Failed to read SSH Private key stored at path: 无法读取存储在路径上的SSH私钥

huangapple go评论57阅读模式
英文:

Failed to read SSH Private key stored at path

问题

当除了admin以外的任何用户运行该作业时,我遇到了这个错误:

Failed to read SSH Private key stored at path: keys/rundeck/id_rsa: com.dtolabs.rundeck.core.storage.StorageAuthorizationException: Unauthorized access

我应该在哪里查找解决这个错误的方法?

TIA.

英文:

I am getting this error when any user besides admin runs the job:

Failed to read SSH Private key stored at path: keys/rundeck/id_rsa: com.dtolabs.rundeck.core.storage.StorageAuthorizationException: Unauthorized access

Where should I be looking to solve this error?

TIA.

答案1

得分: 0

因为您需要为您的用户/角色授予密钥存储的访问权限,这个ACL授予对Rundeck密钥存储的访问权限:

description: 项目上下文。
context:
  project: ProjectEXAMPLE
for:
  resource:
    - allow: [run,read]
  job:
    - allow: [read,view,update,run]
  node:
    - allow: [read,run]
by:
  username: user
 
---

description: 应用上下文。
context:
  application: 'rundeck'
for:
  project:
  - allow: read
    match:
      name: ProjectEXAMPLE
  storage:
     - allow: [read]
by:
  username: user

请查看应用上下文的存储部分。

但是,如果您想要限制到特定的密钥,您可以使用这种方法。例如:

description: 项目上下文。
context:
  project: ProjectEXAMPLE
for:
  resource:
    - allow: [run,read]
  job:
    - allow: [read,view,update,run]
  node:
    - allow: [read,run]
by:
  username: user
 
---

description: 应用上下文。
context:
  application: 'rundeck'
for:
  project:
  - allow: read
    match:
      name: ProjectEXAMPLE
  storage:
    - match:
        path: 'keys/rundeck'
      allow: [read]
by:
  username: user

在这两种情况下,如果您想要将ACL集中在特定角色上,请将"username"更改为"group"。

考虑到您正在使用密钥keys/rundeck来访问远程节点。

<?xml version="1.0" encoding="UTF-8"?>

<project>
  <node name="node00" description="NODE 00" tags="canada" hostname="192.168.56.20" osArch="amd64" osFamily="unix" osName="Linux" osVersion="3.10.0-514.el7.x86_64" username="vagrant" ssh-key-storage-path="keys/rundeck"/>
</project>
英文:

That's because you need to grant access to key storage to your user/roles, this ACL grant access to the Rundeck Key Storage:

description: project context.
context:
  project: ProjectEXAMPLE
for:
  resource:
    - allow: [run,read]
  job:
    - allow: [read,view,update,run]
  node:
    - allow: [read,run]
by:
  username: user
 
---

description: app context.
context:
  application: &#39;rundeck&#39;
for:
  project:
  - allow: read
    match:
      name: ProjectEXAMPLE
  storage:
     - allow: [read]
by:
  username: user

Check the app context storage section.

But if you want to limit to an specific key you will use this approach. e.g:

description: project context.
context:
  project: ProjectEXAMPLE
for:
  resource:
    - allow: [run,read]
  job:
    - allow: [read,view,update,run]
  node:
    - allow: [read,run]
by:
  username: user
 
---

description: app context.
context:
  application: &#39;rundeck&#39;
for:
  project:
  - allow: read
    match:
      name: ProjectEXAMPLE
  storage:
    - match:
        path: &#39;keys/rundeck&#39;
      allow: [read]
by:
  username: user

In both cases if you want to focus your ACL to a specific role change "username" by "group".

Considering that you're using the key keys/rundeck to access the remote node.

&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;

&lt;project&gt;
  &lt;node name=&quot;node00&quot; description=&quot;NODE 00&quot; tags=&quot;canada&quot; hostname=&quot;192.168.56.20&quot; osArch=&quot;amd64&quot; osFamily=&quot;unix&quot; osName=&quot;Linux&quot; osVersion=&quot;3.10.0-514.el7.x86_64&quot; username=&quot;vagrant&quot; ssh-key-storage-path=&quot;keys/rundeck&quot;/&gt;
&lt;/project&gt;

huangapple
  • 本文由 发表于 2023年5月25日 03:50:54
  • 转载请务必保留本文链接:https://go.coder-hub.com/76326965.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定