redhat-cop / aap_configuration_extended

providing extended functionality that is not in aap_configuration
GNU General Public License v3.0

feature - support of exporting access lists #1

Closed przemkalit closed 3 weeks ago

przemkalit commented 1 month ago

What does this PR do?

This PR introduces a feature that I was working on recently, which is exporting permissions of objects using the access list endpoint of the API.

I don't know if you would like to allow this in the collection, but I decided to share this feature; let me know what you think.

How should this be tested?

    - name: Permission export
      hosts: localhost
      connection: local
      gather_facts: false

      tasks:
        - name: Export team permissions of an object
          ansible.builtin.include_role:
            name: filetree_create
            tasks_from: team_access_list
          vars:
            object_id: 1
            object_type: "job_templates"

        - name: Export user permissions of an object
          ansible.builtin.include_role:
            name: filetree_create
            tasks_from: user_access_list
          vars:
            object_id: 1
            object_type: "job_templates"

Is there a relevant Issue open for this?

N/A

Other Relevant info, PRs, etc

N/A

przemkalit commented 1 month ago

Ok I've added support for an object_name.

przemkalit commented 3 weeks ago

> How are you going to use these new task files? As far as I can see, you're not adding these new ones to the all.yaml task file. And I think we shouldn't add them to all.yaml because we want to export teams and user roles as we have been doing so far.
>
> Take into consideration that if you export objects using access_list and you've done that before using the "regular" way, you could end up having duplicated role definitions.
>
> Have you tested this code? I'm not sure this can work, or at least can provide output useful for the dispatch role. Can you share the output of it?

I did not want to add it to all.yml because, for me, it is a set of tasks that export the access list to an object. Now that I think about it, maybe I should add these tasks as a separate role?

I am using this in our content promotion solution and it is properly exporting the permissions, and they are then properly loaded with the dispatcher.

adonisgarciac commented 3 weeks ago

If you don't want to add it to all.yaml, will you use those file tasks calling them directly or how do you want to manage it?

Are you defining controller_roles as a dict in your environment and it works? I expected it to fail because aap_configuration.controller_roles expects a list: https://github.com/redhat-cop/infra.aap_configuration/blob/devel/roles/controller_roles/tasks/main.yml#L34

przemkalit commented 3 weeks ago

> If you don't want to add it to all.yaml, will you use those file tasks calling them directly or how do you want to manage it?

It would be like that:

    - name: Export team permissions of an object
      ansible.builtin.include_role:
        name: filetree_create
        tasks_from: team_access_list
      vars:
        object_id: 1
        object_type: "job_templates"

> Are you defining controller_roles as a dict in your environment and it works? I expected it to fail because aap_configuration.controller_roles expects a list: https://github.com/redhat-cop/infra.aap_configuration/blob/devel/roles/controller_roles/tasks/main.yml#L34

Yes, you are totally right, I don't know why in our environment it works without the dictionary issue. I ran it as a regular playbook in an EE and it returned the error; I've introduced the fix.