redhat-cop / controller_configuration

A collection of roles to manage Ansible Controller and previously Ansible Tower
https://galaxy.ansible.com/infra/controller_configuration
GNU General Public License v3.0

Issue with team permission import for a workflow #907

Closed przemkalit closed 2 weeks ago

przemkalit commented 2 weeks ago

Summary

Hi, I've discovered that team permissions for a workflow are not populated in the target controller. As a result, user roles for the workflow are added, but team roles are marked as Ok instead of Changed. I tested this with the latest versions of ansible.controller; with the awx.awx controller there is no issue.

Please check it ASAP, because this functionality is crucial.

Issue Type

Ansible, Collection, Controller details

ansible --version

ansible [core 2.15.8]

ansible-galaxy collection list
Collection                     Version
------------------------------ -------
ansible.controller             4.5.10
infra.controller_configuration 2.9.0

OS / ENVIRONMENT

RH 9.4

Desired Behavior

Permission roles are imported

Actual Behavior

Permission roles are not imported

TASK [infra.controller_configuration.roles : Managing Role Based Access Entries on Controller] ***********************************************************************************************************************************************************************
ok: [localhost] => (item=Create/Update Role Based Access Entry on Controller execute)

STEPS TO REPRODUCE

---
- name: restore
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    controller_roles:
      - team: "team-X"
        workflows:
          - "workflow_name"
        role: "execute"

    controller_hostname: ""
    controller_oauthtoken: ""
    controller_validate_certs: false

  tasks:
    - name: Import objects
      ansible.builtin.include_role:
        name: infra.controller_configuration.dispatch

przemkalit commented 2 weeks ago

Okay, something is not right on our side, I will close this issue.

przemkalit commented 2 weeks ago

Sorry, but as a result I found the bug. It occurs in the export of roles: the role looks for workflow/workflows inside the controller_roles structure, but filetree_create exports workflow_job_template/workflow_job_templates into controller_roles. That's why the roles cannot be imported.

/roles/roles/tasks/main.yml

    - name: "Managing Role Based Access Entries on Controller"
      role:
      ...
        workflow:    "{{ __controller_role_item.0.workflow | default(__controller_role_item.workflow) | default(omit, true) }}"
        workflows:   "{{ __controller_role_item.0.workflows | default(__controller_role_item.workflows) | default(([] if controller_configuration_role_enforce_defaults else omit), true) }}"

/roles/filetree_create/templates/current_team_roles.j2

{% if first_team_role | default(true) | bool %}
---
controller_roles:
{% endif %}
{% for role in object_roles %}
...
{% elif (role|dict2items)[0].value.resource_type is match('workflow_job_template') %}
    workflow_job_templates:

I don't know why it works for the user, but I think maybe the user is treated differently.

ivarmu commented 2 weeks ago

So... if I understand well... the key workflow_job_templates should be changed to workflow or workflows to let the dispatch work. Am I right?

przemkalit commented 2 weeks ago

Yes, that works in our customised collection. I would create a PR, but I am kinda busy with something else.
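
The key mismatch described in this thread can be caught before an import, since the task otherwise reports ok while the team's workflow permission is never applied. The following is an added example, not code from the thread or from the collection: it assumes the exported controller_roles list has already been parsed into Python dicts, and the function names and sample data are hypothetical; only the four key names come from the thread.

```python
# Added example: pre-import check for exported controller_roles entries.
# Key names are the ones quoted in the thread; function names are hypothetical.

# Keys the export template writes -> keys the roles role reads (per the thread).
KEY_MAP = {
    "workflow_job_template": "workflow",
    "workflow_job_templates": "workflows",
}

# Constructed sample: first entry as exported, second as the import expects it.
SAMPLE_EXPORT = [
    {"team": "team-X", "workflow_job_templates": ["workflow_name"], "role": "execute"},
    {"team": "team-X", "workflows": ["workflow_name"], "role": "execute"},
]


def find_unread_keys(controller_roles):
    """Return (index, key) pairs for entries whose workflow key would be ignored."""
    findings = []
    for idx, entry in enumerate(controller_roles):
        for key in entry:
            if key in KEY_MAP:
                findings.append((idx, key))
    return findings


def normalize_roles(controller_roles):
    """Return a copy with exported keys renamed; never merge two spellings silently."""
    fixed = []
    for idx, entry in enumerate(controller_roles):
        new_entry = {}
        for key, value in entry.items():
            target = KEY_MAP.get(key, key)
            if target in new_entry:
                # Both spellings present: a human should decide which list wins.
                raise ValueError(f"entry {idx}: '{target}' would be set twice")
            new_entry[target] = value
        fixed.append(new_entry)
    return fixed


if __name__ == "__main__":
    for idx, key in find_unread_keys(SAMPLE_EXPORT):
        print(f"entry {idx}: '{key}' is not read on import, rename to '{KEY_MAP[key]}'")
    print(normalize_roles(SAMPLE_EXPORT))
```

Running the check on every exported roles file before dispatch turns a silent permission gap into a visible finding.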