object_diff role support for `roles` , `settings` and ` teams` controllers ?

[nodje]

I'm trying to use object_diff on roles & settings controller.

Evenb though the default.yml doesn't list them in controller_configuration_object_diff_tasks but at list they are referenced as variables in # Automation Controller Object Lists

A trial with the following playbook

• role: redhat_cop.controller_configuration.object_diff vars: controller_configuration_object_diff_tasks:

  - {name: settings, var: controller_settings, tags: settings }

    - {name: roles, var: controller_roles, tags: roles }

produces a weird error: fatal: [localhost]: FAILED! => { "msg": "An unhandled exception occurred while running the lookup plugin 'redhat_cop.controller_configuration.controller_object_diff'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Key: 'name' missing from item in compare_list item: {'user': 'e75758', 'organization': 'BP2I CS21B - OS AIX MEO MOE', 'role': 'admin'}. Key: 'name' missing from item in compare_list item: {'user': 'e75758', 'organization': 'BP2I CS21B - OS AIX MEO MOE', 'role': 'admin'}" }

I can't find any reference to a name Key in https://github.com/redhat-cop/controller_configuration/tree/devel/roles/roles but I'm not sure I'm reading this correctly.

Trying on settings controllers produces a: fatal: [localhost]: FAILED! => { "reason": "Could not find or access '/root/project/ansible/tower/automation-admin/settings.yml' on the Ansible Controller." }

[adonisgarciac]

Hi, which version of collection are you using? It had a commit about object_diff plugin and roles and it is not in the public release 2.2.4: https://github.com/redhat-cop/controller_configuration/commit/500d8e82df69adf4be1218cfae158303a33e9b89.

Settings are not managed by object_diff: https://github.com/redhat-cop/controller_configuration/tree/devel/roles/object_diff/tasks

Settings is an unique object which will be defined with a json or a yaml dict. To sure the desired state you can define every setting in this json/yaml dict and your configuration as code will implement always these settings. Example defined settings:

controller_settings:
  - settings:
      ACTIVITY_STREAM_ENABLED: true
      ACTIVITY_STREAM_ENABLED_FOR_INVENTORY_SYNC: false
      AUTH_LDAP_GROUP_TYPE_PARAMS:
          member_attr: member
          name_attr: cn
      AUTOMATION_ANALYTICS_GATHER_INTERVAL: 14400
      AUTOMATION_ANALYTICS_LAST_ENTRIES: ''
      DEFAULT_EXECUTION_ENVIRONMENT: null
      INSIGHTS_TRACKING_STATE: true
      INSTALL_UUID: XXXXXXXXXXXXXXX
      LICENSE:
          instance_count: 100
          license_date: XXXXXXXXX
          license_type: enterprise
          pool_id: XXXXXXXXXXXXX
          product_name: Red Hat Ansible Automation Platform
          satellite: null
          sku: XXXXXXXXXXX
          subscription_name: XXXXXXXXXXXXXXx
          support_level: Standard
          valid_key: true
      MANAGE_ORGANIZATION_AUTH: true
      ORG_ADMINS_CAN_SEE_ALL_USERS: true
      PENDO_TRACKING_STATE: detailed
      PROXY_IP_ALLOWED_LIST: []
      REDHAT_PASSWORD: ''
      REDHAT_USERNAME: ''
      REMOTE_HOST_HEADERS:
      - REMOTE_ADDR
      - REMOTE_HOST
      SUBSCRIPTIONS_USERNAME: user
      TOWER_URL_BASE: https://192.168.1.1

[nodje]

Thanks, I got the settings part, it makes sense now.

I do have a support for roles controller in 2.2.4 though. See https://github.com/redhat-cop/controller_configuration/blob/2.2.4/roles/object_diff/tasks/roles.yml

Also I'm trying to remove Teams atm, and I bumped into another issue. Even though supported and working as expected, I realise the dedicated playbook only seem to be able to target the Teams from the SuperAdmin organization. See https://github.com/redhat-cop/controller_configuration/blob/2.2.4/roles/object_diff/tasks/teams.yml

I think there should be a way to list and make a difference between all existing Teams PER Organization. WDYT?

[adonisgarciac]

Roles are only managed by superadmin in the object_diff role because roles are a particular kind of object. For instance:

Org1 has a template and give admin permission to team1 which is member or org2.

This should be work defining the role in the org1 but it doesn't work if object_diff can remove roles from orgs. If object_diff can remove roles from orgs and the above role is only present in the code of org1, the desired state of org2 will remove the permissions. So to work property, role should be defined in two orgs and you can't manage desired state of you org because it depends on the configuration as code of another org.

[nodje]

Hi, thanks for your answer, but I'm not sure I follow you.

2 things:

• object_diff on rolescontroller is working end up with an issue: fatal: [localhost]: FAILED! => { "msg": "An unhandled exception occurred while running the lookup plugin 'redhat_cop.controller_configuration.controller_object_diff'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Key: 'name' missing from item in compare_list item: {'user': 'e75758', 'organization': 'BP2I CS21B - OS AIX MEO MOE', 'role': 'admin'}. Key: 'name' missing from item in compare_list item: {'user': 'e75758', 'organization': 'BP2I CS21B - OS AIX MEO MOE', 'role': 'admin'}" } obvioulsy it has found some object to compare, but fails on a name property that doesn't seem to exist.

• Teams: object_diff will only make a difference with teams controllers found in the SuperAdmin org.

If I'm following this logic, the only way to setup a Tower instance Teams controller to a desired state is to have all the Teams under the SuperAdmin orgs and add members from other Organizations into it and apply roles to objects belonging to Any organizations. From my test, it would work and I've no issue with this. But I think this kind of requirements structures the way one can administrate a Tower instance. And I'm not sure this si a best pratice documented anywhere.

[adonisgarciac]

For the first one: Can you test it with the latest content of this collection? Not with the publish one (Version 2.2.4), but with the latest content and built it by yourself. It had some changes about roles in the controller_object_diff plugin and it is not published yet: https://github.com/redhat-cop/controller_configuration/commit/500d8e82df69adf4be1218cfae158303a33e9b89

Second one: yes, RBAC is creepy to develop for the Desired State because teams, users and roles can belong to different organizations, etc.. For this reason, Desired State for RBAC was developed to be managed only from SuperAdmin. Maybe we need to find a way to allow Desired State for RBAC within every organization but it is not developed yet.

[nodje]

Gotcha, and sorry I didn't get your first post:

It had a commit about object_diff plugin and roles and it is not in the public release 2.2.4: https://github.com/redhat-cop/controller_configuration/commit/500d8e82df69adf4be1218cfae158303a33e9b89. at first.

I'm gonna test it this commit

[djdanielsson]

if you can update this issue that would be great

[nodje]

Sorry about this one, I'll be testing this again soon.

[adonisgarciac]

I think this issue can be closed. @djdanielsson