@gschueler
Last active August 29, 2015 13:57
ACL policy for storage resources
description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
  storagePath:
    - allow: '*' # allow read/create/update/delete for all storage data under /project/name/*
by:
  group: admin
---
description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  storagePath:
    - allow: '*' # allow read/create/update/delete for all storage data not specific to a project
by:
  group: admin

description: Developer, test1 project access
context:
  project: 'dev1' # dev1 project only
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
  storagePath:
    - match:
        path: /project/dev1/data/.*
      allow: '*' # allow read/create/update/delete
    - match:
        path: /project/dev1/other/.*
      allow: 'read' # allow read
by:
  group: developer
---
description: Developer
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  storagePath:
    - match:
        path: /ssh-key/project/dev1/.*
      allow: '*' # allow read/create/update/delete ssh-keys within dev1 project only
    - match:
        path: /ssh-key/shared/.*
      allow: 'read' # allow read of ssh-keys within shared path
by:
  group: developer
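
A small regression check for the developer group's storagePath rules, added here as an example; it is not part of the gist and is not Rundeck's own evaluator. It assumes each `path` is a regular expression that must match the whole storage path, that `'*'` covers every action, and that a request no rule allows is denied; the sample paths are constructed and the action names are the ones in the policy comments.

```python
import re

# Developer storagePath rules from the two policy documents above, keyed by
# the context each document declares (context handling simplified to a lookup).
RULES = {
    ("project", "dev1"): [
        ("/project/dev1/data/.*", {"*"}),
        ("/project/dev1/other/.*", {"read"}),
    ],
    ("application", "rundeck"): [
        ("/ssh-key/project/dev1/.*", {"*"}),
        ("/ssh-key/shared/.*", {"read"}),
    ],
}


def is_allowed(context, path, action, rules=RULES):
    """True if a rule in `context` matches `path` and allows `action`.

    Assumed semantics: whole-path regex match, '*' means every action,
    and no matching allow means the request is denied.
    """
    for pattern, allowed in rules.get(context, []):
        if re.fullmatch(pattern, path) and ("*" in allowed or action in allowed):
            return True
    return False


def audit(cases, rules=RULES):
    """Return the cases whose decision differs from the expected one."""
    return [c for c in cases if is_allowed(c[0], c[1], c[2], rules) != c[3]]


PROJ, APP = ("project", "dev1"), ("application", "rundeck")
# Constructed cases: (context, path, action, expected decision).
EXPECTED = [
    (PROJ, "/project/dev1/data/db.password", "delete", True),
    (PROJ, "/project/dev1/other/notes", "read", True),
    (PROJ, "/project/dev1/other/notes", "update", False),
    (PROJ, "/project/dev2/data/db.password", "read", False),
    (APP, "/ssh-key/project/dev1/deploy.pem", "create", True),
    (APP, "/ssh-key/shared/ops.pem", "read", True),
    (APP, "/ssh-key/shared/ops.pem", "delete", False),
    (APP, "/ssh-key/project/dev10/deploy.pem", "read", False),
]

if __name__ == "__main__":
    print("unexpected decisions:", audit(EXPECTED))
```

The `dev10` case passes only because the pattern keeps the `/` after `dev1`; dropping that separator would let the rule reach sibling projects whose names start with `dev1`.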