Information missing from aclpolicy docs #1232

Closed
wcooley opened this issue May 11, 2015 · 4 comments
@wcooley

wcooley commented May 11, 2015

In neither the aclpolicy format reference nor the "Authorization" section of the Access Control Policy chapter of the admin guide are the answers to the following important questions:

  • How are aclpolicy files found? I.e., is anything in the rundeck config dir ending with .aclpolicy loaded or are files named like "*role*.aclpolicy", etc.
  • When are the aclpolicy files loaded? When the server starts or when someone tries to login, etc.?
    • Are they reloaded on update or does the server have to be restarted if they are changed or added/removed?
@mathieuchateau
Contributor

Hello,

For the reload on update, it's written somewhere that changes are taken
immediately. I confirm this behavior.

Regards,
Mathieu CHATEAU
http://www.lotp.fr


@wcooley
Author

wcooley commented May 11, 2015

@mathieuchateau I see now in the "Authorization Caveats" at the very bottom of "Access Control Policy" that it says "aclpolicy changes do not require a restart." That does not exactly correlate with what I saw, but I might have been impatient with reloading (I was attempting to add a new aclpolicy file -- not change an existing one, so it may be that "changes" above just indicates changes to existing policy files?)

Still, a single bullet point in a section named "Authorization Caveats" is an awkward place for such a piece of information -- A more natural place would be a section that included the other information that I could not find. (Furthermore, "caveat" in English indicates a warning or caution; this would be more of a "nota bene" -- an important point.)

@mathieuchateau
Contributor

Yep, sure. I am not the author, just to say I read it ;)

Regards,
Mathieu CHATEAU
http://www.lotp.fr


@gschueler
Member

thanks for the improvement suggestions

to answer your questions here:

  1. Rundeck loads all *.aclpolicy files found in the rundeck etc dir, which is either /etc/rundeck (rpm and debian install defaults), or $RDECK_BASE/etc (launcher/war configuration)
  2. They are loaded at startup, and each file's policies are cached. When an authorization request occurs, the policies may be reloaded if they were modified. The contents are cached for at least 60 seconds before checking if they need to be reloaded.

hope this helps. I will put this info in the docs

@gschueler gschueler added this to the 2.5.1 milestone May 13, 2015
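
An added example, not part of the thread and not Rundeck code: a small audit of an etc dir based on the answer above. It lists exactly the files matching `*.aclpolicy`, flags any that group or other can write (every such file feeds authorization decisions), and flags files modified less than 60 seconds ago, whose contents may not be in effect yet. The function names, report keys and sample files are assumptions made for the illustration.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

CACHE_SECONDS = 60  # minimum cache time stated in the comment above


def audit_acl_dir(etc_dir, now=None):
    """Report every *.aclpolicy file in etc_dir (the set the comment says is loaded).

    Flags files that group/other can write, and files modified less than
    CACHE_SECONDS ago, whose new contents may not be in effect yet.
    """
    now = time.time() if now is None else now
    report = []
    for path in sorted(Path(etc_dir).glob("*.aclpolicy")):
        st = path.stat()
        report.append({
            "file": path.name,
            "loosely_writable": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
            "maybe_stale": (now - st.st_mtime) < CACHE_SECONDS,
        })
    return report


def demo():
    """Build a constructed etc dir and audit it (sample files are made up)."""
    with tempfile.TemporaryDirectory() as etc:
        now = time.time()
        samples = {                      # name: (mode, age in seconds)
            "admin.aclpolicy": (0o640, 3600),
            "ops.aclpolicy": (0o666, 3600),
            "new-team.aclpolicy": (0o640, 5),
            "ops.aclpolicy.bak": (0o640, 3600),   # not matched by *.aclpolicy
        }
        for name, (mode, age) in samples.items():
            p = Path(etc, name)
            p.write_text("description: constructed sample\n")
            os.chmod(p, mode)
            os.utime(p, (now - age, now - age))
        return audit_acl_dir(etc, now=now)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a real host, pass `/etc/rundeck` or `$RDECK_BASE/etc` to `audit_acl_dir`, the two locations named in the answer.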