Make the "required role" in web.xml configurable #590

Closed
diranged opened this issue Nov 19, 2013 · 33 comments

@diranged

The "role" that's required to exist on all users who log into Rundeck should be configurable, rather than being hard-coded to "user". Frankly, it should also be optional...

@ColOfAbRiX

I agree, this should be optional/configurable. I use LDAP and I had to create a group only for rundeck.

@ColOfAbRiX

If I start rundeck with --skipinstall I am able to override the name of the default group. But, at least, this kind of error should be signaled better.

@gschueler
Member

fyi: I added this FAQ entry on how to configure the web.xml required role if necessary: https://github.com/dtolabs/rundeck/wiki/Faq#i-get-an-error-logging-in-http-error-403--reason-role

@schast

schast commented Feb 4, 2014

I also use ldap and do not want to create an extra group for rundeck. Please make this optional (configurable).

@diranged
Author

diranged commented Feb 9, 2014

Any chance this is going to get fixed in the near future?

@andyregan

Thanks for posting a work-around in the FAQ. I would also be grateful if this could be optional.

@mbizkit76

+1 on this

@gschueler gschueler added this to the 2.x milestone Apr 3, 2014
@ghost

ghost commented Apr 4, 2014

Sorry - I zapped my previous comment - the web.xml workaround was fine - it's just our AD setup is rather strange, and I had to use a different "base" group.

Still +1 to make this easier! :)

@ahonor
Contributor

ahonor commented Apr 8, 2014

+1 on eliminating it

@azet

azet commented Apr 28, 2014

+1

@zarry

zarry commented Apr 29, 2014

+1

@pforai

pforai commented Apr 29, 2014

+1

@sebw

sebw commented May 6, 2014

I used to auth against AD with 1.4.4 and it worked fine. I'm migrating to 2.1 and I get this problem, this is clearly a regression.

Can you make it optional?

@azet

azet commented May 7, 2014

any update on that?

@ptangsir

+1

@nostrame

+1

@ntkach

ntkach commented Jul 8, 2014

Same here. Either that role name should be optional or else provide the same setup mechanism that was default in RunDeck 1.6.x. I've not been able to find it specifically, but I know we didn't have to do anything special to set/change that role name to get LDAP to work.

@UO180222

+1

@gschueler
Member

in 2.2.0 we added a change that allows a "supplementalRole" to be set for your LDAP jaas config, which can be used to sidestep this issue. http://rundeck.org/docs/administration/authenticating-users.html#login-module-configuration

@Bigd271

Bigd271 commented Nov 4, 2014

Does the "supplementalRole" feature allow for special characters like spaces and stars (i.e. supplementalRole="Everyone - Office")? I can't seem to make this work. I would like to spin up the launcher version in our Production environment, but this issue is keeping me from deploying since I cannot properly set "--skipinstall" from the RDECK_JVM properties so that I may continue to use the server/sbin/rundeckd script to start|stop.

@gschueler
Member

@Bigd271 you would have to alter the server/sbin/rundeckd to add --skipinstall in the start command.

supplementalRoles allow spaces, however it does a split on `, *`, meaning any spaces after the comma separating roles are lost, and the resulting string is `.trim()`'d so that any leading/trailing spaces are also lost. Make sure you use supplementalRoles (with an "s").

@Bigd271

Bigd271 commented Nov 14, 2014

Thank you @gschueler. I have chosen to go the route of installing the RPM. I've then changed the default security role in the web.xml to be the "Everyone - Office" distribution list. Our ops team is very excited to use this product. Thanks again!

pcross616 pushed a commit to sous-chefs/rundeck that referenced this issue Jan 16, 2015
@ghost

ghost commented Jun 10, 2015

Can this role requirement be turned off entirely?

@ssbarnea

👍 Any news on this? After 2 days, I am still unable to finish the LDAP configuration step, which usually takes only a few minutes on other services.

@joerocklin

Getting ready to do an update, remembered that I had an unexpected downtime after the last one, found this issue to remind me what to do. We're approaching the 2-year mark on this issue, any news on the state of things?

@gschueler
Member

@joerocklin good question, the status of this issue is: we don't have any immediate plans for a "fix".

Reasons:

  1. making this "configurable" requires rewriting the web.xml prior to the webapp starting up. Not an ideal fix, and especially hard to do in the case of a .war deployment anyway
  2. Whether you are using Jetty (e.g. via the Launcher or with the default RPM install) or Tomcat, there is already a workaround via configuration:
    • the JettyCachingLdapLoginModule (JAAS module used for Jetty) supports a supplementalRoles setting, that allows you to add "user" to the default roles for any successfully authenticated user. See Login module configuration
    • The JNDIRealm (realm module used for Tomcat) authentication also supports a commonRole setting to do a similar thing for a single role name, see JNDIRealm#commonRole
  3. because of limitations of "servlet-container based authentication", we hope that at some future point we can move to something more flexible
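As an added illustration of the JAAS workaround described in this comment and earlier in the thread (the 2.2.0 supplementalRoles setting, and its split-on-comma-then-trim behaviour), here is a complete login-module stanza. It is not code from the Rundeck project or from any commenter; the module class and option names are the ones documented for JettyCachingLdapLoginModule, while the hostname, base DNs, bind credentials and the "Everyone - Office" group name are placeholder values assumed for the example.

```conf
/* Added example: a JAAS config (e.g. jaas-ldap.conf) for Rundeck 2.2+.
   Not project code. providerUrl, bindDn, bindPassword and the DNs are
   placeholders and must be replaced with real values for your directory. */
ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://ldap.example.com:389"
    /* Use a low-privilege, read-only bind account; it only needs to
       search the user and group subtrees below. */
    bindDn="cn=rundeck-bind,ou=Service Accounts,dc=example,dc=com"
    bindPassword="CHANGE-ME"
    authenticationMethod="simple"
    /* Bind as the user to verify the password instead of reading a hash. */
    forceBindingLogin="true"
    userBaseDn="ou=People,dc=example,dc=com"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="account"
    roleBaseDn="ou=Groups,dc=example,dc=com"
    roleNameAttribute="cn"
    roleMemberAttribute="memberUid"
    roleObjectClass="posixGroup"
    cacheDurationMillis="300000"
    /* Every successfully authenticated user additionally receives these
       roles. "user" satisfies the hard-coded web.xml auth-constraint, so
       no dedicated LDAP group is needed. The value is split on ", *" and
       each piece trimmed, so the internal spaces in "Everyone - Office"
       survive while spaces around the comma do not. */
    supplementalRoles="user, Everyone - Office";
};
```

Point the launcher at this file with the documented `-Dloginmodule.conf.name=jaas-ldap.conf -Dloginmodule.name=ldap` JVM properties (in RDECK_JVM or the start command). Note what the workaround does from an access-control standpoint: "user" is granted to anyone the directory authenticates, so the effective restriction on who may do anything in Rundeck moves entirely to the aclpolicy files; a supplemental role only clears the container's login gate, it grants no project or system permissions by itself. The Tomcat equivalent mentioned above is the single-valued commonRole attribute on JNDIRealm.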

pcross616 pushed a commit to sous-chefs/rundeck that referenced this issue Nov 15, 2015
pcross616 pushed a commit to sous-chefs/rundeck that referenced this issue Nov 15, 2015
@xeor

xeor commented Mar 21, 2016

Did this discussion die out again? It would be nice to get a better error message when you don't have access to rundeck. The roles rundeck is able to see in my setup are also everything except the Domain Users group, so I am stuck with adding a bunch of roles to my web.xml to try to catch all users.

The message you get about not having access to any projects is by far good enough as a default access denied message. So the option in my configuration I am looking for is just a way to set the accepted role to * (which doesn't work, btw).

@DerfOh

DerfOh commented Jun 22, 2016

+1 Being able to set ACL based on the AD group needs better documentation. I've been at this for a week now 😢

@zonArt

zonArt commented Mar 23, 2017

+1 for better documentation, supplementalRoles option works great but you should be aware that you need to put "user, <other_groups>".
If you only put the other_groups it doesn't work, as the param is called supplementalRoles, I was expecting "user" to be integrated already
Edit: my bad, I misunderstood the behavior of this param

scottymarshall pushed a commit to scottymarshall/rundeck that referenced this issue Mar 9, 2018
scottymarshall pushed a commit to scottymarshall/rundeck that referenced this issue Mar 9, 2018
@sjrd218
Contributor

sjrd218 commented Jul 10, 2018

Fixed in Rundeck 3.0.0

@sjrd218 sjrd218 closed this as completed Jul 10, 2018
@gschueler gschueler modified the milestones: 2.x, 3.0.0 Jul 10, 2018
@ryancurrah

@sjrd218 care to explain or link to a doc about the fix?

@Bigd271

Bigd271 commented Sep 6, 2018

Agreed, @sjrd218 please comment on how to use the new "fix"

A colleague of mine pointed out that this is in the release notes:

https://rundeck.org/news/2018/07/27/rundeck-3.0.0.html

> Authentication
>
> We no longer rely on “container-based” security/authentication (i.e. web.xml auth constraints, coupled with Jetty/Tomcat authentication setup.) We now use “Spring Security” for Grails, which moves the authentication checks into Rundeck itself. This enables SSO, Oauth, and other types of authentication which was difficult/impossible to implement before.
>
> The default JAAS authentication method still works, so existing JAAS based configuration should operate as expected.

@sjrd218
Contributor

sjrd218 commented Sep 6, 2018

Rundeck 3.x is built on top of Grails 3.x which removed the web.xml file altogether from the deployment artifact. This means there won't be a web.xml file you can edit.

Additionally Rundeck 3.x now uses Spring Security to secure the application. With this change there is no longer a 'required role' that must be configured for Rundeck.

If you were previously using the tomcat-users.xml file to manage users, you will want to migrate to use one of the JAAS options documented here: https://rundeck.org/docs/administration/security/authenticating-users.html#jetty-and-jaas-authentication. You can ignore the fact that it is labeled 'Jetty and JAAS authentication' because JAAS authentication will work for any container.
