevated privileges
description: DevOps Admin Rights
context:
application: 'rundeck'
for:
job:
- allow: ['create', 'update', 'delete', 'read', 'run']
node:
- allow: ['read', 'run']
project:
- allow: ['read', 'configure']
resource:
- allow: ['read', 'create']
storage:
- allow: ['read', 'create', 'update', 'delete']
system:
- allow: ['admin']
by:
group: [devops]
context:
application: 'rundeck'
Code language: PHP (php)
๐งพ Summary Table
| User | Password | Roles Assigned |
|---|---|---|
| Rajesh | rajesh123 | dev |
| Brad | brad123 | qa |
| Raimy | raimy123 | dev, devops |
| Andry | andry123 | dev |
| Kevin | kevin123 | qa |
| Role | Permissions Granted |
|---|---|
dev | Read & Run jobs, read nodes/projects |
qa | Same as dev (read + run only) |
devops | Full system rights including job/project/config |
Let me know if you want:
- Separate ACLs per role (
dev.aclpolicy, etc.) - Project-specific permissions
- A packaged
.zipwith these files
I’m Rajesh Kumar, a DevOps, SRE, DevSecOps, Cloud, and Platform Engineering expert passionate about sharing practical knowledge, real-world experiences, and industry best practices. I have worked at Cotocus and regularly write about technology, travel, investing, health, product reviews, and digital marketing through my various platforms.
I publish technical articles at DevOps School, travel stories at Holiday Landmark, stock market insights at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO and digital marketing strategies at Wizbrand.
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services โ all in one place.
Explore Hospitals