Overview
This article describes the methodology I use to manage User and Team access in Ansible Web Executable (AWX).
Terminology
Ansible Web Executable (AWX) is the upstream open source project for Ansible Automation Platform (AAP); earlier versions of the commercial product were called Ansible Tower. I may use AWX, AAP or even Tower in this and the following related articles.
Environment Methodology
The AWX Quickstart documentation describes the process of configuring AWX by creating an Organization, Users and Teams, an Inventory, Credentials, Projects and a Job Template.
The problem with this approach is that objects created by a User are visible only to that User until a Role on each object is granted to a Team. That task falls to the AWX automation admin, someone on the automation team. For a small organization this may be acceptable, but as the organization grows it requires more members of the automation team just to process access tickets.
A further limitation is that object-level Roles can only be granted on objects that already exist. On the Credentials page, for example, there is no overall admin Role, so you cannot from there give someone the ability to manage all Credentials, including ones created later. (AWX does expose per-type Roles such as Credential Admin, Project Admin and Inventory Admin, but only at the Organization level, which is where the approach below works.)
There is a way around this in AWX, and it is how my environments are configured. I did follow the process of creating an Organization, Users and two Teams: an Admin team and a User team. This is all described below.
For permissions, though, I work at the Organization level: the Admin Team is given the Admin Role on the Organization, and the Users Team is given the Roles that let its members view objects and run Job Templates (Read and Execute). Because the Organization Admin Role covers everything later created in the Organization, including Users, Teams and Credentials, this moves the ticket work from the automation admin to the admins of the group that actually uses AWX. Be aware that it also lets those admins grant Roles to anyone in the Organization and use every Credential stored in it, so privileged Credentials belong in an Organization scoped to the team that needs them.
I was reading an article on User access whose proposal was that Users and Teams belong to the Default Organization, with the other Organizations used only to hold objects. This would give anyone in the Default Organization the ability to view objects in any Organization, once the relevant Roles are granted to the Default Organization's Teams. It keeps things tidy and also permits troubleshooting without having to be a member of one or more Organizations.
AWX Logins
There are three instances of AWX in my homelab.
Organizations
Within each instance there is a Default Organization and an instance-specific Organization for the Unix Admins:
- HCS-AWX-DEV-EXUX
- HCS-AWX-QA-EXUX
- HCS-AWX-PROD-EXUX
Teams
There are two Teams in each Organization: one for users who administer the objects in the Organization and one for users who are tasked with running jobs.
- HCS-AWX-DEV-EXUX-ADMINS
- HCS-AWX-DEV-EXUX-USERS
- HCS-AWX-QA-EXUX-ADMINS
- HCS-AWX-QA-EXUX-USERS
- HCS-AWX-PROD-EXUX-ADMINS
- HCS-AWX-PROD-EXUX-USERS
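The following Ansible playbook is added here as a worked example of the Organization, Team and Role setup described above; it is not code from the original post or from the AWX project. It uses the awx.awx collection and is run once per AWX instance with env_tag set to DEV, QA or PROD, which yields the Organization and Team names listed above. It assumes the controller URL and login come from the CONTROLLER_HOST and CONTROLLER_USERNAME / CONTROLLER_PASSWORD environment variables that the collection's modules read by default; the user names and the INITIAL_PASSWORD variable are hypothetical placeholders.

```yaml
# Added example (not from the original post or the AWX project).
# Assumes: ansible-galaxy collection install awx.awx, and CONTROLLER_HOST,
# CONTROLLER_USERNAME and CONTROLLER_PASSWORD exported in the environment.
- name: Delegate Organization administration to an ADMINS team
  hosts: localhost
  gather_facts: false
  vars:
    env_tag: DEV                                  # DEV, QA or PROD; one run per AWX instance
    org_name: "HCS-AWX-{{ env_tag }}-EXUX"
    admins_team: "{{ org_name }}-ADMINS"
    users_team: "{{ org_name }}-USERS"
    admin_users: [unixadmin1]                     # hypothetical user names
    regular_users: [unixuser1, unixuser2]         # hypothetical user names
  tasks:
    - name: Create the instance-specific Organization
      awx.awx.organization:
        name: "{{ org_name }}"
        description: "Unix Admins ({{ env_tag }})"
        state: present

    - name: Create the ADMINS and USERS Teams inside the Organization
      awx.awx.team:
        name: "{{ item }}"
        organization: "{{ org_name }}"
        state: present
      loop:
        - "{{ admins_team }}"
        - "{{ users_team }}"

    - name: Create local Users (initial password comes from the environment, never the playbook)
      awx.awx.user:
        username: "{{ item }}"
        password: "{{ lookup('env', 'INITIAL_PASSWORD') }}"
        state: present
      loop: "{{ admin_users + regular_users }}"
      no_log: true                                # keep the password out of job output

    - name: Put the admin Users on the ADMINS Team
      awx.awx.role:
        user: "{{ item }}"
        target_team: "{{ admins_team }}"
        role: member
        state: present
      loop: "{{ admin_users }}"

    - name: Put the regular Users on the USERS Team
      awx.awx.role:
        user: "{{ item }}"
        target_team: "{{ users_team }}"
        role: member
        state: present
      loop: "{{ regular_users }}"

    # Organization-level Admin covers every object created in the Organization
    # from now on, so no further tickets are needed for new Credentials,
    # Projects, Inventories or Job Templates.
    - name: Grant the ADMINS Team the Admin Role on the whole Organization
      awx.awx.role:
        team: "{{ admins_team }}"
        organization: "{{ org_name }}"
        role: admin
        state: present

    # Read lets the USERS Team see objects; Execute lets it launch Job Templates.
    - name: Grant the USERS Team the Read and Execute Roles on the Organization
      awx.awx.role:
        team: "{{ users_team }}"
        organization: "{{ org_name }}"
        role: "{{ item }}"
        state: present
      loop: [read, execute]
```

Run it as `ansible-playbook awx-access.yml -e env_tag=QA` against each instance in turn. Two points worth keeping in mind: the Execute Role on the Organization lets every member of the USERS Team launch any Job Template in that Organization, so any Credential attached to those templates is effectively usable by them; and the ADMINS Team, holding Admin on the Organization, can itself add members and grant Roles, which is exactly the delegation the post is after but also means the automation admin should review who sits on that Team.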