问题
I think my Rundeck does not load my tokens.properties file. I can't see it on my service.log being loaded. Here is a screenshot of the log
That's why when I restart the service or the server my scheduled jobs, that triggers Rundeck API, always get this error
{"error":true,"apiversion":35,"errorCode":"api.error.item.unauthorized","message":"Not authorized for action \"Run\" for Job ID 109fd435-765f-4b7a-a547-0c5906c4a1f5"}
For it to work properly again, I need to generate a new token each time I restart Rundeck or the server. I have already included this line in my framework.properties
rundeck.tokens.file=C:/rundeck/etc/tokens.properties
And in my tokens.properties, it has 1 line only which is
atrsdk-runner: token_string
How can I make my token permanent? Did I miss something here, how will I fix this issue? Thanks!
回答1:
You need to add the role on tokens.properties
file. I tested on a Windows machine and works in this way:
Stop the Rundeck service.
On
framework.properties
file add:
rundeck.tokens.file=C:/rundeck/tokens.properties
- On
realm.properties
file add (just an example user for testing):
bob:bob,admin
- Create a file named
tokens.properties
atc:\rundeck\
path with the following content (i added the role at the end of the line):
bob: 12345, admin
Start the Rundeck service.
With this API call you can run the job using the custom token (check the
rdeck_token
variable, tested on an external Linux host running cURL):
#!/bin/sh
# protocol
protocol="http"
# basic rundeck info
rdeck_host="10.0.1.81"
rdeck_port="4440"
rdeck_api="36"
rdeck_token="12345"
# specific api call info
rdeck_job="91c5b968-166f-4138-9345-580cd624adda"
# api call
curl -s --location --request POST "$protocol://$rdeck_host:$rdeck_port/api/$rdeck_api/job/$rdeck_job/run" \
--header "Accept: application/json" \
--header "X-Rundeck-Auth-Token: $rdeck_token" \
--header "Content-Type: application/json"
Now, without a role defined at tokens.properties
file I obtain your error (the output was "beautified" with jq):
{
"error": true,
"apiversion": 36,
"errorCode": "api.error.item.unauthorized",
"message": "Not authorized for action \"Run\" for Job ID 91c5b968-166f-4138-9345-580cd624adda"
}
And with the role defined at tokens.properties
file (successful):
{
"id": 3,
"href": "http://10.0.1.81:4440/api/36/execution/3",
"permalink": "http://10.0.1.81:4440/project/ProjectBOB/execution/show/3",
"status": "running",
"project": "ProjectBOB",
"executionType": "user",
"user": "bob",
"date-started": {
"unixtime": 1603801591299,
"date": "2020-10-27T12:26:31Z"
},
"job": {
"id": "91c5b968-166f-4138-9345-580cd624adda",
"averageDuration": 1727,
"name": "HelloWorld",
"group": "",
"project": "ProjectBOB",
"description": "",
"href": "http://10.0.1.81:4440/api/36/job/91c5b968-166f-4138-9345-580cd624adda",
"permalink": "http://10.0.1.81:4440/project/ProjectBOB/job/show/91c5b968-166f-4138-9345-580cd624adda"
},
"description": "echo \"hi\"",
"argstring": null,
"serverUUID": "2337f5f7-e951-47d2-ba62-f8c02a0bb8df"
}
And here the execution on Rundeck.
来源:https://stackoverflow.com/questions/64552766/rundeck-static-token-not-loaded-when-rundeck-service-is-started