ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

RFE: Allow creation of only smart inventories by non-admins #7999

Open xstasi opened 4 years ago

xstasi commented 4 years ago
ISSUE TYPE
SUMMARY

A customer would like to give individual technical teams the ability to create smart inventories, limiting the source pool to the hosts that they are supposed to see. A simplified example could be "team Windows manages all the Windows hosts and should not see any Linux or AIX".

The only permission currently available to unprivileged users is "inventory admin", but while this allows them to create smart inventories, it also allows them to create arbitrary inventories, and this is an undesired side effect. The alternative would be to not give users this permission, which would force them to limit hosts exclusively by name or group, which becomes prohibitive at their scale of thousands of target hosts. Being able to group target hosts by their characteristics, as is done with smart inventories, is an essential feature for them.

A possible solution could be to split the "inventory admin" role into two: "regular" inventory admin and smart inventory admin.

AlanCoding commented 2 years ago

Smart inventories are limited to the organization they are in. I can't remember if superusers can create smart inventories with a null organization, which would fetch hosts from all inventories.

Since these can only use hosts in the org, and creating them requires inventory_admin_role, and because this role already gives edit access to inventories in that organization, there is no escalation here. Could you give any more elaboration on your concern?