Rundeck Static Token not loaded when Rundeck Service is started

问题

I think my Rundeck does not load my tokens.properties file. I can't see it on my service.log being loaded. Here is a screenshot of the log

That's why when I restart the service or the server my scheduled jobs, that triggers Rundeck API, always get this error

{"error":true,"apiversion":35,"errorCode":"api.error.item.unauthorized","message":"Not authorized for action \"Run\" for Job ID 109fd435-765f-4b7a-a547-0c5906c4a1f5"}

For it to work properly again, I need to generate a new token each time I restart Rundeck or the server. I have already included this line in my framework.properties

rundeck.tokens.file=C:/rundeck/etc/tokens.properties

And in my tokens.properties, it has 1 line only which is

atrsdk-runner: token_string

How can I make my token permanent? Did I miss something here, how will I fix this issue? Thanks!

回答1:

You need to add the role on tokens.properties file. I tested on a Windows machine and works in this way:

1. Stop the Rundeck service.

2. On framework.properties file add:

rundeck.tokens.file=C:/rundeck/tokens.properties

3. On realm.properties file add (just an example user for testing):

bob:bob,admin

4. Create a file named tokens.properties at c:\rundeck\ path with the following content (i added the role at the end of the line):

bob: 12345, admin

5. Start the Rundeck service.

6. With this API call you can run the job using the custom token (check the rdeck_token variable, tested on an external Linux host running cURL):

#!/bin/sh

# protocol
protocol="http"

# basic rundeck info
rdeck_host="10.0.1.81"
rdeck_port="4440"
rdeck_api="36"
rdeck_token="12345"

# specific api call info
rdeck_job="91c5b968-166f-4138-9345-580cd624adda"

# api call
curl -s --location --request POST "$protocol://$rdeck_host:$rdeck_port/api/$rdeck_api/job/$rdeck_job/run" \
  --header "Accept: application/json" \
  --header "X-Rundeck-Auth-Token: $rdeck_token" \
  --header "Content-Type: application/json"

Now, without a role defined at tokens.properties file I obtain your error (the output was "beautified" with jq):

{
  "error": true,
  "apiversion": 36,
  "errorCode": "api.error.item.unauthorized",
  "message": "Not authorized for action \"Run\" for Job ID 91c5b968-166f-4138-9345-580cd624adda"
}

And with the role defined at tokens.properties file (successful):

{
  "id": 3,
  "href": "http://10.0.1.81:4440/api/36/execution/3",
  "permalink": "http://10.0.1.81:4440/project/ProjectBOB/execution/show/3",
  "status": "running",
  "project": "ProjectBOB",
  "executionType": "user",
  "user": "bob",
  "date-started": {
    "unixtime": 1603801591299,
    "date": "2020-10-27T12:26:31Z"
  },
  "job": {
    "id": "91c5b968-166f-4138-9345-580cd624adda",
    "averageDuration": 1727,
    "name": "HelloWorld",
    "group": "",
    "project": "ProjectBOB",
    "description": "",
    "href": "http://10.0.1.81:4440/api/36/job/91c5b968-166f-4138-9345-580cd624adda",
    "permalink": "http://10.0.1.81:4440/project/ProjectBOB/job/show/91c5b968-166f-4138-9345-580cd624adda"
  },
  "description": "echo \"hi\"",
  "argstring": null,
  "serverUUID": "2337f5f7-e951-47d2-ba62-f8c02a0bb8df"
}

And here the execution on Rundeck.

来源：https://stackoverflow.com/questions/64552766/rundeck-static-token-not-loaded-when-rundeck-service-is-started