rundeck用户管理配置

rundeck/server/config/realm.properties


# realm.properties as used by Rundeck (Jetty HashLoginService) — one entry per account:
#   <username>: <credential>,<role>[,<role>...]
# <credential> here is "MD5:" followed by the hex MD5 of the password. MD5 is an
# UNSALTED, fast hash: anyone who can read this file can brute-force the passwords.
# Keep it readable only by the rundeck service user and never commit real hashes;
# for production prefer an external identity source (LDAP/PAM) if the installed
# Rundeck version supports it — confirm against its docs.
# Every "xxxx" placeholder below must be replaced by a real hash before use.
#
# admin: password hash + roles user,admin. The 'admin' role is presumably the group
# the stock admin.aclpolicy grants full access to — verify that file is present.

admin: MD5:xxxxxxxx,user,admin

# user1: ordinary user, role user only. Its permissions come from the project
# documents in the .aclpolicy below (by: username: 'user1').

user1: MD5:xxxxxxx,user

# user2: ordinary user that is also a member of the rundeckzu role/group. The original
# note says user2 gets "all execution rights on prod_pkgs but no modify rights; mind
# read". As shown in the .aclpolicy below, group rundeckzu only receives application-
# level read grants (project/system/user) plus key storage read/create; the project
# documents are keyed by username (user1, userxxxxx) and target project Prod_aaaa,
# not prod_pkgs. A project-context document for rundeckzu / prod_pkgs is not on this
# page — verify it exists, otherwise user2 cannot run anything.

user2: MD5:xxxxmd5,user,rundeckzu


给用户授权

cd  rundeck/etc

创建 project_xx.aclpolicy   ##在 etc 目录下新建一个以 .aclpolicy 为后缀的文件（习惯上以项目名命名，但文件名本身不决定作用范围：etc 下所有 .aclpolicy 文件都会被加载，真正限定项目的是文件内的 context.project，且项目名区分大小写，须与 Rundeck 中的项目名完全一致）。例如


vim  prod_aaaa.aclpolicy


############  

# Project-scoped grants for user1 in project Prod_aaaa: run/kill a fixed set of
# jobs, execute on any node, read execution history; no ad-hoc commands and no
# job create/update/delete. Rundeck evaluates this together with every other
# *.aclpolicy file in this directory.
description: user.

context:

  project: 'Prod_aaaa'   # exact, case-sensitive match on the project name

for:

  resource:

    - equals:

        kind: job

      allow: [run,kill]   # grants only run and kill here (NOT read/create as the old comment said)
                          # NOTE(review): for resource kind 'job' the documented actions are
                          # create/delete; run/kill at this level likely grant nothing — confirm

    - equals:

        kind: node

      allow: [run]   # NOTE(review): resource kind 'node' is documented with read/refresh;
                     # per-node run rights come from the 'node:' section below — confirm

    - equals:

        kind: event

      allow: [read]   # read execution/event history of this project

  adhoc:

    - deny: '*'   # no ad-hoc command execution (explicit deny takes precedence over allows elsewhere)

  job:

    - match:

        group: '.*'   # regex on the job group: '.*' = every group; for jobs under
                      # project/moni/... use 'moni' (anchor it, e.g. '^moni$', to avoid prefix matches)

        name: 'xxjobname1|xxjobname2'   # regex alternation of the job names this user may run

      allow: [read,run,runAs,kill,killAs]   # read + run + kill of the matched jobs only;
                                            # no create/update/delete granted.
                                            # NOTE(review): runAs/killAs let the user run/kill these
                                            # jobs as another user — drop them unless that is really
                                            # intended for an execute-only account

  node:

    - allow: [read,run]   # read and execute on every node in the project (no node filter)

by:

  username: 'user1'   # regex on the username; only user1 receives this document


---

# Second project-scoped document, same shape as the one above but for userxxxxx
# and a slightly larger job list (adds 'xxjob'). Copy this document for further
# users and change BOTH by.username and job.name.
description: user.

context:

  project: 'Prod_aaaa'   # exact, case-sensitive match on the project name

for:

  resource:

    - equals:

        kind: job

      allow: [run,kill]   # only run and kill (NOT read/create as the old comment said)
                          # NOTE(review): resource kind 'job' is documented with create/delete;
                          # run/kill at this level likely grant nothing — confirm

    - equals:

        kind: node

      allow: [run]   # NOTE(review): resource kind 'node' is documented with read/refresh — confirm

    - equals:

        kind: event

      allow: [read]   # read execution/event history of this project

  adhoc:

    - deny: '*'   # no ad-hoc command execution (explicit deny takes precedence)

  job:

    - match:

        group: '.*'   # regex on the job group: '.*' = every group; for jobs under
                      # project/moni/... use 'moni' (anchor it, e.g. '^moni$')

        name: 'xxjobname1|xxjobname2|xxjob'   # regex alternation of the permitted job names

      allow: [read,run,runAs,kill,killAs]   # read + run + kill of the matched jobs only;
                                            # no create/update/delete granted.
                                            # NOTE(review): runAs/killAs allow running/killing as
                                            # another user — remove for an execute-only account

  node:

    - allow: [read,run]   # read and execute on every node in the project (no node filter)

by:

  username: 'userxxxxx'   # regex on the username. NOTE(review): the application document
                          # below lists 'userxxx' — make sure both refer to the same account


---


# Application-scoped grants. Needed in addition to the project documents above so
# the listed users / group can see the project and use key storage; it grants no
# job execution by itself.
description: user.

context:

  application: 'rundeck'

for:

  resource:

    - equals:

        kind: project

      allow: [read]   # read only — no project creation (old comment said "create of projects")

    - equals:

        kind: system

      allow: [read]   # read system information

    - equals:

        kind: user

      allow: [read]   # NOTE(review): confirm 'read' is a valid action for kind 'user' in this
                      # Rundeck version (the docs list 'admin' for user info)

  project:

    - match:

        name: 'Prod_aaaa'

      allow: [read]   # view this one project only; no configure/delete/import/export/admin

  storage:

    - allow: [read,create]   # read + create on EVERY key-storage path (no path match);
                             # update/delete are not granted.
                             # NOTE(review): least privilege would scope this with a path match,
                             # e.g. '- match: {path: "keys/project/Prod_aaaa/.*"}' — the path
                             # layout is an assumption, confirm before applying

by:

  username: 'admin|user1|userxxx'   # regex alternation; unanchored alternatives may also match
                                    # longer names depending on the matcher — confirm, and note
                                    # 'userxxx' vs 'userxxxxx' in the project document above

  group: 'rundeckzu'   # NOTE(review): confirm whether username and group are ORed here; if so,
                       # every rundeckzu member gets these application grants but still no
                       # project-level job rights from this file





##一个 project 里面有多个用户时，把 userxxxxx 那段文档（以 --- 分隔）复制一份，并同时修改 by.username 和 job.name（两处都要改，只改 jobname 会把权限授给错误的用户）；复制时也检查是否真的需要 runAs/killAs（以其他用户身份运行/终止），只负责执行的普通账号通常应去掉。

##普通用户 user2 属于 rundeckzu 组（此条与上文 realm.properties 部分重复）。注意：按上面给出的 aclpolicy，rundeckzu 组只在 application 级拿到 read（以及 storage 的 read/create）权限，项目级的 job 执行权限是按 username 授予的，且项目是 Prod_aaaa；若要让 user2 拥有 prod_pkgs 的执行权限而无修改权限，还需要一个 context.project 为 prod_pkgs、by.group 为 rundeckzu 的文档（本页未列出）。

user2: MD5:xxxxmd5,user,rundeckzu