Commit ea1de81

committed
Merge branch '4.0.x' into 6.0.0
2 parents 943753a + 7f06762 commit ea1de81

2 files changed

Lines changed: 63 additions & 25 deletions

File tree

docs/administration/security/sso/azure-sso.md

Lines changed: 13 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -40,14 +40,19 @@ Next, add the required permissions in Azure.
4040

4141
![](/assets/img/sso-azure-04-apiperm2.jpg)
4242

43+
**For group name mapping (optional):**
44+
45+
If you need to use group names (not group IDs) in ACL policies, add the following Application permission:
46+
4347
1. Select **"API permissions"** on the left
4448
2. Select **"+ Add a permission"**
4549
3. Select **"Microsoft Graph"** as the permission type
4650
4. Select **"Application permissions"**
47-
5. Enter **"Directory.Read.All"** in the search box
48-
6. Select **"Directory"** to expand it
49-
7. Select **"Directory.Read.All"** under Directory to enable the permission
50-
8. Select **"Add permission"** at the bottom
51+
5. Enter **"GroupMember.Read.All"** in the search box
52+
6. Select **"GroupMember.Read.All"** to enable the permission
53+
7. Select **"Add permission"** at the bottom
54+
55+
**Note:** Using group IDs instead of group names requires no additional Application permissions beyond the delegated permissions above.
5156

5257
### Azure - Create the Application Secret
5358

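Review bot: the permission step now grants only `GroupMember.Read.All`, a welcome narrowing from `Directory.Read.All`, but the new intro sentence ("If you need to use group names (not group IDs) in ACL policies...") should also tell readers with an existing App Registration to remove the previously documented `Directory.Read.All` grant, otherwise upgraded tenants keep the broader permission and lose the least-privilege gain. Minor: the two consecutive added blank lines before the **Note:** line leave a double gap in the rendered page; one is enough.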
@@ -89,7 +94,8 @@ rundeck.security.oauth.azure.clientSecret=<SECRET_VALUE>
8994
rundeck.security.syncOauthUser=true
9095

9196
# Define the Azure scopes to map
92-
rundeck.security.oauth.azure.scope=openid email profile https://graph.microsoft.com/Directory.Read.All
97+
# Use GroupMember.Read.All only if group name mapping is required
98+
rundeck.security.oauth.azure.scope=openid email profile https://graph.microsoft.com/GroupMember.Read.All
9399

94100
# Map Azure user detail attributes
95101
rundeck.ssoSyncAttribNames.firstname=given_name
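Review bot: the new comment says to use `GroupMember.Read.All` only if group name mapping is required, yet the example line directly under it still requests `https://graph.microsoft.com/GroupMember.Read.All` unconditionally, so a reader who copies the snippet for the group-ID path gets the Graph scope anyway. Suggest showing the base value `rundeck.security.oauth.azure.scope=openid email profile` and putting the Graph variant on a second, clearly conditional line. Also worth reconciling with the first hunk, which adds `GroupMember.Read.All` under "Application permissions", while here it is requested in the OAuth `scope` value; the docs should state whether both are needed or only one.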
@@ -104,7 +110,7 @@ rundeck.ssoSyncAttribNames.email=preferred_username
104110

105111
### Important: First Login Approval
106112

107-
Upon first login to Rundeck using Azure SSO an Azure Admin level user will need to consent to the `Directory.Read.All` permission. Make sure to click the checkbox that asks to consent for the **whole organization**.
113+
If using the `GroupMember.Read.All` permission for group name mapping, an Azure Admin level user will need to consent upon first login to Rundeck using Azure SSO. Make sure to click the checkbox that asks to consent for the **whole organization**.
108114

109115
<img width="517" alt="image" src="https://github.com/rundeck/docs/assets/58412426/185bf972-577f-4e15-8367-d29fccaae578">
110116

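Review bot: the rewritten sentence makes admin consent conditional on `GroupMember.Read.All`, but it no longer says what happens on first login when group name mapping is not used. If the `openid email profile` scopes still produce a consent prompt, say so (and whether a non-admin user can accept it); if nothing is required, state that explicitly so readers on the group-ID path do not wait for an Azure Admin unnecessarily.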
@@ -115,7 +121,7 @@ By default, Azure does not send group information in the SSO token. You can conf
115121
![](/assets/img/sso-azure-08-token.png)
116122

117123

118-
**If you need to sync user groups by group name**, you need to enable the Rundeck plugin that uses the MS Graph API to get user/group information. Using this requires additional API permissions that were setup in the App Registration.
124+
**If you need to sync user groups by group name**, you need to enable the Rundeck plugin that uses the MS Graph API to get user/group information. Using this requires the `GroupMember.Read.All` Application permission configured in the App Registration above.
119125

120126
To enable this plugin, enable the *Enable Azure UserGroupSource Plugin* setting in the **System Configuration** page (config key `framework.plugin.UserGroupSource.AzureGroupSource.enabled`), or add the following to the `framework.properties` file:
121127

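Review bot: naming the exact permission is clearer than the old "additional API permissions", but "configured in the App Registration above" should point at the section by its heading or a link, since a reader who skipped the optional group-name steps needs to know where to go back to. It would also help to say here that syncing by group ID (the token-claim approach described just above this paragraph) is the lower-privilege option, as the note added earlier in this commit already states that it needs no extra Application permission.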
docs/learning/howto/runner-service-windows.md

Lines changed: 50 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -22,8 +22,8 @@ Skip this section if you have already installed an Enterprise Runner on a Window
2222

2323
2. Edit the `rundeck-config.properties` file and add the following line:
2424

25-
```
26-
rundeck.feature.runner.enabled=true
25+
```properties
26+
rundeck.feature.runner.enabled = true
2727
```
2828

2929
This line enables the Enterprise Runner functionality on Runbook Automation Self-Hosted. Runbook Automation SaaS includes this feature out of the box.
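Review bot: `rundeck.feature.runner.enabled = true` with spaces around `=` is valid Java properties syntax (whitespace around the separator is ignored on load), but it is inconsistent with every other property line in this commit, for example `rundeck.security.syncOauthUser=true` in azure-sso.md. Keep `rundeck.feature.runner.enabled=true`; the `properties` fence tag is a good addition on its own.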
@@ -112,55 +112,87 @@ To register the Enterprise Runner as a service, check the following steps:
112112

113113
2. Uncompress the file and copy the `prunmgr.exe` and `prunsrv.exe` files to the `C:\runner\` folder.
114114

115+
:::warning Use the 64-bit binary on a 64-bit JDK/JRE
116+
On a 64-bit system running a 64-bit JDK/JRE, use the 64-bit `prunsrv.exe` located in the `amd64\` subfolder of the uncompressed archive — **not** the 32-bit `prunsrv.exe` in the root of the archive. (`prunmgr.exe`, the GUI monitor, is 32-bit only — that is expected and fine.)
117+
:::
118+
115119
3. Rename the `prunsrv.exe` as `runner.exe`, and `prunmgr.exe` as `runnerw.exe`.
116120

117-
4. Open a new CMD terminal with Administrative rights.
121+
:::warning Architecture mismatch
122+
If a 32-bit `runner.exe` is used with a 64-bit JRE/JDK, it cannot load the 64-bit `jvm.dll`, and the service will fail to start or stop with the error `%1 is not a valid Win32 application`. You can confirm which architecture is in use by checking `commons-daemon.log`: the startup line should read `procrun (1.x.x.x 64-bit) started`.
123+
:::
124+
125+
4. Create a stop script named `stop-runner.bat` in the `C:\runner\` folder with the content below. This script stops only the Runner process that the service started — it reads the PID that procrun writes to `runner.pid` — instead of killing every `java.exe` process on the host:
126+
127+
```bat
128+
@echo off
129+
setlocal
130+
set "PIDFILE=C:\runner\runner.pid"
131+
if not exist "%PIDFILE%" exit /b 0
132+
set /p PID=<"%PIDFILE%"
133+
if "%PID%"=="" exit /b 0
134+
taskkill /F /FI "PID eq %PID%" /FI "IMAGENAME eq java.exe"
135+
endlocal
136+
```
118137

119-
5. Go to the `C:\runner\` folder.
138+
5. Open a new CMD terminal with Administrative rights.
120139

121-
6. Execute the following command (you can copy and paste it directly on the CMD terminal to execute it):
140+
6. Go to the `C:\runner\` folder.
122141

123-
```
124-
runner.exe //IS/runner ^
142+
7. Execute the following command (you can copy and paste it directly on the CMD terminal to execute it):
143+
144+
```bat
145+
runner.exe //IS//Runner ^
125146
--DisplayName=Runner ^
126-
--LogLevel=Debug ^
147+
--LogLevel=Info ^
127148
--LogPath=C:\runner ^
128149
--ServiceUser=LocalSystem ^
129150
--Startup=auto ^
151+
--Jvm=auto ^
130152
--StartMode=java ^
131153
--StartPath=C:\runner ^
132154
--StartParams=-jar#runner.jar ^
133155
--StopMode=exe ^
156+
--StopImage=C:\Windows\System32\cmd.exe ^
157+
--StopParams=/c#C:\runner\stop-runner.bat ^
134158
--StopPath=C:\runner ^
135-
--StopImage=TASKKILL.exe ^
136159
--StopTimeout=30 ^
137-
--PidFile=rundeck.pid ^
138-
--JvmMs=1024 --JvmMx=2048 ^
160+
--PidFile=runner.pid ^
161+
--JvmMs=1024 ^
162+
--JvmMx=4096 ^
139163
--StdOutput=C:\runner\runner.log ^
140164
--StdError=C:\runner\runner.log
141165
```
142166

143-
You will see the following messages:
167+
:::tip Note
168+
The service name uses a double slash (`//IS//runner`) — this is the procrun syntax for "install service". `--Jvm=auto` lets procrun locate `jvm.dll` automatically from `JAVA_HOME` / the registry. The stop is delegated to `stop-runner.bat` through `cmd.exe`; the full path to `cmd.exe` is required because procrun passes `--StopImage` directly to `CreateProcess`, which does not search the `PATH` (a bare `cmd` fails with `The system cannot find the file specified`).
169+
:::
170+
171+
You will see messages similar to the following:
144172

145-
```
146-
[2023-10-04 13:12:51] [info] ( prunsrv.c:2018) [ 5164] Apache Commons Daemon procrun (1.3.4.0 32-bit) started.
173+
```log
174+
[2023-10-04 13:12:51] [info] ( prunsrv.c:2018) [ 5164] Apache Commons Daemon procrun (1.5.1.0 64-bit) started.
147175
[2023-10-04 13:12:51] [debug] ( prunsrv.c:774 ) [ 5164] Installing service...
148176
[2023-10-04 13:12:51] [info] ( prunsrv.c:831 ) [ 5164] Installing service 'runner' name 'Runner'.
149177
[2023-10-04 13:12:51] [debug] ( prunsrv.c:865 ) [ 5164] Setting service user 'LocalSystem'.
150178
[2023-10-04 13:12:51] [info] ( prunsrv.c:882 ) [ 5164] Service 'runner' installed.
151179
[2023-10-04 13:12:51] [info] ( prunsrv.c:2102) [ 5164] Apache Commons Daemon procrun finished.
152180
```
153181

154-
7. Now press the Windows key + R key combination, then type `services.msc` and press the Enter key.
182+
8. Now press the Windows key + R key combination, then type `services.msc` and press the Enter key.
155183

156-
8. Scroll down the Service list and locate the "Runner" service.
184+
9. Scroll down the Service list and locate the "Runner" service.
157185

158186
![Launching services.msc](/assets/img/raas2.png)<br>
159187

160-
9. Click the right button and select "Start", after a couple of seconds, the service must be shown as "Running" status.
188+
10. Click the right button and select "Start", after a couple of seconds, the service must be shown as "Running" status.
161189

162190
![Windows Services](/assets/img/raas5.png)<br>
163191

192+
:::tip Note
193+
If you install the service at `--LogLevel=Debug`, the stop sequence may log repeated `conhost.exe ... Still here!` lines for a few seconds while procrun tears down the console host of the spawned `java.exe` process. This is cosmetic — the service still reaches the `Stopped` state. Running at `--LogLevel=Info` (as shown above) keeps the log clean. Note that the Runner's own application logs are written under `C:\runner\runner\logs\`, separate from the procrun `--StdOutput`/`--StdError` file.
194+
:::
195+
164196
### How to remove the service
165197

166198
To stop and remove the Enterprise Runner service check the following steps:
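Review bot: the install command uses `//IS//Runner`, the tip added after it quotes `//IS//runner`, and the sample log shows `Installing service 'runner' name 'Runner'`; pick one spelling of the service name and use it in the command, the tip and the removal step. Second, `stop-runner.bat` hardcodes `C:\runner\runner.pid` while the install line sets only `--PidFile=runner.pid` with no directory; procrun creates the PID file under the `--LogPath` directory, so this lines up only because `--LogPath=C:\runner`, and the tip should say so, since a reader who changes `--LogPath` gets a stop script that silently exits with `exit /b 0` because the file is never found. Third, the script uses `taskkill /F` straight away, so `--StopTimeout=30` never buys an orderly shutdown; if the Runner supports a graceful stop, consider a non-forced attempt before the forced kill.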
@@ -169,7 +201,7 @@ To stop and remove the Enterprise Runner service check the following steps:
169201

170202
2. Go to the `C:\runner\` folder.
171203

172-
3. Execute `runner.exe //DS/Runner`. This process could take around 30 seconds.
204+
3. Execute `runner.exe //DS//Runner`. This process could take around 30 seconds.
173205

174206
Now, the service is down and unregistered from Windows Services.
175207

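Review bot: `//DS//Runner` brings the removal step in line with the install command's double-slash syntax, but "around 30 seconds" is left unexplained; it follows from the `--StopTimeout=30` set at install time, so say so here, and keep the service name's case consistent with whatever spelling the install step settles on.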